From ascarpino at openjdk.java.net Fri Oct 1 00:55:27 2021 From: ascarpino at openjdk.java.net (Anthony Scarpino) Date: Fri, 1 Oct 2021 00:55:27 GMT Subject: RFR: 8264849: Add KW and KWP support to PKCS11 provider In-Reply-To: References: Message-ID: On Fri, 17 Sep 2021 23:22:21 GMT, Valerie Peng wrote: > Anyone has time to review this RFE for adding AES cipher with KW, KWP modes support to SunPKCS11 provider? > > The main changes are in only one new class, i.e. P11KeyWrapCipher.java, which is the CipherSpi impl for the native PKCS11 key wrap mechanisms. When testing against NSS library, it seems that they only support the single part enc/dec PKCS11 APIs, so have to use a new class as existing P11Cipher class relies on the multi part enc/dec PKCS11 APIs and do not support key wrapping/unwrapping. > > The rest are minor code refactoring and updates for the PKCS11 Exception class. > The new regression tests are adapted from existing key wrap regression tests for SunJCE provider. > > Thanks, > Valerie test/jdk/sun/security/pkcs11/Cipher/KeyWrap/TestGeneral.java line 30: > 28: * AES/KW/PKCS5Padding, and AES/KWP/NoPadding impls of SunPKCS11 provider. > 29: * @library /test/lib ../.. > 30: * @run main/othervm TestGeneral General question about all the tests. They use othervm, did they not work with agentvm? test/jdk/sun/security/pkcs11/Cipher/KeyWrap/TestGeneral.java line 74: > 72: } > 73: > 74: //System.out.println("enc out.length=" + out.length); Lelftover debug line? ------------- PR: https://git.openjdk.java.net/jdk/pull/5569 From weijun at openjdk.java.net Fri Oct 1 01:49:35 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Fri, 1 Oct 2021 01:49:35 GMT Subject: RFR: 8274471: Verification of OCSP Response signed with RSASSA-PSS fails In-Reply-To: References: Message-ID: On Thu, 30 Sep 2021 23:15:33 GMT, Hai-May Chao wrote: > As throwing ProviderException is removed from initVerifyWithParam(), could we remove the ProviderException in the try-catch block from the callers of initVerifyWithParam()? For example, one of the callers at: > https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java#L476 `ProviderException` is a `RuntimeException`, so removing it from the method signature does not mean the method will not throw it. Therefore, removing those catch blocks might lead to behavior changes. I'd rather not touch them. ------------- PR: https://git.openjdk.java.net/jdk/pull/5778 From weijun at openjdk.java.net Fri Oct 1 03:32:11 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Fri, 1 Oct 2021 03:32:11 GMT Subject: RFR: 8274471: Verification of OCSP Response signed with RSASSA-PSS fails [v2] In-Reply-To: References: Message-ID: > Extra parameters need to be set for RSASSA-PSS signatures. We already have a helper method for that. > > Some other cleanups: > 1. When using GET for OCSP, make sure no double slash. > 2. Several throws clauses are not necessary. > > No regression test. OCSP needs to access an external server. Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: a test ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5778/files - new: https://git.openjdk.java.net/jdk/pull/5778/files/12e8f249..ae58fe45 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5778&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5778&range=00-01 Stats: 62 lines in 4 files changed: 19 ins; 26 del; 17 mod Patch: https://git.openjdk.java.net/jdk/pull/5778.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5778/head:pull/5778 PR: https://git.openjdk.java.net/jdk/pull/5778 From abakhtin at openjdk.java.net Fri Oct 1 10:41:49 2021 From: abakhtin at openjdk.java.net (Alexey Bakhtin) Date: Fri, 1 Oct 2021 10:41:49 GMT Subject: RFR: 8274524: SSLSocket.close() hangs if it is called during the ssl handshake [v2] In-Reply-To: References: Message-ID: > Please review the patch for JDK-8274524 > > The fix just adds locks around InputStream read and skip operations to prevent concurrent read from socket. > sun/security/ssl jtreg tests passed > api/javax_net/ssl/SSLSocket/setUseClientMode jck test passed Alexey Bakhtin has updated the pull request incrementally with one additional commit since the last revision: Reimplemented readLock, added lock in readHandshakeRecord ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5760/files - new: https://git.openjdk.java.net/jdk/pull/5760/files/d1c2a4fe..065073d1 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5760&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5760&range=00-01 Stats: 51 lines in 2 files changed: 12 ins; 24 del; 15 mod Patch: https://git.openjdk.java.net/jdk/pull/5760.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5760/head:pull/5760 PR: https://git.openjdk.java.net/jdk/pull/5760 From abakhtin at openjdk.java.net Fri Oct 1 10:52:26 2021 From: abakhtin at openjdk.java.net (Alexey Bakhtin) Date: Fri, 1 Oct 2021 10:52:26 GMT Subject: RFR: 8274524: SSLSocket.close() hangs if it is called during the ssl handshake In-Reply-To: References: Message-ID: On Thu, 30 Sep 2021 23:04:20 GMT, Clive Verghese wrote: > Hi @alexeybakhtin, > > Thank you for the PR. > > I have a question regarding the lock, Would adding a `appInput.readLock.lock()` in `SSLSocketImpl:decode(ByteBuffer)` resolve this issue? Hi Clive, Thank you for your review. I think you are right. It can be simplified by using the existing appInput.readLock. SSLSocketImpl: decode () already protected by appInput.readLock in readApplicationRecord () and waitForClose (), so I've added readLock in the readHandshakeRecord (). These are the only places were decode() is called. ------------- PR: https://git.openjdk.java.net/jdk/pull/5760 From weijun at openjdk.java.net Fri Oct 1 14:43:24 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Fri, 1 Oct 2021 14:43:24 GMT Subject: RFR: 8274471: Verification of OCSP Response signed with RSASSA-PSS fails [v3] In-Reply-To: References: Message-ID: > Extra parameters need to be set for RSASSA-PSS signatures. We already have a helper method for that. > > Some other cleanups: > 1. When using GET for OCSP, make sure no double slash. > 2. Several throws clauses are not necessary. > > No regression test. OCSP needs to access an external server. Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: verifier should not use automatically derived parameters fails ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5778/files - new: https://git.openjdk.java.net/jdk/pull/5778/files/ae58fe45..f6ba88a9 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5778&range=02 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5778&range=01-02 Stats: 11 lines in 1 file changed: 0 ins; 5 del; 6 mod Patch: https://git.openjdk.java.net/jdk/pull/5778.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5778/head:pull/5778 PR: https://git.openjdk.java.net/jdk/pull/5778 From weijun at openjdk.java.net Fri Oct 1 14:43:25 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Fri, 1 Oct 2021 14:43:25 GMT Subject: RFR: 8274471: Verification of OCSP Response signed with RSASSA-PSS fails [v2] In-Reply-To: References: Message-ID: On Fri, 1 Oct 2021 03:32:11 GMT, Weijun Wang wrote: >> Extra parameters need to be set for RSASSA-PSS signatures. We already have a helper method for that. >> >> Some other cleanups: >> 1. When using GET for OCSP, make sure no double slash. >> 2. Several throws clauses are not necessary. >> >> No regression test. OCSP needs to access an external server. > > Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: > > a test New commit to disallow a verifier `Signature` be created directly from algorithm and key and initialized with a default parameters. For verifiers, params must be provided explicitly (if needed); otherwise, it's an error. Fortunately no code is using this function at the moment. ------------- PR: https://git.openjdk.java.net/jdk/pull/5778 From cverghese at openjdk.java.net Fri Oct 1 15:33:29 2021 From: cverghese at openjdk.java.net (Clive Verghese) Date: Fri, 1 Oct 2021 15:33:29 GMT Subject: RFR: 8274524: SSLSocket.close() hangs if it is called during the ssl handshake In-Reply-To: References: Message-ID: On Fri, 1 Oct 2021 10:49:00 GMT, Alexey Bakhtin wrote: >> Hi @alexeybakhtin, >> >> Thank you for the PR. >> >> I have a question regarding the lock, Would adding a `appInput.readLock.lock()` in `SSLSocketImpl:decode(ByteBuffer)` resolve this issue? > >> Hi @alexeybakhtin, >> >> Thank you for the PR. >> >> I have a question regarding the lock, Would adding a `appInput.readLock.lock()` in `SSLSocketImpl:decode(ByteBuffer)` resolve this issue? > > Hi Clive, > Thank you for your review. I think you are right. It can be simplified by using the existing appInput.readLock. > SSLSocketImpl: decode () already protected by appInput.readLock in readApplicationRecord () and waitForClose (), so I've added readLock in the readHandshakeRecord (). These are the only places were decode() is called. Thank you @alexeybakhtin, The change looks good to me, but I am not a reviewer. ------------- PR: https://git.openjdk.java.net/jdk/pull/5760 From weijun at openjdk.java.net Fri Oct 1 17:09:03 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Fri, 1 Oct 2021 17:09:03 GMT Subject: RFR: 8273670: Remove weak etypes from default krb5 etype list [v5] In-Reply-To: <8riZXsI2hujdk0CMDRn856-Am5CQtjsuEN_cnNhaoNg=.03da33f1-7d8a-41af-8da3-88598fd1e410@github.com> References: <8riZXsI2hujdk0CMDRn856-Am5CQtjsuEN_cnNhaoNg=.03da33f1-7d8a-41af-8da3-88598fd1e410@github.com> Message-ID: > This code change removes weak etypes from the default list so it's safer to enable one of them. See the corresponding CSR at https://bugs.openjdk.java.net/browse/JDK-8274207 for more explanation. BTW, please review the CSR as well. Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: backout checksum changes reverted: ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5654/files - new: https://git.openjdk.java.net/jdk/pull/5654/files/173dc441..7371a1b5 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5654&range=04 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5654&range=03-04 Stats: 145 lines in 4 files changed: 51 ins; 59 del; 35 mod Patch: https://git.openjdk.java.net/jdk/pull/5654.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5654/head:pull/5654 PR: https://git.openjdk.java.net/jdk/pull/5654 From weijun at openjdk.java.net Fri Oct 1 17:09:05 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Fri, 1 Oct 2021 17:09:05 GMT Subject: RFR: 8273670: Remove weak etypes from default krb5 etype list [v4] In-Reply-To: References: <8riZXsI2hujdk0CMDRn856-Am5CQtjsuEN_cnNhaoNg=.03da33f1-7d8a-41af-8da3-88598fd1e410@github.com> Message-ID: On Tue, 28 Sep 2021 14:24:01 GMT, Weijun Wang wrote: >> This code change removes weak etypes from the default list so it's safer to enable one of them. See the corresponding CSR at https://bugs.openjdk.java.net/browse/JDK-8274207 for more explanation. BTW, please review the CSR as well. > > Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: > > restrict availability Backout checksum related changes. Will deal with it in another issue. ------------- PR: https://git.openjdk.java.net/jdk/pull/5654 From weijun at openjdk.java.net Fri Oct 1 17:43:50 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Fri, 1 Oct 2021 17:43:50 GMT Subject: RFR: 8274656: Remove default_checksum and safe_checksum_type from krb5.conf Message-ID: <5_dUkH9npb4WOgEq8wSkJQWHxQgsQ2jR-ueFrLDUYgg=.5a58c92f-fd71-48f4-8073-9684a52ad5d3@github.com> Remove support for the 2 settings. Remove classes around the KRB_PRIV and KRB_SAFE message types that were never used in Java. ------------- Commit messages: - 8274656: Remove default_checksum and safe_checksum_type from krb5.conf Changes: https://git.openjdk.java.net/jdk/pull/5788/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5788&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8274656 Stats: 1345 lines in 13 files changed: 0 ins; 1343 del; 2 mod Patch: https://git.openjdk.java.net/jdk/pull/5788.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5788/head:pull/5788 PR: https://git.openjdk.java.net/jdk/pull/5788 From valeriep at openjdk.java.net Fri Oct 1 18:00:33 2021 From: valeriep at openjdk.java.net (Valerie Peng) Date: Fri, 1 Oct 2021 18:00:33 GMT Subject: RFR: 8264849: Add KW and KWP support to PKCS11 provider In-Reply-To: <0KVR5532GaoDXm9G6ErxqZZ-lKm-FvLtRzF0xlSOHb8=.3beeae0b-9386-4784-8701-2ae7b1f36edd@github.com> References: <0KVR5532GaoDXm9G6ErxqZZ-lKm-FvLtRzF0xlSOHb8=.3beeae0b-9386-4784-8701-2ae7b1f36edd@github.com> Message-ID: <0RvXkwDXeSVrGZEtMM-eR-m_DtgnM8hzvZb2xQsIyIg=.72f77e3f-9de4-493b-941c-91c8506ba233@github.com> On Wed, 29 Sep 2021 22:40:10 GMT, Anthony Scarpino wrote: >> Anyone has time to review this RFE for adding AES cipher with KW, KWP modes support to SunPKCS11 provider? >> >> The main changes are in only one new class, i.e. P11KeyWrapCipher.java, which is the CipherSpi impl for the native PKCS11 key wrap mechanisms. When testing against NSS library, it seems that they only support the single part enc/dec PKCS11 APIs, so have to use a new class as existing P11Cipher class relies on the multi part enc/dec PKCS11 APIs and do not support key wrapping/unwrapping. >> >> The rest are minor code refactoring and updates for the PKCS11 Exception class. >> The new regression tests are adapted from existing key wrap regression tests for SunJCE provider. >> >> Thanks, >> Valerie > > src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java line 824: > >> 822: } else if (e.match(CKR_ENCRYPTED_DATA_INVALID) || >> 823: e.match(CKR_GENERAL_ERROR)) { >> 824: // CKR_GENERAL_ERROR is Solaris-specific workaround > > With Solaris no longer support, this could be removed. Are you leaving it for backporting? Yes, thought that it may be useful in case this got backported. > src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyWrapCipher.java line 57: > >> 55: * doFinal() is called. >> 56: * >> 57: * @since 18 > > Is there only suppose to be one space between `@since` and 18? Sure, will fix. ------------- PR: https://git.openjdk.java.net/jdk/pull/5569 From valeriep at openjdk.java.net Fri Oct 1 18:07:34 2021 From: valeriep at openjdk.java.net (Valerie Peng) Date: Fri, 1 Oct 2021 18:07:34 GMT Subject: RFR: 8264849: Add KW and KWP support to PKCS11 provider In-Reply-To: <0KVR5532GaoDXm9G6ErxqZZ-lKm-FvLtRzF0xlSOHb8=.3beeae0b-9386-4784-8701-2ae7b1f36edd@github.com> References: <0KVR5532GaoDXm9G6ErxqZZ-lKm-FvLtRzF0xlSOHb8=.3beeae0b-9386-4784-8701-2ae7b1f36edd@github.com> Message-ID: On Wed, 29 Sep 2021 23:56:07 GMT, Anthony Scarpino wrote: >> Anyone has time to review this RFE for adding AES cipher with KW, KWP modes support to SunPKCS11 provider? >> >> The main changes are in only one new class, i.e. P11KeyWrapCipher.java, which is the CipherSpi impl for the native PKCS11 key wrap mechanisms. When testing against NSS library, it seems that they only support the single part enc/dec PKCS11 APIs, so have to use a new class as existing P11Cipher class relies on the multi part enc/dec PKCS11 APIs and do not support key wrapping/unwrapping. >> >> The rest are minor code refactoring and updates for the PKCS11 Exception class. >> The new regression tests are adapted from existing key wrap regression tests for SunJCE provider. >> >> Thanks, >> Valerie > > test/jdk/sun/security/pkcs11/Cipher/KeyWrap/TestCipherKeyWrapperTest.java line 65: > >> 63: // com/sun/crypto/provider/Cipher/KeyWrap/TestCipherKeyWrapperTest.java >> 64: public class TestCipherKeyWrapperTest extends PKCS11Test { >> 65: private static final int LINIMITED_KEYSIZE = 128; > > Did you mean this to be LIMITED_KEYSIZE? Not sure, the tests are adapted from the existing tests under com/sun/crypto/provider/Cipher/KeyWrap/ and I only do minimum edits to make them test against SunPKCS11 provider. ------------- PR: https://git.openjdk.java.net/jdk/pull/5569 From valeriep at openjdk.java.net Fri Oct 1 19:08:28 2021 From: valeriep at openjdk.java.net (Valerie Peng) Date: Fri, 1 Oct 2021 19:08:28 GMT Subject: RFR: 8264849: Add KW and KWP support to PKCS11 provider In-Reply-To: References: Message-ID: On Thu, 30 Sep 2021 23:05:44 GMT, Anthony Scarpino wrote: >> Anyone has time to review this RFE for adding AES cipher with KW, KWP modes support to SunPKCS11 provider? >> >> The main changes are in only one new class, i.e. P11KeyWrapCipher.java, which is the CipherSpi impl for the native PKCS11 key wrap mechanisms. When testing against NSS library, it seems that they only support the single part enc/dec PKCS11 APIs, so have to use a new class as existing P11Cipher class relies on the multi part enc/dec PKCS11 APIs and do not support key wrapping/unwrapping. >> >> The rest are minor code refactoring and updates for the PKCS11 Exception class. >> The new regression tests are adapted from existing key wrap regression tests for SunJCE provider. >> >> Thanks, >> Valerie > > test/jdk/sun/security/pkcs11/Cipher/KeyWrap/TestGeneral.java line 74: > >> 72: } >> 73: >> 74: //System.out.println("enc out.length=" + out.length); > > Lelftover debug line? Yes, will remove. ------------- PR: https://git.openjdk.java.net/jdk/pull/5569 From valeriep at openjdk.java.net Fri Oct 1 21:37:38 2021 From: valeriep at openjdk.java.net (Valerie Peng) Date: Fri, 1 Oct 2021 21:37:38 GMT Subject: RFR: 8264849: Add KW and KWP support to PKCS11 provider In-Reply-To: <0KVR5532GaoDXm9G6ErxqZZ-lKm-FvLtRzF0xlSOHb8=.3beeae0b-9386-4784-8701-2ae7b1f36edd@github.com> References: <0KVR5532GaoDXm9G6ErxqZZ-lKm-FvLtRzF0xlSOHb8=.3beeae0b-9386-4784-8701-2ae7b1f36edd@github.com> Message-ID: On Thu, 30 Sep 2021 02:32:33 GMT, Anthony Scarpino wrote: >> Anyone has time to review this RFE for adding AES cipher with KW, KWP modes support to SunPKCS11 provider? >> >> The main changes are in only one new class, i.e. P11KeyWrapCipher.java, which is the CipherSpi impl for the native PKCS11 key wrap mechanisms. When testing against NSS library, it seems that they only support the single part enc/dec PKCS11 APIs, so have to use a new class as existing P11Cipher class relies on the multi part enc/dec PKCS11 APIs and do not support key wrapping/unwrapping. >> >> The rest are minor code refactoring and updates for the PKCS11 Exception class. >> The new regression tests are adapted from existing key wrap regression tests for SunJCE provider. >> >> Thanks, >> Valerie > > src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyWrapCipher.java line 129: > >> 127: if (algoParts[0].startsWith("AES")) { >> 128: // need 3 parts >> 129: if (algoParts.length != 3) { > > At this point in the code, isn't it already certain to be a valid transform? The SunPKCS11 entries are limited to the valid transforms. Additionally do you really want AssertionError? Not NoSuchAlgorithmException? Hmm, you are right, no need to check again as there are code in javax.crypto.Cipher class which handles this. I will remove it. ------------- PR: https://git.openjdk.java.net/jdk/pull/5569 From hchao at openjdk.java.net Fri Oct 1 22:13:39 2021 From: hchao at openjdk.java.net (Hai-May Chao) Date: Fri, 1 Oct 2021 22:13:39 GMT Subject: RFR: 8274471: Verification of OCSP Response signed with RSASSA-PSS fails [v3] In-Reply-To: References: Message-ID: On Fri, 1 Oct 2021 14:43:24 GMT, Weijun Wang wrote: >> Extra parameters need to be set for RSASSA-PSS signatures. We already have a helper method for that. >> >> Some other cleanups: >> 1. When using GET for OCSP, make sure no double slash. >> 2. Several throws clauses are not necessary. >> >> No regression test. OCSP needs to access an external server. > > Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: > > verifier should not use automatically derived parameters fails Looks good. ------------- Marked as reviewed by hchao (Committer). PR: https://git.openjdk.java.net/jdk/pull/5778 From valeriep at openjdk.java.net Fri Oct 1 22:18:34 2021 From: valeriep at openjdk.java.net (Valerie Peng) Date: Fri, 1 Oct 2021 22:18:34 GMT Subject: RFR: 8264849: Add KW and KWP support to PKCS11 provider In-Reply-To: <0KVR5532GaoDXm9G6ErxqZZ-lKm-FvLtRzF0xlSOHb8=.3beeae0b-9386-4784-8701-2ae7b1f36edd@github.com> References: <0KVR5532GaoDXm9G6ErxqZZ-lKm-FvLtRzF0xlSOHb8=.3beeae0b-9386-4784-8701-2ae7b1f36edd@github.com> Message-ID: On Thu, 30 Sep 2021 19:14:10 GMT, Anthony Scarpino wrote: >> Anyone has time to review this RFE for adding AES cipher with KW, KWP modes support to SunPKCS11 provider? >> >> The main changes are in only one new class, i.e. P11KeyWrapCipher.java, which is the CipherSpi impl for the native PKCS11 key wrap mechanisms. When testing against NSS library, it seems that they only support the single part enc/dec PKCS11 APIs, so have to use a new class as existing P11Cipher class relies on the multi part enc/dec PKCS11 APIs and do not support key wrapping/unwrapping. >> >> The rest are minor code refactoring and updates for the PKCS11 Exception class. >> The new regression tests are adapted from existing key wrap regression tests for SunJCE provider. >> >> Thanks, >> Valerie > > src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyWrapCipher.java line 437: > >> 435: protected byte[] engineDoFinal(byte[] in, int inOfs, int inLen) >> 436: throws IllegalBlockSizeException, BadPaddingException { >> 437: int minOutLen = doFinalLength(inLen); > > nit: seems like this could be maxOutLen given it's the length used to allocate out[]. It can't be any larger, otherwise the operations would fail Sure, I will rename it to maxOutLen ------------- PR: https://git.openjdk.java.net/jdk/pull/5569 From valeriep at openjdk.java.net Fri Oct 1 23:59:38 2021 From: valeriep at openjdk.java.net (Valerie Peng) Date: Fri, 1 Oct 2021 23:59:38 GMT Subject: RFR: 8264849: Add KW and KWP support to PKCS11 provider In-Reply-To: References: Message-ID: On Fri, 1 Oct 2021 00:51:27 GMT, Anthony Scarpino wrote: >> Anyone has time to review this RFE for adding AES cipher with KW, KWP modes support to SunPKCS11 provider? >> >> The main changes are in only one new class, i.e. P11KeyWrapCipher.java, which is the CipherSpi impl for the native PKCS11 key wrap mechanisms. When testing against NSS library, it seems that they only support the single part enc/dec PKCS11 APIs, so have to use a new class as existing P11Cipher class relies on the multi part enc/dec PKCS11 APIs and do not support key wrapping/unwrapping. >> >> The rest are minor code refactoring and updates for the PKCS11 Exception class. >> The new regression tests are adapted from existing key wrap regression tests for SunJCE provider. >> >> Thanks, >> Valerie > > test/jdk/sun/security/pkcs11/Cipher/KeyWrap/TestGeneral.java line 30: > >> 28: * AES/KW/PKCS5Padding, and AES/KWP/NoPadding impls of SunPKCS11 provider. >> 29: * @library /test/lib ../.. >> 30: * @run main/othervm TestGeneral > > General question about all the tests. They use othervm, did they not work with agentvm? Hmm, good question. There are system provider manipulation code in PKCS11Test class, i.e. Security.addProvider(), Security.removeProvider() calls as well as setting/getting system properties. I suppose if we can be sure that things are back to a clean state after each test, then should be ok to use agentvm instead of othervm. ------------- PR: https://git.openjdk.java.net/jdk/pull/5569 From cverghese at openjdk.java.net Sat Oct 2 05:53:54 2021 From: cverghese at openjdk.java.net (Clive Verghese) Date: Sat, 2 Oct 2021 05:53:54 GMT Subject: RFR: 8274308: Improve efficiency for HandshakeContext initialization. Message-ID: Hi, We have identified that the `HandshakeContext` initialization takes up a close to 50% of the flame graph for startHandshake. I have moved the computation of the `activeProtocols` and `activeCipherSuites` from the HandshakeContext constructor to SSLConfiguration class because the values used to compute the two list are available in the SSLConfiguration. In order to reuse this, I have initialized SSLConfiguration in the SSLSocketFactory and reused this when possible for Client Socket Constructors in the SSLSocketImpl. Sockets created from the SSLSocketFactory see this improvements. Old Benchmarks Benchmark Mode Cnt Score Error Units SSLStartHandshake.handshakeBenchmark thrpt 25 0.247 ? 0.011 ops/ms SSLStartHandshake.handshakeBenchmark avgt 25 4.210 ? 0.445 ms/op New Benchmarks SSLStartHandshake.handshakeBenchmark thrpt 25 0.257 ? 0.017 ops/ms SSLStartHandshake.handshakeBenchmark avgt 25 3.967 ? 0.208 ms/op I have also attached the JFR profiles from before and after the change. Before SSLOverhead-old After SSLOverhead-new We have been able to optimize the `TransportContext.kickstart` function by removing the `HandshakeContext.` initialization and reduce the time to start the handshake by reusing `activeProtocols` and `activeCipherSuites` In addition to the SSL and http tests, I have run tier-1 and tier-2 tests and ensure that they pass. Looking for your feedback ------------- Commit messages: - 8274308: Improve efficiency for HandshakeContext initialization - Benchmark Changes: https://git.openjdk.java.net/jdk/pull/5793/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5793&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8274308 Stats: 796 lines in 8 files changed: 607 ins; 148 del; 41 mod Patch: https://git.openjdk.java.net/jdk/pull/5793.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5793/head:pull/5793 PR: https://git.openjdk.java.net/jdk/pull/5793 From kustos at gmx.net Sun Oct 3 15:32:05 2021 From: kustos at gmx.net (Philippe Marschall) Date: Sun, 3 Oct 2021 17:32:05 +0200 Subject: Different way to solve 8241047 Message-ID: Hello First I hope this is the right mailing list. Second, I realize I'm late to the party and this ship may already have sailed. We're using a third party library from a vendor that calls SSLSession.getPeerCertificateChain() [1]. The vendor is unlikely to ship a JDK 17 compatible version of this library this decade. I was wondering if any consideration was given to implementing #getPeerCertificateChain by calling #getPeerCertificates [2] and implementing javax.security.cert.X509Certificate by delegating to java.security.cert.X509Certificate [3]. I believe this would preserve source, binary and behavior compatibility while at the same time freeing implementations from having to deal with javax.security.cert types or #getPeerCertificateChain. The third party library we use does support configuring a custom SSLSocketFactory and we'll likely go with a custom SSLSocketFactory. [1] https://bugs.openjdk.java.net/browse/JDK-8241047 [2] https://github.com/marschall/legacy-compatibility-ssl-socket-factory/blob/master/src/main/java/com/github/marschall/legacycompatibilitysslsocketfactory/LegacyCompatibilitySSLSession.java#L86 [3] https://github.com/marschall/legacy-compatibility-ssl-socket-factory/blob/master/src/main/java/com/github/marschall/legacycompatibilitysslsocketfactory/CertificateAdapter.java Cheers Philippe From github.com+30433125+djelinski at openjdk.java.net Mon Oct 4 06:34:20 2021 From: github.com+30433125+djelinski at openjdk.java.net (Daniel =?UTF-8?B?SmVsacWEc2tp?=) Date: Mon, 4 Oct 2021 06:34:20 GMT Subject: RFR: 8274308: Improve efficiency for HandshakeContext initialization. In-Reply-To: References: Message-ID: On Sat, 2 Oct 2021 05:45:47 GMT, Clive Verghese wrote: > Hi, > > We have identified that the `HandshakeContext` initialization takes up a close to 50% of the flame graph for startHandshake. I have moved the computation of the `activeProtocols` and `activeCipherSuites` from the HandshakeContext constructor to SSLConfiguration class because the values used to compute the two list are available in the SSLConfiguration. > > In order to reuse this, I have initialized SSLConfiguration in the SSLSocketFactory and reused this when possible for Client Socket Constructors in the SSLSocketImpl. > > Sockets created from the SSLSocketFactory see this improvements. > > Old Benchmarks > > Benchmark Mode Cnt Score Error Units > SSLStartHandshake.handshakeBenchmark thrpt 25 0.247 ? 0.011 ops/ms > SSLStartHandshake.handshakeBenchmark avgt 25 4.210 ? 0.445 ms/op > > New Benchmarks > > SSLStartHandshake.handshakeBenchmark thrpt 25 0.257 ? 0.017 ops/ms > SSLStartHandshake.handshakeBenchmark avgt 25 3.967 ? 0.208 ms/op > > > > I have also attached the JFR profiles from before and after the change. > Before > SSLOverhead-old > > After > SSLOverhead-new > > We have been able to optimize the `TransportContext.kickstart` function by removing the `HandshakeContext.` initialization and reduce the time to start the handshake by reusing `activeProtocols` and `activeCipherSuites` > > In addition to the SSL and http tests, I have run tier-1 and tier-2 tests and ensure that they pass. > > Looking for your feedback The results look very impressive. Could you also benchmark SSLEngine? With SSLEngine we could benchmark the improvements on client and server side separately, and OS's socket handling wouldn't influence the results. I quickly hacked together a SSLEngine benchmark for server-side handshakes [here](https://github.com/djelinski/jdk/blob/2bee5c471b41d60d4248d5d16e868060f0efda19/test/micro/org/openjdk/bench/java/security/SSLEngineStartHandshake.java); note that on the server side I run the following code on every connection; SSLEngine serverEngine = context.createSSLEngine(); serverEngine.setUseClientMode(false); serverEngine.setEnabledProtocols(new String[]{"TLSv1.3"}); serverEngine.setEnabledCipherSuites(new String[]{"TLS_AES_256_GCM_SHA384"}); serverEngine.beginHandshake(); not sure if that's the best way to initialize SSLEngine. Anyway, in this setup I observed a 16% performance degradation; results without your patch: Benchmark Mode Cnt Score Error Units SSLEngineStartHandshake.handshakeBenchmark thrpt 25 0.837 ? 0.006 ops/ms SSLEngineStartHandshake.handshakeBenchmark avgt 25 1.187 ? 0.006 ms/op with your patch: Benchmark Mode Cnt Score Error Units SSLEngineStartHandshake.handshakeBenchmark thrpt 25 0.702 ? 0.009 ops/ms SSLEngineStartHandshake.handshakeBenchmark avgt 25 1.416 ? 0.013 ms/op ------------- PR: https://git.openjdk.java.net/jdk/pull/5793 From cverghese at openjdk.java.net Mon Oct 4 06:34:35 2021 From: cverghese at openjdk.java.net (Clive Verghese) Date: Mon, 4 Oct 2021 06:34:35 GMT Subject: RFR: 8274308: Improve efficiency for HandshakeContext initialization. In-Reply-To: References: Message-ID: On Sun, 3 Oct 2021 18:20:29 GMT, Daniel Jeli?ski wrote: >> Hi, >> >> We have identified that the `HandshakeContext` initialization takes up a close to 50% of the flame graph for startHandshake. I have moved the computation of the `activeProtocols` and `activeCipherSuites` from the HandshakeContext constructor to SSLConfiguration class because the values used to compute the two list are available in the SSLConfiguration. >> >> In order to reuse this, I have initialized SSLConfiguration in the SSLSocketFactory and reused this when possible for Client Socket Constructors in the SSLSocketImpl. >> >> Sockets created from the SSLSocketFactory see this improvements. >> >> Old Benchmarks >> >> Benchmark Mode Cnt Score Error Units >> SSLStartHandshake.handshakeBenchmark thrpt 25 0.247 ? 0.011 ops/ms >> SSLStartHandshake.handshakeBenchmark avgt 25 4.210 ? 0.445 ms/op >> >> New Benchmarks >> >> SSLStartHandshake.handshakeBenchmark thrpt 25 0.257 ? 0.017 ops/ms >> SSLStartHandshake.handshakeBenchmark avgt 25 3.967 ? 0.208 ms/op >> >> >> >> I have also attached the JFR profiles from before and after the change. >> Before >> SSLOverhead-old >> >> After >> SSLOverhead-new >> >> We have been able to optimize the `TransportContext.kickstart` function by removing the `HandshakeContext.` initialization and reduce the time to start the handshake by reusing `activeProtocols` and `activeCipherSuites` >> >> In addition to the SSL and http tests, I have run tier-1 and tier-2 tests and ensure that they pass. >> >> Looking for your feedback > > I quickly hacked together a SSLEngine benchmark for server-side handshakes [here](https://github.com/djelinski/jdk/blob/2bee5c471b41d60d4248d5d16e868060f0efda19/test/micro/org/openjdk/bench/java/security/SSLEngineStartHandshake.java); note that on the server side I run the following code on every connection; > > SSLEngine serverEngine = context.createSSLEngine(); > serverEngine.setUseClientMode(false); > serverEngine.setEnabledProtocols(new String[]{"TLSv1.3"}); > serverEngine.setEnabledCipherSuites(new String[]{"TLS_AES_256_GCM_SHA384"}); > serverEngine.beginHandshake(); > > not sure if that's the best way to initialize SSLEngine. Anyway, in this setup I observed a 16% performance degradation; results without your patch: > > Benchmark Mode Cnt Score Error Units > SSLEngineStartHandshake.handshakeBenchmark thrpt 25 0.837 ? 0.006 ops/ms > SSLEngineStartHandshake.handshakeBenchmark avgt 25 1.187 ? 0.006 ms/op > > with your patch: > > Benchmark Mode Cnt Score Error Units > SSLEngineStartHandshake.handshakeBenchmark thrpt 25 0.702 ? 0.009 ops/ms > SSLEngineStartHandshake.handshakeBenchmark avgt 25 1.416 ? 0.013 ms/op Hi @djelinski Thank you for putting this together. I will investigate the results of your benchmarks. ------------- PR: https://git.openjdk.java.net/jdk/pull/5793 From github.com+1887540+benefrati at openjdk.java.net Mon Oct 4 07:08:07 2021 From: github.com+1887540+benefrati at openjdk.java.net (BenEfrati) Date: Mon, 4 Oct 2021 07:08:07 GMT Subject: RFR: 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key In-Reply-To: References: Message-ID: On Fri, 23 Jul 2021 10:33:14 GMT, Alexey Bakhtin wrote: > Hello, > > Could you please review the small patch for the issue described in JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key > > I suggest updating the RSAPSSSignature.isValid() method to verify if provided key components can be applied to SunRSASign implementation. > If not applied, implementation can try to select signer from other providers > > Regards > Alexey Hey, Same issue using nCipherKM provider Caused by: com.ncipher.provider.nCSecurityException: The key material is not exportable outside of the HSM at com.ncipher.provider.Utils.exportKey(Utils.java:1539) at com.ncipher.provider.Utils.getCrtParams(Utils.java:1486) at com.ncipher.provider.km.KMRSAPrivateCrtKey.getPrimeP(KMRSAPrivateCrtKey.java:87) at sun.security.rsa.RSACore.crtCrypt(RSACore.java:168) at sun.security.rsa.RSACore.rsa(RSACore.java:122) at sun.security.rsa.RSAPSSSignature.engineSign(RSAPSSSignature.java:371) at java.security.Signature.engineSign(Signature.java:1382) at java.security.Signature.sign(Signature.java:698) at sun.security.ssl.CertificateVerify.(CertificateVerify.java:608) at sun.security.ssl.CertificateVerify.produce(CertificateVerify.java:760) at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:421) at sun.security.ssl.ServerHelloDone.consume(ServerHelloDone.java:182) at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377) at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182) at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149) at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1143) at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1054) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:394) Is this fix is planned for OpenJDK 8u312? ------------- PR: https://git.openjdk.java.net/jdk/pull/4887 From github.com+741251+turbanoff at openjdk.java.net Mon Oct 4 07:39:17 2021 From: github.com+741251+turbanoff at openjdk.java.net (Andrey Turbanov) Date: Mon, 4 Oct 2021 07:39:17 GMT Subject: RFR: 8274679: Remove unnecessary conversion to String in security code in java.base Message-ID: <6dwlq8Qcojm7hEvmWW1AHyd-Ucs40xbvNZnW70uFnh0=.49999deb-c869-4da1-9904-f1e4ddd5b6e9@github.com> Cleanup unnecessary String.valueOf calls (and similar) when conversion will happen implicitly anyway. ------------- Commit messages: - [PATCH] Remove unnecessary conversion to String in security code in java.base Changes: https://git.openjdk.java.net/jdk/pull/5798/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5798&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8274679 Stats: 57 lines in 14 files changed: 0 ins; 8 del; 49 mod Patch: https://git.openjdk.java.net/jdk/pull/5798.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5798/head:pull/5798 PR: https://git.openjdk.java.net/jdk/pull/5798 From abakhtin at openjdk.java.net Mon Oct 4 08:07:11 2021 From: abakhtin at openjdk.java.net (Alexey Bakhtin) Date: Mon, 4 Oct 2021 08:07:11 GMT Subject: RFR: 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key In-Reply-To: References: Message-ID: On Sun, 3 Oct 2021 09:11:40 GMT, BenEfrati wrote: > Is this fix is planned for OpenJDK 8u312? Hi @BenEfrati, No chance to go to OpenJDK 8u312. Maybe 8u322 if it will be approved ------------- PR: https://git.openjdk.java.net/jdk/pull/4887 From github.com+10835776+stsypanov at openjdk.java.net Mon Oct 4 13:10:10 2021 From: github.com+10835776+stsypanov at openjdk.java.net (=?UTF-8?B?0KHQtdGA0LPQtdC5?= =?UTF-8?B?IA==?= =?UTF-8?B?0KbRi9C/0LDQvdC+0LI=?=) Date: Mon, 4 Oct 2021 13:10:10 GMT Subject: RFR: 8274308: Improve efficiency for HandshakeContext initialization. In-Reply-To: References: Message-ID: On Sat, 2 Oct 2021 05:45:47 GMT, Clive Verghese wrote: > Hi, > > We have identified that the `HandshakeContext` initialization takes up a close to 50% of the flame graph for startHandshake. I have moved the computation of the `activeProtocols` and `activeCipherSuites` from the HandshakeContext constructor to SSLConfiguration class because the values used to compute the two list are available in the SSLConfiguration. > > In order to reuse this, I have initialized SSLConfiguration in the SSLSocketFactory and reused this when possible for Client Socket Constructors in the SSLSocketImpl. > > Sockets created from the SSLSocketFactory see this improvements. > > Old Benchmarks > > Benchmark Mode Cnt Score Error Units > SSLStartHandshake.handshakeBenchmark thrpt 25 0.247 ? 0.011 ops/ms > SSLStartHandshake.handshakeBenchmark avgt 25 4.210 ? 0.445 ms/op > > New Benchmarks > > SSLStartHandshake.handshakeBenchmark thrpt 25 0.257 ? 0.017 ops/ms > SSLStartHandshake.handshakeBenchmark avgt 25 3.967 ? 0.208 ms/op > > > > I have also attached the JFR profiles from before and after the change. > Before > SSLOverhead-old > > After > SSLOverhead-new > > We have been able to optimize the `TransportContext.kickstart` function by removing the `HandshakeContext.` initialization and reduce the time to start the handshake by reusing `activeProtocols` and `activeCipherSuites` > > In addition to the SSL and http tests, I have run tier-1 and tier-2 tests and ensure that they pass. > > Looking for your feedback src/java.base/share/classes/sun/security/ssl/HandshakeContext.java line 169: > 167: this.algorithmConstraints = new SSLAlgorithmConstraints( > 168: sslConfig.userSpecifiedAlgorithmConstraints); > 169: this.activeProtocols = new LinkedList(sslConfig.activeProtocols); Just wonder why LinkedLIst, not ArrayList? ------------- PR: https://git.openjdk.java.net/jdk/pull/5793 From weijun at openjdk.java.net Mon Oct 4 13:38:12 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Mon, 4 Oct 2021 13:38:12 GMT Subject: RFR: 8274679: Remove unnecessary conversion to String in security code in java.base In-Reply-To: <6dwlq8Qcojm7hEvmWW1AHyd-Ucs40xbvNZnW70uFnh0=.49999deb-c869-4da1-9904-f1e4ddd5b6e9@github.com> References: <6dwlq8Qcojm7hEvmWW1AHyd-Ucs40xbvNZnW70uFnh0=.49999deb-c869-4da1-9904-f1e4ddd5b6e9@github.com> Message-ID: On Sun, 3 Oct 2021 16:24:33 GMT, Andrey Turbanov wrote: > Cleanup unnecessary String.valueOf calls (and similar) when conversion will happen implicitly anyway. Change looks fine. Thanks for taking of this. ------------- Marked as reviewed by weijun (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/5798 From weijun at openjdk.java.net Mon Oct 4 14:03:09 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Mon, 4 Oct 2021 14:03:09 GMT Subject: RFR: 8273026: Slow LoginContext.login() on multi threading application In-Reply-To: References: Message-ID: <-v-g_AZBWN_FeMpHTD9MZaJhVwAbFexqtbAFaq-cJ0M=.8667796b-cb16-4d67-870e-2237d48bfeda@github.com> On Wed, 29 Sep 2021 10:45:41 GMT, Larry-N wrote: > This fix adds a cache of service provider classes to LoginContext (in particular, it's a cache of LoginModules classes). The approach helps to increase the performance of the LoginContext.login() method significantly, especially in a multi-threading environment. Service Loader is used for polling on Service Provider classes, without instantiating LoginModules object if Service Provider name doesn't match record in .config file. The set of service providers is cached for each Context Loader separately. > This code passed successfully tier1 and tier2 tests on mac os. src/java.base/share/classes/javax/security/auth/login/LoginContext.java line 306: > 304: () -> java.util.ServiceLoader.load( > 305: LoginModule.class, contextClassLoader)); > 306: Set> lmProviders = sc.stream().collect(Collectors.toSet()); It's probably necessary to put the `collect` call above inside doPriv as well. The actual class loading might happen later. ------------- PR: https://git.openjdk.java.net/jdk/pull/5748 From weijun at openjdk.java.net Mon Oct 4 14:22:08 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Mon, 4 Oct 2021 14:22:08 GMT Subject: RFR: 8273026: Slow LoginContext.login() on multi threading application In-Reply-To: References: Message-ID: On Wed, 29 Sep 2021 10:45:41 GMT, Larry-N wrote: > This fix adds a cache of service provider classes to LoginContext (in particular, it's a cache of LoginModules classes). The approach helps to increase the performance of the LoginContext.login() method significantly, especially in a multi-threading environment. Service Loader is used for polling on Service Provider classes, without instantiating LoginModules object if Service Provider name doesn't match record in .config file. The set of service providers is cached for each Context Loader separately. > This code passed successfully tier1 and tier2 tests on mac os. src/java.base/share/classes/javax/security/auth/login/LoginContext.java line 721: > 719: for ( Provider lm: lmp){ > 720: if (lm.type().getName().equals(name)){ > 721: moduleStack[i].module = lm.get(); There is a small behavior change here. Originally the login module class is loaded first and then its name is checked. With this change, the name is first checked and then class loaded. This is certainly a performance boost but unfortunately the test at `test/jdk/javax/security/auth/spi/Loader.java` would fail. That test was written to ensure that services provided through a service loader are checked first and then fallback to `Class.forName()`. Either you need to enhance the test to confirm this in a new way, or it would have to be removed. ------------- PR: https://git.openjdk.java.net/jdk/pull/5748 From weijun at openjdk.java.net Mon Oct 4 14:25:14 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Mon, 4 Oct 2021 14:25:14 GMT Subject: RFR: 8274333: Redundant null comparison after Pattern.split In-Reply-To: References: Message-ID: On Sun, 26 Sep 2021 15:10:52 GMT, Andrey Turbanov wrote: > In couple of classes, result part of arrays of Pattern.split is compared with `null`. Pattern.split (and hence String.split) never returns `null` in array elements. Such comparisons are redundant. Marked as reviewed by weijun (Reviewer). ------------- PR: https://git.openjdk.java.net/jdk/pull/5708 From jnimeh at openjdk.java.net Mon Oct 4 15:27:08 2021 From: jnimeh at openjdk.java.net (Jamil Nimeh) Date: Mon, 4 Oct 2021 15:27:08 GMT Subject: RFR: 8274471: Verification of OCSP Response signed with RSASSA-PSS fails [v3] In-Reply-To: References: Message-ID: On Fri, 1 Oct 2021 14:43:24 GMT, Weijun Wang wrote: >> Extra parameters need to be set for RSASSA-PSS signatures. We already have a helper method for that. >> >> Some other cleanups: >> 1. When using GET for OCSP, make sure no double slash. >> 2. Several throws clauses are not necessary. >> >> No regression test. OCSP needs to access an external server. > > Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: > > verifier should not use automatically derived parameters fails Looks good. I like the algorithm agility enhancements to SimpleOCSPServer and CertificateBuilder. ------------- Marked as reviewed by jnimeh (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/5778 From weijun at openjdk.java.net Mon Oct 4 15:34:10 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Mon, 4 Oct 2021 15:34:10 GMT Subject: Integrated: 8274471: Verification of OCSP Response signed with RSASSA-PSS fails In-Reply-To: References: Message-ID: <5_DfeMsAEWMWC8OC1I0K3f17Fbos6D2q2dEYZmZz8hA=.3c2f2516-2130-4efc-a5b2-5ac530051b5a@github.com> On Thu, 30 Sep 2021 15:44:32 GMT, Weijun Wang wrote: > Extra parameters need to be set for RSASSA-PSS signatures. We already have a helper method for that. > > Some other cleanups: > 1. When using GET for OCSP, make sure no double slash. > 2. Several throws clauses are not necessary. > > No regression test. OCSP needs to access an external server. This pull request has now been integrated. Changeset: f63c4a83 Author: Weijun Wang URL: https://git.openjdk.java.net/jdk/commit/f63c4a832a1aea451f47aaf86d5361e970c6a28f Stats: 112 lines in 9 files changed: 26 ins; 47 del; 39 mod 8274471: Verification of OCSP Response signed with RSASSA-PSS fails Reviewed-by: hchao, jnimeh ------------- PR: https://git.openjdk.java.net/jdk/pull/5778 From weijun at openjdk.java.net Mon Oct 4 17:47:16 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Mon, 4 Oct 2021 17:47:16 GMT Subject: RFR: 8274721: UnixSystem fails to provide uid, gid or groups if no username is available Message-ID: Two changes: 1. Calculation of groups is put in a separate block. 2. Add fallback for uid and gid No regression test. Hard to reproduce bud reporter's environment in jtreg. ------------- Commit messages: - 8274721: UnixSystem fails to provide uid, gid or groups if no username is available Changes: https://git.openjdk.java.net/jdk/pull/5808/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5808&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8274721 Stats: 47 lines in 1 file changed: 15 ins; 6 del; 26 mod Patch: https://git.openjdk.java.net/jdk/pull/5808.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5808/head:pull/5808 PR: https://git.openjdk.java.net/jdk/pull/5808 From valeriep at openjdk.java.net Mon Oct 4 18:51:09 2021 From: valeriep at openjdk.java.net (Valerie Peng) Date: Mon, 4 Oct 2021 18:51:09 GMT Subject: RFR: 8273670: Remove weak etypes from default krb5 etype list [v5] In-Reply-To: References: <8riZXsI2hujdk0CMDRn856-Am5CQtjsuEN_cnNhaoNg=.03da33f1-7d8a-41af-8da3-88598fd1e410@github.com> Message-ID: On Fri, 1 Oct 2021 17:09:03 GMT, Weijun Wang wrote: >> This code change removes weak etypes from the default list so it's safer to enable one of them. See the corresponding CSR at https://bugs.openjdk.java.net/browse/JDK-8274207 for more explanation. BTW, please review the CSR as well. > > Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: > > backout checksum changes > > reverted: Marked as reviewed by valeriep (Reviewer). ------------- PR: https://git.openjdk.java.net/jdk/pull/5654 From valeriep at openjdk.java.net Mon Oct 4 19:21:07 2021 From: valeriep at openjdk.java.net (Valerie Peng) Date: Mon, 4 Oct 2021 19:21:07 GMT Subject: RFR: 8274656: Remove default_checksum and safe_checksum_type from krb5.conf In-Reply-To: <5_dUkH9npb4WOgEq8wSkJQWHxQgsQ2jR-ueFrLDUYgg=.5a58c92f-fd71-48f4-8073-9684a52ad5d3@github.com> References: <5_dUkH9npb4WOgEq8wSkJQWHxQgsQ2jR-ueFrLDUYgg=.5a58c92f-fd71-48f4-8073-9684a52ad5d3@github.com> Message-ID: <2Lmj3dJpuUJXMBDqrS9DexxJ1Zk7djfTw9yPdb3S8a8=.f47cf8d9-ffb5-4f7a-984a-09c2d0b17e25@github.com> On Fri, 1 Oct 2021 17:36:13 GMT, Weijun Wang wrote: > Remove support for the 2 settings. Remove classes around the KRB_PRIV and KRB_SAFE message types that were never used in Java. src/java.security.jgss/share/classes/sun/security/krb5/Checksum.java line 75: > 73: // draft-brezak-win2k-krb-rc4-hmac-04.txt > 74: public static final int CKSUMTYPE_HMAC_MD5_ARCFOUR = -138; > 75: nit: How about updating and fixing the copyright years? ------------- PR: https://git.openjdk.java.net/jdk/pull/5788 From weijun at openjdk.java.net Mon Oct 4 19:25:06 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Mon, 4 Oct 2021 19:25:06 GMT Subject: RFR: 8274656: Remove default_checksum and safe_checksum_type from krb5.conf In-Reply-To: <2Lmj3dJpuUJXMBDqrS9DexxJ1Zk7djfTw9yPdb3S8a8=.f47cf8d9-ffb5-4f7a-984a-09c2d0b17e25@github.com> References: <5_dUkH9npb4WOgEq8wSkJQWHxQgsQ2jR-ueFrLDUYgg=.5a58c92f-fd71-48f4-8073-9684a52ad5d3@github.com> <2Lmj3dJpuUJXMBDqrS9DexxJ1Zk7djfTw9yPdb3S8a8=.f47cf8d9-ffb5-4f7a-984a-09c2d0b17e25@github.com> Message-ID: On Mon, 4 Oct 2021 19:18:18 GMT, Valerie Peng wrote: >> Remove support for the 2 settings. Remove classes around the KRB_PRIV and KRB_SAFE message types that were never used in Java. > > src/java.security.jgss/share/classes/sun/security/krb5/Checksum.java line 75: > >> 73: // draft-brezak-win2k-krb-rc4-hmac-04.txt >> 74: public static final int CKSUMTYPE_HMAC_MD5_ARCFOUR = -138; >> 75: > > nit: How about updating and fixing the copyright years? Will update it in the next commit. ------------- PR: https://git.openjdk.java.net/jdk/pull/5788 From weijun at openjdk.java.net Mon Oct 4 19:32:30 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Mon, 4 Oct 2021 19:32:30 GMT Subject: RFR: 8274656: Remove default_checksum and safe_checksum_type from krb5.conf [v2] In-Reply-To: <5_dUkH9npb4WOgEq8wSkJQWHxQgsQ2jR-ueFrLDUYgg=.5a58c92f-fd71-48f4-8073-9684a52ad5d3@github.com> References: <5_dUkH9npb4WOgEq8wSkJQWHxQgsQ2jR-ueFrLDUYgg=.5a58c92f-fd71-48f4-8073-9684a52ad5d3@github.com> Message-ID: > Remove support for the 2 settings. Remove classes around the KRB_PRIV and KRB_SAFE message types that were never used in Java. Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: update copyright years ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5788/files - new: https://git.openjdk.java.net/jdk/pull/5788/files/dd85a079..83b94920 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5788&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5788&range=00-01 Stats: 3 lines in 3 files changed: 0 ins; 0 del; 3 mod Patch: https://git.openjdk.java.net/jdk/pull/5788.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5788/head:pull/5788 PR: https://git.openjdk.java.net/jdk/pull/5788 From valeriep at openjdk.java.net Mon Oct 4 19:32:30 2021 From: valeriep at openjdk.java.net (Valerie Peng) Date: Mon, 4 Oct 2021 19:32:30 GMT Subject: RFR: 8274656: Remove default_checksum and safe_checksum_type from krb5.conf In-Reply-To: <5_dUkH9npb4WOgEq8wSkJQWHxQgsQ2jR-ueFrLDUYgg=.5a58c92f-fd71-48f4-8073-9684a52ad5d3@github.com> References: <5_dUkH9npb4WOgEq8wSkJQWHxQgsQ2jR-ueFrLDUYgg=.5a58c92f-fd71-48f4-8073-9684a52ad5d3@github.com> Message-ID: On Fri, 1 Oct 2021 17:36:13 GMT, Weijun Wang wrote: > Remove support for the 2 settings. Remove classes around the KRB_PRIV and KRB_SAFE message types that were never used in Java. Do we still need all the constants defined in sun/security/krb5/internal/cryptoKeyUsage.java now that the corresponding classes are removed? ------------- PR: https://git.openjdk.java.net/jdk/pull/5788 From valeriep at openjdk.java.net Mon Oct 4 19:32:31 2021 From: valeriep at openjdk.java.net (Valerie Peng) Date: Mon, 4 Oct 2021 19:32:31 GMT Subject: RFR: 8274656: Remove default_checksum and safe_checksum_type from krb5.conf [v2] In-Reply-To: References: <5_dUkH9npb4WOgEq8wSkJQWHxQgsQ2jR-ueFrLDUYgg=.5a58c92f-fd71-48f4-8073-9684a52ad5d3@github.com> Message-ID: On Mon, 4 Oct 2021 19:29:27 GMT, Weijun Wang wrote: >> Remove support for the 2 settings. Remove classes around the KRB_PRIV and KRB_SAFE message types that were never used in Java. > > Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: > > update copyright years src/java.security.jgss/share/classes/sun/security/krb5/KrbTgsReq.java line 320: > 318: byte[] temp = reqBody.asn1Encode(Krb5.KRB_TGS_REQ); > 319: // if the checksum type is one of the keyed checksum types, > 320: // use session key. nit: does this comment need updating? ------------- PR: https://git.openjdk.java.net/jdk/pull/5788 From weijun at openjdk.java.net Mon Oct 4 19:32:32 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Mon, 4 Oct 2021 19:32:32 GMT Subject: RFR: 8274656: Remove default_checksum and safe_checksum_type from krb5.conf [v2] In-Reply-To: References: <5_dUkH9npb4WOgEq8wSkJQWHxQgsQ2jR-ueFrLDUYgg=.5a58c92f-fd71-48f4-8073-9684a52ad5d3@github.com> Message-ID: On Mon, 4 Oct 2021 19:26:04 GMT, Valerie Peng wrote: >> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: >> >> update copyright years > > src/java.security.jgss/share/classes/sun/security/krb5/KrbTgsReq.java line 320: > >> 318: byte[] temp = reqBody.asn1Encode(Krb5.KRB_TGS_REQ); >> 319: // if the checksum type is one of the keyed checksum types, >> 320: // use session key. > > nit: does this comment need updating? Will remove it. I think there is no need to explain why -1 is used. ------------- PR: https://git.openjdk.java.net/jdk/pull/5788 From weijun at openjdk.java.net Mon Oct 4 19:42:08 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Mon, 4 Oct 2021 19:42:08 GMT Subject: RFR: 8274656: Remove default_checksum and safe_checksum_type from krb5.conf In-Reply-To: References: <5_dUkH9npb4WOgEq8wSkJQWHxQgsQ2jR-ueFrLDUYgg=.5a58c92f-fd71-48f4-8073-9684a52ad5d3@github.com> Message-ID: On Mon, 4 Oct 2021 19:29:27 GMT, Valerie Peng wrote: > Do we still need all the constants defined in sun/security/krb5/internal/cryptoKeyUsage.java now that the corresponding classes are removed? I haven't touched this file, and I also haven't cleaned up constants in `sun/security/krb5/internal/Krb5.java`. I thought they can just be left there as placeholders. ------------- PR: https://git.openjdk.java.net/jdk/pull/5788 From valeriep at openjdk.java.net Mon Oct 4 19:59:08 2021 From: valeriep at openjdk.java.net (Valerie Peng) Date: Mon, 4 Oct 2021 19:59:08 GMT Subject: RFR: 8274656: Remove default_checksum and safe_checksum_type from krb5.conf [v2] In-Reply-To: References: <5_dUkH9npb4WOgEq8wSkJQWHxQgsQ2jR-ueFrLDUYgg=.5a58c92f-fd71-48f4-8073-9684a52ad5d3@github.com> Message-ID: <8Lqc1vIelxx98OQYz9uHVEdLZmtZxuMiuaRcfouqdKA=.3999524a-04dc-48b7-bf73-384725d2abaa@github.com> On Mon, 4 Oct 2021 19:28:30 GMT, Weijun Wang wrote: >> src/java.security.jgss/share/classes/sun/security/krb5/KrbTgsReq.java line 320: >> >>> 318: byte[] temp = reqBody.asn1Encode(Krb5.KRB_TGS_REQ); >>> 319: // if the checksum type is one of the keyed checksum types, >>> 320: // use session key. >> >> nit: does this comment need updating? > > Will remove it. I think there is no need to explain why -1 is used. Sure ------------- PR: https://git.openjdk.java.net/jdk/pull/5788 From weijun at openjdk.java.net Tue Oct 5 01:00:11 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 5 Oct 2021 01:00:11 GMT Subject: RFR: 8273026: Slow LoginContext.login() on multi threading application In-Reply-To: <-v-g_AZBWN_FeMpHTD9MZaJhVwAbFexqtbAFaq-cJ0M=.8667796b-cb16-4d67-870e-2237d48bfeda@github.com> References: <-v-g_AZBWN_FeMpHTD9MZaJhVwAbFexqtbAFaq-cJ0M=.8667796b-cb16-4d67-870e-2237d48bfeda@github.com> Message-ID: On Mon, 4 Oct 2021 13:59:43 GMT, Weijun Wang wrote: >> This fix adds a cache of service provider classes to LoginContext (in particular, it's a cache of LoginModules classes). The approach helps to increase the performance of the LoginContext.login() method significantly, especially in a multi-threading environment. Service Loader is used for polling on Service Provider classes, without instantiating LoginModules object if Service Provider name doesn't match record in .config file. The set of service providers is cached for each Context Loader separately. >> This code passed successfully tier1 and tier2 tests on mac os. > > src/java.base/share/classes/javax/security/auth/login/LoginContext.java line 306: > >> 304: () -> java.util.ServiceLoader.load( >> 305: LoginModule.class, contextClassLoader)); >> 306: Set> lmProviders = sc.stream().collect(Collectors.toSet()); > > It's probably necessary to put the `collect` call above inside doPriv as well. The actual class loading might happen later. I'm seeing a JCK failure on this change. Will investigate more. At the same time, is it possible to merge this synchronized block into the one below? ------------- PR: https://git.openjdk.java.net/jdk/pull/5748 From aefimov at openjdk.java.net Tue Oct 5 12:10:28 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Tue, 5 Oct 2021 12:10:28 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI Message-ID: This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. The following API classes are added to `java.net.spi` package to facilitate this: - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. More details in [JEP-418](https://openjdk.java.net/jeps/418). Testing: new and existing `tier1:tier3` tests ------------- Commit messages: - 8244202: Implementation of JEP 418: Internet-Address Resolution SPI Changes: https://git.openjdk.java.net/jdk/pull/5822/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5822&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8244202 Stats: 2779 lines in 50 files changed: 2524 ins; 134 del; 121 mod Patch: https://git.openjdk.java.net/jdk/pull/5822.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5822/head:pull/5822 PR: https://git.openjdk.java.net/jdk/pull/5822 From github.com+741251+turbanoff at openjdk.java.net Tue Oct 5 13:40:12 2021 From: github.com+741251+turbanoff at openjdk.java.net (Andrey Turbanov) Date: Tue, 5 Oct 2021 13:40:12 GMT Subject: Integrated: 8274079: Cleanup unnecessary calls to Throwable.initCause() in java.base module In-Reply-To: References: Message-ID: On Thu, 16 Sep 2021 19:03:26 GMT, Andrey Turbanov wrote: > Pass "cause" exception as constructor parameter is shorter and easier to read. This pull request has now been integrated. Changeset: 1459180f Author: Andrey Turbanov Committer: Weijun Wang URL: https://git.openjdk.java.net/jdk/commit/1459180f352a5632c0afca2ed55abf31e4b0bfb0 Stats: 132 lines in 22 files changed: 0 ins; 77 del; 55 mod 8274079: Cleanup unnecessary calls to Throwable.initCause() in java.base module Reviewed-by: weijun ------------- PR: https://git.openjdk.java.net/jdk/pull/5551 From aph-open at littlepinkcloud.com Tue Oct 5 13:55:07 2021 From: aph-open at littlepinkcloud.com (Andrew Haley) Date: Tue, 5 Oct 2021 14:55:07 +0100 Subject: Please have a quick look at 8274730: AArch64: AES/GCM acceleration is broken by the fix for JDK-8273297 Message-ID: <933c7ca3-2168-74a5-9f3d-68202005d1ec@littlepinkcloud.com> I had to touch common code in C2 to unbreak AArch64, so I'd like another reviewer, please. It's pretty simple, thanks. https://github.com/openjdk/jdk/pull/5819 -- Andrew Haley (he/him) Java Platform Lead Engineer Red Hat UK Ltd. https://keybase.io/andrewhaley EAC8 43EB D3EF DB98 CC77 2FAD A5CD 6035 332F A671 From sean.mullan at oracle.com Tue Oct 5 14:27:27 2021 From: sean.mullan at oracle.com (Sean Mullan) Date: Tue, 5 Oct 2021 10:27:27 -0400 Subject: Different way to solve 8241047 In-Reply-To: References: Message-ID: <09c69566-b8ea-9101-ff07-570922098a3e@oracle.com> Hi Philippe, On 10/3/21 11:32 AM, Philippe Marschall wrote: > Hello > > First I hope this is the right mailing list. Second, I realize I'm late > to the party and this ship may already have sailed. Yes, this is the right mailing list. > We're using a third party library from a vendor that calls > SSLSession.getPeerCertificateChain() [1]. The vendor is unlikely to ship > a JDK 17 compatible version of this library this decade. The method in question has not been removed from 17 so their code should continue to work as long as the deprecated methods continue to be overridden. It's unfortunate that the 3rd party library cannot be changed - is it active? The SSLSession.getPeerCertificateChain() has been deprecated since Java 9 and marked for removal since Java 13, and there has been a replacement API available SSLSession.getPeerCertificates() since Java 1.4. That's a lot of time to migrate. > I was wondering if any consideration was given to implementing > #getPeerCertificateChain by calling #getPeerCertificates [2] and > implementing javax.security.cert.X509Certificate by delegating to > java.security.cert.X509Certificate [3]. I believe this would preserve > source, binary and behavior compatibility while at the same time freeing > implementations from having to deal with javax.security.cert types or > #getPeerCertificateChain. It is an interesting suggestion and I can see your point. I don't think there is any fundamental reason we could not change the default implementation of the SSLSession.getPeerCertificateChain() method, but since it would be a change to the specification, it could not be backported to 17. Also, these methods are marked for removal, so changing the default implementation at this point probably doesn't add much value. --Sean > The third party library we use does support configuring a custom > SSLSocketFactory and we'll likely go with a custom SSLSocketFactory. > > [1] https://bugs.openjdk.java.net/browse/JDK-8241047 > [2] > https://github.com/marschall/legacy-compatibility-ssl-socket-factory/blob/master/src/main/java/com/github/marschall/legacycompatibilitysslsocketfactory/LegacyCompatibilitySSLSession.java#L86 > [3] > https://github.com/marschall/legacy-compatibility-ssl-socket-factory/blob/master/src/main/java/com/github/marschall/legacycompatibilitysslsocketfactory/CertificateAdapter.java > > Cheers > Philippe > From mullan at openjdk.java.net Tue Oct 5 17:03:08 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Tue, 5 Oct 2021 17:03:08 GMT Subject: RFR: 8273670: Remove weak etypes from default krb5 etype list [v5] In-Reply-To: References: <8riZXsI2hujdk0CMDRn856-Am5CQtjsuEN_cnNhaoNg=.03da33f1-7d8a-41af-8da3-88598fd1e410@github.com> Message-ID: <6jeM6kYuz7aRI5zzj6i495FIgyu828f8sZq4o7YQugE=.fc91924b-0f9a-4d7b-938b-ac9320e9233e@github.com> On Fri, 1 Oct 2021 17:09:03 GMT, Weijun Wang wrote: >> This code change removes weak etypes from the default list so it's safer to enable one of them. See the corresponding CSR at https://bugs.openjdk.java.net/browse/JDK-8274207 for more explanation. BTW, please review the CSR as well. > > Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: > > backout checksum changes > > reverted: Marked as reviewed by mullan (Reviewer). ------------- PR: https://git.openjdk.java.net/jdk/pull/5654 From valeriep at openjdk.java.net Tue Oct 5 18:11:09 2021 From: valeriep at openjdk.java.net (Valerie Peng) Date: Tue, 5 Oct 2021 18:11:09 GMT Subject: RFR: 8274656: Remove default_checksum and safe_checksum_type from krb5.conf [v2] In-Reply-To: References: <5_dUkH9npb4WOgEq8wSkJQWHxQgsQ2jR-ueFrLDUYgg=.5a58c92f-fd71-48f4-8073-9684a52ad5d3@github.com> Message-ID: <0Xv50Va2q8KvdaRvhf0JFh3rEVsZf5JR9zvlvot2oY8=.9a7f15d5-3a63-4ea1-abee-8a2d4746efba@github.com> On Mon, 4 Oct 2021 19:32:30 GMT, Weijun Wang wrote: >> Remove support for the 2 settings. Remove classes around the KRB_PRIV and KRB_SAFE message types that were never used in Java. > > Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: > > update copyright years Looks good. Thanks. ------------- Marked as reviewed by valeriep (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/5788 From weijun at openjdk.java.net Tue Oct 5 18:21:22 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 5 Oct 2021 18:21:22 GMT Subject: Integrated: 8273670: Remove weak etypes from default krb5 etype list In-Reply-To: <8riZXsI2hujdk0CMDRn856-Am5CQtjsuEN_cnNhaoNg=.03da33f1-7d8a-41af-8da3-88598fd1e410@github.com> References: <8riZXsI2hujdk0CMDRn856-Am5CQtjsuEN_cnNhaoNg=.03da33f1-7d8a-41af-8da3-88598fd1e410@github.com> Message-ID: On Thu, 23 Sep 2021 14:32:01 GMT, Weijun Wang wrote: > This code change removes weak etypes from the default list so it's safer to enable one of them. See the corresponding CSR at https://bugs.openjdk.java.net/browse/JDK-8274207 for more explanation. BTW, please review the CSR as well. This pull request has now been integrated. Changeset: 03d3c033 Author: Weijun Wang URL: https://git.openjdk.java.net/jdk/commit/03d3c0338437bf10b631881c8910ca85985742f6 Stats: 173 lines in 7 files changed: 73 ins; 61 del; 39 mod 8273670: Remove weak etypes from default krb5 etype list Reviewed-by: valeriep, mullan ------------- PR: https://git.openjdk.java.net/jdk/pull/5654 From weijun at openjdk.java.net Tue Oct 5 18:23:34 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 5 Oct 2021 18:23:34 GMT Subject: RFR: 8274656: Remove default_checksum and safe_checksum_type from krb5.conf [v3] In-Reply-To: <5_dUkH9npb4WOgEq8wSkJQWHxQgsQ2jR-ueFrLDUYgg=.5a58c92f-fd71-48f4-8073-9684a52ad5d3@github.com> References: <5_dUkH9npb4WOgEq8wSkJQWHxQgsQ2jR-ueFrLDUYgg=.5a58c92f-fd71-48f4-8073-9684a52ad5d3@github.com> Message-ID: > Remove support for the 2 settings. Remove classes around the KRB_PRIV and KRB_SAFE message types that were never used in Java. Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: clean up comment ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5788/files - new: https://git.openjdk.java.net/jdk/pull/5788/files/83b94920..1a975f92 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5788&range=02 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5788&range=01-02 Stats: 2 lines in 1 file changed: 0 ins; 2 del; 0 mod Patch: https://git.openjdk.java.net/jdk/pull/5788.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5788/head:pull/5788 PR: https://git.openjdk.java.net/jdk/pull/5788 From weijun at openjdk.java.net Tue Oct 5 18:23:34 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 5 Oct 2021 18:23:34 GMT Subject: Integrated: 8274656: Remove default_checksum and safe_checksum_type from krb5.conf In-Reply-To: <5_dUkH9npb4WOgEq8wSkJQWHxQgsQ2jR-ueFrLDUYgg=.5a58c92f-fd71-48f4-8073-9684a52ad5d3@github.com> References: <5_dUkH9npb4WOgEq8wSkJQWHxQgsQ2jR-ueFrLDUYgg=.5a58c92f-fd71-48f4-8073-9684a52ad5d3@github.com> Message-ID: On Fri, 1 Oct 2021 17:36:13 GMT, Weijun Wang wrote: > Remove support for the 2 settings. Remove classes around the KRB_PRIV and KRB_SAFE message types that were never used in Java. This pull request has now been integrated. Changeset: 1e752033 Author: Weijun Wang URL: https://git.openjdk.java.net/jdk/commit/1e75203356666a3213deddd775ad1e883ea6d78d Stats: 1350 lines in 13 files changed: 0 ins; 1345 del; 5 mod 8274656: Remove default_checksum and safe_checksum_type from krb5.conf Reviewed-by: valeriep ------------- PR: https://git.openjdk.java.net/jdk/pull/5788 From cancomert at gmail.com Tue Oct 5 18:36:06 2021 From: cancomert at gmail.com (can comert) Date: Tue, 5 Oct 2021 20:36:06 +0200 Subject: Integrated: 8274471: Verification of OCSP Response signed with RSASSA-PSS fails In-Reply-To: <5_DfeMsAEWMWC8OC1I0K3f17Fbos6D2q2dEYZmZz8hA=.3c2f2516-2130-4efc-a5b2-5ac530051b5a@github.com> References: <5_DfeMsAEWMWC8OC1I0K3f17Fbos6D2q2dEYZmZz8hA=.3c2f2516-2130-4efc-a5b2-5ac530051b5a@github.com> Message-ID: I have seen the issue is already fixed and will be available for the JDK 18. Thank you very much for your great work and fast response! Is there any backporting for a LTS version planned? Best Regards, Can 4 Eki 2021 Pzt 17:34 tarihinde Weijun Wang ?unu yazd?: > On Thu, 30 Sep 2021 15:44:32 GMT, Weijun Wang wrote: > > > Extra parameters need to be set for RSASSA-PSS signatures. We already > have a helper method for that. > > > > Some other cleanups: > > 1. When using GET for OCSP, make sure no double slash. > > 2. Several throws clauses are not necessary. > > > > No regression test. OCSP needs to access an external server. > > This pull request has now been integrated. > > Changeset: f63c4a83 > Author: Weijun Wang > URL: > https://git.openjdk.java.net/jdk/commit/f63c4a832a1aea451f47aaf86d5361e970c6a28f > Stats: 112 lines in 9 files changed: 26 ins; 47 del; 39 mod > > 8274471: Verification of OCSP Response signed with RSASSA-PSS fails > > Reviewed-by: hchao, jnimeh > > ------------- > > PR: https://git.openjdk.java.net/jdk/pull/5778 > -------------- next part -------------- An HTML attachment was scrubbed... URL: From weijun.wang at oracle.com Tue Oct 5 20:04:50 2021 From: weijun.wang at oracle.com (Wei-Jun Wang) Date: Tue, 5 Oct 2021 20:04:50 +0000 Subject: Integrated: 8274471: Verification of OCSP Response signed with RSASSA-PSS fails In-Reply-To: References: <5_DfeMsAEWMWC8OC1I0K3f17Fbos6D2q2dEYZmZz8hA=.3c2f2516-2130-4efc-a5b2-5ac530051b5a@github.com> Message-ID: I think it's worth backporting to older LTS releases. Will ask sustaining on it. Thanks, Weijun > On Oct 5, 2021, at 2:36 PM, can comert wrote: > > > Is there any backporting for a LTS version planned? From github.com+741251+turbanoff at openjdk.java.net Wed Oct 6 07:12:20 2021 From: github.com+741251+turbanoff at openjdk.java.net (Andrey Turbanov) Date: Wed, 6 Oct 2021 07:12:20 GMT Subject: RFR: 8274809: Update java.base classes to use try-with-resources Message-ID: 8274809: Update java.base classes to use try-with-resources ------------- Commit messages: - [PATCH] Use try-with-resources to close FileInputStream in java.base Changes: https://git.openjdk.java.net/jdk/pull/5818/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5818&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8274809 Stats: 54 lines in 7 files changed: 2 ins; 40 del; 12 mod Patch: https://git.openjdk.java.net/jdk/pull/5818.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5818/head:pull/5818 PR: https://git.openjdk.java.net/jdk/pull/5818 From github.com+10835776+stsypanov at openjdk.java.net Wed Oct 6 07:23:21 2021 From: github.com+10835776+stsypanov at openjdk.java.net (=?UTF-8?B?0KHQtdGA0LPQtdC5?= =?UTF-8?B?IA==?= =?UTF-8?B?0KbRi9C/0LDQvdC+0LI=?=) Date: Wed, 6 Oct 2021 07:23:21 GMT Subject: RFR: 8274811: Remove superfluous use of boxing in java.base In-Reply-To: References: Message-ID: On Sat, 11 Sep 2021 12:11:50 GMT, Andrey Turbanov wrote: > Usages of primitive types should be preferred and makes code easier to read. > Similar cleanups: > 1. [JDK-8273168](https://bugs.openjdk.java.net/browse/JDK-8273168) java.desktop > 2. [JDK-8274234](https://bugs.openjdk.java.net/browse/JDK-8274234) java.sql.rowset src/java.base/share/classes/java/util/ResourceBundle.java line 3732: > 3730: } > 3731: > 3732: private static final boolean TRACE_ON = Boolean.parseBoolean( I think for `Boolean` it doesn't make significant difference, as both `Boolean.TRUE` and `Boolean.FALSE` are cached and initialized immediately along with the class itself: public static Boolean valueOf(String s) { return parseBoolean(s) ? TRUE : FALSE; } ------------- PR: https://git.openjdk.java.net/jdk/pull/5481 From github.com+741251+turbanoff at openjdk.java.net Wed Oct 6 07:23:20 2021 From: github.com+741251+turbanoff at openjdk.java.net (Andrey Turbanov) Date: Wed, 6 Oct 2021 07:23:20 GMT Subject: RFR: 8274811: Remove superfluous use of boxing in java.base Message-ID: Usages of primitive types should be preferred and makes code easier to read. Similar cleanups: 1. [JDK-8273168](https://bugs.openjdk.java.net/browse/JDK-8273168) java.desktop 2. [JDK-8274234](https://bugs.openjdk.java.net/browse/JDK-8274234) java.sql.rowset ------------- Commit messages: - [PATCH] Remove superfluous use of boxing in java.base - [PATCH] Remove superfluous use of boxing in java.* modules - [PATCH] Remove superfluous use of boxing in java.* modules Changes: https://git.openjdk.java.net/jdk/pull/5481/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5481&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8274811 Stats: 11 lines in 4 files changed: 0 ins; 0 del; 11 mod Patch: https://git.openjdk.java.net/jdk/pull/5481.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5481/head:pull/5481 PR: https://git.openjdk.java.net/jdk/pull/5481 From github.com+741251+turbanoff at openjdk.java.net Wed Oct 6 07:23:22 2021 From: github.com+741251+turbanoff at openjdk.java.net (Andrey Turbanov) Date: Wed, 6 Oct 2021 07:23:22 GMT Subject: RFR: 8274811: Remove superfluous use of boxing in java.base In-Reply-To: References: Message-ID: On Sat, 11 Sep 2021 17:22:01 GMT, ?????? ??????? wrote: >> Usages of primitive types should be preferred and makes code easier to read. >> Similar cleanups: >> 1. [JDK-8273168](https://bugs.openjdk.java.net/browse/JDK-8273168) java.desktop >> 2. [JDK-8274234](https://bugs.openjdk.java.net/browse/JDK-8274234) java.sql.rowset > > src/java.base/share/classes/java/util/ResourceBundle.java line 3732: > >> 3730: } >> 3731: >> 3732: private static final boolean TRACE_ON = Boolean.parseBoolean( > > I think for `Boolean` it doesn't make significant difference, as both `Boolean.TRUE` and `Boolean.FALSE` are cached and initialized immediately along with the class itself: > > public static Boolean valueOf(String s) { > return parseBoolean(s) ? TRUE : FALSE; > } Yes, there is no allocation for booleans. But still 2 redundant method calls in interpreter mode (valueOf+booleanValue) ------------- PR: https://git.openjdk.java.net/jdk/pull/5481 From github.com+741251+turbanoff at openjdk.java.net Wed Oct 6 12:29:23 2021 From: github.com+741251+turbanoff at openjdk.java.net (Andrey Turbanov) Date: Wed, 6 Oct 2021 12:29:23 GMT Subject: RFR: 8274835: Remove unnecessary castings in java.base Message-ID: Redundant castings make code harder to read. Found them by IntelliJ IDEA. I tried to select only casts which are definitely safe to remove. Also didn't touch primitive types casts. ------------- Commit messages: - [PATCH] Remove unnecessary castings in java.base - [PATCH] Remove unnecessary castings in java.base Changes: https://git.openjdk.java.net/jdk/pull/5454/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5454&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8274835 Stats: 38 lines in 15 files changed: 1 ins; 4 del; 33 mod Patch: https://git.openjdk.java.net/jdk/pull/5454.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5454/head:pull/5454 PR: https://git.openjdk.java.net/jdk/pull/5454 From mullan at openjdk.java.net Wed Oct 6 13:05:07 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Wed, 6 Oct 2021 13:05:07 GMT Subject: RFR: 8274835: Remove unnecessary castings in java.base In-Reply-To: References: Message-ID: <2g6lp6Qoc6CkGSZxYcxU6J9lyufzUB_nM-JtXOt7Yng=.66528e37-4512-47d6-9818-7acc6a99a42d@github.com> On Thu, 9 Sep 2021 20:12:47 GMT, Andrey Turbanov wrote: > Redundant castings make code harder to read. > Found them by IntelliJ IDEA. > I tried to select only casts which are definitely safe to remove. Also didn't touch primitive types casts. The security related files look fine. ------------- Marked as reviewed by mullan (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/5454 From mullan at openjdk.java.net Wed Oct 6 13:08:11 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Wed, 6 Oct 2021 13:08:11 GMT Subject: RFR: 8274809: Update java.base classes to use try-with-resources In-Reply-To: References: Message-ID: On Tue, 5 Oct 2021 09:36:23 GMT, Andrey Turbanov wrote: > 8274809: Update java.base classes to use try-with-resources The security related files look fine. ------------- Marked as reviewed by mullan (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/5818 From sebukoleth at gmail.com Wed Oct 6 03:53:52 2021 From: sebukoleth at gmail.com (Sebu Koleth) Date: Tue, 5 Oct 2021 20:53:52 -0700 Subject: X509TrustManager check in SSLContextImpl Message-ID: Apologies if this is the wrong mailing list for this question, and if yes, please point to the right one. In sun.security.ssl.SSLContextImpl we have the following method: private X509TrustManager chooseTrustManager(TrustManager[] tm) throws KeyManagementException { // We only use the first instance of X509TrustManager passed to us. for (int i = 0; tm != null && i < tm.length; i++) { if (tm[i] instanceof X509TrustManager) { * if (SunJSSE.isFIPS() && !(tm[i] instanceof X509TrustManagerImpl))* { throw new KeyManagementException ("FIPS mode: only SunJSSE TrustManagers may be used"); } if (tm[i] instanceof X509ExtendedTrustManager) { return (X509TrustManager)tm[i]; } else { return new AbstractTrustManagerWrapper( (X509TrustManager)tm[i]); } } } // nothing found, return a dummy X509TrustManager. return DummyX509TrustManager.INSTANCE; } In the FIPS case why is it required for the TrustManager to be an instance of X509TrustManagerImpl? Isn't it sufficient for it to be an instance of X509ExtendedTrustManager? regards, Sebu Koleth -- The most popular software for writing fiction isn't Word. It's Excel. 408 dot 759 dot 1870 -------------- next part -------------- An HTML attachment was scrubbed... URL: From wetmore at openjdk.java.net Wed Oct 6 16:05:13 2021 From: wetmore at openjdk.java.net (Bradford Wetmore) Date: Wed, 6 Oct 2021 16:05:13 GMT Subject: RFR: 8274809: Update java.base classes to use try-with-resources In-Reply-To: References: Message-ID: <8vS2rfHkUZ_KrdCq8XUiU37uhmbP2RyQYMCX_JGs__g=.f0249d06-12d7-45ce-8a66-552268e43d15@github.com> On Tue, 5 Oct 2021 09:36:23 GMT, Andrey Turbanov wrote: > 8274809: Update java.base classes to use try-with-resources Reviewed the crypto/security files. src/java.base/share/classes/sun/security/timestamp/HttpTimestamper.java line 115: > 113: > 114: // Send the request > 115: try (DataOutputStream output = new DataOutputStream(connection.getOutputStream())) { Please break this up so it doesn't have lines > 80. e.g. try (DataOutputStream output = new DataOutputStream(connection.getOutputStream())) { This makes side-by-side viewing very hard without a wider monitor. Thank you. src/java.base/share/classes/sun/security/timestamp/HttpTimestamper.java line 127: > 125: // Receive the reply > 126: byte[] replyBuffer = null; > 127: try (BufferedInputStream input = new BufferedInputStream(connection.getInputStream())) { Same comment as above. ------------- Marked as reviewed by wetmore (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/5818 From wetmore at openjdk.java.net Wed Oct 6 16:14:09 2021 From: wetmore at openjdk.java.net (Bradford Wetmore) Date: Wed, 6 Oct 2021 16:14:09 GMT Subject: RFR: 8274809: Update java.base classes to use try-with-resources In-Reply-To: References: Message-ID: On Tue, 5 Oct 2021 09:36:23 GMT, Andrey Turbanov wrote: > 8274809: Update java.base classes to use try-with-resources I checked the rest. The one BufferedInputStream change is puzzling. Please explain or address. Files like HttpTimestamper need the copyright dates updated to 2021. src/java.base/share/classes/sun/net/NetProperties.java line 71: > 69: f = new File(f, "net.properties"); > 70: fname = f.getCanonicalPath(); > 71: try (FileInputStream fis = new FileInputStream(fname)) { Why did the BufferedInputStream get pulled out here? src/java.base/share/classes/sun/security/util/PolicyUtil.java line 156: > 154: } > 155: > 156: try (InputStream inStream = new BufferedInputStream(getInputStream(keyStoreUrl))) { Same comment as above. ------------- Marked as reviewed by wetmore (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/5818 From naoto at openjdk.java.net Wed Oct 6 16:28:06 2021 From: naoto at openjdk.java.net (Naoto Sato) Date: Wed, 6 Oct 2021 16:28:06 GMT Subject: RFR: 8274835: Remove unnecessary castings in java.base In-Reply-To: References: Message-ID: On Thu, 9 Sep 2021 20:12:47 GMT, Andrey Turbanov wrote: > Redundant castings make code harder to read. > Found them by IntelliJ IDEA. > I tried to select only casts which are definitely safe to remove. Also didn't touch primitive types casts. Calendar-related changes look good to me. ------------- Marked as reviewed by naoto (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/5454 From github.com+741251+turbanoff at openjdk.java.net Wed Oct 6 16:29:08 2021 From: github.com+741251+turbanoff at openjdk.java.net (Andrey Turbanov) Date: Wed, 6 Oct 2021 16:29:08 GMT Subject: RFR: 8274809: Update java.base classes to use try-with-resources In-Reply-To: References: Message-ID: On Wed, 6 Oct 2021 16:04:54 GMT, Bradford Wetmore wrote: >> 8274809: Update java.base classes to use try-with-resources > > src/java.base/share/classes/sun/net/NetProperties.java line 71: > >> 69: f = new File(f, "net.properties"); >> 70: fname = f.getCanonicalPath(); >> 71: try (FileInputStream fis = new FileInputStream(fname)) { > > Why did the BufferedInputStream get pulled out here? I decieded to remove it because `Properties.load` already buffers inputstream. So usage of BufferedInputStream seems redundant. https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/java/util/Properties.java#L471 ------------- PR: https://git.openjdk.java.net/jdk/pull/5818 From github.com+741251+turbanoff at openjdk.java.net Wed Oct 6 16:29:09 2021 From: github.com+741251+turbanoff at openjdk.java.net (Andrey Turbanov) Date: Wed, 6 Oct 2021 16:29:09 GMT Subject: RFR: 8274809: Update java.base classes to use try-with-resources In-Reply-To: References: Message-ID: On Wed, 6 Oct 2021 16:24:03 GMT, Andrey Turbanov wrote: >> src/java.base/share/classes/sun/net/NetProperties.java line 71: >> >>> 69: f = new File(f, "net.properties"); >>> 70: fname = f.getCanonicalPath(); >>> 71: try (FileInputStream fis = new FileInputStream(fname)) { >> >> Why did the BufferedInputStream get pulled out here? > > I decieded to remove it because `Properties.load` already buffers inputstream. So usage of BufferedInputStream seems redundant. > https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/java/util/Properties.java#L471 I will revert back to `BufferedInputStream` and will create a separate PR to cleanup redundant buffering around Properties.load calls. ------------- PR: https://git.openjdk.java.net/jdk/pull/5818 From prappo at openjdk.java.net Wed Oct 6 16:29:09 2021 From: prappo at openjdk.java.net (Pavel Rappo) Date: Wed, 6 Oct 2021 16:29:09 GMT Subject: RFR: 8274809: Update java.base classes to use try-with-resources In-Reply-To: <8vS2rfHkUZ_KrdCq8XUiU37uhmbP2RyQYMCX_JGs__g=.f0249d06-12d7-45ce-8a66-552268e43d15@github.com> References: <8vS2rfHkUZ_KrdCq8XUiU37uhmbP2RyQYMCX_JGs__g=.f0249d06-12d7-45ce-8a66-552268e43d15@github.com> Message-ID: On Wed, 6 Oct 2021 16:00:41 GMT, Bradford Wetmore wrote: >> 8274809: Update java.base classes to use try-with-resources > > src/java.base/share/classes/sun/security/timestamp/HttpTimestamper.java line 127: > >> 125: // Receive the reply >> 126: byte[] replyBuffer = null; >> 127: try (BufferedInputStream input = new BufferedInputStream(connection.getInputStream())) { > > Same comment as above. In this and the immediately preceding case, it might be better to use `var`. ------------- PR: https://git.openjdk.java.net/jdk/pull/5818 From lancea at openjdk.java.net Wed Oct 6 16:33:09 2021 From: lancea at openjdk.java.net (Lance Andersen) Date: Wed, 6 Oct 2021 16:33:09 GMT Subject: RFR: 8274835: Remove unnecessary castings in java.base In-Reply-To: References: Message-ID: On Thu, 9 Sep 2021 20:12:47 GMT, Andrey Turbanov wrote: > Redundant castings make code harder to read. > Found them by IntelliJ IDEA. > I tried to select only casts which are definitely safe to remove. Also didn't touch primitive types casts. Marked as reviewed by lancea (Reviewer). ------------- PR: https://git.openjdk.java.net/jdk/pull/5454 From coffeys at openjdk.java.net Wed Oct 6 17:07:25 2021 From: coffeys at openjdk.java.net (Sean Coffey) Date: Wed, 6 Oct 2021 17:07:25 GMT Subject: RFR: 8273826: Correct Manifest file name and NPE checks Message-ID: Use correct manifest file name in the Manifest verifier checks. Also - extra null check The test doesn't reproduce the exact issue reported but should prevent future regressions in this area. ------------- Commit messages: - 8273826: Correct Manifest file name and NPE checks Changes: https://git.openjdk.java.net/jdk/pull/5841/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5841&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8273826 Stats: 137 lines in 5 files changed: 127 ins; 2 del; 8 mod Patch: https://git.openjdk.java.net/jdk/pull/5841.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5841/head:pull/5841 PR: https://git.openjdk.java.net/jdk/pull/5841 From darcy at openjdk.java.net Wed Oct 6 17:15:08 2021 From: darcy at openjdk.java.net (Joe Darcy) Date: Wed, 6 Oct 2021 17:15:08 GMT Subject: RFR: 8274835: Remove unnecessary castings in java.base In-Reply-To: References: Message-ID: <5cblPwQq4ebGNXXrtO9EoHnSZ_tcsn-EVxfMQMVEjOI=.9936fe80-1b9a-468c-8d3e-80eaad0977be@github.com> On Thu, 9 Sep 2021 20:12:47 GMT, Andrey Turbanov wrote: > Redundant castings make code harder to read. > Found them by IntelliJ IDEA. > I tried to select only casts which are definitely safe to remove. Also didn't touch primitive types casts. Curious. The JDK build is done with javac -Xlint:cast warning enabled (JDK-8032734) which is intended to catch issues like this. Perhaps IntelliJ is using a different (or sharper) analysis. ------------- PR: https://git.openjdk.java.net/jdk/pull/5454 From weijun at openjdk.java.net Wed Oct 6 18:03:11 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Wed, 6 Oct 2021 18:03:11 GMT Subject: RFR: 8273826: Correct Manifest file name and NPE checks In-Reply-To: References: Message-ID: On Wed, 6 Oct 2021 16:58:51 GMT, Sean Coffey wrote: > Use correct manifest file name in the Manifest verifier checks. > Also - extra null check > > The test doesn't reproduce the exact issue reported but should prevent future regressions in this area. Marked as reviewed by weijun (Reviewer). src/java.base/share/classes/sun/security/util/ManifestEntryVerifier.java line 66: > 64: > 65: private String name = null; > 66: private String manifestFileName; Make this final and add a comment that it will never be null. ------------- PR: https://git.openjdk.java.net/jdk/pull/5841 From github.com+741251+turbanoff at openjdk.java.net Wed Oct 6 18:27:34 2021 From: github.com+741251+turbanoff at openjdk.java.net (Andrey Turbanov) Date: Wed, 6 Oct 2021 18:27:34 GMT Subject: RFR: 8274809: Update java.base classes to use try-with-resources [v2] In-Reply-To: References: Message-ID: > 8274809: Update java.base classes to use try-with-resources Andrey Turbanov has updated the pull request incrementally with one additional commit since the last revision: 8274809: Update java.base classes to use try-with-resources fix post-review comment ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5818/files - new: https://git.openjdk.java.net/jdk/pull/5818/files/6d8ce900..78893df9 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5818&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5818&range=00-01 Stats: 7 lines in 2 files changed: 1 ins; 1 del; 5 mod Patch: https://git.openjdk.java.net/jdk/pull/5818.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5818/head:pull/5818 PR: https://git.openjdk.java.net/jdk/pull/5818 From github.com+741251+turbanoff at openjdk.java.net Wed Oct 6 18:27:35 2021 From: github.com+741251+turbanoff at openjdk.java.net (Andrey Turbanov) Date: Wed, 6 Oct 2021 18:27:35 GMT Subject: RFR: 8274809: Update java.base classes to use try-with-resources [v2] In-Reply-To: References: <8vS2rfHkUZ_KrdCq8XUiU37uhmbP2RyQYMCX_JGs__g=.f0249d06-12d7-45ce-8a66-552268e43d15@github.com> Message-ID: On Wed, 6 Oct 2021 16:20:48 GMT, Pavel Rappo wrote: >> src/java.base/share/classes/sun/security/timestamp/HttpTimestamper.java line 127: >> >>> 125: // Receive the reply >>> 126: byte[] replyBuffer = null; >>> 127: try (BufferedInputStream input = new BufferedInputStream(connection.getInputStream())) { >> >> Same comment as above. > > In this and the immediately preceding case, it might be better to use `var`. I like variant with `var` more. Updated ------------- PR: https://git.openjdk.java.net/jdk/pull/5818 From github.com+741251+turbanoff at openjdk.java.net Wed Oct 6 18:47:26 2021 From: github.com+741251+turbanoff at openjdk.java.net (Andrey Turbanov) Date: Wed, 6 Oct 2021 18:47:26 GMT Subject: RFR: 8274809: Update java.base classes to use try-with-resources [v3] In-Reply-To: References: Message-ID: > 8274809: Update java.base classes to use try-with-resources Andrey Turbanov has updated the pull request incrementally with one additional commit since the last revision: 8274809: Update java.base classes to use try-with-resources update copyright year ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5818/files - new: https://git.openjdk.java.net/jdk/pull/5818/files/78893df9..423c3069 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5818&range=02 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5818&range=01-02 Stats: 5 lines in 4 files changed: 1 ins; 1 del; 3 mod Patch: https://git.openjdk.java.net/jdk/pull/5818.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5818/head:pull/5818 PR: https://git.openjdk.java.net/jdk/pull/5818 From github.com+741251+turbanoff at openjdk.java.net Wed Oct 6 18:47:27 2021 From: github.com+741251+turbanoff at openjdk.java.net (Andrey Turbanov) Date: Wed, 6 Oct 2021 18:47:27 GMT Subject: RFR: 8274809: Update java.base classes to use try-with-resources [v3] In-Reply-To: References: Message-ID: On Wed, 6 Oct 2021 16:11:25 GMT, Bradford Wetmore wrote: >Files like HttpTimestamper need the copyright dates updated to 2021. Updated ------------- PR: https://git.openjdk.java.net/jdk/pull/5818 From wetmore at openjdk.java.net Wed Oct 6 19:48:09 2021 From: wetmore at openjdk.java.net (Bradford Wetmore) Date: Wed, 6 Oct 2021 19:48:09 GMT Subject: RFR: 8274809: Update java.base classes to use try-with-resources [v3] In-Reply-To: References: Message-ID: On Wed, 6 Oct 2021 18:47:26 GMT, Andrey Turbanov wrote: >> 8274809: Update java.base classes to use try-with-resources > > Andrey Turbanov has updated the pull request incrementally with one additional commit since the last revision: > > 8274809: Update java.base classes to use try-with-resources > update copyright year Greater than 80 chars comment missing in latest changeset. ------------- PR: https://git.openjdk.java.net/jdk/pull/5818 From wetmore at openjdk.java.net Wed Oct 6 19:48:10 2021 From: wetmore at openjdk.java.net (Bradford Wetmore) Date: Wed, 6 Oct 2021 19:48:10 GMT Subject: RFR: 8274809: Update java.base classes to use try-with-resources [v3] In-Reply-To: References: Message-ID: On Wed, 6 Oct 2021 16:07:12 GMT, Bradford Wetmore wrote: >> Andrey Turbanov has updated the pull request incrementally with one additional commit since the last revision: >> >> 8274809: Update java.base classes to use try-with-resources >> update copyright year > > src/java.base/share/classes/sun/security/util/PolicyUtil.java line 156: > >> 154: } >> 155: >> 156: try (InputStream inStream = new BufferedInputStream(getInputStream(keyStoreUrl))) { > > Same comment as above. Looks like it's still > 80 chars ------------- PR: https://git.openjdk.java.net/jdk/pull/5818 From wetmore at openjdk.java.net Wed Oct 6 19:56:08 2021 From: wetmore at openjdk.java.net (Bradford Wetmore) Date: Wed, 6 Oct 2021 19:56:08 GMT Subject: RFR: 8274809: Update java.base classes to use try-with-resources [v3] In-Reply-To: References: Message-ID: On Wed, 6 Oct 2021 18:47:26 GMT, Andrey Turbanov wrote: >> 8274809: Update java.base classes to use try-with-resources > > Andrey Turbanov has updated the pull request incrementally with one additional commit since the last revision: > > 8274809: Update java.base classes to use try-with-resources > update copyright year src/java.base/share/classes/sun/net/NetProperties.java line 72: > 70: fname = f.getCanonicalPath(); > 71: try (FileInputStream in = new FileInputStream(fname)) { > 72: BufferedInputStream bin = new BufferedInputStream(in); Shouldn't this have a multiple resource block in the try-with block here: try (FileInputStream in = new FileInputStream(fname); BufferedInputStream bin = new BufferedInputStream(in)) { props.land(bin); } ------------- PR: https://git.openjdk.java.net/jdk/pull/5818 From github.com+741251+turbanoff at openjdk.java.net Wed Oct 6 20:37:30 2021 From: github.com+741251+turbanoff at openjdk.java.net (Andrey Turbanov) Date: Wed, 6 Oct 2021 20:37:30 GMT Subject: RFR: 8274809: Update java.base classes to use try-with-resources [v4] In-Reply-To: <8vS2rfHkUZ_KrdCq8XUiU37uhmbP2RyQYMCX_JGs__g=.f0249d06-12d7-45ce-8a66-552268e43d15@github.com> References: <8vS2rfHkUZ_KrdCq8XUiU37uhmbP2RyQYMCX_JGs__g=.f0249d06-12d7-45ce-8a66-552268e43d15@github.com> Message-ID: On Wed, 6 Oct 2021 16:00:26 GMT, Bradford Wetmore wrote: >> Andrey Turbanov has updated the pull request incrementally with one additional commit since the last revision: >> >> 8274809: Update java.base classes to use try-with-resources >> fix review comments > > src/java.base/share/classes/sun/security/timestamp/HttpTimestamper.java line 115: > >> 113: >> 114: // Send the request >> 115: try (DataOutputStream output = new DataOutputStream(connection.getOutputStream())) { > > Please break this up so it doesn't have lines > 80. e.g. > > try (DataOutputStream output = > new DataOutputStream(connection.getOutputStream())) { > > This makes side-by-side viewing very hard without a wider monitor. > > Thank you. Update. ------------- PR: https://git.openjdk.java.net/jdk/pull/5818 From github.com+741251+turbanoff at openjdk.java.net Wed Oct 6 20:37:29 2021 From: github.com+741251+turbanoff at openjdk.java.net (Andrey Turbanov) Date: Wed, 6 Oct 2021 20:37:29 GMT Subject: RFR: 8274809: Update java.base classes to use try-with-resources [v4] In-Reply-To: References: Message-ID: > 8274809: Update java.base classes to use try-with-resources Andrey Turbanov has updated the pull request incrementally with one additional commit since the last revision: 8274809: Update java.base classes to use try-with-resources fix review comments ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5818/files - new: https://git.openjdk.java.net/jdk/pull/5818/files/423c3069..3b05ec49 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5818&range=03 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5818&range=02-03 Stats: 5 lines in 2 files changed: 2 ins; 0 del; 3 mod Patch: https://git.openjdk.java.net/jdk/pull/5818.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5818/head:pull/5818 PR: https://git.openjdk.java.net/jdk/pull/5818 From bpb at openjdk.java.net Wed Oct 6 21:08:12 2021 From: bpb at openjdk.java.net (Brian Burkhalter) Date: Wed, 6 Oct 2021 21:08:12 GMT Subject: RFR: 8274835: Remove unnecessary castings in java.base In-Reply-To: References: Message-ID: On Thu, 9 Sep 2021 20:12:47 GMT, Andrey Turbanov wrote: > Redundant castings make code harder to read. > Found them by IntelliJ IDEA. > I tried to select only casts which are definitely safe to remove. Also didn't touch primitive types casts. `java.io` change looks all right. ------------- Marked as reviewed by bpb (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/5454 From hchao at openjdk.java.net Thu Oct 7 02:24:06 2021 From: hchao at openjdk.java.net (Hai-May Chao) Date: Thu, 7 Oct 2021 02:24:06 GMT Subject: RFR: 8273826: Correct Manifest file name and NPE checks In-Reply-To: References: Message-ID: On Wed, 6 Oct 2021 16:58:51 GMT, Sean Coffey wrote: > Use correct manifest file name in the Manifest verifier checks. > Also - extra null check > > The test doesn't reproduce the exact issue reported but should prevent future regressions in this area. Looks good. ------------- Marked as reviewed by hchao (Committer). PR: https://git.openjdk.java.net/jdk/pull/5841 From github.com+741251+turbanoff at openjdk.java.net Thu Oct 7 07:35:21 2021 From: github.com+741251+turbanoff at openjdk.java.net (Andrey Turbanov) Date: Thu, 7 Oct 2021 07:35:21 GMT Subject: RFR: 8274879: Replace uses of StringBuffer with StringBuilder within java.base classes Message-ID: StringBuffer is a legacy synchronized class. There are more modern alternatives which perform better: 1. Plain String concatenation should be preferred 2. StringBuilder is a direct replacement to StringBuffer which generally have better performance In [JDK-8264029](https://bugs.openjdk.java.net/browse/JDK-8264029) I migrated only usages which were automatically detected by IDEA. It turns out there are more usages which can be migrated. ------------- Commit messages: - [PATCH] Cleanup usages of StringBuffer in java.base module - [PATCH] Cleanup usages of StringBuffer in java.base module Changes: https://git.openjdk.java.net/jdk/pull/5432/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5432&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8274879 Stats: 32 lines in 12 files changed: 0 ins; 0 del; 32 mod Patch: https://git.openjdk.java.net/jdk/pull/5432.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5432/head:pull/5432 PR: https://git.openjdk.java.net/jdk/pull/5432 From coffeys at openjdk.java.net Thu Oct 7 10:44:39 2021 From: coffeys at openjdk.java.net (Sean Coffey) Date: Thu, 7 Oct 2021 10:44:39 GMT Subject: RFR: 8273826: Correct Manifest file name and NPE checks [v2] In-Reply-To: References: Message-ID: > Use correct manifest file name in the Manifest verifier checks. > Also - extra null check > > The test doesn't reproduce the exact issue reported but should prevent future regressions in this area. Sean Coffey has updated the pull request incrementally with one additional commit since the last revision: Make variables final ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5841/files - new: https://git.openjdk.java.net/jdk/pull/5841/files/a63c81ad..3d72a6d7 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5841&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5841&range=00-01 Stats: 3 lines in 1 file changed: 1 ins; 0 del; 2 mod Patch: https://git.openjdk.java.net/jdk/pull/5841.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5841/head:pull/5841 PR: https://git.openjdk.java.net/jdk/pull/5841 From aefimov at openjdk.java.net Thu Oct 7 12:11:36 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Thu, 7 Oct 2021 12:11:36 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v2] In-Reply-To: References: Message-ID: > This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. > > The following API classes are added to `java.net.spi` package to facilitate this: > - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. > - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. > - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. > - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. > > More details in [JEP-418](https://openjdk.java.net/jeps/418). > > Testing: new and existing `tier1:tier3` tests Aleksei Efimov has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains two additional commits since the last revision: - Merge branch 'master' into JDK-8244202_JEP418_impl - 8244202: Implementation of JEP 418: Internet-Address Resolution SPI ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5822/files - new: https://git.openjdk.java.net/jdk/pull/5822/files/77551538..41717fc7 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5822&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5822&range=00-01 Stats: 4216 lines in 179 files changed: 1929 ins; 1744 del; 543 mod Patch: https://git.openjdk.java.net/jdk/pull/5822.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5822/head:pull/5822 PR: https://git.openjdk.java.net/jdk/pull/5822 From coffeys at openjdk.java.net Thu Oct 7 14:24:10 2021 From: coffeys at openjdk.java.net (Sean Coffey) Date: Thu, 7 Oct 2021 14:24:10 GMT Subject: RFR: 8273826: Correct Manifest file name and NPE checks [v2] In-Reply-To: References: Message-ID: On Wed, 6 Oct 2021 17:54:15 GMT, Weijun Wang wrote: >> Sean Coffey has updated the pull request incrementally with one additional commit since the last revision: >> >> Make variables final > > src/java.base/share/classes/sun/security/util/ManifestEntryVerifier.java line 66: > >> 64: >> 65: private String name = null; >> 66: private String manifestFileName; > > Make this final and add a comment that it will never be null. Thanks for the review - Made final and added comment. Also decided to make the "Manifest man" variable final here also while here. ------------- PR: https://git.openjdk.java.net/jdk/pull/5841 From mullan at openjdk.java.net Thu Oct 7 15:02:10 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Thu, 7 Oct 2021 15:02:10 GMT Subject: RFR: 8273826: Correct Manifest file name and NPE checks [v2] In-Reply-To: References: Message-ID: On Thu, 7 Oct 2021 10:44:39 GMT, Sean Coffey wrote: >> Use correct manifest file name in the Manifest verifier checks. >> Also - extra null check >> >> The test doesn't reproduce the exact issue reported but should prevent future regressions in this area. > > Sean Coffey has updated the pull request incrementally with one additional commit since the last revision: > > Make variables final Marked as reviewed by mullan (Reviewer). test/jdk/sun/security/tools/jarsigner/warnings/LowerCaseManifest.java line 38: > 36: * @library /test/lib ../ > 37: * @build jdk.test.lib.util.JarUtils > 38: * @run main LowerCaseManifest You don't need this line as this is the default @run setting. ------------- PR: https://git.openjdk.java.net/jdk/pull/5841 From weijun at openjdk.java.net Thu Oct 7 15:02:11 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 7 Oct 2021 15:02:11 GMT Subject: RFR: 8273826: Correct Manifest file name and NPE checks [v2] In-Reply-To: References: Message-ID: On Thu, 7 Oct 2021 14:21:27 GMT, Sean Coffey wrote: >> src/java.base/share/classes/sun/security/util/ManifestEntryVerifier.java line 66: >> >>> 64: >>> 65: private String name = null; >>> 66: private String manifestFileName; >> >> Make this final and add a comment that it will never be null. > > Thanks for the review - Made final and added comment. Also decided to make the "Manifest man" variable final here also while here. Great, the more final there are, the less I need to look back and forth while reading the code. ------------- PR: https://git.openjdk.java.net/jdk/pull/5841 From coffeys at openjdk.java.net Thu Oct 7 15:17:13 2021 From: coffeys at openjdk.java.net (Sean Coffey) Date: Thu, 7 Oct 2021 15:17:13 GMT Subject: RFR: 8273826: Correct Manifest file name and NPE checks [v2] In-Reply-To: References: Message-ID: On Thu, 7 Oct 2021 14:57:53 GMT, Sean Mullan wrote: >> Sean Coffey has updated the pull request incrementally with one additional commit since the last revision: >> >> Make variables final > > test/jdk/sun/security/tools/jarsigner/warnings/LowerCaseManifest.java line 38: > >> 36: * @library /test/lib ../ >> 37: * @build jdk.test.lib.util.JarUtils >> 38: * @run main LowerCaseManifest > > You don't need this line as this is the default @run setting. Looks like it's required if there's a @build directive ------------- PR: https://git.openjdk.java.net/jdk/pull/5841 From mullan at openjdk.java.net Thu Oct 7 15:17:13 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Thu, 7 Oct 2021 15:17:13 GMT Subject: RFR: 8273826: Correct Manifest file name and NPE checks [v2] In-Reply-To: References: Message-ID: On Thu, 7 Oct 2021 15:09:22 GMT, Sean Coffey wrote: >> test/jdk/sun/security/tools/jarsigner/warnings/LowerCaseManifest.java line 38: >> >>> 36: * @library /test/lib ../ >>> 37: * @build jdk.test.lib.util.JarUtils >>> 38: * @run main LowerCaseManifest >> >> You don't need this line as this is the default @run setting. > > Looks like it's required if there's a @build directive Ok. ------------- PR: https://git.openjdk.java.net/jdk/pull/5841 From weijun at openjdk.java.net Thu Oct 7 15:17:13 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 7 Oct 2021 15:17:13 GMT Subject: RFR: 8273826: Correct Manifest file name and NPE checks [v2] In-Reply-To: References: Message-ID: On Thu, 7 Oct 2021 15:12:33 GMT, Sean Mullan wrote: >> Looks like it's required if there's a @build directive > > Ok. It might be necessary because there is already a `@build` there. ------------- PR: https://git.openjdk.java.net/jdk/pull/5841 From coffeys at openjdk.java.net Thu Oct 7 15:17:15 2021 From: coffeys at openjdk.java.net (Sean Coffey) Date: Thu, 7 Oct 2021 15:17:15 GMT Subject: Integrated: 8273826: Correct Manifest file name and NPE checks In-Reply-To: References: Message-ID: On Wed, 6 Oct 2021 16:58:51 GMT, Sean Coffey wrote: > Use correct manifest file name in the Manifest verifier checks. > Also - extra null check > > The test doesn't reproduce the exact issue reported but should prevent future regressions in this area. This pull request has now been integrated. Changeset: 03a8d342 Author: Sean Coffey URL: https://git.openjdk.java.net/jdk/commit/03a8d342b86e720d3cba08d540182b4ab161fba3 Stats: 139 lines in 5 files changed: 128 ins; 2 del; 9 mod 8273826: Correct Manifest file name and NPE checks Reviewed-by: weijun, hchao, mullan ------------- PR: https://git.openjdk.java.net/jdk/pull/5841 From naoto at openjdk.java.net Thu Oct 7 16:52:13 2021 From: naoto at openjdk.java.net (Naoto Sato) Date: Thu, 7 Oct 2021 16:52:13 GMT Subject: RFR: 8274879: Replace uses of StringBuffer with StringBuilder within java.base classes In-Reply-To: References: Message-ID: On Thu, 9 Sep 2021 06:50:21 GMT, Andrey Turbanov wrote: > StringBuffer is a legacy synchronized class. There are more modern alternatives which perform better: > 1. Plain String concatenation should be preferred > 2. StringBuilder is a direct replacement to StringBuffer which generally have better performance > > In [JDK-8264029](https://bugs.openjdk.java.net/browse/JDK-8264029) I migrated only usages which were automatically detected by IDEA. It turns out there are more usages which can be migrated. src/java.base/share/classes/java/lang/Character.java line 123: > 121: * than U+FFFF are called supplementary characters. The Java > 122: * platform uses the UTF-16 representation in {@code char} arrays and > 123: * in the {@code String} and {@code StringBuilder} classes. In Not sure simple replacement applies here, as `StringBuffer` still uses `UTF-16` representation. You may add `StringBuilder` as well here, but I think you might want to file a CSR to clarify. ------------- PR: https://git.openjdk.java.net/jdk/pull/5432 From amaembo at gmail.com Thu Oct 7 03:29:58 2021 From: amaembo at gmail.com (Tagir Valeev) Date: Thu, 7 Oct 2021 10:29:58 +0700 Subject: RFR: 8274835: Remove unnecessary castings in java.base In-Reply-To: <5cblPwQq4ebGNXXrtO9EoHnSZ_tcsn-EVxfMQMVEjOI=.9936fe80-1b9a-468c-8d3e-80eaad0977be@github.com> References: <5cblPwQq4ebGNXXrtO9EoHnSZ_tcsn-EVxfMQMVEjOI=.9936fe80-1b9a-468c-8d3e-80eaad0977be@github.com> Message-ID: On Thu, Oct 7, 2021 at 12:15 AM Joe Darcy wrote: > Curious. The JDK build is done with javac -Xlint:cast warning enabled (JDK-8032734) which is intended to catch issues like this. Perhaps IntelliJ is using a different (or sharper) analysis. Yes, our analysis is written independently of Javac (mostly by Anna Kozlova) and we had a long history of false-positives/false-negatives in this inspection, so it was tuned many times. It's not nearly simple. For now, it's turned on for the whole IntelliJ IDEA Ultimate repository (a warning causes the CI build to fail). I've found only five explicit suppressions in our codebase. Not sure if all of them are still necessary. > > ------------- > > PR: https://git.openjdk.java.net/jdk/pull/5454 From github.com+18036229+chengjin01 at openjdk.java.net Fri Oct 8 04:53:10 2021 From: github.com+18036229+chengjin01 at openjdk.java.net (Cheng Jin) Date: Fri, 8 Oct 2021 04:53:10 GMT Subject: RFR: 8268129: LibraryLookup::ofDefault leaks symbols from loaded libraries In-Reply-To: <1RwBnwfTi0XsUzPYQHKHTZ7jxgkhgsJfEG28Q33RahA=.6a992ad3-b289-4c93-9dc9-72a948f67581@github.com> References: <1RwBnwfTi0XsUzPYQHKHTZ7jxgkhgsJfEG28Q33RahA=.6a992ad3-b289-4c93-9dc9-72a948f67581@github.com> Message-ID: <-Sgl3wbFP-k2nDAbFsX3fZ9vs_7-Fno-FeyThJ_VBDY=.a6da9845-64ab-4bdf-bd0e-fd8c4ba77da7@github.com> On Wed, 2 Jun 2021 20:13:34 GMT, Maurizio Cimadamore wrote: >> This patch overhauls the library loading mechanism used by the Foreign Linker API. We realized that, while handy, the *default* lookup abstraction (`LibraryLookup::ofDefault`) was behaving inconsistentlt across platforms. >> >> This patch replaces `LibraryLookup` with a simpler `SymbolLookup` abstraction, a functional interface. Crucially, `SymbolLookup` does not concern with library loading, only symbol lookup. For this reason, two factories are added: >> >> * `SymbolLookup::loaderLookup` - which obtains a lookup that can be used to lookup symbols in libraries loaded by current loader >> * `CLinker::systemLookup` - a more stable replacement for the *default* lookup, which looks for symbols in libc.so (or its equivalent in other platforms). The contents of this lookup are unspecified. >> >> Both factories are *restricted*, so they can only be called when `--enable-native-access` is set. > >> _Mailing list message from [Chapman Flack](mailto:chap at anastigmatix.net) on [security-dev](mailto:security-dev at mail.openjdk.java.net):_ >> >> On 06/02/21 13:30, Maurizio Cimadamore wrote: >> >> > This patch replaces `LibraryLookup` with a simpler `SymbolLookup` >> > abstraction, a functional interface. Crucially, `SymbolLookup` does not >> > concern with library loading, only symbol lookup. For this reason, two >> > factories are added: >> >> Hi, >> >> While I am thinking about this, what will be the behavior when the JVM >> itself has been dynamically loaded into an embedding application, and >> launched with the JNI invocation API? >> >> Will there be a *Lookup flavor that is able to find any exported symbol >> known in the embedding environment the JVM was loaded into? (This is the >> sort of condition the Mac OS linker checks when given the -bundle_loader >> option.) >> >> Regards, >> Chapman Flack (maintainer of a project that happens to work that way) > > Hi, > at the moment we don't have plans to add such a lookup, but I believe it should be possible to build such a lookup using `dlopen` and the linker API. I have provided an example elsewhere of how easy it easy to build a wrapper lookup around dlopen/dlsym: > > https://gist.github.com/mcimadamore/0883ea6f4836ae0c1d2a31c48197da1a > > Perhaps something like that could be useful in the use case you mention? Hi @mcimadamore, As you mentioned at https://github.com/openjdk/jdk/pull/4316#issuecomment-853238872, the system lookup is supported by the underlying `NativeLibraries` which also works on OpenJDK16 to support `LibraryLookup::ofDefault`. But my finding is that it `LibraryLookup::ofDefault` works good on AIX (with `libc.a`) in OpenJDK16 but `CLinker.systemLookup()` ended up with `NoSuchElementException` after changing the code in `SystemLookup.java` and `CABI.java` as follows: private static final SymbolLookup syslookup = switch (CABI.current()) { case SysV, LinuxAArch64, MacOsAArch64, AIX -> libLookup(libs -> libs.loadLibrary("syslookup")); case Win64 -> makeWindowsLookup(); // out of line to workaround javac crash }; with a simple test & output: import jdk.incubator.foreign.CLinker; import static jdk.incubator.foreign.CLinker.*; import jdk.incubator.foreign.SymbolLookup; import jdk.incubator.foreign.Addressable; public class Test { private static CLinker clinker = CLinker.getInstance(); private static final SymbolLookup defaultLibLookup = CLinker.systemLookup(); public static void main(String args[]) throws Throwable { Addressable strlenSymbol = defaultLibLookup.lookup("strlen").get(); } } bin/java --enable-native-access=ALL-UNNAMED --add-modules jdk.incubator.foreign -Dforeign.restricted=permit Test WARNING: Using incubator modules: jdk.incubator.foreign Exception in thread "main" java.util.NoSuchElementException: No value present <----- at java.base/java.util.Optional.get(Optional.java:143) at Test.main(Test.java:11) So I am wondering what happened to the system lookup in such case given there should be no fundamental difference in leveraging `NativeLibraries` (I assume the library loading in OpenJDK16 & 17 is the same at this point) unless there is something else new in OpenJDK17 I am unaware of (e.g. the changes in `Lib.gmk` or `lib-std.m4`, or a custom system lookup is required on AIX, etc). Thanks. ------------- PR: https://git.openjdk.java.net/jdk/pull/4316 From weijun at openjdk.java.net Fri Oct 8 07:29:27 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Fri, 8 Oct 2021 07:29:27 GMT Subject: RFR: 8274949: Use String.contains() instead of String.indexOf() in java.base In-Reply-To: References: Message-ID: <2wrfMoUmLw_xar7QqdTGlx3lRRn5ezXWZI3F6MIJoVo=.9e0d608d-6cf2-47ad-ae11-134f5d77bffe@github.com> On Fri, 17 Sep 2021 08:56:47 GMT, Andrey Turbanov wrote: > String.contains was introduced in Java 5. > Some code in java.base still uses old approach with `String.indexOf` to check if String contains specified substring. > I propose to migrate such usages. Makes code shorter and easier to read. security-related change looks fine. ------------- Marked as reviewed by weijun (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/5559 From github.com+741251+turbanoff at openjdk.java.net Fri Oct 8 07:29:27 2021 From: github.com+741251+turbanoff at openjdk.java.net (Andrey Turbanov) Date: Fri, 8 Oct 2021 07:29:27 GMT Subject: RFR: 8274949: Use String.contains() instead of String.indexOf() in java.base Message-ID: String.contains was introduced in Java 5. Some code in java.base still uses old approach with `String.indexOf` to check if String contains specified substring. I propose to migrate such usages. Makes code shorter and easier to read. ------------- Commit messages: - [PATCH] Use String.contains() instead of String.indexOf() in java.base - [PATCH] Use String.contains() instead of String.indexOf() in java.base Changes: https://git.openjdk.java.net/jdk/pull/5559/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5559&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8274949 Stats: 40 lines in 17 files changed: 0 ins; 3 del; 37 mod Patch: https://git.openjdk.java.net/jdk/pull/5559.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5559/head:pull/5559 PR: https://git.openjdk.java.net/jdk/pull/5559 From dfuchs at openjdk.java.net Fri Oct 8 09:38:04 2021 From: dfuchs at openjdk.java.net (Daniel Fuchs) Date: Fri, 8 Oct 2021 09:38:04 GMT Subject: RFR: 8274949: Use String.contains() instead of String.indexOf() in java.base In-Reply-To: References: Message-ID: <2MqVsvFTfYzzjenWPASS0ZB0lzHlnwF3GJ7K8lOqpP0=.db5edd8a-b93e-46b4-a33d-4fe63a96caef@github.com> On Fri, 17 Sep 2021 08:56:47 GMT, Andrey Turbanov wrote: > String.contains was introduced in Java 5. > Some code in java.base still uses old approach with `String.indexOf` to check if String contains specified substring. > I propose to migrate such usages. Makes code shorter and easier to read. Changes to java.net look OK. Did you run tier1, tier2? ------------- Marked as reviewed by dfuchs (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/5559 From vtewari at openjdk.java.net Fri Oct 8 10:15:07 2021 From: vtewari at openjdk.java.net (Vyom Tewari) Date: Fri, 8 Oct 2021 10:15:07 GMT Subject: RFR: 8274949: Use String.contains() instead of String.indexOf() in java.base In-Reply-To: References: Message-ID: On Fri, 17 Sep 2021 08:56:47 GMT, Andrey Turbanov wrote: > String.contains was introduced in Java 5. > Some code in java.base still uses old approach with `String.indexOf` to check if String contains specified substring. > I propose to migrate such usages. Makes code shorter and easier to read. java.net changes look OK to me. ------------- Marked as reviewed by vtewari (Committer). PR: https://git.openjdk.java.net/jdk/pull/5559 From lancea at openjdk.java.net Fri Oct 8 10:20:09 2021 From: lancea at openjdk.java.net (Lance Andersen) Date: Fri, 8 Oct 2021 10:20:09 GMT Subject: RFR: 8274949: Use String.contains() instead of String.indexOf() in java.base In-Reply-To: References: Message-ID: On Fri, 17 Sep 2021 08:56:47 GMT, Andrey Turbanov wrote: > String.contains was introduced in Java 5. > Some code in java.base still uses old approach with `String.indexOf` to check if String contains specified substring. > I propose to migrate such usages. Makes code shorter and easier to read. Marked as reviewed by lancea (Reviewer). ------------- PR: https://git.openjdk.java.net/jdk/pull/5559 From github.com+741251+turbanoff at openjdk.java.net Fri Oct 8 14:01:10 2021 From: github.com+741251+turbanoff at openjdk.java.net (Andrey Turbanov) Date: Fri, 8 Oct 2021 14:01:10 GMT Subject: RFR: 8274949: Use String.contains() instead of String.indexOf() in java.base In-Reply-To: <2MqVsvFTfYzzjenWPASS0ZB0lzHlnwF3GJ7K8lOqpP0=.db5edd8a-b93e-46b4-a33d-4fe63a96caef@github.com> References: <2MqVsvFTfYzzjenWPASS0ZB0lzHlnwF3GJ7K8lOqpP0=.db5edd8a-b93e-46b4-a33d-4fe63a96caef@github.com> Message-ID: On Fri, 8 Oct 2021 09:35:25 GMT, Daniel Fuchs wrote: >Did you run tier1, tier2? I did run tier2. (tier1 is automatically checked by GithubActions). No new tests failed. Only _usual_ tests, which always fail on my machine, were failed. ------------- PR: https://git.openjdk.java.net/jdk/pull/5559 From mcimadamore at openjdk.java.net Fri Oct 8 21:32:12 2021 From: mcimadamore at openjdk.java.net (Maurizio Cimadamore) Date: Fri, 8 Oct 2021 21:32:12 GMT Subject: RFR: 8268129: LibraryLookup::ofDefault leaks symbols from loaded libraries In-Reply-To: <-Sgl3wbFP-k2nDAbFsX3fZ9vs_7-Fno-FeyThJ_VBDY=.a6da9845-64ab-4bdf-bd0e-fd8c4ba77da7@github.com> References: <1RwBnwfTi0XsUzPYQHKHTZ7jxgkhgsJfEG28Q33RahA=.6a992ad3-b289-4c93-9dc9-72a948f67581@github.com> <-Sgl3wbFP-k2nDAbFsX3fZ9vs_7-Fno-FeyThJ_VBDY=.a6da9845-64ab-4bdf-bd0e-fd8c4ba77da7@github.com> Message-ID: On Fri, 8 Oct 2021 04:43:08 GMT, Cheng Jin wrote: > So I am wondering what happened to the system lookup in such case given there should be no fundamental difference in leveraging `NativeLibraries` (I assume the library loading in OpenJDK16 & 17 is the same at this point) unless there is something else new in OpenJDK17 I am unaware of (e.g. the changes in `Lib.gmk` or `lib-std.m4`, or a custom system lookup is required on AIX, etc). Thanks. In 17, SystemLookup loads a specific library that is generated at build time - which contains all the c stdlib symbols. That's what the Lib.gmk changes are for. What I suspect is that the library is not generated at all, or not correctly on AIX, which then causes the system lookup to misbehave. I would start by double checking that you have a file like this: /lib/libsyslookup.so And then, if the library exists, check that it has the right dependency; on my linux it's an empty library, but which depends on libc, libm and libdl: ldd lib/libsyslookup.so linux-vdso.so.1 (0x00007fff2bdf7000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f35f1def000) libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f35f1ca0000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f35f1c9a000) ------------- PR: https://git.openjdk.java.net/jdk/pull/4316 From github.com+18036229+chengjin01 at openjdk.java.net Fri Oct 8 21:49:10 2021 From: github.com+18036229+chengjin01 at openjdk.java.net (Cheng Jin) Date: Fri, 8 Oct 2021 21:49:10 GMT Subject: RFR: 8268129: LibraryLookup::ofDefault leaks symbols from loaded libraries In-Reply-To: References: <1RwBnwfTi0XsUzPYQHKHTZ7jxgkhgsJfEG28Q33RahA=.6a992ad3-b289-4c93-9dc9-72a948f67581@github.com> <-Sgl3wbFP-k2nDAbFsX3fZ9vs_7-Fno-FeyThJ_VBDY=.a6da9845-64ab-4bdf-bd0e-fd8c4ba77da7@github.com> Message-ID: On Fri, 8 Oct 2021 21:29:19 GMT, Maurizio Cimadamore wrote: >> Hi @mcimadamore, >> >> As you mentioned at https://github.com/openjdk/jdk/pull/4316#issuecomment-853238872, the system lookup is supported by the underlying `NativeLibraries` which also works on OpenJDK16 to support `LibraryLookup::ofDefault`. >> >> But my finding is that it `LibraryLookup::ofDefault` works good on AIX (with `libc.a`) in OpenJDK16 but `CLinker.systemLookup()` ended up with `NoSuchElementException` after changing the code in `SystemLookup.java` and `CABI.java` as follows: >> >> private static final SymbolLookup syslookup = switch (CABI.current()) { >> case SysV, LinuxAArch64, MacOsAArch64, AIX -> libLookup(libs -> libs.loadLibrary("syslookup")); >> case Win64 -> makeWindowsLookup(); // out of line to workaround javac crash >> }; >> >> with a simple test & output: >> >> import jdk.incubator.foreign.CLinker; >> import static jdk.incubator.foreign.CLinker.*; >> import jdk.incubator.foreign.SymbolLookup; >> import jdk.incubator.foreign.Addressable; >> >> public class Test { >> private static CLinker clinker = CLinker.getInstance(); >> private static final SymbolLookup defaultLibLookup = CLinker.systemLookup(); >> >> public static void main(String args[]) throws Throwable { >> Addressable strlenSymbol = defaultLibLookup.lookup("strlen").get(); >> } >> } >> >> bin/java --enable-native-access=ALL-UNNAMED --add-modules jdk.incubator.foreign -Dforeign.restricted=permit Test >> WARNING: Using incubator modules: jdk.incubator.foreign >> Exception in thread "main" java.util.NoSuchElementException: No value present <----- >> at java.base/java.util.Optional.get(Optional.java:143) >> at Test.main(Test.java:11) >> >> >> So I am wondering what happened to the system lookup in such case given there should be no fundamental difference in leveraging `NativeLibraries` (I assume the library loading in OpenJDK16 & 17 is the same at this point) unless there is something else new in OpenJDK17 I am unaware of (e.g. the changes in `Lib.gmk` or `lib-std.m4`, or a custom system lookup is required on AIX, etc). Thanks. > >> So I am wondering what happened to the system lookup in such case given there should be no fundamental difference in leveraging `NativeLibraries` (I assume the library loading in OpenJDK16 & 17 is the same at this point) unless there is something else new in OpenJDK17 I am unaware of (e.g. the changes in `Lib.gmk` or `lib-std.m4`, or a custom system lookup is required on AIX, etc). Thanks. > > In 17, SystemLookup loads a specific library that is generated at build time - which contains all the c stdlib symbols. That's what the Lib.gmk changes are for. What I suspect is that the library is not generated at all, or not correctly on AIX, which then causes the system lookup to misbehave. > > I would start by double checking that you have a file like this: > > /lib/libsyslookup.so > > And then, if the library exists, check that it has the right dependency; on my linux it's an empty library, but which depends on libc, libm and libdl: > > > ldd lib/libsyslookup.so > linux-vdso.so.1 (0x00007fff2bdf7000) > libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f35f1def000) > libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f35f1ca0000) > libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f35f1c9a000) Hi @mcimadamore, Here's output of `libsyslookup.so` on AIX: $ ldd ./lib/libsyslookup.so ./lib/libsyslookup.so needs: <--- nothing here $ whereis libc libc: /usr/lib/libc.a /usr/lib/libc128.a /usr/ccs/lib/libc.a So it is high likely that there were no dependencies in this generated library. > perhaps on AIX something similar to what we did for Windows [1] would be better. That's what I thought to be the only way around but might need to figure out the specifics on AIX. ------------- PR: https://git.openjdk.java.net/jdk/pull/4316 From github.com+6776231+talden at openjdk.java.net Sat Oct 9 03:19:09 2021 From: github.com+6776231+talden at openjdk.java.net (Talden) Date: Sat, 9 Oct 2021 03:19:09 GMT Subject: RFR: 8274811: Remove superfluous use of boxing in java.base In-Reply-To: References: Message-ID: On Sat, 11 Sep 2021 12:11:50 GMT, Andrey Turbanov wrote: > Usages of primitive types should be preferred and makes code easier to read. > Similar cleanups: > 1. [JDK-8273168](https://bugs.openjdk.java.net/browse/JDK-8273168) java.desktop > 2. [JDK-8274234](https://bugs.openjdk.java.net/browse/JDK-8274234) java.sql.rowset src/java.base/share/classes/sun/security/tools/keytool/Main.java line 4135: > 4133: if (date != null) { > 4134: if (date.matches("\\d\\d\\d\\d\\/\\d\\d\\/\\d\\d")) { > 4135: c.set(Integer.parseInt(date.substring(0, 4)), Could this, and several of the other cases identified in this PR, be replaced with a call to the `Integer.parseInt(CharSequence, int, int, int)` method to also avoid the String allocation? Though there are enough other places in the JDK where this opportunity seems valuable that maybe it warrants a tracking issue of its own. ------------- PR: https://git.openjdk.java.net/jdk/pull/5481 From darcy at openjdk.java.net Sat Oct 9 19:51:18 2021 From: darcy at openjdk.java.net (Joe Darcy) Date: Sat, 9 Oct 2021 19:51:18 GMT Subject: RFR: 8275003: Suppress warnings on non-serializable non-transient instance fields in windows mscapi Message-ID: Analogous to other recent cleanups like JDK-8274393, suppress warnings for serialization-related issues in the windows mscapi code. ------------- Commit messages: - Applease jcheck. - 8275003: Suppress warnings on non-serializable non-transient instance fields in windows mscapi Changes: https://git.openjdk.java.net/jdk/pull/5879/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5879&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8275003 Stats: 5 lines in 2 files changed: 2 ins; 0 del; 3 mod Patch: https://git.openjdk.java.net/jdk/pull/5879.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5879/head:pull/5879 PR: https://git.openjdk.java.net/jdk/pull/5879 From kustos at gmx.net Sun Oct 10 17:09:20 2021 From: kustos at gmx.net (Philippe Marschall) Date: Sun, 10 Oct 2021 19:09:20 +0200 Subject: Different way to solve 8241047 In-Reply-To: <09c69566-b8ea-9101-ff07-570922098a3e@oracle.com> References: <09c69566-b8ea-9101-ff07-570922098a3e@oracle.com> Message-ID: <076bbb59-39f2-6e5c-9373-ac18b48cca16@gmx.net> On 05.10.21 16:27, Sean Mullan wrote: > Hi Philippe, > > ... > > The method in question has not been removed from 17 so their code should > continue to work as long as the deprecated methods continue to be > overridden. It's unfortunate that the 3rd party library cannot be > changed - is it active? It's the client library of a widely deployed middleware from a well known vendor. The client library does not implement SSLSession but ends up calling #getPeerCertificateChain through the default socket factory. Sometimes it would be fun to to back to uni and write a software that scans the whole of Maven Central for callers of particular methods. > The SSLSession.getPeerCertificateChain() has > been deprecated since Java 9 and marked for removal since Java 13, and > there has been a replacement API available > SSLSession.getPeerCertificates() since Java 1.4. That's a lot of time to > migrate. It wasn't enough time for this particular vendor. > ... > > It is an interesting suggestion and I can see your point. I don't think > there is any fundamental reason we could not change the default > implementation of the SSLSession.getPeerCertificateChain() method, but > since it would be a change to the specification, it could not be > backported to 17. That's more or less what I expected but I thought I had to ask. I think we should be able to work around it by making the client library use a custom socket factory. > Also, these methods are marked for removal, so > changing the default implementation at this point probably doesn't add > much value. It would allow people who rely on third party dependencies that call #getPeerCertificateChain to migrate to JDK 21, assuming it won't be removed until then. If the types and package are removed by JDK 21 then indeed it wouldn't add much value. Cheers Philippe From cancomert at gmail.com Mon Oct 11 11:58:28 2021 From: cancomert at gmail.com (can comert) Date: Mon, 11 Oct 2021 13:58:28 +0200 Subject: JDK-8274471/Incident Report 9166550 : Verification of OCSP Response signed with RSASSA-PSS fails In-Reply-To: References: Message-ID: Hello Andrew, Yes I tested it and I can verify that it works with Java 18 JDK as expected. Thank you very much for your effort. Here is the output of my example program with debug flags enabled: C:\work\java\jdk-18\bin\java.exe -Djava.security.auth.debug=certpath,ocsp start program ... certpath: Verified signature of OCSP Response certpath: OCSP response validity interval is from Mon Oct 11 13:49:56 CEST 2021 until Mon Oct 11 14:49:56 CEST 2021 certpath: Checking validity of OCSP response on Mon Oct 11 13:49:56 CEST 2021 with allowed interval between Mon Oct 11 13:34:56 CEST 2021 and Mon Oct 11 14:04:56 CEST 2021 certpath: -checker7 validation succeeded certpath: cert1 validation succeeded. certpath: Cert path validation succeeded. (PKIX validation algorithm) certpath: -------------------------------------------------------------- ... success end program Best regards, Can Andrew Wang , 10 Eki 2021 Paz, 08:27 tarihinde ?unu yazd?: > Hi Mehmet, > > > > We have fixed the issue. Can you kindly verify the fix by downloading the > latest version of JDK 18 from https://jdk.java.net/18/ and let us know > the results? > > > > Thanks and regards, > > > > Andrew > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From cancomert at gmail.com Mon Oct 11 15:35:14 2021 From: cancomert at gmail.com (can comert) Date: Mon, 11 Oct 2021 17:35:14 +0200 Subject: Integrated: 8274471: Verification of OCSP Response signed with RSASSA-PSS fails In-Reply-To: References: <5_DfeMsAEWMWC8OC1I0K3f17Fbos6D2q2dEYZmZz8hA=.3c2f2516-2130-4efc-a5b2-5ac530051b5a@github.com> Message-ID: Thank you very much! Regards, Can Wei-Jun Wang , 5 Eki 2021 Sal, 22:05 tarihinde ?unu yazd?: > I think it's worth backporting to older LTS releases. Will ask sustaining > on it. > > Thanks, > Weijun > > > On Oct 5, 2021, at 2:36 PM, can comert wrote: > > > > > > Is there any backporting for a LTS version planned? > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From duke at openjdk.java.net Mon Oct 11 20:47:14 2021 From: duke at openjdk.java.net (Andrey Turbanov) Date: Mon, 11 Oct 2021 20:47:14 GMT Subject: RFR: 8275079: Remove unnecessary conversion to String in java.net.http Message-ID: Cleanup unnecessary String.valueOf calls (and similar) when conversion will happen implicitly anyway ------------- Commit messages: - 8275079: Remove unnecessary conversion to String in java.net.http - [PATCH] Remove unnecessary conversion to String Changes: https://git.openjdk.java.net/jdk/pull/5795/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5795&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8275079 Stats: 34 lines in 13 files changed: 0 ins; 3 del; 31 mod Patch: https://git.openjdk.java.net/jdk/pull/5795.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5795/head:pull/5795 PR: https://git.openjdk.java.net/jdk/pull/5795 From weijun at openjdk.java.net Mon Oct 11 20:47:14 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Mon, 11 Oct 2021 20:47:14 GMT Subject: RFR: 8275079: Remove unnecessary conversion to String in java.net.http In-Reply-To: References: Message-ID: <87fb8y4-vNQNzTfuT7k29GdH0VHrOQsJEoCvec5TpCk=.d4dce725-fbd0-4661-b560-e3e90d251c4f@github.com> On Sat, 2 Oct 2021 20:05:37 GMT, Andrey Turbanov wrote: > Cleanup unnecessary String.valueOf calls (and similar) when conversion will happen implicitly anyway Some small comments. src/java.net.http/share/classes/jdk/internal/net/http/Http1AsyncReceiver.java line 738: > 736: if (flowTag != null) { > 737: dbgTag = tag = "Http1AsyncReceiver("+ flowTag + ")"; > 738: } else { If the only use of `flowTag` is `flow` in string, it looks like `flow` is enough. i.e. if (flow != null) { dbgTag = tag = "Http1AsyncReceiver("+ flow + ")"; } src/java.net.http/share/classes/jdk/internal/net/http/Http1Response.java line 831: > 829: @Override > 830: public String toString() { > 831: return super.toString() + "/parser=" + parser; Can we use `super` instead of `super.toString()`? ------------- PR: https://git.openjdk.java.net/jdk/pull/5795 From duke at openjdk.java.net Mon Oct 11 20:47:15 2021 From: duke at openjdk.java.net (Andrey Turbanov) Date: Mon, 11 Oct 2021 20:47:15 GMT Subject: RFR: 8275079: Remove unnecessary conversion to String in java.net.http In-Reply-To: <87fb8y4-vNQNzTfuT7k29GdH0VHrOQsJEoCvec5TpCk=.d4dce725-fbd0-4661-b560-e3e90d251c4f@github.com> References: <87fb8y4-vNQNzTfuT7k29GdH0VHrOQsJEoCvec5TpCk=.d4dce725-fbd0-4661-b560-e3e90d251c4f@github.com> Message-ID: On Mon, 4 Oct 2021 13:39:00 GMT, Weijun Wang wrote: >> Cleanup unnecessary String.valueOf calls (and similar) when conversion will happen implicitly anyway > > src/java.net.http/share/classes/jdk/internal/net/http/Http1AsyncReceiver.java line 738: > >> 736: if (flowTag != null) { >> 737: dbgTag = tag = "Http1AsyncReceiver("+ flowTag + ")"; >> 738: } else { > > If the only use of `flowTag` is `flow` in string, it looks like `flow` is enough. i.e. > > > if (flow != null) { > dbgTag = tag = "Http1AsyncReceiver("+ flow + ")"; > } Good idea. Improved. > src/java.net.http/share/classes/jdk/internal/net/http/Http1Response.java line 831: > >> 829: @Override >> 830: public String toString() { >> 831: return super.toString() + "/parser=" + parser; > > Can we use `super` instead of `super.toString()`? Nope. `super` is not a valid java expression. ------------- PR: https://git.openjdk.java.net/jdk/pull/5795 From duke at openjdk.java.net Mon Oct 11 21:08:49 2021 From: duke at openjdk.java.net (Andrey Turbanov) Date: Mon, 11 Oct 2021 21:08:49 GMT Subject: RFR: 8274879: Replace uses of StringBuffer with StringBuilder within java.base classes In-Reply-To: References: Message-ID: On Thu, 7 Oct 2021 16:48:06 GMT, Naoto Sato wrote: >> StringBuffer is a legacy synchronized class. There are more modern alternatives which perform better: >> 1. Plain String concatenation should be preferred >> 2. StringBuilder is a direct replacement to StringBuffer which generally have better performance >> >> In [JDK-8264029](https://bugs.openjdk.java.net/browse/JDK-8264029) I migrated only usages which were automatically detected by IDEA. It turns out there are more usages which can be migrated. > > src/java.base/share/classes/java/lang/Character.java line 123: > >> 121: * than U+FFFF are called supplementary characters. The Java >> 122: * platform uses the UTF-16 representation in {@code char} arrays and >> 123: * in the {@code String} and {@code StringBuilder} classes. In > > Not sure simple replacement applies here, as `StringBuffer` still uses `UTF-16` representation. You may add `StringBuilder` as well here, but I think you might want to file a CSR to clarify. reverted changes in this spec. ------------- PR: https://git.openjdk.java.net/jdk/pull/5432 From valeriep at openjdk.java.net Mon Oct 11 23:32:26 2021 From: valeriep at openjdk.java.net (Valerie Peng) Date: Mon, 11 Oct 2021 23:32:26 GMT Subject: RFR: 8264849: Add KW and KWP support to PKCS11 provider [v2] In-Reply-To: References: Message-ID: > Anyone has time to review this RFE for adding AES cipher with KW, KWP modes support to SunPKCS11 provider? > > The main changes are in only one new class, i.e. P11KeyWrapCipher.java, which is the CipherSpi impl for the native PKCS11 key wrap mechanisms. When testing against NSS library, it seems that they only support the single part enc/dec PKCS11 APIs, so have to use a new class as existing P11Cipher class relies on the multi part enc/dec PKCS11 APIs and do not support key wrapping/unwrapping. > > The rest are minor code refactoring and updates for the PKCS11 Exception class. > The new regression tests are adapted from existing key wrap regression tests for SunJCE provider. > > Thanks, > Valerie Valerie Peng has updated the pull request incrementally with one additional commit since the last revision: Minor update for review comments. ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5569/files - new: https://git.openjdk.java.net/jdk/pull/5569/files/4268589e..a79c2fd0 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5569&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5569&range=00-01 Stats: 11 lines in 2 files changed: 1 ins; 7 del; 3 mod Patch: https://git.openjdk.java.net/jdk/pull/5569.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5569/head:pull/5569 PR: https://git.openjdk.java.net/jdk/pull/5569 From ascarpino at openjdk.java.net Tue Oct 12 03:56:49 2021 From: ascarpino at openjdk.java.net (Anthony Scarpino) Date: Tue, 12 Oct 2021 03:56:49 GMT Subject: RFR: 8264849: Add KW and KWP support to PKCS11 provider [v2] In-Reply-To: References: Message-ID: <-XqxxpPEkebnEhmbGjdbmYbEk8ht-0O0jcblQdS3L8s=.fb61af05-aadd-4445-8ab9-9de3fea202f8@github.com> On Mon, 11 Oct 2021 23:32:26 GMT, Valerie Peng wrote: >> Anyone has time to review this RFE for adding AES cipher with KW, KWP modes support to SunPKCS11 provider? >> >> The main changes are in only one new class, i.e. P11KeyWrapCipher.java, which is the CipherSpi impl for the native PKCS11 key wrap mechanisms. When testing against NSS library, it seems that they only support the single part enc/dec PKCS11 APIs, so have to use a new class as existing P11Cipher class relies on the multi part enc/dec PKCS11 APIs and do not support key wrapping/unwrapping. >> >> The rest are minor code refactoring and updates for the PKCS11 Exception class. >> The new regression tests are adapted from existing key wrap regression tests for SunJCE provider. >> >> Thanks, >> Valerie > > Valerie Peng has updated the pull request incrementally with one additional commit since the last revision: > > Minor update for review comments. The changes look good ------------- Marked as reviewed by ascarpino (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/5569 From serb at openjdk.java.net Tue Oct 12 07:10:48 2021 From: serb at openjdk.java.net (Sergey Bylokhov) Date: Tue, 12 Oct 2021 07:10:48 GMT Subject: RFR: 8268764: Use Long.hashCode() instead of int-cast where applicable [v4] In-Reply-To: References: Message-ID: On Thu, 1 Jul 2021 12:19:53 GMT, ?????? ??????? wrote: >> In some JDK classes there's still the following hashCode() implementation: >> >> long objNum; >> >> public int hashCode() { >> return (int) objNum; >> } >> >> This outdated expression should be replaced with Long.hashCode(long) as it >> >> - uses all bits of the original value, does not discard any information upfront. For example, depending on how you are generating the IDs, the upper bits could change more frequently (or the opposite). >> >> - does not introduce any bias towards values with more ones (zeros), as it would be the case if the two halves were combined with an OR (AND) operation. >> >> See https://stackoverflow.com/a/4045083 >> >> This is related to https://github.com/openjdk/jdk/pull/4309 > > ?????? ??????? has updated the pull request incrementally with one additional commit since the last revision: > > 8268764: Update copy-right year Marked as reviewed by serb (Reviewer). ------------- PR: https://git.openjdk.java.net/jdk/pull/4491 From dfuchs at openjdk.java.net Tue Oct 12 11:07:52 2021 From: dfuchs at openjdk.java.net (Daniel Fuchs) Date: Tue, 12 Oct 2021 11:07:52 GMT Subject: RFR: 8275079: Remove unnecessary conversion to String in java.net.http In-Reply-To: References: Message-ID: <5FSqzpEvZGf9ySa94vZxYUWWMUmzXNovK-IH_FAgYwY=.fe97f522-7a64-46a4-a673-bdf6378d8052@github.com> On Sat, 2 Oct 2021 20:05:37 GMT, Andrey Turbanov wrote: > Cleanup unnecessary String.valueOf calls (and similar) when conversion will happen implicitly anyway LGTM Hi Andrey - I will sponsor this change. ------------- Marked as reviewed by dfuchs (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/5795 From mcimadamore at openjdk.java.net Tue Oct 12 15:07:55 2021 From: mcimadamore at openjdk.java.net (Maurizio Cimadamore) Date: Tue, 12 Oct 2021 15:07:55 GMT Subject: RFR: 8268129: LibraryLookup::ofDefault leaks symbols from loaded libraries In-Reply-To: References: <1RwBnwfTi0XsUzPYQHKHTZ7jxgkhgsJfEG28Q33RahA=.6a992ad3-b289-4c93-9dc9-72a948f67581@github.com> <-Sgl3wbFP-k2nDAbFsX3fZ9vs_7-Fno-FeyThJ_VBDY=.a6da9845-64ab-4bdf-bd0e-fd8c4ba77da7@github.com> Message-ID: On Fri, 8 Oct 2021 21:45:21 GMT, Cheng Jin wrote: > That's what I thought to be the only way around but might need to figure out the specifics on AIX. Is `libc.a` loadable on AIX (e.g. with System.loadLibrary) ? (Sorry I don't have a machine to test readily available). If so, we might just load `libc` and `libm` and drop the shim library generation on AIX. ------------- PR: https://git.openjdk.java.net/jdk/pull/4316 From duke at openjdk.java.net Tue Oct 12 15:27:55 2021 From: duke at openjdk.java.net (Cheng Jin) Date: Tue, 12 Oct 2021 15:27:55 GMT Subject: RFR: 8268129: LibraryLookup::ofDefault leaks symbols from loaded libraries In-Reply-To: References: <1RwBnwfTi0XsUzPYQHKHTZ7jxgkhgsJfEG28Q33RahA=.6a992ad3-b289-4c93-9dc9-72a948f67581@github.com> <-Sgl3wbFP-k2nDAbFsX3fZ9vs_7-Fno-FeyThJ_VBDY=.a6da9845-64ab-4bdf-bd0e-fd8c4ba77da7@github.com> Message-ID: On Tue, 12 Oct 2021 15:04:02 GMT, Maurizio Cimadamore wrote: > Is libc.a loadable on AIX (e.g. with System.loadLibrary) ? I tried to load `libc.a` and `libc` this way but neither of them works on AIX. e.g. public class StdLibTest { private static CLinker clinker = CLinker.getInstance(); static { System.loadLibrary("libc.a"); <----- } private static final SymbolLookup defaultLibLookup = SymbolLookup.loaderLookup(); public static void main(String args[]) throws Throwable { Addressable strlenSymbol = defaultLibLookup.lookup("strlen").get(); } } $ ./bin/java --enable-native-access=ALL-UNNAMED --add-modules jdk.incubator.foreign -Dforeign.restricted=permit --enable-native-access=ALL-UNNAMED StdLibTest WARNING: Using incubator modules: jdk.incubator.foreign Exception in thread "main" java.lang.UnsatisfiedLinkError: Can't load libc.a <------- at java.base/java.lang.ClassLoader.loadLibrary(ClassLoader.java:1822) at java.base/java.lang.System.loadLibrary(System.java:694) at StdLibTest.(StdLibTest.java:23) and public class StdLibTest { private static CLinker clinker = CLinker.getInstance(); static { System.loadLibrary("libc"); <------- } private static final SymbolLookup defaultLibLookup = SymbolLookup.loaderLookup(); public static void main(String args[]) throws Throwable { Addressable strlenSymbol = defaultLibLookup.lookup("strlen").get(); } } $ ./bin/java --enable-native-access=ALL-UNNAMED --add-modules jdk.incubator.foreign -Dforeign.restricted=permit --enable-native-access=ALL-UNNAMED StdLibTest WARNING: Using incubator modules: jdk.incubator.foreign Exception in thread "main" java.lang.UnsatisfiedLinkError: Can't load libc <------ at java.base/java.lang.ClassLoader.loadLibrary(ClassLoader.java:1822) at java.base/java.lang.System.loadLibrary(System.java:694) at StdLibTest.(StdLibTest.java:23) ------------- PR: https://git.openjdk.java.net/jdk/pull/4316 From aefimov at openjdk.java.net Tue Oct 12 15:43:24 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Tue, 12 Oct 2021 15:43:24 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v3] In-Reply-To: References: Message-ID: > This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. > > The following API classes are added to `java.net.spi` package to facilitate this: > - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. > - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. > - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. > - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. > > More details in [JEP-418](https://openjdk.java.net/jeps/418). > > Testing: new and existing `tier1:tier3` tests Aleksei Efimov has updated the pull request incrementally with two additional commits since the last revision: - Add @since tags to new API classes - Add checks and test for empty stream resolver results ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5822/files - new: https://git.openjdk.java.net/jdk/pull/5822/files/41717fc7..d302a49a Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5822&range=02 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5822&range=01-02 Stats: 150 lines in 6 files changed: 146 ins; 0 del; 4 mod Patch: https://git.openjdk.java.net/jdk/pull/5822.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5822/head:pull/5822 PR: https://git.openjdk.java.net/jdk/pull/5822 From mcimadamore at openjdk.java.net Tue Oct 12 16:37:57 2021 From: mcimadamore at openjdk.java.net (Maurizio Cimadamore) Date: Tue, 12 Oct 2021 16:37:57 GMT Subject: RFR: 8275063: Implementation of Memory Access API (Second incubator) Message-ID: This PR contains the API and implementation changes for JEP-419 [1]. A more detailed description of such changes, to avoid repetitions during the review process, is included as a separate comment. [1] - https://openjdk.java.net/jeps/419 ------------- Commit messages: - Fix issues with Aarch64 VaList implementation - Drop argument type profiling for removed `MemoryAccess` class - Add missing files - Tweak javadoc for MemeorySegment/MemoryAddress::setUtf8String - Initial push from panama/foreign Changes: https://git.openjdk.java.net/jdk/pull/5907/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5907&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8275063 Stats: 14262 lines in 186 files changed: 6583 ins; 5144 del; 2535 mod Patch: https://git.openjdk.java.net/jdk/pull/5907.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5907/head:pull/5907 PR: https://git.openjdk.java.net/jdk/pull/5907 From mcimadamore at openjdk.java.net Tue Oct 12 16:37:57 2021 From: mcimadamore at openjdk.java.net (Maurizio Cimadamore) Date: Tue, 12 Oct 2021 16:37:57 GMT Subject: RFR: 8275063: Implementation of Memory Access API (Second incubator) In-Reply-To: References: Message-ID: <-PiXRcdXSgem16bbZeDqOiJpOJu7FT_FaB8nFYHoGig=.91ba78cb-66d9-4ed3-82e9-184ab4b2616c@github.com> On Tue, 12 Oct 2021 11:16:51 GMT, Maurizio Cimadamore wrote: > This PR contains the API and implementation changes for JEP-419 [1]. A more detailed description of such changes, to avoid repetitions during the review process, is included as a separate comment. > > [1] - https://openjdk.java.net/jeps/419 This PR contains mainly API changes. We have tried to simplify the API, by removing redundant classes and moving functionalities where they belong. Below we list the main changes introduced in this PR. A big thanks to all who helped along the way: @briangoetz, @ChrisHegarty, @FrauBoes, @iwanowww, @JornVernee, @PaulSandoz, @sundararajana and @rose00. ### Value layouts and carriers This is perhaps the biggest change in the API, which has a knock-on effect in other areas as well. In the past, a value layout used to be a fairly *neutral* description of a piece of memory containing a scalar value. A value layout has a size, alignment and endianness. Since a value layout contains no information on *how* the value is to be dereferenced by Java clients, said clients have to specify a *carrier* when obtaining a var handle from a value layout. In this iteration, we have decided to attach carrier types to value layouts - so, in addition to size, alignment and endianness, all value layouts now have a `carrier` accessor, which returns a `j.l.Class`. You will find several hand-specialized version of `ValueLayout`, one for each main carrier type (e.g. `ValueLayout.OfInt` for the `int` carrier). Attaching carrier information to layouts simplifies the API in many ways: * When obtaining a var handle from a layout, it is no longer necessary to provide a carrier; the layout in fact contains all the necessary information for the dereference operation to occur. * Similarly, when linking downcall method handles, the `MethodType` parameter is no longer necessary, as now carrier information can be inferred from the provided `FunctionDescriptor`. * We can express dereference operations in a more general fashion - e.g. `get(ValueLayout.OfInt)` instead of `getInt(ByteOrder)`. Note how the new form is more *complete*. This iteration also adds support for `boolean` and `MemoryAddress` carriers in memory access var handles. ### Layout attributes To help the `CLinker` distinguish between a 32-bit layout modelling to a C `int` and a similar layout modelling a C `float` we have in the past resorted to *layout attributes* - that is, we injected custom classification information in layouts, and then required clients working with the `CLinker` API to only work with such augmented layouts. Because of the changes described above, this is no longer necessary: a layout is always associated with a Java carrier, so the `CLinker` can always disambiguate between `ValueLayout.OfInt` and `ValueLayout.OfFloat` even though they have the same size. For this reason, API support for custom layout attributes has been dropped in this iteration. Similarly, platform-dependent layout constants in `CLinker` have been removed; clients interacting with the foreign linker can simply use the basic layout constants defined in `ValueLayout` (e.g. `JAVA_INT`, `JAVA_FLOAT`, ...) - which is not too different from using the JNI types `jint` and `jfloat`. Of course tools (such as `jextract`) are free to define *custom* layouts which model C type for a specific platform. ### Memory dereference Previous iterations of the API provided ready-made dereference operations as static methods in the `MemoryAccess` class. This class is now removed, and all the dereference operations have been moved to `MemorySegment` and `MemoryAddress`. As mentioned before, the new dereference operations have a new form. Instead of: MemorySegment segment = ... MemoryAccess.getIntAtOffset(segment, /*offset */ 100, /* endianness */ ByteOrder.nativeOrder()); The new API works as follows: MemorySegment segment = ... int val = segment.get(JAVA_INT, /*offset */ 100); Note that the new dereference method is not static, and that parameters such as endianness are now omitted, since clients can just specify the value layout they want to work with. Also, since the new dereference methods are not static, we no longer need the workaround to enable VM argument type profiling (this was necessary to make static methods in `MemoryAccess` class perform reasonably well in the face of profile pollution). The same dereference operations are also available in `MemoryAddress`; when working with native code it might be necessary to dereference a raw pointer. In Java 17, to write a basic comparator function for qsort, the following code is needed: static int qsortCompare(MemoryAddress addr1, MemoryAddress addr2) { return MemoryAccess.getIntAtOffset(MemorySegment.globalNativeSegment(), addr1.toRawLongValue()) - MemoryAccess.getIntAtOffset(MemorySegment.globalNativeSegment(), addr2.toRawLongValue()); With the proposed changes, the above code simplifies to: static int qsortCompare(MemoryAddress addr1, MemoryAddress addr2) { return addr1.get(C_INT, 0) - addr2.get(C_INT, 0); } Which is far more readable. Note that dereferencing a memory address is still a potentially unsafe operation, as an address has no spatia/temporall bounds. For this reason, dereference operation on `MemoryAddress` are marked as *restricted*. ### Memory copy This iteration adds more support for copying Java arrays to and from memory segments. In Java 17, it is possible to copy a Java array into a memory segment, as follows: int[] array = .... MemorySegment segment = ... MemorySegment heapView = MemorySegment.ofArray(array); segment.asSlice(startSegmentOffset, nelems * 4) .copyFrom(heapView.asSlice(startArrayOffset * 4, nelems * 4)) This code snippet is suboptimal for several reasons: * three temporary segments have to be created: the heap view, plus the two slices * note how the code has to carefully slice the source/target segment to make sure that only the desired elements are copied, and at the desired target offset in the segment. * offset in arrays is expressed in elements, whereas offset in segments is expressed in bytes - which calls for potential mistakes. * it is not possible to specify custom endianness/alignment for the copy operation With the changes in this PR, the above code becomes: int[] array = .... MemorySegment segment = ... MemorySegment.copy(array, startArrayOffset, segment, JAVA_INT, startSegmentOffset, nelems); The above code is much simpler, with less potential for mistakes. Also, the extra value layout allows client to inject additional alignment constraints and endianness (if required). ### Role of `MemoryAddress` In Java 17, `MemoryAddress` has a scope accessor. This is useful when reasoning about an address obtained from a memory segment, but is far less useful when thinking about an address received from a native call. While it is possible to model the latter as an address associated with the *global scope*, `MemoryAddress` supports several operations which allow clients to attach spatial and temporal bounds to an address, turning it into a `MemorySegment`. If the address already has a scope, the semantics of some of these operation becomes confusing. For this reason, in this iteration `MemoryAddress` is only used to model raw native addresses. There is no scope associated with a memory address - dereferencing a raw address is always unsafe. This change brings more clarity to API, as `MemoryAddress` is nothing but a simple wrapper around a `long` value. This also means that obtaining a `MemoryAddress` from a heap segment is no longer a possibility; in other words, clients that don't care about native interop should probably just use `MemorySegment` and forget about `MemoryAddress`. ### Downcall method handle safety In Java 17, by-reference parameters to downcall method handles are passed as `MemoryAddress` arguments. This means that e.g. passing a segment by-reference requires a conversion (from segment to memory address, using `MemorySegment::address`). This conversion is lossy, as we lose information about the original memory segment (spatial and temporal bounds). As a result, passing parameter by-reference to downcall method handle is less safe. The changes described in this PR introduce stronger safety guarantees for by-reference parameters. The `CLinker` will now map any such parameter to the `Addressable` type - a common super interface of all things that can be passed by reference. This means clients can pass a memory segment *directly* to a downcall method handle, no conversion required. Because of that, the `CLinker` runtime can make sure that e.g. arguments passed by reference are kept alive for the entire duration of the native call. ### Native symbols In Java 17, looking up a symbol on a native library is done using the `SymbolLookup` interface. This interface used to return a plain `MemoryAddress` (the address of the native function). Given the changes described above, `MemoryAddress` is no longer a great choice: * a `MemoryAddress` now models a raw native memory address, and has no scope * a `MemoryAddress` can be easily dereferenced* For this reason, a new abstraction is added, namely `NativeSymbol`, which is used to model the entry point of a symbol (a function or a global variable) in a native library. A native symbol is `Addressable`, has a name and a resource scope. Since native symbols have a scope, the `CLinker` runtime can make sure that the scope of the native symbol corresponding to the native function being executed cannot be closed prematurely. This effectively allows clients to support safe library loading abstractions which support [deterministic library unloading](https://github.com/sundararajana/panama-jextract-samples/blob/master/dlopen/Dlopen.java). Additionally, we have tweaked the `CLinker::upcallStub` method to also return an *anonymous* `NativeSymbol`, rather than a raw `MemoryAddress`. ### Resource scope tweaks This PR removes the distinction between *implicit* and *explicit* scopes. Now all scopes (except for the *global scope*) are closeable, and can be associated with a `Cleaner`, if required. Another change in the resource scope API is in how temporal scope dependencies are handled. In Java 17 scopes could be acquired and released: MemorySegment segment = ... ResourceScope.Handle segmentHandle = segment.scope().acquire(); try { } finally { segment.scope().release(segmentHandle); } This PR removes the `ResourceScope::acquire` and `ResourceScope::release` methods, and allows instead to capture dependencies between scopes in a more explicit fashion: MemorySegment segment = ... try (ResourceScope criticalScope = ResourceScope.newConfinedScope()) { criticalScope.keepAlive(segment.scope()); } API javadoc: http://cr.openjdk.java.net/~mcimadamore/8275064/javadoc/jdk/incubator/foreign/package-summary.html Specdiff: http://cr.openjdk.java.net/~mcimadamore/8275064/specdiff_out/overview-summary.html ------------- PR: https://git.openjdk.java.net/jdk/pull/5907 From erikj at openjdk.java.net Tue Oct 12 17:03:52 2021 From: erikj at openjdk.java.net (Erik Joelsson) Date: Tue, 12 Oct 2021 17:03:52 GMT Subject: RFR: 8275063: Implementation of Memory Access API (Second incubator) In-Reply-To: References: Message-ID: On Tue, 12 Oct 2021 11:16:51 GMT, Maurizio Cimadamore wrote: > This PR contains the API and implementation changes for JEP-419 [1]. A more detailed description of such changes, to avoid repetitions during the review process, is included as a separate comment. > > [1] - https://openjdk.java.net/jeps/419 Build changes look good. ------------- Marked as reviewed by erikj (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/5907 From fguallini at openjdk.java.net Tue Oct 12 17:12:09 2021 From: fguallini at openjdk.java.net (Fernando Guallini) Date: Tue, 12 Oct 2021 17:12:09 GMT Subject: RFR: 8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security Message-ID: This patch improves code coverage on the following classes: - com.sun.org.apache.xml.internal.security.algorithms.implementations.IntegrityHmac - com.sun.org.apache.xml.internal.security.utils.ElementProxy - com.sun.org.apache.xml.internal.security.keys.KeyInfo The new tests exercise code blocks that are not currently covered by other tests. ------------- Commit messages: - add code coverage to KeyInfo and IntegrityHmac Changes: https://git.openjdk.java.net/jdk/pull/5913/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5913&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8272908 Stats: 253 lines in 3 files changed: 246 ins; 0 del; 7 mod Patch: https://git.openjdk.java.net/jdk/pull/5913.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5913/head:pull/5913 PR: https://git.openjdk.java.net/jdk/pull/5913 From mcimadamore at openjdk.java.net Tue Oct 12 17:30:53 2021 From: mcimadamore at openjdk.java.net (Maurizio Cimadamore) Date: Tue, 12 Oct 2021 17:30:53 GMT Subject: RFR: 8268129: LibraryLookup::ofDefault leaks symbols from loaded libraries In-Reply-To: References: <1RwBnwfTi0XsUzPYQHKHTZ7jxgkhgsJfEG28Q33RahA=.6a992ad3-b289-4c93-9dc9-72a948f67581@github.com> <-Sgl3wbFP-k2nDAbFsX3fZ9vs_7-Fno-FeyThJ_VBDY=.a6da9845-64ab-4bdf-bd0e-fd8c4ba77da7@github.com> Message-ID: On Tue, 12 Oct 2021 15:24:41 GMT, Cheng Jin wrote: > I tried to load `libc.a` and `libc` this way but neither of them works on AIX. Sorry - what I meant is - `System::load`, which accepts a full path and extension. E.g. System.load("/usr/lib/libc.a"); ------------- PR: https://git.openjdk.java.net/jdk/pull/4316 From duke at openjdk.java.net Tue Oct 12 18:14:54 2021 From: duke at openjdk.java.net (Cheng Jin) Date: Tue, 12 Oct 2021 18:14:54 GMT Subject: RFR: 8268129: LibraryLookup::ofDefault leaks symbols from loaded libraries [v7] In-Reply-To: References: Message-ID: On Thu, 3 Jun 2021 20:49:44 GMT, Maurizio Cimadamore wrote: >> This patch overhauls the library loading mechanism used by the Foreign Linker API. We realized that, while handy, the *default* lookup abstraction (`LibraryLookup::ofDefault`) was behaving inconsistentlt across platforms. >> >> This patch replaces `LibraryLookup` with a simpler `SymbolLookup` abstraction, a functional interface. Crucially, `SymbolLookup` does not concern with library loading, only symbol lookup. For this reason, two factories are added: >> >> * `SymbolLookup::loaderLookup` - which obtains a lookup that can be used to lookup symbols in libraries loaded by current loader >> * `CLinker::systemLookup` - a more stable replacement for the *default* lookup, which looks for symbols in libc.so (or its equivalent in other platforms). The contents of this lookup are unspecified. >> >> Both factories are *restricted*, so they can only be called when `--enable-native-access` is set. > > Maurizio Cimadamore has updated the pull request incrementally with one additional commit since the last revision: > > Address review comments on shim lib makefile Just tried with `System.load()` but still ended up with pretty much the same failure given both of them eventually invokes `ClassLoader.loadLibrary` to load the library in which case there is no big difference at this point. static { System.load("/usr/lib/libc.a"); } Exception in thread "main" java.lang.UnsatisfiedLinkError: Can't load /usr/lib/libc.a <---- at java.base/java.lang.ClassLoader.loadLibrary(ClassLoader.java:1793) at java.base/java.lang.System.load(System.java:672) at StdLibTest.(StdLibTest.java:24) ------------- PR: https://git.openjdk.java.net/jdk/pull/4316 From valeriep at openjdk.java.net Tue Oct 12 19:06:47 2021 From: valeriep at openjdk.java.net (Valerie Peng) Date: Tue, 12 Oct 2021 19:06:47 GMT Subject: RFR: 8264849: Add KW and KWP support to PKCS11 provider [v2] In-Reply-To: <-XqxxpPEkebnEhmbGjdbmYbEk8ht-0O0jcblQdS3L8s=.fb61af05-aadd-4445-8ab9-9de3fea202f8@github.com> References: <-XqxxpPEkebnEhmbGjdbmYbEk8ht-0O0jcblQdS3L8s=.fb61af05-aadd-4445-8ab9-9de3fea202f8@github.com> Message-ID: On Tue, 12 Oct 2021 03:54:14 GMT, Anthony Scarpino wrote: > > > The changes look good Thanks much for review! Could you please also review the CSR as well https://bugs.openjdk.java.net/browse/JDK-8274174? ------------- PR: https://git.openjdk.java.net/jdk/pull/5569 From duke at openjdk.java.net Tue Oct 12 19:16:52 2021 From: duke at openjdk.java.net (=?UTF-8?B?0KHQtdGA0LPQtdC5?= =?UTF-8?B?IA==?= =?UTF-8?B?0KbRi9C/0LDQvdC+0LI=?=) Date: Tue, 12 Oct 2021 19:16:52 GMT Subject: Integrated: 8268764: Use Long.hashCode() instead of int-cast where applicable In-Reply-To: References: Message-ID: On Tue, 15 Jun 2021 12:15:11 GMT, ?????? ??????? wrote: > In some JDK classes there's still the following hashCode() implementation: > > long objNum; > > public int hashCode() { > return (int) objNum; > } > > This outdated expression should be replaced with Long.hashCode(long) as it > > - uses all bits of the original value, does not discard any information upfront. For example, depending on how you are generating the IDs, the upper bits could change more frequently (or the opposite). > > - does not introduce any bias towards values with more ones (zeros), as it would be the case if the two halves were combined with an OR (AND) operation. > > See https://stackoverflow.com/a/4045083 > > This is related to https://github.com/openjdk/jdk/pull/4309 This pull request has now been integrated. Changeset: 124f8237 Author: Sergey Tsypanov Committer: Sergey Bylokhov URL: https://git.openjdk.java.net/jdk/commit/124f82377ba93359bc59118ee315ba194080fa92 Stats: 21 lines in 9 files changed: 6 ins; 0 del; 15 mod 8268764: Use Long.hashCode() instead of int-cast where applicable Reviewed-by: kevinw, prr, kizune, serb ------------- PR: https://git.openjdk.java.net/jdk/pull/4491 From duke at openjdk.java.net Tue Oct 12 20:39:13 2021 From: duke at openjdk.java.net (Andrey Turbanov) Date: Tue, 12 Oct 2021 20:39:13 GMT Subject: RFR: 8274879: Replace uses of StringBuffer with StringBuilder within java.base classes [v2] In-Reply-To: References: Message-ID: > StringBuffer is a legacy synchronized class. There are more modern alternatives which perform better: > 1. Plain String concatenation should be preferred > 2. StringBuilder is a direct replacement to StringBuffer which generally have better performance > > In [JDK-8264029](https://bugs.openjdk.java.net/browse/JDK-8264029) I migrated only usages which were automatically detected by IDEA. It turns out there are more usages which can be migrated. Andrey Turbanov has updated the pull request incrementally with one additional commit since the last revision: 8274879: Replace uses of StringBuffer with StringBuilder within java.base classes revert changes in spec to avoid CSR ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5432/files - new: https://git.openjdk.java.net/jdk/pull/5432/files/14005d1d..c8d68c2a Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5432&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5432&range=00-01 Stats: 1 line in 1 file changed: 0 ins; 0 del; 1 mod Patch: https://git.openjdk.java.net/jdk/pull/5432.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5432/head:pull/5432 PR: https://git.openjdk.java.net/jdk/pull/5432 From naoto at openjdk.java.net Tue Oct 12 20:39:14 2021 From: naoto at openjdk.java.net (Naoto Sato) Date: Tue, 12 Oct 2021 20:39:14 GMT Subject: RFR: 8274879: Replace uses of StringBuffer with StringBuilder within java.base classes [v2] In-Reply-To: References: Message-ID: On Mon, 11 Oct 2021 21:05:46 GMT, Andrey Turbanov wrote: >> src/java.base/share/classes/java/lang/Character.java line 123: >> >>> 121: * than U+FFFF are called supplementary characters. The Java >>> 122: * platform uses the UTF-16 representation in {@code char} arrays and >>> 123: * in the {@code String} and {@code StringBuilder} classes. In >> >> Not sure simple replacement applies here, as `StringBuffer` still uses `UTF-16` representation. You may add `StringBuilder` as well here, but I think you might want to file a CSR to clarify. > > reverted changes in this spec. Did you modify the PR? I am unable to locate the revert. ------------- PR: https://git.openjdk.java.net/jdk/pull/5432 From duke at openjdk.java.net Tue Oct 12 20:39:14 2021 From: duke at openjdk.java.net (Andrey Turbanov) Date: Tue, 12 Oct 2021 20:39:14 GMT Subject: RFR: 8274879: Replace uses of StringBuffer with StringBuilder within java.base classes [v2] In-Reply-To: References: Message-ID: On Tue, 12 Oct 2021 20:33:20 GMT, Naoto Sato wrote: >> reverted changes in this spec. > > Did you modify the PR? I am unable to locate the revert. Oops. Forgot to push ------------- PR: https://git.openjdk.java.net/jdk/pull/5432 From mcimadamore at openjdk.java.net Tue Oct 12 20:41:00 2021 From: mcimadamore at openjdk.java.net (Maurizio Cimadamore) Date: Tue, 12 Oct 2021 20:41:00 GMT Subject: RFR: 8268129: LibraryLookup::ofDefault leaks symbols from loaded libraries [v7] In-Reply-To: References: Message-ID: <7hT9Tr0x6g2JNV1_rqMhinm1FDaIiYtsVYtvR8__RkA=.45963198-0705-490e-86e1-486b6e140a12@github.com> On Tue, 12 Oct 2021 18:11:56 GMT, Cheng Jin wrote: > Just tried with `System.load()` but still ended up with pretty much the same failure given both of them eventually invokes `ClassLoader.loadLibrary` to load the library in which case there is no big difference at this point. Yes and no. System::loadLibrary wants a library name (no extension). It will add a library prefix (e.g. `lib` on linux) and a library suffix (e.g. `.so` on linux). So, if you do: System.loadLibrary("c") You will end up with `libc.so`. The `System::loadLibrary` logic will then try to find that file in any of the known library paths. `System.load` avoids this by accepting the full path of the library. So there's no guessing the path, nor guessing of prefix/suffix. But it seems like loading still fails, likely because we try to load this library with `dlopen` but this is a static library, so for `dlopen` it just doesn't make sense. ------------- PR: https://git.openjdk.java.net/jdk/pull/4316 From naoto at openjdk.java.net Tue Oct 12 20:46:50 2021 From: naoto at openjdk.java.net (Naoto Sato) Date: Tue, 12 Oct 2021 20:46:50 GMT Subject: RFR: 8274879: Replace uses of StringBuffer with StringBuilder within java.base classes [v2] In-Reply-To: References: Message-ID: On Tue, 12 Oct 2021 20:39:13 GMT, Andrey Turbanov wrote: >> StringBuffer is a legacy synchronized class. There are more modern alternatives which perform better: >> 1. Plain String concatenation should be preferred >> 2. StringBuilder is a direct replacement to StringBuffer which generally have better performance >> >> In [JDK-8264029](https://bugs.openjdk.java.net/browse/JDK-8264029) I migrated only usages which were automatically detected by IDEA. It turns out there are more usages which can be migrated. > > Andrey Turbanov has updated the pull request incrementally with one additional commit since the last revision: > > 8274879: Replace uses of StringBuffer with StringBuilder within java.base classes > revert changes in spec to avoid CSR Marked as reviewed by naoto (Reviewer). ------------- PR: https://git.openjdk.java.net/jdk/pull/5432 From duke at openjdk.java.net Tue Oct 12 20:49:56 2021 From: duke at openjdk.java.net (Cheng Jin) Date: Tue, 12 Oct 2021 20:49:56 GMT Subject: RFR: 8268129: LibraryLookup::ofDefault leaks symbols from loaded libraries [v7] In-Reply-To: References: Message-ID: On Thu, 3 Jun 2021 20:49:44 GMT, Maurizio Cimadamore wrote: >> This patch overhauls the library loading mechanism used by the Foreign Linker API. We realized that, while handy, the *default* lookup abstraction (`LibraryLookup::ofDefault`) was behaving inconsistentlt across platforms. >> >> This patch replaces `LibraryLookup` with a simpler `SymbolLookup` abstraction, a functional interface. Crucially, `SymbolLookup` does not concern with library loading, only symbol lookup. For this reason, two factories are added: >> >> * `SymbolLookup::loaderLookup` - which obtains a lookup that can be used to lookup symbols in libraries loaded by current loader >> * `CLinker::systemLookup` - a more stable replacement for the *default* lookup, which looks for symbols in libc.so (or its equivalent in other platforms). The contents of this lookup are unspecified. >> >> Both factories are *restricted*, so they can only be called when `--enable-native-access` is set. > > Maurizio Cimadamore has updated the pull request incrementally with one additional commit since the last revision: > > Address review comments on shim lib makefile If so, I am wondering whether there is anything else left (inherited from JDK16) in JDK17 we can leverage to support `libc.a` on AIX except the way similar to Windows. ------------- PR: https://git.openjdk.java.net/jdk/pull/4316 From mcimadamore at openjdk.java.net Tue Oct 12 20:51:02 2021 From: mcimadamore at openjdk.java.net (Maurizio Cimadamore) Date: Tue, 12 Oct 2021 20:51:02 GMT Subject: RFR: 8275063: Implementation of Foreign Function & Memory API (Second incubator) [v2] In-Reply-To: References: Message-ID: > This PR contains the API and implementation changes for JEP-419 [1]. A more detailed description of such changes, to avoid repetitions during the review process, is included as a separate comment. > > [1] - https://openjdk.java.net/jeps/419 Maurizio Cimadamore has updated the pull request incrementally with one additional commit since the last revision: Fix TestLinkToNativeRBP test ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5907/files - new: https://git.openjdk.java.net/jdk/pull/5907/files/be0dd36e..23f69054 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5907&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5907&range=00-01 Stats: 7 lines in 1 file changed: 1 ins; 4 del; 2 mod Patch: https://git.openjdk.java.net/jdk/pull/5907.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5907/head:pull/5907 PR: https://git.openjdk.java.net/jdk/pull/5907 From jvernee at openjdk.java.net Tue Oct 12 21:30:53 2021 From: jvernee at openjdk.java.net (Jorn Vernee) Date: Tue, 12 Oct 2021 21:30:53 GMT Subject: RFR: 8268129: LibraryLookup::ofDefault leaks symbols from loaded libraries [v7] In-Reply-To: References: Message-ID: On Thu, 3 Jun 2021 20:49:44 GMT, Maurizio Cimadamore wrote: >> This patch overhauls the library loading mechanism used by the Foreign Linker API. We realized that, while handy, the *default* lookup abstraction (`LibraryLookup::ofDefault`) was behaving inconsistentlt across platforms. >> >> This patch replaces `LibraryLookup` with a simpler `SymbolLookup` abstraction, a functional interface. Crucially, `SymbolLookup` does not concern with library loading, only symbol lookup. For this reason, two factories are added: >> >> * `SymbolLookup::loaderLookup` - which obtains a lookup that can be used to lookup symbols in libraries loaded by current loader >> * `CLinker::systemLookup` - a more stable replacement for the *default* lookup, which looks for symbols in libc.so (or its equivalent in other platforms). The contents of this lookup are unspecified. >> >> Both factories are *restricted*, so they can only be called when `--enable-native-access` is set. > > Maurizio Cimadamore has updated the pull request incrementally with one additional commit since the last revision: > > Address review comments on shim lib makefile I think the reason it worked in JDK 16 is because all the symbols in the JVM were visible through the system lookup, and the JVM statically links the standard library (AFAIU). So, just because the VM code depended on something, it could be loaded by the system lookup. But, that would mean that not all symbols in the standard library were visible... and also, being able to find _any_ symbol in the JVM was a bug. I think the only solution here - assuming that libc is not available as a dynamic library on typical AIX systems - is to figure out how to repackage these static libraries as a dynamic library, retaining all the symbols, and then bundle that dynamic library with the JDK. ------------- PR: https://git.openjdk.java.net/jdk/pull/4316 From psandoz at openjdk.java.net Wed Oct 13 00:06:03 2021 From: psandoz at openjdk.java.net (Paul Sandoz) Date: Wed, 13 Oct 2021 00:06:03 GMT Subject: RFR: 8275063: Implementation of Foreign Function & Memory API (Second incubator) [v2] In-Reply-To: References: Message-ID: On Tue, 12 Oct 2021 20:51:02 GMT, Maurizio Cimadamore wrote: >> This PR contains the API and implementation changes for JEP-419 [1]. A more detailed description of such changes, to avoid repetitions during the review process, is included as a separate comment. >> >> [1] - https://openjdk.java.net/jeps/419 > > Maurizio Cimadamore has updated the pull request incrementally with one additional commit since the last revision: > > Fix TestLinkToNativeRBP test Like with previous reviews of code for Panama JEPs there are not many comments on this PR, since prior reviews occurred for PRs in the panama-foreign repo. src/jdk.incubator.foreign/share/classes/jdk/incubator/foreign/CLinker.java line 77: > 75: * Furthermore, if the function descriptor's return layout is a group layout, the resulting downcall method handle accepts > 76: * an extra parameter of type {@link SegmentAllocator}, which is used by the linker runtime to allocate the > 77: * memory region associated with the struct returned by the downcall method handle. Suggestion: * memory region associated with the struct returned by the downcall method handle. src/jdk.incubator.foreign/share/classes/jdk/incubator/foreign/CLinker.java line 88: > 86: * in which the specialized signature of a given variable arity callsite is described in full. Alternatively, > 87: * if the foreign library allows it, clients might also be able to interact with variable arity methods > 88: * using by passing a trailing parameter of type {@link VaList}. Suggestion: * by passing a trailing parameter of type {@link VaList}. src/jdk.incubator.foreign/share/classes/jdk/incubator/foreign/CLinker.java line 145: > 143: * Lookup a symbol in the standard libraries associated with this linker. > 144: * The set of symbols available for lookup is unspecified, as it depends on the platform and on the operating system. > 145: * @return a linker-specific library lookup which is suitable to find symbols in the standard libraries associated with this linker. Suggestion: * @return a symbol in the standard libraries associated with this linker. src/jdk.incubator.foreign/share/classes/jdk/incubator/foreign/FunctionDescriptor.java line 93: > 91: Objects.requireNonNull(argLayouts); > 92: Arrays.stream(argLayouts).forEach(Objects::requireNonNull); > 93: return new FunctionDescriptor(null, argLayouts); We need to clone `argLayouts`, otherwise the user can modify the contents. Internally, using `List.of` is useful, since it does the cloning and null checks, and that is the type that is returned. Also `argumentLayouts` uses `Arrays.asList` which supports modification of the contents. src/jdk.incubator.foreign/share/classes/jdk/incubator/foreign/SegmentAllocator.java line 394: > 392: *

> 393: * The returned allocator might throw an {@link OutOfMemoryError} if the total memory allocated with this allocator > 394: * exceeds the arena size, or the system capacity. Furthermore, the returned allocator is not thread safe, and all The "the returned allocator is not thread safe" contradicts the prior sentence "An allocator associated with a shared resource scope is thread-safe and allocation requests may be performed concurrently". Perhaps just say: "

The returned allocator is not thread safe if the given scope is a shared scope. Concurrent allocation needs to be guarded with synchronization primitives. " src/jdk.incubator.foreign/share/classes/jdk/internal/foreign/AbstractMemorySegmentImpl.java line 260: > 258: > 259: @Override > 260: public final MemorySegment asOverlappingSlice(MemorySegment other) { Please ignore these comments if you wish. Adding `max() // exclusive` to complement `min()` might be useful. In these cases i find it easier to sort the segments e.g. `var a = this; var b = other; if (a.min() > b.min()) { // swap a and b }` then the subsequent logic tends to get simpler e.g. overlap test is `if (b.min() < a.max())`, `segmentOffset` is always +ve. src/jdk.incubator.foreign/share/classes/jdk/internal/foreign/ConfinedScope.java line 100: > 98: do { > 99: value = (int)ASYNC_RELEASE_COUNT.getVolatile(this); > 100: } while (!ASYNC_RELEASE_COUNT.compareAndSet(this, value, value + 1)); Use `getAndAdd` (and ignore the return value). ------------- PR: https://git.openjdk.java.net/jdk/pull/5907 From jpai at openjdk.java.net Wed Oct 13 10:56:57 2021 From: jpai at openjdk.java.net (Jaikiran Pai) Date: Wed, 13 Oct 2021 10:56:57 GMT Subject: RFR: 8254267: javax/xml/crypto/dsig/LogParameters.java failed with "RuntimeException: Unexpected log output:" Message-ID: <9cVLLUA43Is2mOdOhmCk2w5-Ih600NiRd6yPtTxZIEc=.a848e303-8c82-4264-8d15-be55821209b1@github.com> The commit here tries to address an intermittent failure reported in https://bugs.openjdk.java.net/browse/JDK-8254267. The `LogParameters` test case sets the log level to `ALL` for the `java.lang.String.class` and then attaches a handler to it. It then proceeds to write out a log message at `DEBUG` level and expects the log message to have been delivered to the handler. This should all work fine and does work fine except for those intermittent failures. Looking at the output attached in that JBS issue, there's this: command: main LogParameters reason: Assumed action based on file name: run main LogParameters Mode: agentvm which states that the test is using `agentvm` mode, since the test itself doesn't specify a specific mode. For a test like this one which deals with log level management of `java.util.logging` infrastructure, in theory, there are chances that some other tests within the same JVM instance might impact the output and can potentially contribute to intermittent failures like this one. The commit in this PR tries to address that issue by explicitly running the test in `othervm` mode. P.S: Every once in a while my logins to JBS don't work and if I just wait for a few hours, things get sorted on its own. Today is one such occasion - successful login, but it still shows me as logged out and doesn't allow me to do anything. So I decided to directly create this PR instead of first commenting there. ------------- Commit messages: - 8254267: javax/xml/crypto/dsig/LogParameters.java failed with "RuntimeException: Unexpected log output:" Changes: https://git.openjdk.java.net/jdk/pull/5927/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5927&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8254267 Stats: 3 lines in 1 file changed: 1 ins; 0 del; 2 mod Patch: https://git.openjdk.java.net/jdk/pull/5927.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5927/head:pull/5927 PR: https://git.openjdk.java.net/jdk/pull/5927 From mcimadamore at openjdk.java.net Wed Oct 13 12:07:58 2021 From: mcimadamore at openjdk.java.net (Maurizio Cimadamore) Date: Wed, 13 Oct 2021 12:07:58 GMT Subject: RFR: 8275063: Implementation of Foreign Function & Memory API (Second incubator) [v3] In-Reply-To: References: Message-ID: > This PR contains the API and implementation changes for JEP-419 [1]. A more detailed description of such changes, to avoid repetitions during the review process, is included as a separate comment. > > [1] - https://openjdk.java.net/jeps/419 Maurizio Cimadamore has updated the pull request incrementally with one additional commit since the last revision: Apply suggestions from code review Co-authored-by: Paul Sandoz ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5907/files - new: https://git.openjdk.java.net/jdk/pull/5907/files/23f69054..d6bf27ff Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5907&range=02 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5907&range=01-02 Stats: 3 lines in 1 file changed: 0 ins; 0 del; 3 mod Patch: https://git.openjdk.java.net/jdk/pull/5907.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5907/head:pull/5907 PR: https://git.openjdk.java.net/jdk/pull/5907 From mcimadamore at openjdk.java.net Wed Oct 13 12:48:06 2021 From: mcimadamore at openjdk.java.net (Maurizio Cimadamore) Date: Wed, 13 Oct 2021 12:48:06 GMT Subject: RFR: 8275063: Implementation of Foreign Function & Memory API (Second incubator) [v4] In-Reply-To: References: Message-ID: > This PR contains the API and implementation changes for JEP-419 [1]. A more detailed description of such changes, to avoid repetitions during the review process, is included as a separate comment. > > [1] - https://openjdk.java.net/jeps/419 Maurizio Cimadamore has updated the pull request incrementally with one additional commit since the last revision: Address review comments ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5907/files - new: https://git.openjdk.java.net/jdk/pull/5907/files/d6bf27ff..27e71ee7 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5907&range=03 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5907&range=02-03 Stats: 35 lines in 4 files changed: 8 ins; 11 del; 16 mod Patch: https://git.openjdk.java.net/jdk/pull/5907.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5907/head:pull/5907 PR: https://git.openjdk.java.net/jdk/pull/5907 From mullan at openjdk.java.net Wed Oct 13 13:50:13 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Wed, 13 Oct 2021 13:50:13 GMT Subject: RFR: 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key Message-ID: This fix improves the exception message to better indicate when the key (and not the signature algorithm) is restricted. This change also includes a few other improvements: - The constraints checking in `AlgorithmChecker.check()` has been improved. If the `AlgorithmConstraints` are an instance of `DisabledAlgorithmConstraints`, the internal `permits` methods are always called; otherwise the public `permits` methods are called. This makes the code easier to understand, and fixes at least one case where duplicate checks were being done. - The above change caused some of the exception messages to be slightly different, so some tests that checked the error messages had to be updated to reflect that. - AlgorithmDecomposer now stores the canonical algorithm names in a Map, which fixed a bug where "RSASSA-PSS" was not being restricted properly. ------------- Commit messages: - Remove trailing whitespace. - 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key Changes: https://git.openjdk.java.net/jdk/pull/5928/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5928&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8243585 Stats: 175 lines in 8 files changed: 66 ins; 57 del; 52 mod Patch: https://git.openjdk.java.net/jdk/pull/5928.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5928/head:pull/5928 PR: https://git.openjdk.java.net/jdk/pull/5928 From weijun at openjdk.java.net Wed Oct 13 14:03:49 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Wed, 13 Oct 2021 14:03:49 GMT Subject: RFR: 8254267: javax/xml/crypto/dsig/LogParameters.java failed with "RuntimeException: Unexpected log output:" In-Reply-To: <9cVLLUA43Is2mOdOhmCk2w5-Ih600NiRd6yPtTxZIEc=.a848e303-8c82-4264-8d15-be55821209b1@github.com> References: <9cVLLUA43Is2mOdOhmCk2w5-Ih600NiRd6yPtTxZIEc=.a848e303-8c82-4264-8d15-be55821209b1@github.com> Message-ID: On Wed, 13 Oct 2021 10:49:57 GMT, Jaikiran Pai wrote: > The commit here tries to address an intermittent failure reported in https://bugs.openjdk.java.net/browse/JDK-8254267. > > The `LogParameters` test case sets the log level to `ALL` for the `java.lang.String.class` and then attaches a handler to it. It then proceeds to write out a log message at `DEBUG` level and expects the log message to have been delivered to the handler. This should all work fine and does work fine except for those intermittent failures. > > Looking at the output attached in that JBS issue, there's this: > > > command: main LogParameters > reason: Assumed action based on file name: run main LogParameters > Mode: agentvm > > which states that the test is using `agentvm` mode, since the test itself doesn't specify a specific mode. For a test like this one which deals with log level management of `java.util.logging` infrastructure, in theory, there are chances that some other tests within the same JVM instance might impact the output and can potentially contribute to intermittent failures like this one. > > The commit in this PR tries to address that issue by explicitly running the test in `othervm` mode. > > P.S: Every once in a while my logins to JBS don't work and if I just wait for a few hours, things get sorted on its own. Today is one such occasion - successful login, but it still shows me as logged out and doesn't allow me to do anything. So I decided to directly create this PR instead of first commenting there. Thanks for looking into this bug. The test was written by me and I have always wondering why it could fail again and again. Your explanation might be the reason so let's give it a try. Approved. test/jdk/javax/xml/crypto/dsig/LogParameters.java line 2: > 1: /* > 2: * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved. It should be "2020, 2021,". ------------- Marked as reviewed by weijun (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/5927 From jpai at openjdk.java.net Wed Oct 13 14:22:16 2021 From: jpai at openjdk.java.net (Jaikiran Pai) Date: Wed, 13 Oct 2021 14:22:16 GMT Subject: RFR: 8254267: javax/xml/crypto/dsig/LogParameters.java failed with "RuntimeException: Unexpected log output:" [v2] In-Reply-To: <9cVLLUA43Is2mOdOhmCk2w5-Ih600NiRd6yPtTxZIEc=.a848e303-8c82-4264-8d15-be55821209b1@github.com> References: <9cVLLUA43Is2mOdOhmCk2w5-Ih600NiRd6yPtTxZIEc=.a848e303-8c82-4264-8d15-be55821209b1@github.com> Message-ID: > The commit here tries to address an intermittent failure reported in https://bugs.openjdk.java.net/browse/JDK-8254267. > > The `LogParameters` test case sets the log level to `ALL` for the `java.lang.String.class` and then attaches a handler to it. It then proceeds to write out a log message at `DEBUG` level and expects the log message to have been delivered to the handler. This should all work fine and does work fine except for those intermittent failures. > > Looking at the output attached in that JBS issue, there's this: > > > command: main LogParameters > reason: Assumed action based on file name: run main LogParameters > Mode: agentvm > > which states that the test is using `agentvm` mode, since the test itself doesn't specify a specific mode. For a test like this one which deals with log level management of `java.util.logging` infrastructure, in theory, there are chances that some other tests within the same JVM instance might impact the output and can potentially contribute to intermittent failures like this one. > > The commit in this PR tries to address that issue by explicitly running the test in `othervm` mode. > > P.S: Every once in a while my logins to JBS don't work and if I just wait for a few hours, things get sorted on its own. Today is one such occasion - successful login, but it still shows me as logged out and doesn't allow me to do anything. So I decided to directly create this PR instead of first commenting there. Jaikiran Pai has updated the pull request incrementally with one additional commit since the last revision: fix copyright year ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5927/files - new: https://git.openjdk.java.net/jdk/pull/5927/files/856c361a..2213629b Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5927&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5927&range=00-01 Stats: 1 line in 1 file changed: 0 ins; 0 del; 1 mod Patch: https://git.openjdk.java.net/jdk/pull/5927.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5927/head:pull/5927 PR: https://git.openjdk.java.net/jdk/pull/5927 From jpai at openjdk.java.net Wed Oct 13 14:22:17 2021 From: jpai at openjdk.java.net (Jaikiran Pai) Date: Wed, 13 Oct 2021 14:22:17 GMT Subject: RFR: 8254267: javax/xml/crypto/dsig/LogParameters.java failed with "RuntimeException: Unexpected log output:" [v2] In-Reply-To: References: <9cVLLUA43Is2mOdOhmCk2w5-Ih600NiRd6yPtTxZIEc=.a848e303-8c82-4264-8d15-be55821209b1@github.com> Message-ID: On Wed, 13 Oct 2021 14:00:35 GMT, Weijun Wang wrote: >> Jaikiran Pai has updated the pull request incrementally with one additional commit since the last revision: >> >> fix copyright year > > test/jdk/javax/xml/crypto/dsig/LogParameters.java line 2: > >> 1: /* >> 2: * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved. > > It should be "2020, 2021,". Indeed. Updated the PR to fix this now. ------------- PR: https://git.openjdk.java.net/jdk/pull/5927 From rhalade at openjdk.java.net Wed Oct 13 16:20:48 2021 From: rhalade at openjdk.java.net (Rajan Halade) Date: Wed, 13 Oct 2021 16:20:48 GMT Subject: RFR: 8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security In-Reply-To: References: Message-ID: On Tue, 12 Oct 2021 17:04:27 GMT, Fernando Guallini wrote: > This patch improves code coverage on the following classes: > - com.sun.org.apache.xml.internal.security.algorithms.implementations.IntegrityHmac > - com.sun.org.apache.xml.internal.security.utils.ElementProxy > - com.sun.org.apache.xml.internal.security.keys.KeyInfo > > The new tests exercise code blocks that are not currently covered by other tests. test/jdk/com/sun/org/apache/xml/internal/security/SignatureKeyInfo.java line 117: > 115: doc.getElementsByTagNameNS(NS, "Signature"); > 116: if (nl.getLength() == 0) { > 117: throw new Exception("Could not find signature Element"); update this to RuntimeException ------------- PR: https://git.openjdk.java.net/jdk/pull/5913 From rhalade at openjdk.java.net Wed Oct 13 16:28:51 2021 From: rhalade at openjdk.java.net (Rajan Halade) Date: Wed, 13 Oct 2021 16:28:51 GMT Subject: RFR: 8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security In-Reply-To: References: Message-ID: On Tue, 12 Oct 2021 17:04:27 GMT, Fernando Guallini wrote: > This patch improves code coverage on the following classes: > - com.sun.org.apache.xml.internal.security.algorithms.implementations.IntegrityHmac > - com.sun.org.apache.xml.internal.security.utils.ElementProxy > - com.sun.org.apache.xml.internal.security.keys.KeyInfo > > The new tests exercise code blocks that are not currently covered by other tests. Marked as reviewed by rhalade (Reviewer). ------------- PR: https://git.openjdk.java.net/jdk/pull/5913 From dfuchs at openjdk.java.net Wed Oct 13 17:12:53 2021 From: dfuchs at openjdk.java.net (Daniel Fuchs) Date: Wed, 13 Oct 2021 17:12:53 GMT Subject: RFR: 8254267: javax/xml/crypto/dsig/LogParameters.java failed with "RuntimeException: Unexpected log output:" [v2] In-Reply-To: References: <9cVLLUA43Is2mOdOhmCk2w5-Ih600NiRd6yPtTxZIEc=.a848e303-8c82-4264-8d15-be55821209b1@github.com> Message-ID: On Wed, 13 Oct 2021 14:22:16 GMT, Jaikiran Pai wrote: >> The commit here tries to address an intermittent failure reported in https://bugs.openjdk.java.net/browse/JDK-8254267. >> >> The `LogParameters` test case sets the log level to `ALL` for the `java.lang.String.class` and then attaches a handler to it. It then proceeds to write out a log message at `DEBUG` level and expects the log message to have been delivered to the handler. This should all work fine and does work fine except for those intermittent failures. >> >> Looking at the output attached in that JBS issue, there's this: >> >> >> command: main LogParameters >> reason: Assumed action based on file name: run main LogParameters >> Mode: agentvm >> >> which states that the test is using `agentvm` mode, since the test itself doesn't specify a specific mode. For a test like this one which deals with log level management of `java.util.logging` infrastructure, in theory, there are chances that some other tests within the same JVM instance might impact the output and can potentially contribute to intermittent failures like this one. >> >> The commit in this PR tries to address that issue by explicitly running the test in `othervm` mode. >> >> P.S: Every once in a while my logins to JBS don't work and if I just wait for a few hours, things get sorted on its own. Today is one such occasion - successful login, but it still shows me as logged out and doesn't allow me to do anything. So I decided to directly create this PR instead of first commenting there. > > Jaikiran Pai has updated the pull request incrementally with one additional commit since the last revision: > > fix copyright year Wait! I believe the issue is elsewhere... ------------- PR: https://git.openjdk.java.net/jdk/pull/5927 From dfuchs at openjdk.java.net Wed Oct 13 17:20:49 2021 From: dfuchs at openjdk.java.net (Daniel Fuchs) Date: Wed, 13 Oct 2021 17:20:49 GMT Subject: RFR: 8254267: javax/xml/crypto/dsig/LogParameters.java failed with "RuntimeException: Unexpected log output:" [v2] In-Reply-To: References: <9cVLLUA43Is2mOdOhmCk2w5-Ih600NiRd6yPtTxZIEc=.a848e303-8c82-4264-8d15-be55821209b1@github.com> Message-ID: On Wed, 13 Oct 2021 14:22:16 GMT, Jaikiran Pai wrote: >> The commit here tries to address an intermittent failure reported in https://bugs.openjdk.java.net/browse/JDK-8254267. >> >> The `LogParameters` test case sets the log level to `ALL` for the `java.lang.String.class` and then attaches a handler to it. It then proceeds to write out a log message at `DEBUG` level and expects the log message to have been delivered to the handler. This should all work fine and does work fine except for those intermittent failures. >> >> Looking at the output attached in that JBS issue, there's this: >> >> >> command: main LogParameters >> reason: Assumed action based on file name: run main LogParameters >> Mode: agentvm >> >> which states that the test is using `agentvm` mode, since the test itself doesn't specify a specific mode. For a test like this one which deals with log level management of `java.util.logging` infrastructure, in theory, there are chances that some other tests within the same JVM instance might impact the output and can potentially contribute to intermittent failures like this one. >> >> The commit in this PR tries to address that issue by explicitly running the test in `othervm` mode. >> >> P.S: Every once in a while my logins to JBS don't work and if I just wait for a few hours, things get sorted on its own. Today is one such occasion - successful login, but it still shows me as logged out and doesn't allow me to do anything. So I decided to directly create this PR instead of first commenting there. > > Jaikiran Pai has updated the pull request incrementally with one additional commit since the last revision: > > fix copyright year You need to stick the logger returned by `Logger.getLogger(String.class.getName())` into a static variable to prevent it from being garbage collected. Indeed, if you don't do that, there will be only weak references to that logger, and the next call to `Logger.getLogger(String.class.getName())` might return a brand new instance. Another possibility is to stick it in a local `logger` variable and call Reference.reachabilityFence(logger) at the end of main() in order to prevent its garbage collection before main() exits... Aside note: why `String.class.getName()`? is the logged message generated by java.lang.String? that would be dangerous - as strings are used all over the place in java.util.logging... Oh - the issue is elsewhere, but since you are modifying the configuration of loggers you do need to run in /othervm too - so don't undo that change... ------------- PR: https://git.openjdk.java.net/jdk/pull/5927 From ascarpino at openjdk.java.net Wed Oct 13 17:38:58 2021 From: ascarpino at openjdk.java.net (Anthony Scarpino) Date: Wed, 13 Oct 2021 17:38:58 GMT Subject: RFR: 8264849: Add KW and KWP support to PKCS11 provider [v2] In-Reply-To: References: Message-ID: On Mon, 11 Oct 2021 23:32:26 GMT, Valerie Peng wrote: >> Anyone has time to review this RFE for adding AES cipher with KW, KWP modes support to SunPKCS11 provider? >> >> The main changes are in only one new class, i.e. P11KeyWrapCipher.java, which is the CipherSpi impl for the native PKCS11 key wrap mechanisms. When testing against NSS library, it seems that they only support the single part enc/dec PKCS11 APIs, so have to use a new class as existing P11Cipher class relies on the multi part enc/dec PKCS11 APIs and do not support key wrapping/unwrapping. >> >> The rest are minor code refactoring and updates for the PKCS11 Exception class. >> The new regression tests are adapted from existing key wrap regression tests for SunJCE provider. >> >> Thanks, >> Valerie > > Valerie Peng has updated the pull request incrementally with one additional commit since the last revision: > > Minor update for review comments. I have marked the CSR as reviewed ------------- PR: https://git.openjdk.java.net/jdk/pull/5569 From weijun at openjdk.java.net Wed Oct 13 18:54:51 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Wed, 13 Oct 2021 18:54:51 GMT Subject: RFR: 8254267: javax/xml/crypto/dsig/LogParameters.java failed with "RuntimeException: Unexpected log output:" [v2] In-Reply-To: References: <9cVLLUA43Is2mOdOhmCk2w5-Ih600NiRd6yPtTxZIEc=.a848e303-8c82-4264-8d15-be55821209b1@github.com> Message-ID: On Wed, 13 Oct 2021 14:22:16 GMT, Jaikiran Pai wrote: >> The commit here tries to address an intermittent failure reported in https://bugs.openjdk.java.net/browse/JDK-8254267. >> >> The `LogParameters` test case sets the log level to `ALL` for the `java.lang.String.class` and then attaches a handler to it. It then proceeds to write out a log message at `DEBUG` level and expects the log message to have been delivered to the handler. This should all work fine and does work fine except for those intermittent failures. >> >> Looking at the output attached in that JBS issue, there's this: >> >> >> command: main LogParameters >> reason: Assumed action based on file name: run main LogParameters >> Mode: agentvm >> >> which states that the test is using `agentvm` mode, since the test itself doesn't specify a specific mode. For a test like this one which deals with log level management of `java.util.logging` infrastructure, in theory, there are chances that some other tests within the same JVM instance might impact the output and can potentially contribute to intermittent failures like this one. >> >> The commit in this PR tries to address that issue by explicitly running the test in `othervm` mode. >> >> P.S: Every once in a while my logins to JBS don't work and if I just wait for a few hours, things get sorted on its own. Today is one such occasion - successful login, but it still shows me as logged out and doesn't allow me to do anything. So I decided to directly create this PR instead of first commenting there. > > Jaikiran Pai has updated the pull request incrementally with one additional commit since the last revision: > > fix copyright year I can confirm that inside JDK all returned value of this `getLogger()` method are stored in a static field, **except for** the one in this test. ------------- PR: https://git.openjdk.java.net/jdk/pull/5927 From duke at openjdk.java.net Wed Oct 13 22:13:19 2021 From: duke at openjdk.java.net (Mahendra Chhipa) Date: Wed, 13 Oct 2021 22:13:19 GMT Subject: RFR: JDK-8061729 : Update java/net tests to eliminate dependency on sun.net.www.MessageHeader and some other internal APIs Message-ID: <4tKaoxFush9cULj1K3MZKg-lplg6_ockGrb9x31y598=.b802e871-4c6f-41ea-8763-1ea0e64c87a1@github.com> ?t.www.MessageHeader and some other internal APIs ------------- Commit messages: - JDK-8061729 : Update java/net tests to eliminate dependency on sun.net.www.MessageHeader and some other internal APIs Changes: https://git.openjdk.java.net/jdk/pull/5937/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5937&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8061729 Stats: 167 lines in 10 files changed: 111 ins; 15 del; 41 mod Patch: https://git.openjdk.java.net/jdk/pull/5937.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5937/head:pull/5937 PR: https://git.openjdk.java.net/jdk/pull/5937 From valeriep at openjdk.java.net Wed Oct 13 22:47:48 2021 From: valeriep at openjdk.java.net (Valerie Peng) Date: Wed, 13 Oct 2021 22:47:48 GMT Subject: RFR: 8264849: Add KW and KWP support to PKCS11 provider [v2] In-Reply-To: References: Message-ID: On Wed, 13 Oct 2021 17:36:24 GMT, Anthony Scarpino wrote: > > > I have marked the CSR as reviewed Thanks! ------------- PR: https://git.openjdk.java.net/jdk/pull/5569 From jpai at openjdk.java.net Thu Oct 14 03:25:07 2021 From: jpai at openjdk.java.net (Jaikiran Pai) Date: Thu, 14 Oct 2021 03:25:07 GMT Subject: RFR: 8254267: javax/xml/crypto/dsig/LogParameters.java failed with "RuntimeException: Unexpected log output:" [v3] In-Reply-To: <9cVLLUA43Is2mOdOhmCk2w5-Ih600NiRd6yPtTxZIEc=.a848e303-8c82-4264-8d15-be55821209b1@github.com> References: <9cVLLUA43Is2mOdOhmCk2w5-Ih600NiRd6yPtTxZIEc=.a848e303-8c82-4264-8d15-be55821209b1@github.com> Message-ID: <2iD1KHwmsS3nxk0ShQjpdLZRrDcc4Nee4PaqG7NPKIM=.1ededdb4-a5b5-4764-bcdf-4314592cfdef@github.com> > The commit here tries to address an intermittent failure reported in https://bugs.openjdk.java.net/browse/JDK-8254267. > > The `LogParameters` test case sets the log level to `ALL` for the `java.lang.String.class` and then attaches a handler to it. It then proceeds to write out a log message at `DEBUG` level and expects the log message to have been delivered to the handler. This should all work fine and does work fine except for those intermittent failures. > > Looking at the output attached in that JBS issue, there's this: > > > command: main LogParameters > reason: Assumed action based on file name: run main LogParameters > Mode: agentvm > > which states that the test is using `agentvm` mode, since the test itself doesn't specify a specific mode. For a test like this one which deals with log level management of `java.util.logging` infrastructure, in theory, there are chances that some other tests within the same JVM instance might impact the output and can potentially contribute to intermittent failures like this one. > > The commit in this PR tries to address that issue by explicitly running the test in `othervm` mode. > > P.S: Every once in a while my logins to JBS don't work and if I just wait for a few hours, things get sorted on its own. Today is one such occasion - successful login, but it still shows me as logged out and doesn't allow me to do anything. So I decided to directly create this PR instead of first commenting there. Jaikiran Pai has updated the pull request incrementally with two additional commits since the last revision: - add a summary to the test as well as use a different logger than String.class to avoid any confusion - hold on to the logger instance ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5927/files - new: https://git.openjdk.java.net/jdk/pull/5927/files/2213629b..c4371826 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5927&range=02 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5927&range=01-02 Stats: 12 lines in 1 file changed: 9 ins; 0 del; 3 mod Patch: https://git.openjdk.java.net/jdk/pull/5927.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5927/head:pull/5927 PR: https://git.openjdk.java.net/jdk/pull/5927 From jpai at openjdk.java.net Thu Oct 14 03:25:07 2021 From: jpai at openjdk.java.net (Jaikiran Pai) Date: Thu, 14 Oct 2021 03:25:07 GMT Subject: RFR: 8254267: javax/xml/crypto/dsig/LogParameters.java failed with "RuntimeException: Unexpected log output:" [v2] In-Reply-To: References: <9cVLLUA43Is2mOdOhmCk2w5-Ih600NiRd6yPtTxZIEc=.a848e303-8c82-4264-8d15-be55821209b1@github.com> Message-ID: On Wed, 13 Oct 2021 14:22:16 GMT, Jaikiran Pai wrote: >> The commit here tries to address an intermittent failure reported in https://bugs.openjdk.java.net/browse/JDK-8254267. >> >> The `LogParameters` test case sets the log level to `ALL` for the `java.lang.String.class` and then attaches a handler to it. It then proceeds to write out a log message at `DEBUG` level and expects the log message to have been delivered to the handler. This should all work fine and does work fine except for those intermittent failures. >> >> Looking at the output attached in that JBS issue, there's this: >> >> >> command: main LogParameters >> reason: Assumed action based on file name: run main LogParameters >> Mode: agentvm >> >> which states that the test is using `agentvm` mode, since the test itself doesn't specify a specific mode. For a test like this one which deals with log level management of `java.util.logging` infrastructure, in theory, there are chances that some other tests within the same JVM instance might impact the output and can potentially contribute to intermittent failures like this one. >> >> The commit in this PR tries to address that issue by explicitly running the test in `othervm` mode. >> >> P.S: Every once in a while my logins to JBS don't work and if I just wait for a few hours, things get sorted on its own. Today is one such occasion - successful login, but it still shows me as logged out and doesn't allow me to do anything. So I decided to directly create this PR instead of first commenting there. > > Jaikiran Pai has updated the pull request incrementally with one additional commit since the last revision: > > fix copyright year Hello Daniel, > You need to stick the logger returned by `Logger.getLogger(String.class.getName())` into a static variable to prevent it from being garbage collected. Indeed, if you don't do that, there will be only weak references to that logger, and the next call to `Logger.getLogger(String.class.getName())` might return a brand new instance. You are right. Good catch. I hadn't thought of that aspect at all. I've now updated the PR to create the logger instance in a static field. ------------- PR: https://git.openjdk.java.net/jdk/pull/5927 From jpai at openjdk.java.net Thu Oct 14 03:34:45 2021 From: jpai at openjdk.java.net (Jaikiran Pai) Date: Thu, 14 Oct 2021 03:34:45 GMT Subject: RFR: 8254267: javax/xml/crypto/dsig/LogParameters.java failed with "RuntimeException: Unexpected log output:" [v2] In-Reply-To: References: <9cVLLUA43Is2mOdOhmCk2w5-Ih600NiRd6yPtTxZIEc=.a848e303-8c82-4264-8d15-be55821209b1@github.com> Message-ID: On Wed, 13 Oct 2021 17:15:53 GMT, Daniel Fuchs wrote: > Aside note: why `String.class.getName()`? is the logged message generated by java.lang.String? that would be dangerous - as strings are used all over the place in java.util.logging... I had a look at the original issue for which this test was introduced https://bugs.openjdk.java.net/browse/JDK-8247907. As Max notes in that JBS issue, the bug was in log messages which are parameterized. Internally, the implementation of `com.sun.org.slf4j.internal.Logger` just delegates the calls to a `java.util.logging.Logger` and the fix was to properly transform the parameterization placeholders before passing on the calls to the `java.util.logging.Logger`[1]. So from what I understand, this `LogParameters` testcase is just there to test a parameterized log message through the `com.sun.org.slf4j.internal.Logger` and as such it doesn't matter what logger name (or class) is passed to create the logger instance. To avoid any confusion about the `String.class` usage for the logger instance, I have now updated the PR to use a different logger name (and class) while constructing the `java.util.logging.Logger` and `com.sun.org.slf4j.internal.Logger` instances. Additionally, I've added some code comments in the test and also added a `@summary` to explain what this test does. The test continues to pass with these changes. [1] https://hg.openjdk.java.net/jdk/jdk/rev/216c6baa0564#l2.119 ------------- PR: https://git.openjdk.java.net/jdk/pull/5927 From dfuchs at openjdk.java.net Thu Oct 14 09:42:50 2021 From: dfuchs at openjdk.java.net (Daniel Fuchs) Date: Thu, 14 Oct 2021 09:42:50 GMT Subject: RFR: JDK-8061729 : Update java/net tests to eliminate dependency on sun.net.www.MessageHeader and some other internal APIs In-Reply-To: <4tKaoxFush9cULj1K3MZKg-lplg6_ockGrb9x31y598=.b802e871-4c6f-41ea-8763-1ea0e64c87a1@github.com> References: <4tKaoxFush9cULj1K3MZKg-lplg6_ockGrb9x31y598=.b802e871-4c6f-41ea-8763-1ea0e64c87a1@github.com> Message-ID: On Wed, 13 Oct 2021 22:04:23 GMT, Mahendra Chhipa wrote: > There are some regression tests depending on sun.net.www.MessageHeader, the internal API dependency should be removed. Some of other internal API dependancies are removed in following issues : > JDK-8273142 > JDK-8268464 > JDK-8268133 It may be that the new library HttpHeaderParser works for the small use cases in which it is used, but its parsing of header fields is approximative. I am a bit uncomfortable by replacing a well tested parser (MessageHeader) with something that obviously doesn't implement the spec correctly - even though it's possible that the cases where it would give back a wrong answer do not occur in the scenario where it is used. What is the underlying rationale for wanting to stop using MessageHeader in tests? test/jdk/sun/net/www/protocol/http/NTLMTest.java line 163: > 161: > 162: for (int i=start; i 163: MessageHeader header = new MessageHeader (s.getInputStream()); This change introduces a subtle behaviour difference in the test that may result in spurious "Connection Reset" exception. I would prefer if the existing logic was kept - and the test continued parsing the request headers before writing to the output. test/lib/jdk/test/lib/net/HttpHeaderParser.java line 47: > 45: while(true) { > 46: headerString = br.readLine(); > 47: if(headerString == null || headerString.isBlank()) { This is not completely correct, a blank line would be an error, I think, or possibly an empty continuation line. isBlank() should be replaced by isEmpty(). test/lib/jdk/test/lib/net/HttpHeaderParser.java line 54: > 52: List values = new ArrayList<>(); > 53: String headerValue = headerString.substring(headerString.indexOf(": ") + 2); > 54: String [] valueArray = headerValue.split(","); This is not right either - at least that's not how MessageHeader (or the HttpClient or HttpServer header parsers work). Multi-valued header correspond to header fields whose name appear on several lines. foo: bar, baz => single value "bar, baz" foo: bar foo: baz multiple values => "bar", "baz" Usually - analyzing the value - and possibly splitting it around `,` or `;` is done in the second step at a higher level. test/lib/jdk/test/lib/net/HttpHeaderParser.java line 62: > 60: } else { > 61: requestDetails = headerString.trim(); > 62: } This is not right: the request line - or status line - is the first line which is read - not just any line that doesn't contain `:` FWIW, a request line may contain the full URL and therefore may contain `:` test/lib/jdk/test/lib/net/HttpHeaderParser.java line 63: > 61: requestDetails = headerString.trim(); > 62: } > 63: } You should also take into account continuation lines (lines that begin with a space) - and IIRC a continuation would be \r followed by a space - so I'm not 100% sure that using readline() is completely appropriate as it will consume \r, \n, or \r\n equally. ------------- PR: https://git.openjdk.java.net/jdk/pull/5937 From fguallini at openjdk.java.net Thu Oct 14 10:16:16 2021 From: fguallini at openjdk.java.net (Fernando Guallini) Date: Thu, 14 Oct 2021 10:16:16 GMT Subject: RFR: 8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security [v2] In-Reply-To: References: Message-ID: <5zOMGuR5UlZtZZm22eOF2GeHNOkUMYMLJWJdx8riChE=.570647f0-ebc4-4e79-b972-c4daf4b1dc90@github.com> > This patch improves code coverage on the following classes: > - com.sun.org.apache.xml.internal.security.algorithms.implementations.IntegrityHmac > - com.sun.org.apache.xml.internal.security.utils.ElementProxy > - com.sun.org.apache.xml.internal.security.keys.KeyInfo > > The new tests exercise code blocks that are not currently covered by other tests. Fernando Guallini has updated the pull request incrementally with one additional commit since the last revision: throw RuntimeException ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5913/files - new: https://git.openjdk.java.net/jdk/pull/5913/files/4d8c0c89..4916ebad Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5913&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5913&range=00-01 Stats: 2 lines in 1 file changed: 0 ins; 0 del; 2 mod Patch: https://git.openjdk.java.net/jdk/pull/5913.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5913/head:pull/5913 PR: https://git.openjdk.java.net/jdk/pull/5913 From fguallini at openjdk.java.net Thu Oct 14 10:16:17 2021 From: fguallini at openjdk.java.net (Fernando Guallini) Date: Thu, 14 Oct 2021 10:16:17 GMT Subject: RFR: 8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security [v2] In-Reply-To: References: Message-ID: On Wed, 13 Oct 2021 16:17:37 GMT, Rajan Halade wrote: >> Fernando Guallini has updated the pull request incrementally with one additional commit since the last revision: >> >> throw RuntimeException > > test/jdk/com/sun/org/apache/xml/internal/security/SignatureKeyInfo.java line 117: > >> 115: doc.getElementsByTagNameNS(NS, "Signature"); >> 116: if (nl.getLength() == 0) { >> 117: throw new Exception("Could not find signature Element"); > > update this to RuntimeException done ------------- PR: https://git.openjdk.java.net/jdk/pull/5913 From dfuchs at openjdk.java.net Thu Oct 14 10:51:52 2021 From: dfuchs at openjdk.java.net (Daniel Fuchs) Date: Thu, 14 Oct 2021 10:51:52 GMT Subject: RFR: 8254267: javax/xml/crypto/dsig/LogParameters.java failed with "RuntimeException: Unexpected log output:" [v3] In-Reply-To: <2iD1KHwmsS3nxk0ShQjpdLZRrDcc4Nee4PaqG7NPKIM=.1ededdb4-a5b5-4764-bcdf-4314592cfdef@github.com> References: <9cVLLUA43Is2mOdOhmCk2w5-Ih600NiRd6yPtTxZIEc=.a848e303-8c82-4264-8d15-be55821209b1@github.com> <2iD1KHwmsS3nxk0ShQjpdLZRrDcc4Nee4PaqG7NPKIM=.1ededdb4-a5b5-4764-bcdf-4314592cfdef@github.com> Message-ID: On Thu, 14 Oct 2021 03:25:07 GMT, Jaikiran Pai wrote: >> The commit here tries to address an intermittent failure reported in https://bugs.openjdk.java.net/browse/JDK-8254267. >> >> The `LogParameters` test case sets the log level to `ALL` for the `java.lang.String.class` and then attaches a handler to it. It then proceeds to write out a log message at `DEBUG` level and expects the log message to have been delivered to the handler. This should all work fine and does work fine except for those intermittent failures. >> >> Looking at the output attached in that JBS issue, there's this: >> >> >> command: main LogParameters >> reason: Assumed action based on file name: run main LogParameters >> Mode: agentvm >> >> which states that the test is using `agentvm` mode, since the test itself doesn't specify a specific mode. For a test like this one which deals with log level management of `java.util.logging` infrastructure, in theory, there are chances that some other tests within the same JVM instance might impact the output and can potentially contribute to intermittent failures like this one. >> >> The commit in this PR tries to address that issue by explicitly running the test in `othervm` mode. >> >> P.S: Every once in a while my logins to JBS don't work and if I just wait for a few hours, things get sorted on its own. Today is one such occasion - successful login, but it still shows me as logged out and doesn't allow me to do anything. So I decided to directly create this PR instead of first commenting there. > > Jaikiran Pai has updated the pull request incrementally with two additional commits since the last revision: > > - add a summary to the test as well as use a different logger than String.class to avoid any confusion > - hold on to the logger instance Thanks Jaikiran. LGTM! ------------- Marked as reviewed by dfuchs (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/5927 From weijun at openjdk.java.net Thu Oct 14 13:15:56 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 14 Oct 2021 13:15:56 GMT Subject: RFR: 8254267: javax/xml/crypto/dsig/LogParameters.java failed with "RuntimeException: Unexpected log output:" [v2] In-Reply-To: References: <9cVLLUA43Is2mOdOhmCk2w5-Ih600NiRd6yPtTxZIEc=.a848e303-8c82-4264-8d15-be55821209b1@github.com> Message-ID: On Thu, 14 Oct 2021 03:32:19 GMT, Jaikiran Pai wrote: > So from what I understand, this `LogParameters` testcase is just there to Absolutely correct. ------------- PR: https://git.openjdk.java.net/jdk/pull/5927 From weijun at openjdk.java.net Thu Oct 14 13:44:00 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 14 Oct 2021 13:44:00 GMT Subject: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12 Message-ID: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> The cacerts file is now a password-less PKCS12 file. This make sure old code that uses a JKS KeyStore object can continuously load it using a null password (in fact, any password) and see all certificates inside. ------------- Commit messages: - 8275252: Migrate cacerts from JKS to password-less PKCS12 Changes: https://git.openjdk.java.net/jdk/pull/5948/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5948&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8275252 Stats: 81 lines in 3 files changed: 2 ins; 69 del; 10 mod Patch: https://git.openjdk.java.net/jdk/pull/5948.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5948/head:pull/5948 PR: https://git.openjdk.java.net/jdk/pull/5948 From erikj at openjdk.java.net Thu Oct 14 13:57:49 2021 From: erikj at openjdk.java.net (Erik Joelsson) Date: Thu, 14 Oct 2021 13:57:49 GMT Subject: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12 In-Reply-To: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> References: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> Message-ID: On Thu, 14 Oct 2021 13:36:19 GMT, Weijun Wang wrote: > The cacerts file is now a password-less PKCS12 file. This make sure old code that uses a JKS KeyStore object can continuously load it using a null password (in fact, any password) and see all certificates inside. Build change looks good. ------------- Marked as reviewed by erikj (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/5948 From jpai at openjdk.java.net Thu Oct 14 14:41:58 2021 From: jpai at openjdk.java.net (Jaikiran Pai) Date: Thu, 14 Oct 2021 14:41:58 GMT Subject: RFR: 8254267: javax/xml/crypto/dsig/LogParameters.java failed with "RuntimeException: Unexpected log output:" [v3] In-Reply-To: <2iD1KHwmsS3nxk0ShQjpdLZRrDcc4Nee4PaqG7NPKIM=.1ededdb4-a5b5-4764-bcdf-4314592cfdef@github.com> References: <9cVLLUA43Is2mOdOhmCk2w5-Ih600NiRd6yPtTxZIEc=.a848e303-8c82-4264-8d15-be55821209b1@github.com> <2iD1KHwmsS3nxk0ShQjpdLZRrDcc4Nee4PaqG7NPKIM=.1ededdb4-a5b5-4764-bcdf-4314592cfdef@github.com> Message-ID: On Thu, 14 Oct 2021 03:25:07 GMT, Jaikiran Pai wrote: >> The commit here tries to address an intermittent failure reported in https://bugs.openjdk.java.net/browse/JDK-8254267. >> >> The `LogParameters` test case sets the log level to `ALL` for the `java.lang.String.class` and then attaches a handler to it. It then proceeds to write out a log message at `DEBUG` level and expects the log message to have been delivered to the handler. This should all work fine and does work fine except for those intermittent failures. >> >> Looking at the output attached in that JBS issue, there's this: >> >> >> command: main LogParameters >> reason: Assumed action based on file name: run main LogParameters >> Mode: agentvm >> >> which states that the test is using `agentvm` mode, since the test itself doesn't specify a specific mode. For a test like this one which deals with log level management of `java.util.logging` infrastructure, in theory, there are chances that some other tests within the same JVM instance might impact the output and can potentially contribute to intermittent failures like this one. >> >> The commit in this PR tries to address that issue by explicitly running the test in `othervm` mode. >> >> P.S: Every once in a while my logins to JBS don't work and if I just wait for a few hours, things get sorted on its own. Today is one such occasion - successful login, but it still shows me as logged out and doesn't allow me to do anything. So I decided to directly create this PR instead of first commenting there. > > Jaikiran Pai has updated the pull request incrementally with two additional commits since the last revision: > > - add a summary to the test as well as use a different logger than String.class to avoid any confusion > - hold on to the logger instance Thank you Max and Daniel for the reviews. ------------- PR: https://git.openjdk.java.net/jdk/pull/5927 From jpai at openjdk.java.net Thu Oct 14 14:41:59 2021 From: jpai at openjdk.java.net (Jaikiran Pai) Date: Thu, 14 Oct 2021 14:41:59 GMT Subject: Integrated: 8254267: javax/xml/crypto/dsig/LogParameters.java failed with "RuntimeException: Unexpected log output:" In-Reply-To: <9cVLLUA43Is2mOdOhmCk2w5-Ih600NiRd6yPtTxZIEc=.a848e303-8c82-4264-8d15-be55821209b1@github.com> References: <9cVLLUA43Is2mOdOhmCk2w5-Ih600NiRd6yPtTxZIEc=.a848e303-8c82-4264-8d15-be55821209b1@github.com> Message-ID: On Wed, 13 Oct 2021 10:49:57 GMT, Jaikiran Pai wrote: > The commit here tries to address an intermittent failure reported in https://bugs.openjdk.java.net/browse/JDK-8254267. > > The `LogParameters` test case sets the log level to `ALL` for the `java.lang.String.class` and then attaches a handler to it. It then proceeds to write out a log message at `DEBUG` level and expects the log message to have been delivered to the handler. This should all work fine and does work fine except for those intermittent failures. > > Looking at the output attached in that JBS issue, there's this: > > > command: main LogParameters > reason: Assumed action based on file name: run main LogParameters > Mode: agentvm > > which states that the test is using `agentvm` mode, since the test itself doesn't specify a specific mode. For a test like this one which deals with log level management of `java.util.logging` infrastructure, in theory, there are chances that some other tests within the same JVM instance might impact the output and can potentially contribute to intermittent failures like this one. > > The commit in this PR tries to address that issue by explicitly running the test in `othervm` mode. > > P.S: Every once in a while my logins to JBS don't work and if I just wait for a few hours, things get sorted on its own. Today is one such occasion - successful login, but it still shows me as logged out and doesn't allow me to do anything. So I decided to directly create this PR instead of first commenting there. This pull request has now been integrated. Changeset: 40d69f0c Author: Jaikiran Pai URL: https://git.openjdk.java.net/jdk/commit/40d69f0c41c8550605c3a1e6e572aecd3a8cf138 Stats: 15 lines in 1 file changed: 10 ins; 0 del; 5 mod 8254267: javax/xml/crypto/dsig/LogParameters.java failed with "RuntimeException: Unexpected log output:" Reviewed-by: weijun, dfuchs ------------- PR: https://git.openjdk.java.net/jdk/pull/5927 From weijun at openjdk.java.net Thu Oct 14 14:53:11 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 14 Oct 2021 14:53:11 GMT Subject: RFR: 8231107: Allow store password to be null when saving a PKCS12 KeyStore Message-ID: You can create a password-less PKCS12 KeyStore file now by calling `ks.store(outStream, null)` no matter what the default cert protection algorithm and Mac algorithm are defined in `java.security`. ------------- Commit messages: - 8231107: Storing PKCS12 keystore without integrity protection and no enc certs not easy Changes: https://git.openjdk.java.net/jdk/pull/5950/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5950&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8231107 Stats: 59 lines in 2 files changed: 29 ins; 16 del; 14 mod Patch: https://git.openjdk.java.net/jdk/pull/5950.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5950/head:pull/5950 PR: https://git.openjdk.java.net/jdk/pull/5950 From duke at openjdk.java.net Thu Oct 14 15:45:50 2021 From: duke at openjdk.java.net (Michael Osipov) Date: Thu, 14 Oct 2021 15:45:50 GMT Subject: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12 In-Reply-To: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> References: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> Message-ID: <5kwYGe1i7vi-xErsqesfSObRYkyV_7GvjrfHyxyARnY=.a1fc7c37-6f07-4ab8-81f5-674e83ba8fa1@github.com> On Thu, 14 Oct 2021 13:36:19 GMT, Weijun Wang wrote: > The cacerts file is now a password-less PKCS12 file. This make sure old code that uses a JKS KeyStore object can continuously load it using a null password (in fact, any password) and see all certificates inside. I don't understand how this can work at all. I wrote a custom `CertDownloader` for our company use where I wanted to migrate to PKCS#12. Suddenly all of my applications started to fail on OpenJDK8u until I have figured out that PKCS#12 was not designed to be passwordless and due to the missing ecryption the trusted CA aren't visible. This bug is known as: * https://bugs.openjdk.java.net/browse/JDK-8231107 * https://bugs.openjdk.java.net/browse/JDK-8194702 I had to revert to JKS for now. Unless those drizzle down to 8u, 11u, 17u this is going to be hard. I still would love to see a trust store (not key store) which either reads OpenSSL's [`CAfile` or `CApath`](https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_load_verify_locations.html). This would greatly improve compat between Java and the OS default store on may OS, e.g., Debian, FreeBSD, RHEL, etc. ------------- PR: https://git.openjdk.java.net/jdk/pull/5948 From hchao at openjdk.java.net Thu Oct 14 16:13:10 2021 From: hchao at openjdk.java.net (Hai-May Chao) Date: Thu, 14 Oct 2021 16:13:10 GMT Subject: RFR: 8272163: Add -version option to keytool and jarsigner Message-ID: <09nuObEA1zfkqsqe4YoypKcdexK1L5zdRjtXUKHLt_g=.676c0c70-e861-460d-b28e-bdada92a5136@github.com> It'd be useful to have a -version option for keytool and jarsigner. Many other JDK tools already have a -version option. This is to add -version option to keytool and jarsigner like jar command does. ------------- Commit messages: - 8272163: Add -version option to keytool and jarsigner Changes: https://git.openjdk.java.net/jdk/pull/5954/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5954&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8272163 Stats: 117 lines in 6 files changed: 116 ins; 0 del; 1 mod Patch: https://git.openjdk.java.net/jdk/pull/5954.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5954/head:pull/5954 PR: https://git.openjdk.java.net/jdk/pull/5954 From weijun at openjdk.java.net Thu Oct 14 17:34:50 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 14 Oct 2021 17:34:50 GMT Subject: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12 In-Reply-To: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> References: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> Message-ID: On Thu, 14 Oct 2021 13:36:19 GMT, Weijun Wang wrote: > The cacerts file is now a password-less PKCS12 file. This make sure old code that uses a JKS KeyStore object can continuously load it using a null password (in fact, any password) and see all certificates inside. If you look into the code change for `make/ToolsJdk.gmk`, you can see 2 system properties used while generating the new cacerts file. With them, the new file becomes password-less. ------------- PR: https://git.openjdk.java.net/jdk/pull/5948 From fguallini at openjdk.java.net Thu Oct 14 18:29:55 2021 From: fguallini at openjdk.java.net (Fernando Guallini) Date: Thu, 14 Oct 2021 18:29:55 GMT Subject: Integrated: 8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security In-Reply-To: References: Message-ID: On Tue, 12 Oct 2021 17:04:27 GMT, Fernando Guallini wrote: > This patch improves code coverage on the following classes: > - com.sun.org.apache.xml.internal.security.algorithms.implementations.IntegrityHmac > - com.sun.org.apache.xml.internal.security.utils.ElementProxy > - com.sun.org.apache.xml.internal.security.keys.KeyInfo > > The new tests exercise code blocks that are not currently covered by other tests. This pull request has now been integrated. Changeset: a16f2d0a Author: Fernando Guallini Committer: Rajan Halade URL: https://git.openjdk.java.net/jdk/commit/a16f2d0a3c326dd8b3b2133a9c170d998b7aa631 Stats: 253 lines in 3 files changed: 246 ins; 0 del; 7 mod 8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security Reviewed-by: rhalade ------------- PR: https://git.openjdk.java.net/jdk/pull/5913 From duke at openjdk.java.net Thu Oct 14 19:10:50 2021 From: duke at openjdk.java.net (Michael Osipov) Date: Thu, 14 Oct 2021 19:10:50 GMT Subject: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12 In-Reply-To: References: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> Message-ID: On Thu, 14 Oct 2021 17:31:26 GMT, Weijun Wang wrote: > > > If you look into the code change for `make/ToolsJdk.gmk`, you can see 2 system properties used while generating the new cacerts file. With them, the new file becomes password-less. This I have seen, but what about: * Generating this trust store with Java code like I do? * Will this solve the two mentioned tickets? ------------- PR: https://git.openjdk.java.net/jdk/pull/5948 From weijun at openjdk.java.net Thu Oct 14 19:26:47 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 14 Oct 2021 19:26:47 GMT Subject: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12 In-Reply-To: References: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> Message-ID: On Thu, 14 Oct 2021 19:07:55 GMT, Michael Osipov wrote: > Generating this trust store with Java code like I do? What do you mean "like you do"? If you accept the proposed format in this PR, then just follow what `GenerateCACerts.java` is doing and how it's called. If you are thinking about reading the openssl trust store, that's not what this PR is for. This PR intends to find a modern format that is 100% interoperable with older JDK releases. As for the other two tickets, they are related. If JDK-8231107 is resolved, then there's no need to set the 2 system properties. JDK-8194702 is not fixable because the certificates are already encrypted. Instead, https://bugs.openjdk.java.net/browse/JDK-8274913 was proposed, but only newly generated keystores after it will get the benefit. Still, this PR does not depend on the other two tickets. This PR is about one single keystore -- cacerts -- which can be treated special. ------------- PR: https://git.openjdk.java.net/jdk/pull/5948 From duke at openjdk.java.net Thu Oct 14 19:40:51 2021 From: duke at openjdk.java.net (Michael Osipov) Date: Thu, 14 Oct 2021 19:40:51 GMT Subject: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12 In-Reply-To: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> References: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> Message-ID: On Thu, 14 Oct 2021 13:36:19 GMT, Weijun Wang wrote: > The cacerts file is now a password-less PKCS12 file. This make sure old code that uses a JKS KeyStore object can continuously load it using a null password (in fact, any password) and see all certificates inside. Let me summarize/rephrase your last message: To trick in the Makefile and the changed Java code (same way as I do in my code) produce a password-less truststore. Now since JDK-8231107 depicts that loading with a null password does not work the same way as with JKS this means that JDK-8231107 must also be applied to all supported JDK versions to make the output of this PR usable. Doesn't it? Note: JDK-8274913 is not publically available and I don't have a JBS account also I do report issues with Apache projects to Rory O'Donnell sometimes. ------------- PR: https://git.openjdk.java.net/jdk/pull/5948 From weijun at openjdk.java.net Thu Oct 14 19:53:50 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 14 Oct 2021 19:53:50 GMT Subject: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12 In-Reply-To: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> References: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> Message-ID: On Thu, 14 Oct 2021 13:36:19 GMT, Weijun Wang wrote: > The cacerts file is now a password-less PKCS12 file. This make sure old code that uses a JKS KeyStore object can continuously load it using a null password (in fact, any password) and see all certificates inside. No, this PR is totally independent. Once a password-less pkcs12 file is generated, it can be read by any JDK since JDK 7u with a null password and the certs are visible. The other 2 tickets are all about storing, storing with a null password, storing with a default algorithm. I've made JDK-8274913 public. It's just an idea and not proposed to any release. ------------- PR: https://git.openjdk.java.net/jdk/pull/5948 From duke at openjdk.java.net Thu Oct 14 20:01:47 2021 From: duke at openjdk.java.net (Michael Osipov) Date: Thu, 14 Oct 2021 20:01:47 GMT Subject: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12 In-Reply-To: References: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> Message-ID: On Thu, 14 Oct 2021 19:50:33 GMT, Weijun Wang wrote: > > > No, this PR is totally independent. Once a password-less pkcs12 file is generated, it can be read by any JDK since JDK 7u with a null password and the certs are visible. The other 2 tickets are all about storing, storing with a null password, storing with a default algorithm. > > I've made JDK-8274913 public. It's just an idea and not proposed to any release. OK, now I see. This makes sense now. Storing is a different and as I see in your code somewhere `NONE` needs to be provided and it is not obvious apparently. Storing will remain a pain in all JDK versions unless JDK-8274913 is implemented which will solve JDK-8231107. ------------- PR: https://git.openjdk.java.net/jdk/pull/5948 From duke at openjdk.java.net Thu Oct 14 20:06:50 2021 From: duke at openjdk.java.net (Michael Osipov) Date: Thu, 14 Oct 2021 20:06:50 GMT Subject: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12 In-Reply-To: References: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> Message-ID: On Thu, 14 Oct 2021 20:02:32 GMT, Weijun Wang wrote: > > > For password-less pksc12, JDK-8231107 is more relevant. JDK-8274913 still has MacData, which is quite useless for cacerts, and leaving a well-known password there is awkward. Agree, makes sense. BTW: https://github.com/ctron/pem-keystore#reading-a-ca-bundle ------------- PR: https://git.openjdk.java.net/jdk/pull/5948 From weijun at openjdk.java.net Thu Oct 14 20:06:49 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 14 Oct 2021 20:06:49 GMT Subject: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12 In-Reply-To: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> References: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> Message-ID: On Thu, 14 Oct 2021 13:36:19 GMT, Weijun Wang wrote: > The cacerts file is now a password-less PKCS12 file. This make sure old code that uses a JKS KeyStore object can continuously load it using a null password (in fact, any password) and see all certificates inside. For password-less pksc12, JDK-8231107 is more relevant. JDK-8274913 still has MacData, which is quite useless for cacerts, and leaving a well-known password there is awkward. ------------- PR: https://git.openjdk.java.net/jdk/pull/5948 From weijun at openjdk.java.net Thu Oct 14 23:02:06 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 14 Oct 2021 23:02:06 GMT Subject: RFR: 8049520: FileCredentialsCache loads cache once and is never refreshed Message-ID: Just re-load the CredentialsCache like we did on non-Windows non-macOS systems. ------------- Commit messages: - 8049520: FileCredentialsCache loads cache once and is never refreshed Changes: https://git.openjdk.java.net/jdk/pull/5960/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5960&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8049520 Stats: 73 lines in 2 files changed: 65 ins; 6 del; 2 mod Patch: https://git.openjdk.java.net/jdk/pull/5960.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5960/head:pull/5960 PR: https://git.openjdk.java.net/jdk/pull/5960 From duke at openjdk.java.net Fri Oct 15 02:05:54 2021 From: duke at openjdk.java.net (duke) Date: Fri, 15 Oct 2021 02:05:54 GMT Subject: Withdrawn: 8271566: DSA signature length value is not accurate in P11Signature In-Reply-To: <1TPW26SEl6BcKnQobVmN2SVGnU4RBrhaeLtx28AJzt0=.162e98c1-94e9-47ee-8070-b4dde6dbf66f@github.com> References: <1TPW26SEl6BcKnQobVmN2SVGnU4RBrhaeLtx28AJzt0=.162e98c1-94e9-47ee-8070-b4dde6dbf66f@github.com> Message-ID: <7z49Eb-Ys_cfqCm7hp_YAM7y0b_h-InEQpo9Bg1L-Rc=.5cc95a7f-dfec-4320-9a05-9042250a7979@github.com> On Mon, 2 Aug 2021 19:31:54 GMT, Martin Balao wrote: > As described in JDK-8271566 [1], this patch proposal is intended to fix a problem that arises when using DSA keys that have a 256-bits (or larger) G parameter for signatures (either signing or verifying). There were some incorrect assumptions and hard-coded length values in the code before. Please note that, for example, the tuple (2048, 256) for DSA is valid according to FIPS PUB 186-4. > > Beyond the specific issues in signatures, I decided to provide a broader solution and enable key parameter retrieval for other key types (EC, DH) when possible. This is, when the key is not sensitive. One thing that I should note here is that token keys (those that have the CKA_TOKEN attribute equal to 'true') are considered sensitive in this regard, at least by the NSS Software Token implementation. I don't have access to other vendor implementations but if there is any concern, we can adjust the constraint to NSS-only. However, I'm not sure which use-case would require to get private keys out of a real token, weakening its security. I'd be more conservative here and not query the values if not sure that it will succeed. > > No regressions found in jdk/sun/security/pkcs11. A new test added: LargerDSAKey. > > -- > [1] - https://bugs.openjdk.java.net/browse/JDK-8271566 This pull request has been closed without being integrated. ------------- PR: https://git.openjdk.java.net/jdk/pull/4961 From duke at openjdk.java.net Fri Oct 15 12:38:14 2021 From: duke at openjdk.java.net (Mahendra Chhipa) Date: Fri, 15 Oct 2021 12:38:14 GMT Subject: RFR: JDK-8061729 : Update java/net tests to eliminate dependency on sun.net.www.MessageHeader and some other internal APIs [v2] In-Reply-To: <4tKaoxFush9cULj1K3MZKg-lplg6_ockGrb9x31y598=.b802e871-4c6f-41ea-8763-1ea0e64c87a1@github.com> References: <4tKaoxFush9cULj1K3MZKg-lplg6_ockGrb9x31y598=.b802e871-4c6f-41ea-8763-1ea0e64c87a1@github.com> Message-ID: > There are some regression tests depending on sun.net.www.MessageHeader, the internal API dependency should be removed. Some of other internal API dependancies are removed in following issues : > JDK-8273142 > JDK-8268464 > JDK-8268133 Mahendra Chhipa has updated the pull request incrementally with one additional commit since the last revision: Implemented review comments. ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5937/files - new: https://git.openjdk.java.net/jdk/pull/5937/files/47f7ba24..6d9f17f4 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5937&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5937&range=00-01 Stats: 20 lines in 2 files changed: 12 ins; 4 del; 4 mod Patch: https://git.openjdk.java.net/jdk/pull/5937.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5937/head:pull/5937 PR: https://git.openjdk.java.net/jdk/pull/5937 From mullan at openjdk.java.net Fri Oct 15 12:59:49 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Fri, 15 Oct 2021 12:59:49 GMT Subject: RFR: 8049520: FileCredentialsCache loads cache once and is never refreshed In-Reply-To: References: Message-ID: On Thu, 14 Oct 2021 22:53:42 GMT, Weijun Wang wrote: > Just re-load the CredentialsCache like we did on non-Windows non-macOS systems. test/jdk/sun/security/krb5/ccache/Refresh.java line 2: > 1: /* > 2: * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. Year should be 2021? test/jdk/sun/security/krb5/ccache/Refresh.java line 26: > 24: /* > 25: * @test > 26: * @bug 8028780 Wrong bug number/summary. Is this test from somewhere else originally? ------------- PR: https://git.openjdk.java.net/jdk/pull/5960 From dfuchs at openjdk.java.net Fri Oct 15 12:59:52 2021 From: dfuchs at openjdk.java.net (Daniel Fuchs) Date: Fri, 15 Oct 2021 12:59:52 GMT Subject: RFR: JDK-8061729 : Update java/net tests to eliminate dependency on sun.net.www.MessageHeader and some other internal APIs [v2] In-Reply-To: References: <4tKaoxFush9cULj1K3MZKg-lplg6_ockGrb9x31y598=.b802e871-4c6f-41ea-8763-1ea0e64c87a1@github.com> Message-ID: On Fri, 15 Oct 2021 12:38:14 GMT, Mahendra Chhipa wrote: >> There are some regression tests depending on sun.net.www.MessageHeader, the internal API dependency should be removed. Some of other internal API dependancies are removed in following issues : >> JDK-8273142 >> JDK-8268464 >> JDK-8268133 > > Mahendra Chhipa has updated the pull request incrementally with one additional commit since the last revision: > > Implemented review comments. test/lib/jdk/test/lib/net/HttpHeaderParser.java line 45: > 43: String headerString = ""; > 44: BufferedReader br = new BufferedReader(new InputStreamReader(this.is)); > 45: //First line is either request line or status line Alignment issue? Could you fix the formatting? test/lib/jdk/test/lib/net/HttpHeaderParser.java line 46: > 44: BufferedReader br = new BufferedReader(new InputStreamReader(this.is)); > 45: //First line is either request line or status line > 46: requestOrStatusLine = br.readLine().strip(); Stripping the line could hide errors, as a status/request line is not supposed to start with a whitespace, for instance test/lib/jdk/test/lib/net/HttpHeaderParser.java line 62: > 60: } > 61: if(!headerMap.containsKey(key.strip())) { > 62: headerMap.put(key.strip(), values); It may not be a good idea to remove whitespace in a header key as it should not contain any whitespace. Doing so could hide protocol errors. test/lib/jdk/test/lib/net/HttpHeaderParser.java line 69: > 67: } > 68: } > 69: } Still missing code to handle continuation lines. ------------- PR: https://git.openjdk.java.net/jdk/pull/5937 From dfuchs at openjdk.java.net Fri Oct 15 13:11:48 2021 From: dfuchs at openjdk.java.net (Daniel Fuchs) Date: Fri, 15 Oct 2021 13:11:48 GMT Subject: RFR: JDK-8061729 : Update java/net tests to eliminate dependency on sun.net.www.MessageHeader and some other internal APIs [v2] In-Reply-To: References: <4tKaoxFush9cULj1K3MZKg-lplg6_ockGrb9x31y598=.b802e871-4c6f-41ea-8763-1ea0e64c87a1@github.com> Message-ID: On Fri, 15 Oct 2021 12:38:14 GMT, Mahendra Chhipa wrote: >> There are some regression tests depending on sun.net.www.MessageHeader, the internal API dependency should be removed. Some of other internal API dependancies are removed in following issues : >> JDK-8273142 >> JDK-8268464 >> JDK-8268133 > > Mahendra Chhipa has updated the pull request incrementally with one additional commit since the last revision: > > Implemented review comments. It would be good to have a separate test to test the behavior of the new library `HttpHeaderParser` class. As an example, here [1] is the test we have written for the HttpClient Http1HeaderParser. You will see that it defines a numbers of test cases (response headers) - both positive and negative - and verifies that `sun.net.www.MessageHeader` and `Http1HeaderParser` give the same results in the positive case. It would be good to have something similar for `HttpHeaderParser` as it would give more confidence that the parsing is correct. You would need of course to add in your test new test cases that contain a request line - the Http1HeaderParser only parses status line since it's only used on the client side. [1] https://github.com/openjdk/jdk/blob/master/test/jdk/java/net/httpclient/whitebox/java.net.http/jdk/internal/net/http/Http1HeaderParserTest.java ------------- PR: https://git.openjdk.java.net/jdk/pull/5937 From mullan at openjdk.java.net Fri Oct 15 13:24:52 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Fri, 15 Oct 2021 13:24:52 GMT Subject: RFR: 8272163: Add -version option to keytool and jarsigner In-Reply-To: <09nuObEA1zfkqsqe4YoypKcdexK1L5zdRjtXUKHLt_g=.676c0c70-e861-460d-b28e-bdada92a5136@github.com> References: <09nuObEA1zfkqsqe4YoypKcdexK1L5zdRjtXUKHLt_g=.676c0c70-e861-460d-b28e-bdada92a5136@github.com> Message-ID: On Thu, 14 Oct 2021 16:04:08 GMT, Hai-May Chao wrote: > It'd be useful to have a -version option for keytool and jarsigner. Many other JDK tools already have a -version option. This is to add -version option to keytool and jarsigner like jar command does. > > CSR review: > https://bugs.openjdk.java.net/browse/JDK-8275174 This will also need a CSR so I added the csr label. ------------- PR: https://git.openjdk.java.net/jdk/pull/5954 From weijun at openjdk.java.net Fri Oct 15 13:29:19 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Fri, 15 Oct 2021 13:29:19 GMT Subject: RFR: 8049520: FileCredentialsCache loads cache once and is never refreshed [v2] In-Reply-To: References: Message-ID: <_6zwmOucaZyQB9zr-4YE0lXAQqJvKJ1OH6vVJ6OdxZY=.44c165e6-8978-476f-97bb-112ed3561a1b@github.com> > Just re-load the CredentialsCache like we did on non-Windows non-macOS systems. Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: test info ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5960/files - new: https://git.openjdk.java.net/jdk/pull/5960/files/dbfd4f66..8cd6de4d Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5960&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5960&range=00-01 Stats: 3 lines in 1 file changed: 0 ins; 0 del; 3 mod Patch: https://git.openjdk.java.net/jdk/pull/5960.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5960/head:pull/5960 PR: https://git.openjdk.java.net/jdk/pull/5960 From weijun at openjdk.java.net Fri Oct 15 13:29:24 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Fri, 15 Oct 2021 13:29:24 GMT Subject: RFR: 8049520: FileCredentialsCache loads cache once and is never refreshed [v2] In-Reply-To: References: Message-ID: On Fri, 15 Oct 2021 12:54:37 GMT, Sean Mullan wrote: >> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: >> >> test info > > test/jdk/sun/security/krb5/ccache/Refresh.java line 26: > >> 24: /* >> 25: * @test >> 26: * @bug 8028780 > > Wrong bug number/summary. Is this test from somewhere else originally? On no. I copied from a nearby test and forgot to update these fields. New commit pushed. ------------- PR: https://git.openjdk.java.net/jdk/pull/5960 From mullan at openjdk.java.net Fri Oct 15 13:35:49 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Fri, 15 Oct 2021 13:35:49 GMT Subject: RFR: 8049520: FileCredentialsCache loads cache once and is never refreshed [v2] In-Reply-To: <_6zwmOucaZyQB9zr-4YE0lXAQqJvKJ1OH6vVJ6OdxZY=.44c165e6-8978-476f-97bb-112ed3561a1b@github.com> References: <_6zwmOucaZyQB9zr-4YE0lXAQqJvKJ1OH6vVJ6OdxZY=.44c165e6-8978-476f-97bb-112ed3561a1b@github.com> Message-ID: On Fri, 15 Oct 2021 13:29:19 GMT, Weijun Wang wrote: >> Just re-load the CredentialsCache like we did on non-Windows non-macOS systems. > > Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: > > test info Marked as reviewed by mullan (Reviewer). ------------- PR: https://git.openjdk.java.net/jdk/pull/5960 From weijun at openjdk.java.net Fri Oct 15 13:52:52 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Fri, 15 Oct 2021 13:52:52 GMT Subject: RFR: 8272163: Add -version option to keytool and jarsigner In-Reply-To: <09nuObEA1zfkqsqe4YoypKcdexK1L5zdRjtXUKHLt_g=.676c0c70-e861-460d-b28e-bdada92a5136@github.com> References: <09nuObEA1zfkqsqe4YoypKcdexK1L5zdRjtXUKHLt_g=.676c0c70-e861-460d-b28e-bdada92a5136@github.com> Message-ID: On Thu, 14 Oct 2021 16:04:08 GMT, Hai-May Chao wrote: > It'd be useful to have a -version option for keytool and jarsigner. Many other JDK tools already have a -version option. This is to add -version option to keytool and jarsigner like jar command does. > > CSR review: > https://bugs.openjdk.java.net/browse/JDK-8275174 For the CSR, is it necessary to list the `-help` output change? src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 348: > 346: } > 347: doPrintVersion(); > 348: } What happens if `-version` appears elsewhere? I tried some other commands. When both `-version` and other arguments are provided, `java` ignores the others and prints out version info. `javac` prints out the version info and compiles as well. It's possible that user writes a script or alias that always run the tool with some options (Ex: `-keystore`, `-storepass`, `-verbose`). Maybe we should not fail if `-version` is used with other options (no matter at the beginning or the end). src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 600: > 598: } > 599: > 600: static void usageTooManyArg() { Since the method is only for `-version` and the printed message also mentions "version", maybe it's better to choose a specific name. src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 602: > 600: static void usageTooManyArg() { > 601: System.out.println(rb.getString( > 602: "Option.should.not.be.specified.for.version")); Neither arguments not options should be specified here. test/jdk/sun/security/tools/jarsigner/VersionTest.java line 40: > 38: .shouldHaveExitValue(0); > 39: > 40: SecurityTools.jarsigner("-version -extraopt") You might want to use some legal arguments here, for example, `-version -help`. Otherwise, the error might be because the extra option is not supported. Or, you can check if an expected error message is printed out. test/jdk/sun/security/tools/keytool/VersionTest.java line 40: > 38: .shouldHaveExitValue(0); > 39: > 40: SecurityTools.keytool("-version -extraopt") Same comment as above. ------------- PR: https://git.openjdk.java.net/jdk/pull/5954 From weijun at openjdk.java.net Fri Oct 15 13:55:00 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Fri, 15 Oct 2021 13:55:00 GMT Subject: Integrated: 8049520: FileCredentialsCache loads cache once and is never refreshed In-Reply-To: References: Message-ID: On Thu, 14 Oct 2021 22:53:42 GMT, Weijun Wang wrote: > Just re-load the CredentialsCache like we did on non-Windows non-macOS systems. This pull request has now been integrated. Changeset: 8e020642 Author: Weijun Wang URL: https://git.openjdk.java.net/jdk/commit/8e02064288a5954ab71b306fc31978a47012ef50 Stats: 73 lines in 2 files changed: 65 ins; 6 del; 2 mod 8049520: FileCredentialsCache loads cache once and is never refreshed Reviewed-by: mullan ------------- PR: https://git.openjdk.java.net/jdk/pull/5960 From mullan at openjdk.java.net Fri Oct 15 14:04:48 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Fri, 15 Oct 2021 14:04:48 GMT Subject: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12 In-Reply-To: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> References: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> Message-ID: On Thu, 14 Oct 2021 13:36:19 GMT, Weijun Wang wrote: > The cacerts file is now a password-less PKCS12 file. This make sure old code that uses a JKS KeyStore object can continuously load it using a null password (in fact, any password) and see all certificates inside. make/jdk/src/classes/build/tools/generatecacerts/GenerateCacerts.java line 74: > 72: cert = (X509Certificate) cf.generateCertificate(fis); > 73: } > 74: ks.setCertificateEntry(alias, cert); In the previous code, we always used a fixed date (cert's notBefore) for the creation date. Now, it seems it will be always different and based on when it was created. I'm not really sure if this is an issue in practice, but I think it is worth thinking about a bit more - do you have any thoughts on this? ------------- PR: https://git.openjdk.java.net/jdk/pull/5948 From ihse at openjdk.java.net Fri Oct 15 14:15:52 2021 From: ihse at openjdk.java.net (Magnus Ihse Bursie) Date: Fri, 15 Oct 2021 14:15:52 GMT Subject: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12 In-Reply-To: References: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> Message-ID: On Fri, 15 Oct 2021 14:02:15 GMT, Sean Mullan wrote: >> The cacerts file is now a password-less PKCS12 file. This make sure old code that uses a JKS KeyStore object can continuously load it using a null password (in fact, any password) and see all certificates inside. > > make/jdk/src/classes/build/tools/generatecacerts/GenerateCacerts.java line 74: > >> 72: cert = (X509Certificate) cf.generateCertificate(fis); >> 73: } >> 74: ks.setCertificateEntry(alias, cert); > > In the previous code, we always used a fixed date (cert's notBefore) for the creation date. Now, it seems it will be always different and based on when it was created. I'm not really sure if this is an issue in practice, but I think it is worth thinking about a bit more - do you have any thoughts on this? If that means the build will become non-reproducible, then *I* certainly have thoughts about it! ;-) ------------- PR: https://git.openjdk.java.net/jdk/pull/5948 From weijun at openjdk.java.net Fri Oct 15 15:00:50 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Fri, 15 Oct 2021 15:00:50 GMT Subject: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12 In-Reply-To: References: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> Message-ID: <6yXAA76EWqiG9yTID2x0gyUYFy4EsM4Veo1QHgRtzFQ=.4397d5c5-fcae-4649-9042-d0670ef0ec94@github.com> On Fri, 15 Oct 2021 14:12:55 GMT, Magnus Ihse Bursie wrote: >> make/jdk/src/classes/build/tools/generatecacerts/GenerateCacerts.java line 74: >> >>> 72: cert = (X509Certificate) cf.generateCertificate(fis); >>> 73: } >>> 74: ks.setCertificateEntry(alias, cert); >> >> In the previous code, we always used a fixed date (cert's notBefore) for the creation date. Now, it seems it will be always different and based on when it was created. I'm not really sure if this is an issue in practice, but I think it is worth thinking about a bit more - do you have any thoughts on this? > > If that means the build will become non-reproducible, then *I* certainly have thoughts about it! ;-) The certificate stored in a PKCS12 file has no date associated. Whenever you load a keystore, the creation time is set to the load time. In fact, the `VerifyCACerts.java` maintains a SHA-256 hash of the keystore and it will not change unless the certs themselves are changed. Here is the actual bytes for one certificate entry inside: 0000:1AD48 [] SEQUENCE 0005:0659 [0] SEQUENCE 0009:000D [00] OID 1.2.840.113549.1.12.10.1.3 (CertBag) 0016:05DB [01] cont [0] 001A:05D7 [010] SEQUENCE 001E:000C [0100] OID 1.2.840.113549.1.9.22.1 (CertTypeX509) 002A:05C7 [0101] cont [0] 002E:05C3 [01010] OCTET STRING (1729119956) 0000: 30 82 05 BB 30 82 03 A3 A0 03 02 01 02 02 08 57 0...0..........W 0010: 0A 11 97 42 C4 E3 CC 30 0D 06 09 2A 86 48 86 F7 ...B...0...*.H.. 0020: 0D 01 01 0B 05 00 30 6B 31 0B 30 09 06 03 55 04 ......0k1.0...U. (1471 bytes) 05F1:006D [02] SET 05F3:0053 [020] SEQUENCE 05F5:000B [0200] OID 1.2.840.113549.1.9.20 (FriendlyName) 0600:0046 [0201] SET 0602:0044 [02010] STRING "actalisauthenticationrootca [jdk]" 0646:0018 [021] SEQUENCE 0648:000E [0210] OID 2.16.840.1.113894.746875.1.1 (ORACLE_TrustedKeyUsage) 0656:0008 [0211] SET 0658:0006 [02110] OID 2.5.29.37.0 (anyExtendedKeyUsage) ------------- PR: https://git.openjdk.java.net/jdk/pull/5948 From dfuchs at openjdk.java.net Fri Oct 15 15:31:53 2021 From: dfuchs at openjdk.java.net (Daniel Fuchs) Date: Fri, 15 Oct 2021 15:31:53 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v3] In-Reply-To: References: Message-ID: <-JuSgJLSkme6YraHYehOdUah6GSER-EUo3Mq4TVjXKU=.f700cbe6-021a-43c4-a5ae-c0dc7b42d313@github.com> On Tue, 12 Oct 2021 15:43:24 GMT, Aleksei Efimov wrote: >> This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. >> >> The following API classes are added to `java.net.spi` package to facilitate this: >> - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. >> - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. >> - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. >> - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. >> >> More details in [JEP-418](https://openjdk.java.net/jeps/418). >> >> Testing: new and existing `tier1:tier3` tests > > Aleksei Efimov has updated the pull request incrementally with two additional commits since the last revision: > > - Add @since tags to new API classes > - Add checks and test for empty stream resolver results src/java.base/share/classes/java/net/InetAddress.java line 231: > 229: * The first provider found will be used to instantiate the {@link InetAddressResolver InetAddressResolver} > 230: * by invoking the {@link InetAddressResolverProvider#get(InetAddressResolverProvider.Configuration)} > 231: * method. The instantiated {@code InetAddressResolver} will be installed as the system-wide Maybe "... method. The **returned** {@code InetAddressResolver} will be installed ..." src/java.base/share/classes/java/net/InetAddress.java line 486: > 484: return cns; > 485: } finally { > 486: bootstrapResolver = null; This is incorrect. This will set bootstrapResolver to null in the case where you return it at line 468 - which means that a second call will then find it null. I believe you want to set it to null in the finally clause only if you reached line 470. You could achieve this by declaring a local variable - e.g `InetAddressResolver tempResolver = null;` before entering the try-finally then set that variable at line 470 `return tempResolver = bootstrapResolver;` and in finally do `if (tempResolver == null) bootsrapResolver = null;` To test this you could try to call e.g. `InetAddress.getByName` twice in succession in your test: I believe it will fail with the code as it stands, but will succeed with my proposed changes... src/java.base/share/classes/java/net/InetAddress.java line 860: > 858: return host; > 859: } > 860: } catch (RuntimeException | UnknownHostException e) { This may deserve a comment: resolver.lookUpHostName and InetAddress.getAllbyName0 delegate to the system-wide resolver, which could be custom, and we treat any unexpected RuntimeException thrown by the provider at that point as we would treat an UnknownHostException or an unmatched host name. src/java.base/share/classes/java/net/InetAddress.java line 1063: > 1061: public Stream lookupAddresses(String host, LookupPolicy policy) > 1062: throws UnknownHostException { > 1063: Objects.requireNonNull(host); Should we also double check that `policy` is not null? Or maybe assert it? src/java.base/share/classes/java/net/InetAddress.java line 1203: > 1201: + " as hosts file " + hostsFile + " not found "); > 1202: } > 1203: // Check number of found addresses: I wonder if the logic here could be simplified by first checking whether only IPv4 addresses are requested, and then if only IPv6 addresses are requested. That is - evacuate the simple cases first and then only deal with the more complex case where you have to combine the two lists... ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From mcimadamore at openjdk.java.net Fri Oct 15 16:54:58 2021 From: mcimadamore at openjdk.java.net (Maurizio Cimadamore) Date: Fri, 15 Oct 2021 16:54:58 GMT Subject: RFR: 8275063: Implementation of Foreign Function & Memory API (Second incubator) [v5] In-Reply-To: References: Message-ID: > This PR contains the API and implementation changes for JEP-419 [1]. A more detailed description of such changes, to avoid repetitions during the review process, is included as a separate comment. > > [1] - https://openjdk.java.net/jeps/419 Maurizio Cimadamore has updated the pull request incrementally with one additional commit since the last revision: * Fix javadoc issue in VaList * Fix bug in concurrent logic for shared scope acquire ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5907/files - new: https://git.openjdk.java.net/jdk/pull/5907/files/27e71ee7..5ed94c30 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5907&range=04 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5907&range=03-04 Stats: 10 lines in 2 files changed: 2 ins; 3 del; 5 mod Patch: https://git.openjdk.java.net/jdk/pull/5907.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5907/head:pull/5907 PR: https://git.openjdk.java.net/jdk/pull/5907 From mcimadamore at openjdk.java.net Fri Oct 15 16:56:08 2021 From: mcimadamore at openjdk.java.net (Maurizio Cimadamore) Date: Fri, 15 Oct 2021 16:56:08 GMT Subject: RFR: 8275063: Implementation of Foreign Function & Memory API (Second incubator) [v5] In-Reply-To: References: Message-ID: On Fri, 15 Oct 2021 16:54:58 GMT, Maurizio Cimadamore wrote: >> This PR contains the API and implementation changes for JEP-419 [1]. A more detailed description of such changes, to avoid repetitions during the review process, is included as a separate comment. >> >> [1] - https://openjdk.java.net/jeps/419 > > Maurizio Cimadamore has updated the pull request incrementally with one additional commit since the last revision: > > * Fix javadoc issue in VaList > * Fix bug in concurrent logic for shared scope acquire src/jdk.incubator.foreign/share/classes/jdk/internal/foreign/SharedScope.java line 138: > 136: ResourceCleanup prev = (ResourceCleanup) FST.getAcquire(this); > 137: cleanup.next = prev; > 138: ResourceCleanup newSegment = (ResourceCleanup) FST.compareAndExchangeRelease(this, prev, cleanup); In this place we can actually overwrite CLOSED_LIST (if getAcquired has seen such value). While this particular add will fail later on (since we check witness), another concurrent add might then pass, since it sees a value other than CLOSED_LIST (which is supposed to be a terminal state). Also, after consulting with @DougLea and @shipilev - it seems like using volatile semantics is the way to go here. This should fix a spurious (and very rare) failure on TestResourceScope on arm64. ------------- PR: https://git.openjdk.java.net/jdk/pull/5907 From dfuchs at openjdk.java.net Fri Oct 15 17:24:53 2021 From: dfuchs at openjdk.java.net (Daniel Fuchs) Date: Fri, 15 Oct 2021 17:24:53 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v3] In-Reply-To: References: Message-ID: On Tue, 12 Oct 2021 15:43:24 GMT, Aleksei Efimov wrote: >> This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. >> >> The following API classes are added to `java.net.spi` package to facilitate this: >> - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. >> - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. >> - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. >> - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. >> >> More details in [JEP-418](https://openjdk.java.net/jeps/418). >> >> Testing: new and existing `tier1:tier3` tests > > Aleksei Efimov has updated the pull request incrementally with two additional commits since the last revision: > > - Add @since tags to new API classes > - Add checks and test for empty stream resolver results test/jdk/java/net/spi/InetAddressResolverProvider/providers/recursive/recursive.init.provider/impl/InetAddressUsageInGetProviderImpl.java line 38: > 36: String localHostName; > 37: try { > 38: localHostName = InetAddress.getLocalHost().getHostName(); Try to call InetAddress.getLocalHost().getHostName(); twice here. test/lib/jdk/test/lib/net/IPSupport.java line 88: > 86: } catch (SocketException se2) { > 87: return false; > 88: } The implementation of this method now conflicts with its name. Maybe we should pass a `Class` as parameter, and construct the loopback address from there. IIRC the issue with the original implementation was that it would say that IPv6 was not supported if IPv6 had only been disabled on the loopback interface - and that caused trouble because the native implementation of the built-in resolver had a different view of the situation - and saw that an IPv6 stack was available on the machine. Maybe this would deserve a comment too - so that future maintainers can figure out what we are trying to do here. ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From msheppar at openjdk.java.net Sat Oct 16 10:51:48 2021 From: msheppar at openjdk.java.net (Mark Sheppard) Date: Sat, 16 Oct 2021 10:51:48 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v3] In-Reply-To: References: Message-ID: On Tue, 12 Oct 2021 15:43:24 GMT, Aleksei Efimov wrote: >> This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. >> >> The following API classes are added to `java.net.spi` package to facilitate this: >> - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. >> - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. >> - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. >> - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. >> >> More details in [JEP-418](https://openjdk.java.net/jeps/418). >> >> Testing: new and existing `tier1:tier3` tests > > Aleksei Efimov has updated the pull request incrementally with two additional commits since the last revision: > > - Add @since tags to new API classes > - Add checks and test for empty stream resolver results What?s in a name? I find the method names of the InetAddressResolver interface a bit ambiguous. Typically in this DNS problem space one speaks of lookup to resolve a hostname to its associated addresses and reverse lookup to resolve an IP address to a hostname (or names) associated with it. For the method names lookupHostname, and lookupAddresses, and the semantics conveyed in those names, I would expect lookupHostname to resolve a hostname, that is, take a hostname as parameter and the return value the addresses, while lookupAddresses I would expect to resolve an address to its hostname, that is, take an address and return a hostname. However, the current pair of methods names convey the opposite, lookupHostname resolves an address and lookupAddresses resolves a hostname. I would proffer a method name change to use lookup and reverseLookup OR to use resolvesHostname and resolveAddress, to resolve a hostname and address respectively. Thus, lookupHostname should be renamed to reverseLookup and lookupAddresses to lookup OR lookupHostname renamed to resolveAddress and lookupAddresses renamed to resolveHostname. ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From mcimadamore at openjdk.java.net Sat Oct 16 11:11:59 2021 From: mcimadamore at openjdk.java.net (Maurizio Cimadamore) Date: Sat, 16 Oct 2021 11:11:59 GMT Subject: RFR: 8275063: Implementation of Foreign Function & Memory API (Second incubator) [v6] In-Reply-To: References: Message-ID: > This PR contains the API and implementation changes for JEP-419 [1]. A more detailed description of such changes, to avoid repetitions during the review process, is included as a separate comment. > > [1] - https://openjdk.java.net/jeps/419 Maurizio Cimadamore has updated the pull request incrementally with two additional commits since the last revision: - * use `invokeWithArguments` to simplify new test - Add test for liveness check with high-aririty downcalls (make sure that if an exception occurs in a downcall because of liveness, ref count of other resources are left intact). ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5907/files - new: https://git.openjdk.java.net/jdk/pull/5907/files/5ed94c30..a4db81fe Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5907&range=05 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5907&range=04-05 Stats: 39 lines in 2 files changed: 39 ins; 0 del; 0 mod Patch: https://git.openjdk.java.net/jdk/pull/5907.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5907/head:pull/5907 PR: https://git.openjdk.java.net/jdk/pull/5907 From msheppar at openjdk.java.net Sat Oct 16 12:33:52 2021 From: msheppar at openjdk.java.net (Mark Sheppard) Date: Sat, 16 Oct 2021 12:33:52 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v3] In-Reply-To: References: Message-ID: On Tue, 12 Oct 2021 15:43:24 GMT, Aleksei Efimov wrote: >> This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. >> >> The following API classes are added to `java.net.spi` package to facilitate this: >> - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. >> - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. >> - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. >> - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. >> >> More details in [JEP-418](https://openjdk.java.net/jeps/418). >> >> Testing: new and existing `tier1:tier3` tests > > Aleksei Efimov has updated the pull request incrementally with two additional commits since the last revision: > > - Add @since tags to new API classes > - Add checks and test for empty stream resolver results Refactor remove Configuration and simplify interface: In the InetAddressResolver a Configuration abstraction is defined, and this is supplied to a get method of the InetAddressResolverProvider. The objective is to ?inject? some platform configuration into an InetAddressResolver. This consistents of two pieces of platform configuration detail, a builtin resolver reference and the hostname. Why not provide them as parameters to the provider get method and dispense with the Configuration abstraction? Thus simplifying the interface. The hostname is being supplied by the getLocalHostName of an InetAddressImpl. This is essentially a wrapper to the library call gethostname. This could be provided as a static method in InetAddressImpl, called once during loadResolver to provide the hostname parameter String. The hostname is a static piece of system configuration, which requires a system restart if it were to be changed - so need to provide a lambda. So Suggestion is refector remove Configuration to simplify the interface and provide the BULITIN_RESOLVER and hostname as parameters to the InetAddressResolverProvider::get method ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From aefimov at openjdk.java.net Sun Oct 17 15:58:54 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Sun, 17 Oct 2021 15:58:54 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v3] In-Reply-To: References: Message-ID: On Sat, 16 Oct 2021 12:30:44 GMT, Mark Sheppard wrote: > So Suggestion is refector remove Configuration to simplify the interface and provide the BULITIN_RESOLVER and hostname as parameters to the InetAddressResolverProvider::get method During work on this JEP we've examined the approach suggested above, and there are few issues with it: - `InetAddressResolverProvider.Configuration` interface API might evolve, e.g. there might be a need to pass additional configuration items. - local hostname is a dynamic information, therefore it cannot be passed as string parameter to `InetAddressResolverProvider::get`. It's been also discussed in the CSR comments [here](https://bugs.openjdk.java.net/browse/JDK-8274558) ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From aefimov at openjdk.java.net Sun Oct 17 16:36:51 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Sun, 17 Oct 2021 16:36:51 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v3] In-Reply-To: References: Message-ID: <0Xvj7H_JyjEfXTUr1GI3ooLL1cGBuWLDAtrP83WuQV0=.7e172d30-620d-4ce1-9bac-62db6dc19e52@github.com> On Sat, 16 Oct 2021 10:48:32 GMT, Mark Sheppard wrote: > What?s in a name? I find the method names of the InetAddressResolver interface a bit ambiguous. Typically in this DNS problem space one speaks of lookup to resolve a hostname to its associated addresses and reverse lookup to resolve an IP address to a hostname (or names) associated with it. I'm not sure that I see an ambiguity here: Interface has two methods, both are for lookup operations. That is why `lookup` word is used in both names. Then we put a description of a returned result after operation name: `Addresses` and `HostName` are the results. In cases when we want to highlight a parameter type in a method name we can use ?by?/?with? prepositions: for instance, `InetAddress.getByName` `InetAddress.getByAddress` `ScheduledExecutorService.scheduleWithFixedDelay`. We can try and apply this approach to the description of DNS operations above: > lookup to resolve a hostname to its associated addresses operation: `lookup` result: `addresses` -> methodName: `lookupAddresses` > reverse lookup to resolve an IP address to a hostname operation: `lookup` (we've dropped reverse word here) result: `hostname` -> methodName: `lookupHostName` ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From alanb at openjdk.java.net Sun Oct 17 18:35:57 2021 From: alanb at openjdk.java.net (Alan Bateman) Date: Sun, 17 Oct 2021 18:35:57 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v3] In-Reply-To: References: Message-ID: On Sun, 17 Oct 2021 15:55:59 GMT, Aleksei Efimov wrote: > * `InetAddressResolverProvider.Configuration` interface API might evolve, e.g. there might be a need to pass additional configuration items. > * local hostname is a dynamic information, therefore it cannot be passed as string parameter to `InetAddressResolverProvider::get`. Right, I think we've ended up with a good model here that supports the common case, stacking, and can be extended in the future to add new configuration if required. Also if good use-cases come up when Configuration can be changed to be non-sealed. ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From msheppar at openjdk.java.net Sun Oct 17 21:06:51 2021 From: msheppar at openjdk.java.net (Mark Sheppard) Date: Sun, 17 Oct 2021 21:06:51 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v3] In-Reply-To: <0Xvj7H_JyjEfXTUr1GI3ooLL1cGBuWLDAtrP83WuQV0=.7e172d30-620d-4ce1-9bac-62db6dc19e52@github.com> References: <0Xvj7H_JyjEfXTUr1GI3ooLL1cGBuWLDAtrP83WuQV0=.7e172d30-620d-4ce1-9bac-62db6dc19e52@github.com> Message-ID: On Sun, 17 Oct 2021 16:33:57 GMT, Aleksei Efimov wrote: > > What?s in a name? I find the method names of the InetAddressResolver interface a bit ambiguous. Typically in this DNS problem space one speaks of lookup to resolve a hostname to its associated addresses and reverse lookup to resolve an IP address to a hostname (or names) associated with it. > > I'm not sure that I see an ambiguity here: Interface has two methods, both are for lookup operations. That is why `lookup` word is used in both names. Then we put a description of a returned result after operation name: `Addresses` and `HostName` are the results. In cases when we want to highlight a parameter type in a method name we can use ?by?/?with? prepositions: for instance, `InetAddress.getByName` `InetAddress.getByAddress` `ScheduledExecutorService.scheduleWithFixedDelay`. > > We can try and apply this approach to the description of DNS operations above: > > > lookup to resolve a hostname to its associated addresses > > operation: `lookup` result: `addresses` -> methodName: `lookupAddresses` > > > reverse lookup to resolve an IP address to a hostname > > operation: `lookup` (we've dropped reverse word here) result: `hostname` -> methodName: `lookupHostName` Yes, ambiguity wasn?t quite the word I was looking for. Maybe contradictory or oxymoron might do !! Let me try and clarify the rational behind the suggestion. To re-iterate, the parlance of the DNS domain in context of address resolution is lookup for hostname to IP address resolution and reverse lookup for address to hostname mapping. For me, the natural verb to method translation is lookup and **reverseLookup OR resolveHostname and resolveAddress. The latter names are pretty definitive and unambiguous. It clear and obvious without the need to pursue the full signature of the method, what the semantics of the methods should be. At the java InetAddress API level there is getByName(String host) and getByAddress(byte[] addr). At the native OS level there is gethostbyname, gethostbyaddr and the evolved api getnameinfo and getaddrinfo. getByName requires a hostname lookup and getByAdress requires (eventually - I know the docs says there?s no reverse lookup) an address reverse lookup. Thus, a logical mapping is getByName ?> lookupHostname, and getByAddr ?> lookupAddress, but the opposite will occur getByName --> lookupAddresses and getByAddress --> lookupHostname. Therfore I proffer maps neatly to rename methods to resolveHostname and resolveAddress such that the mapping are getByName --> resolveHostname and getByAddress --> resolveAddress. I will concede that it can be reasonable argued that the native library functions getnameinfo and getaddrinfo may better abstract to lookupHostname and lookupAddresses respectively. But, I have always found these two library calls a bit contorted and the legacy gethostbyname and gethostbyaddress were more logical. In you proposition above: > operation: `lookup` result: `addresses` -> methodName: `lookupAddresses` > operation: `lookup` (we've dropped reverse word here) result: `hostname` -> methodName: `lookupHostName` You are generating the name from the result of the action. I?m arguing that it should be based on the operation on the subject i.e. the parameter being passed. If this was hashmap lookup, then it is an operation of mapping hostname to addresses mapHostnameToAddresses, i.e. looking up a hostname, and mapping an address to a hostname mapAddressToHostname i.e. looking up an address. Of course, it is possible to just **overload** a lookup method, one taking Sting and t?other taking byte adder in the method?s parameters, respectively. Then, you don?t have to concede too much in this argument. But, for me as an ordinary developer, resolveAddress and resolveHostname are crystal clear and unambiguous. ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From msheppar at openjdk.java.net Sun Oct 17 21:41:49 2021 From: msheppar at openjdk.java.net (Mark Sheppard) Date: Sun, 17 Oct 2021 21:41:49 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v3] In-Reply-To: References: Message-ID: <-8BcYWYlwGxmsmAY7JBT2h_Ahae3fONnwgGJxfedrJY=.8826d18f-4e00-496e-b06c-96d44e0eeb6c@github.com> On Sun, 17 Oct 2021 15:55:59 GMT, Aleksei Efimov wrote: > > So Suggestion is refector remove Configuration to simplify the interface and provide the BULITIN_RESOLVER and hostname as parameters to the InetAddressResolverProvider::get method > > During work on this JEP we've examined the approach suggested above, and there are few issues with it: > > * `InetAddressResolverProvider.Configuration` interface API might evolve, e.g. there might be a need to pass additional configuration items. > > * local hostname is a dynamic information, therefore it cannot be passed as string parameter to `InetAddressResolverProvider::get`. > > > It's been also discussed in the CSR comments [here](https://bugs.openjdk.java.net/browse/JDK-8274558) OK grand ... I didn't see the CSR discussion :-( WRT hostname being dynamic and requires a lambda ... is it really dynamic? I know it can be changed, but IIRC most (unix and windows) if not all systems require a restart for such a change change to take effect, and usually requires a dns cache flush also, in which case an application will be restarting also. In the case of working over VPN, VPN software usually changes the hostname dynamically, but that name change is only valid for the duration of the VPN session, and when you exit the VPN, it reverts back to the original hostname. In such cases an application will need to be restarted. There's no seemless working from VPN to non VPN. I think that a hostname is constant while a host is up, but it can be changed, and when changed a host restart is required. I don't think it is quite as dynamic as has been suggested, but I open to correction. It is something that can be investigated. ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From ihse at openjdk.java.net Mon Oct 18 09:36:48 2021 From: ihse at openjdk.java.net (Magnus Ihse Bursie) Date: Mon, 18 Oct 2021 09:36:48 GMT Subject: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12 In-Reply-To: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> References: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> Message-ID: On Thu, 14 Oct 2021 13:36:19 GMT, Weijun Wang wrote: > The cacerts file is now a password-less PKCS12 file. This make sure old code that uses a JKS KeyStore object can continuously load it using a null password (in fact, any password) and see all certificates inside. Marked as reviewed by ihse (Reviewer). ------------- PR: https://git.openjdk.java.net/jdk/pull/5948 From ihse at openjdk.java.net Mon Oct 18 09:36:49 2021 From: ihse at openjdk.java.net (Magnus Ihse Bursie) Date: Mon, 18 Oct 2021 09:36:49 GMT Subject: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12 In-Reply-To: <6yXAA76EWqiG9yTID2x0gyUYFy4EsM4Veo1QHgRtzFQ=.4397d5c5-fcae-4649-9042-d0670ef0ec94@github.com> References: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> <6yXAA76EWqiG9yTID2x0gyUYFy4EsM4Veo1QHgRtzFQ=.4397d5c5-fcae-4649-9042-d0670ef0ec94@github.com> Message-ID: On Fri, 15 Oct 2021 14:56:23 GMT, Weijun Wang wrote: >> If that means the build will become non-reproducible, then *I* certainly have thoughts about it! ;-) > > The certificate stored in a PKCS12 file has no date associated. Whenever you load a keystore, the creation time is set to the load time. > > In fact, the `VerifyCACerts.java` maintains a SHA-256 hash of the keystore and it will not change unless the certs themselves are changed. > > Here is the actual bytes for one certificate entry inside: > > 0000:1AD48 [] SEQUENCE > 0005:0659 [0] SEQUENCE > 0009:000D [00] OID 1.2.840.113549.1.12.10.1.3 (CertBag) > 0016:05DB [01] cont [0] > 001A:05D7 [010] SEQUENCE > 001E:000C [0100] OID 1.2.840.113549.1.9.22.1 (CertTypeX509) > 002A:05C7 [0101] cont [0] > 002E:05C3 [01010] OCTET STRING (1729119956) > 0000: 30 82 05 BB 30 82 03 A3 A0 03 02 01 02 02 08 57 0...0..........W > 0010: 0A 11 97 42 C4 E3 CC 30 0D 06 09 2A 86 48 86 F7 ...B...0...*.H.. > 0020: 0D 01 01 0B 05 00 30 6B 31 0B 30 09 06 03 55 04 ......0k1.0...U. (1471 bytes) > 05F1:006D [02] SET > 05F3:0053 [020] SEQUENCE > 05F5:000B [0200] OID 1.2.840.113549.1.9.20 (FriendlyName) > 0600:0046 [0201] SET > 0602:0044 [02010] STRING "actalisauthenticationrootca [jdk]" > 0646:0018 [021] SEQUENCE > 0648:000E [0210] OID 2.16.840.1.113894.746875.1.1 (ORACLE_TrustedKeyUsage) > 0656:0008 [0211] SET > 0658:0006 [02110] OID 2.5.29.37.0 (anyExtendedKeyUsage) As long as the file content is not date dependent, I'm happy :) ------------- PR: https://git.openjdk.java.net/jdk/pull/5948 From mullan at openjdk.java.net Mon Oct 18 13:19:48 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Mon, 18 Oct 2021 13:19:48 GMT Subject: RFR: 8274721: UnixSystem fails to provide uid, gid or groups if no username is available In-Reply-To: References: Message-ID: On Mon, 4 Oct 2021 17:40:22 GMT, Weijun Wang wrote: > Two changes: > > 1. Calculation of groups is put in a separate block. > 2. Add fallback for uid and gid > > No regression test. Hard to reproduce bud reporter's environment in jtreg. Marked as reviewed by mullan (Reviewer). ------------- PR: https://git.openjdk.java.net/jdk/pull/5808 From weijun at openjdk.java.net Mon Oct 18 13:28:58 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Mon, 18 Oct 2021 13:28:58 GMT Subject: Integrated: 8274721: UnixSystem fails to provide uid, gid or groups if no username is available In-Reply-To: References: Message-ID: On Mon, 4 Oct 2021 17:40:22 GMT, Weijun Wang wrote: > Two changes: > > 1. Calculation of groups is put in a separate block. > 2. Add fallback for uid and gid > > No regression test. Hard to reproduce bud reporter's environment in jtreg. This pull request has now been integrated. Changeset: a619f890 Author: Weijun Wang URL: https://git.openjdk.java.net/jdk/commit/a619f8909bb074712db22746e785f7485795a8f5 Stats: 47 lines in 1 file changed: 15 ins; 6 del; 26 mod 8274721: UnixSystem fails to provide uid, gid or groups if no username is available Reviewed-by: mullan ------------- PR: https://git.openjdk.java.net/jdk/pull/5808 From hchao at openjdk.java.net Tue Oct 19 01:09:26 2021 From: hchao at openjdk.java.net (Hai-May Chao) Date: Tue, 19 Oct 2021 01:09:26 GMT Subject: RFR: 8272163: Add -version option to keytool and jarsigner [v2] In-Reply-To: <09nuObEA1zfkqsqe4YoypKcdexK1L5zdRjtXUKHLt_g=.676c0c70-e861-460d-b28e-bdada92a5136@github.com> References: <09nuObEA1zfkqsqe4YoypKcdexK1L5zdRjtXUKHLt_g=.676c0c70-e861-460d-b28e-bdada92a5136@github.com> Message-ID: > It'd be useful to have a -version option for keytool and jarsigner. Many other JDK tools already have a -version option. This is to add -version option to keytool and jarsigner like jar command does. > > CSR review: > https://bugs.openjdk.java.net/browse/JDK-8275174 Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Fix -version in jarsigner and update tests ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5954/files - new: https://git.openjdk.java.net/jdk/pull/5954/files/1d43fe2f..4593b7a8 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5954&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5954&range=00-01 Stats: 117 lines in 4 files changed: 99 ins; 16 del; 2 mod Patch: https://git.openjdk.java.net/jdk/pull/5954.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5954/head:pull/5954 PR: https://git.openjdk.java.net/jdk/pull/5954 From hchao at openjdk.java.net Tue Oct 19 01:09:37 2021 From: hchao at openjdk.java.net (Hai-May Chao) Date: Tue, 19 Oct 2021 01:09:37 GMT Subject: RFR: 8272163: Add -version option to keytool and jarsigner [v2] In-Reply-To: References: <09nuObEA1zfkqsqe4YoypKcdexK1L5zdRjtXUKHLt_g=.676c0c70-e861-460d-b28e-bdada92a5136@github.com> Message-ID: On Fri, 15 Oct 2021 13:34:48 GMT, Weijun Wang wrote: >> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: >> >> Fix -version in jarsigner and update tests > > src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 348: > >> 346: } >> 347: doPrintVersion(); >> 348: } > > What happens if `-version` appears elsewhere? > > I tried some other commands. When both `-version` and other arguments are provided, `java` ignores the others and prints out version info. `javac` prints out the version info and compiles as well. > > It's possible that user writes a script or alias that always run the tool with some options (Ex: `-keystore`, `-storepass`, `-verbose`). Maybe we should not fail if `-version` is used with other options (no matter at the beginning or the end). Fixed so `-version` can be used with other options in jarsigner. > src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 600: > >> 598: } >> 599: >> 600: static void usageTooManyArg() { > > Since the method is only for `-version` and the printed message also mentions "version", maybe it's better to choose a specific name. Removed this method after the change for the comment as above. > src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 602: > >> 600: static void usageTooManyArg() { >> 601: System.out.println(rb.getString( >> 602: "Option.should.not.be.specified.for.version")); > > Neither arguments not options should be specified here. Method was removed. > test/jdk/sun/security/tools/jarsigner/VersionTest.java line 40: > >> 38: .shouldHaveExitValue(0); >> 39: >> 40: SecurityTools.jarsigner("-version -extraopt") > > You might want to use some legal arguments here, for example, `-version -help`. Otherwise, the error might be because the extra option is not supported. Or, you can check if an expected error message is printed out. Updated the test as suggested. > test/jdk/sun/security/tools/keytool/VersionTest.java line 40: > >> 38: .shouldHaveExitValue(0); >> 39: >> 40: SecurityTools.keytool("-version -extraopt") > > Same comment as above. Done. ------------- PR: https://git.openjdk.java.net/jdk/pull/5954 From hchao at openjdk.java.net Tue Oct 19 01:15:50 2021 From: hchao at openjdk.java.net (Hai-May Chao) Date: Tue, 19 Oct 2021 01:15:50 GMT Subject: RFR: 8272163: Add -version option to keytool and jarsigner In-Reply-To: References: <09nuObEA1zfkqsqe4YoypKcdexK1L5zdRjtXUKHLt_g=.676c0c70-e861-460d-b28e-bdada92a5136@github.com> Message-ID: <_oY75ropGVymMKy59ztW82A-oE9kIBrtJyJoeUoSGak=.d124f20f-d38e-4149-a16b-06095519cbf6@github.com> On Fri, 15 Oct 2021 13:49:27 GMT, Weijun Wang wrote: >> It'd be useful to have a -version option for keytool and jarsigner. Many other JDK tools already have a -version option. This is to add -version option to keytool and jarsigner like jar command does. >> >> CSR review: >> https://bugs.openjdk.java.net/browse/JDK-8275174 > > For the CSR, is it necessary to list the `-help` output change? @wangweij Thanks for your review! Regarding your CSR comment if it is necessary to list the `-help` output change, as the current keytool manage lists its commands [1], and then I?ve added an entry for `-version` at the end of the list in the CSR. The jarsigner manpage lists the options [2], and I also added an entry for `-version` to its list. Are you suggesting we should add a new output for `-help` in keytool and jarsigner manpages? [1] https://docs.oracle.com/en/java/javase/17/docs/specs/man/keytool.html#synopsis [2] https://docs.oracle.com/en/java/javase/17/docs/specs/man/jarsigner.html#synopsis ------------- PR: https://git.openjdk.java.net/jdk/pull/5954 From dholmes at openjdk.java.net Tue Oct 19 02:27:48 2021 From: dholmes at openjdk.java.net (David Holmes) Date: Tue, 19 Oct 2021 02:27:48 GMT Subject: RFR: 8275063: Implementation of Foreign Function & Memory API (Second incubator) [v6] In-Reply-To: References: Message-ID: On Sat, 16 Oct 2021 11:11:59 GMT, Maurizio Cimadamore wrote: >> This PR contains the API and implementation changes for JEP-419 [1]. A more detailed description of such changes, to avoid repetitions during the review process, is included as a separate comment. >> >> [1] - https://openjdk.java.net/jeps/419 > > Maurizio Cimadamore has updated the pull request incrementally with two additional commits since the last revision: > > - * use `invokeWithArguments` to simplify new test > - Add test for liveness check with high-aririty downcalls > (make sure that if an exception occurs in a downcall because of liveness, > ref count of other resources are left intact). Hotspot changes seem fine. Thanks, David ------------- PR: https://git.openjdk.java.net/jdk/pull/5907 From weijun at openjdk.java.net Tue Oct 19 03:43:50 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 19 Oct 2021 03:43:50 GMT Subject: RFR: 8272163: Add -version option to keytool and jarsigner [v2] In-Reply-To: References: <09nuObEA1zfkqsqe4YoypKcdexK1L5zdRjtXUKHLt_g=.676c0c70-e861-460d-b28e-bdada92a5136@github.com> Message-ID: On Tue, 19 Oct 2021 01:09:26 GMT, Hai-May Chao wrote: >> It'd be useful to have a -version option for keytool and jarsigner. Many other JDK tools already have a -version option. This is to add -version option to keytool and jarsigner like jar command does. >> >> CSR review: >> https://bugs.openjdk.java.net/browse/JDK-8275174 > > Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: > > Fix -version in jarsigner and update tests src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 314: > 312: if (version) { > 313: doPrintVersion(); > 314: } So if both `-version` and `file.jar` are provided, jarsigner will both sign the jar and print the version. This is probably OK but I prefer the `java` style that only prints the version. ------------- PR: https://git.openjdk.java.net/jdk/pull/5954 From hchao at openjdk.java.net Tue Oct 19 06:16:20 2021 From: hchao at openjdk.java.net (Hai-May Chao) Date: Tue, 19 Oct 2021 06:16:20 GMT Subject: RFR: 8272163: Add -version option to keytool and jarsigner [v3] In-Reply-To: <09nuObEA1zfkqsqe4YoypKcdexK1L5zdRjtXUKHLt_g=.676c0c70-e861-460d-b28e-bdada92a5136@github.com> References: <09nuObEA1zfkqsqe4YoypKcdexK1L5zdRjtXUKHLt_g=.676c0c70-e861-460d-b28e-bdada92a5136@github.com> Message-ID: > It'd be useful to have a -version option for keytool and jarsigner. Many other JDK tools already have a -version option. This is to add -version option to keytool and jarsigner like jar command does. > > CSR review: > https://bugs.openjdk.java.net/browse/JDK-8275174 Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: jarsigner only prints version and ignores other options ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5954/files - new: https://git.openjdk.java.net/jdk/pull/5954/files/4593b7a8..c0a71608 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5954&range=02 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5954&range=01-02 Stats: 13 lines in 2 files changed: 4 ins; 5 del; 4 mod Patch: https://git.openjdk.java.net/jdk/pull/5954.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5954/head:pull/5954 PR: https://git.openjdk.java.net/jdk/pull/5954 From hchao at openjdk.java.net Tue Oct 19 06:16:26 2021 From: hchao at openjdk.java.net (Hai-May Chao) Date: Tue, 19 Oct 2021 06:16:26 GMT Subject: RFR: 8272163: Add -version option to keytool and jarsigner [v2] In-Reply-To: References: <09nuObEA1zfkqsqe4YoypKcdexK1L5zdRjtXUKHLt_g=.676c0c70-e861-460d-b28e-bdada92a5136@github.com> Message-ID: <6DCQOsqAtohBJIFQGJSJVQCfookU78FyVmcY2i-IRr0=.af62c09a-4c75-482a-9339-b554f601fa96@github.com> On Tue, 19 Oct 2021 03:40:55 GMT, Weijun Wang wrote: >> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: >> >> Fix -version in jarsigner and update tests > > src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 314: > >> 312: if (version) { >> 313: doPrintVersion(); >> 314: } > > So if both `-version` and `file.jar` are provided, jarsigner will both sign the jar and print the version. This is probably OK but I prefer the `java` style that only prints the version. Ok, change made to have jarsigner to only print the version and ignore other options. ------------- PR: https://git.openjdk.java.net/jdk/pull/5954 From hchao at openjdk.java.net Tue Oct 19 06:26:17 2021 From: hchao at openjdk.java.net (Hai-May Chao) Date: Tue, 19 Oct 2021 06:26:17 GMT Subject: RFR: 8272163: Add -version option to keytool and jarsigner [v4] In-Reply-To: <09nuObEA1zfkqsqe4YoypKcdexK1L5zdRjtXUKHLt_g=.676c0c70-e861-460d-b28e-bdada92a5136@github.com> References: <09nuObEA1zfkqsqe4YoypKcdexK1L5zdRjtXUKHLt_g=.676c0c70-e861-460d-b28e-bdada92a5136@github.com> Message-ID: > It'd be useful to have a -version option for keytool and jarsigner. Many other JDK tools already have a -version option. This is to add -version option to keytool and jarsigner like jar command does. > > CSR review: > https://bugs.openjdk.java.net/browse/JDK-8275174 Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Updated comment in test ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5954/files - new: https://git.openjdk.java.net/jdk/pull/5954/files/c0a71608..e801c6a2 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5954&range=03 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5954&range=02-03 Stats: 8 lines in 1 file changed: 6 ins; 0 del; 2 mod Patch: https://git.openjdk.java.net/jdk/pull/5954.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5954/head:pull/5954 PR: https://git.openjdk.java.net/jdk/pull/5954 From weijun at openjdk.java.net Tue Oct 19 13:09:58 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 19 Oct 2021 13:09:58 GMT Subject: RFR: 8272163: Add -version option to keytool and jarsigner [v4] In-Reply-To: References: <09nuObEA1zfkqsqe4YoypKcdexK1L5zdRjtXUKHLt_g=.676c0c70-e861-460d-b28e-bdada92a5136@github.com> Message-ID: On Tue, 19 Oct 2021 06:26:17 GMT, Hai-May Chao wrote: >> It'd be useful to have a -version option for keytool and jarsigner. Many other JDK tools already have a -version option. This is to add -version option to keytool and jarsigner like jar command does. >> >> CSR review: >> https://bugs.openjdk.java.net/browse/JDK-8275174 > > Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: > > Updated comment in test Marked as reviewed by weijun (Reviewer). ------------- PR: https://git.openjdk.java.net/jdk/pull/5954 From weijun at openjdk.java.net Tue Oct 19 13:12:52 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 19 Oct 2021 13:12:52 GMT Subject: RFR: 8272163: Add -version option to keytool and jarsigner [v4] In-Reply-To: References: <09nuObEA1zfkqsqe4YoypKcdexK1L5zdRjtXUKHLt_g=.676c0c70-e861-460d-b28e-bdada92a5136@github.com> Message-ID: On Tue, 19 Oct 2021 06:26:17 GMT, Hai-May Chao wrote: >> It'd be useful to have a -version option for keytool and jarsigner. Many other JDK tools already have a -version option. This is to add -version option to keytool and jarsigner like jar command does. >> >> CSR review: >> https://bugs.openjdk.java.net/browse/JDK-8275174 > > Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: > > Updated comment in test Approved the PR. Thanks. I have a small comment on the CSR. ------------- PR: https://git.openjdk.java.net/jdk/pull/5954 From aefimov at openjdk.java.net Tue Oct 19 13:28:26 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Tue, 19 Oct 2021 13:28:26 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v4] In-Reply-To: References: Message-ID: > This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. > > The following API classes are added to `java.net.spi` package to facilitate this: > - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. > - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. > - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. > - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. > > More details in [JEP-418](https://openjdk.java.net/jeps/418). > > Testing: new and existing `tier1:tier3` tests Aleksei Efimov has updated the pull request incrementally with four additional commits since the last revision: - Remove no longer used import from IPSupport - Rename IPSupport.hasAddress and update it to use SocketChannel.open - Address review comments: javadoc + code cleanup - Address resolver bootstraping issue ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5822/files - new: https://git.openjdk.java.net/jdk/pull/5822/files/d302a49a..ac0d2184 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5822&range=03 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5822&range=02-03 Stats: 245 lines in 5 files changed: 180 ins; 35 del; 30 mod Patch: https://git.openjdk.java.net/jdk/pull/5822.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5822/head:pull/5822 PR: https://git.openjdk.java.net/jdk/pull/5822 From aefimov at openjdk.java.net Tue Oct 19 13:28:36 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Tue, 19 Oct 2021 13:28:36 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v3] In-Reply-To: <-JuSgJLSkme6YraHYehOdUah6GSER-EUo3Mq4TVjXKU=.f700cbe6-021a-43c4-a5ae-c0dc7b42d313@github.com> References: <-JuSgJLSkme6YraHYehOdUah6GSER-EUo3Mq4TVjXKU=.f700cbe6-021a-43c4-a5ae-c0dc7b42d313@github.com> Message-ID: On Fri, 15 Oct 2021 14:25:02 GMT, Daniel Fuchs wrote: >> Aleksei Efimov has updated the pull request incrementally with two additional commits since the last revision: >> >> - Add @since tags to new API classes >> - Add checks and test for empty stream resolver results > > src/java.base/share/classes/java/net/InetAddress.java line 231: > >> 229: * The first provider found will be used to instantiate the {@link InetAddressResolver InetAddressResolver} >> 230: * by invoking the {@link InetAddressResolverProvider#get(InetAddressResolverProvider.Configuration)} >> 231: * method. The instantiated {@code InetAddressResolver} will be installed as the system-wide > > Maybe "... method. The **returned** {@code InetAddressResolver} will be installed ..." Changed as suggested in 648e65b8e6ae9687f7164ea3e81c51ab2b5e2dfe. > src/java.base/share/classes/java/net/InetAddress.java line 486: > >> 484: return cns; >> 485: } finally { >> 486: bootstrapResolver = null; > > This is incorrect. This will set bootstrapResolver to null in the case where you return it at line 468 - which means that a second call will then find it null. I believe you want to set it to null in the finally clause only if you reached line 470. You could achieve this by declaring a local variable - e.g `InetAddressResolver tempResolver = null;` before entering the try-finally then set that variable at line 470 `return tempResolver = bootstrapResolver;` and in finally do `if (tempResolver == null) bootsrapResolver = null;` > > To test this you could try to call e.g. `InetAddress.getByName` twice in succession in your test: I believe it will fail with the code as it stands, but will succeed with my proposed changes... Good catch, thank you Daniel. Added a test for that and fixed it in cd19ecd63838d3c2b713ed66d41107fe01a2d3e6. Now the `bootstrapResolver` field is set back to `null` in finally block only if a call to `InetAddress.resolver()` entered a resolver initialization part. > src/java.base/share/classes/java/net/InetAddress.java line 860: > >> 858: return host; >> 859: } >> 860: } catch (RuntimeException | UnknownHostException e) { > > This may deserve a comment: resolver.lookUpHostName and InetAddress.getAllbyName0 delegate to the system-wide resolver, which could be custom, and we treat any unexpected RuntimeException thrown by the provider at that point as we would treat an UnknownHostException or an unmatched host name. Agree - comment added as part of 648e65b8e6ae9687f7164ea3e81c51ab2b5e2dfe. > src/java.base/share/classes/java/net/InetAddress.java line 1063: > >> 1061: public Stream lookupAddresses(String host, LookupPolicy policy) >> 1062: throws UnknownHostException { >> 1063: Objects.requireNonNull(host); > > Should we also double check that `policy` is not null? Or maybe assert it? Yes, we should since custom resolvers might call the built-in one with `null` - added non-null check in 648e65b . > src/java.base/share/classes/java/net/InetAddress.java line 1203: > >> 1201: + " as hosts file " + hostsFile + " not found "); >> 1202: } >> 1203: // Check number of found addresses: > > I wonder if the logic here could be simplified by first checking whether only IPv4 addresses are requested, and then if only IPv6 addresses are requested. > > That is - evacuate the simple cases first and then only deal with the more complex case where you have to combine the two lists... Tried to simplify it in 648e65b8e6ae9687f7164ea3e81c51ab2b5e2dfe ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From aefimov at openjdk.java.net Tue Oct 19 13:31:09 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Tue, 19 Oct 2021 13:31:09 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v3] In-Reply-To: References: Message-ID: On Fri, 15 Oct 2021 17:09:46 GMT, Daniel Fuchs wrote: >> Aleksei Efimov has updated the pull request incrementally with two additional commits since the last revision: >> >> - Add @since tags to new API classes >> - Add checks and test for empty stream resolver results > > test/jdk/java/net/spi/InetAddressResolverProvider/providers/recursive/recursive.init.provider/impl/InetAddressUsageInGetProviderImpl.java line 38: > >> 36: String localHostName; >> 37: try { >> 38: localHostName = InetAddress.getLocalHost().getHostName(); > > Try to call InetAddress.getLocalHost().getHostName(); twice here. New `BootstrapResolverUsageTest` test is added to trigger the bootstrap resolver problem. `InetAddress.getByName` calls with unique names are used instead of `InetAddress.getLocalHost()` to avoid caching of LHN resolution results. Added in cd19ecd63838d3c2b713ed66d41107fe01a2d3e6. ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From aefimov at openjdk.java.net Tue Oct 19 13:34:50 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Tue, 19 Oct 2021 13:34:50 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v3] In-Reply-To: References: Message-ID: On Fri, 15 Oct 2021 17:19:26 GMT, Daniel Fuchs wrote: >> Aleksei Efimov has updated the pull request incrementally with two additional commits since the last revision: >> >> - Add @since tags to new API classes >> - Add checks and test for empty stream resolver results > > test/lib/jdk/test/lib/net/IPSupport.java line 88: > >> 86: } catch (SocketException se2) { >> 87: return false; >> 88: } > > The implementation of this method now conflicts with its name. Maybe we should pass a `Class` as parameter, and construct the loopback address from there. IIRC the issue with the original implementation was that it would say that IPv6 was not supported if IPv6 had only been disabled on the loopback interface - and that caused trouble because the native implementation of the built-in resolver had a different view of the situation - and saw that an IPv6 stack was available on the machine. Maybe this would deserve a comment too - so that future maintainers can figure out what we are trying to do here. Thanks for a good suggestion: renamed to `isSupported`, changed parameter type to `Class addressType` and updated it to use `SocketChannel.open(ProtocolFamily pf)` [API](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/nio/channels/SocketChannel.html#open(java.net.ProtocolFamily)) added in `15` to check if the plafrom supports addresses of specified address type. Pushed as 95a21e57fbe8be147d23e6a6901ae307e8237cbb. All new tests (especially `LookupPolicyMappingTest`) pass in environment with `IPv6` addresses disabled. ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From aefimov at openjdk.java.net Tue Oct 19 13:56:50 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Tue, 19 Oct 2021 13:56:50 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v3] In-Reply-To: <-8BcYWYlwGxmsmAY7JBT2h_Ahae3fONnwgGJxfedrJY=.8826d18f-4e00-496e-b06c-96d44e0eeb6c@github.com> References: <-8BcYWYlwGxmsmAY7JBT2h_Ahae3fONnwgGJxfedrJY=.8826d18f-4e00-496e-b06c-96d44e0eeb6c@github.com> Message-ID: On Sun, 17 Oct 2021 21:39:06 GMT, Mark Sheppard wrote: > I think that a hostname is constant while a host is up, but it can be changed, and when changed a host restart is required. I don't think it is quite as dynamic as has been suggested, but I open to correction. It is possible to change a host name without host restart. What has been tested: - Checked O/S type - Linux - `hostnamectl` cmd was used to change a host name - In output below there is only one `jshell` instance running. jshell> InetAddress.getLocalHost() $1 ==> test-host-name/192.168.0.155 $ hostnamectl set-hostname 'test-host-name-changed' # Need to sleep for 5 seconds since local host # is cached for 5 seconds since last resolution $ sleep 5 jshell> InetAddress.getLocalHost() $2 ==> test-host-name-changed/192.168.0.155 I believe it proves that we need to treat a host name as dynamically changing information. ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From weijun at openjdk.java.net Tue Oct 19 14:57:50 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 19 Oct 2021 14:57:50 GMT Subject: RFR: 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key In-Reply-To: References: Message-ID: On Wed, 13 Oct 2021 13:42:25 GMT, Sean Mullan wrote: > This fix improves the exception message to better indicate when the key (and not the signature algorithm) is restricted. This change also includes a few other improvements: > > - The constraints checking in `AlgorithmChecker.check()` has been improved. If the `AlgorithmConstraints` are an instance of `DisabledAlgorithmConstraints`, the internal `permits` methods are always called; otherwise the public `permits` methods are called. This makes the code easier to understand, and fixes at least one case where duplicate checks were being done. > > - The above change caused some of the exception messages to be slightly different, so some tests that checked the error messages had to be updated to reflect that. > > - AlgorithmDecomposer now stores the canonical algorithm names in a Map, which fixed a bug where "RSASSA-PSS" was not being restricted properly. src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java line 48: > 46: "SHA-384", "SHA384", "SHA-512", "SHA512", "SHA-512/224", > 47: "SHA512/224", "SHA-512/256", "SHA512/256"); > 48: Do you want to support the "SHA" -> "SHA1" mapping? src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java line 196: > 194: static String canonicalName(String algorithm) { > 195: return CANONICAL_NAME.getOrDefault(algorithm, algorithm); > 196: } I'm not sure if `canonicalName` is good. Normally, we say "SHA-1" is the standard name but this method changes it to "SHA1". ------------- PR: https://git.openjdk.java.net/jdk/pull/5928 From mullan at openjdk.java.net Tue Oct 19 15:52:52 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Tue, 19 Oct 2021 15:52:52 GMT Subject: RFR: 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key In-Reply-To: References: Message-ID: On Tue, 19 Oct 2021 14:34:25 GMT, Weijun Wang wrote: >> This fix improves the exception message to better indicate when the key (and not the signature algorithm) is restricted. This change also includes a few other improvements: >> >> - The constraints checking in `AlgorithmChecker.check()` has been improved. If the `AlgorithmConstraints` are an instance of `DisabledAlgorithmConstraints`, the internal `permits` methods are always called; otherwise the public `permits` methods are called. This makes the code easier to understand, and fixes at least one case where duplicate checks were being done. >> >> - The above change caused some of the exception messages to be slightly different, so some tests that checked the error messages had to be updated to reflect that. >> >> - AlgorithmDecomposer now stores the canonical algorithm names in a Map, which fixed a bug where "RSASSA-PSS" was not being restricted properly. > > src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java line 48: > >> 46: "SHA-384", "SHA384", "SHA-512", "SHA512", "SHA-512/224", >> 47: "SHA512/224", "SHA-512/256", "SHA512/256"); >> 48: > > Do you want to support the "SHA" -> "SHA1" mapping? These should be standard digest names as specified by the disabled algorithm security property syntax. SHA is an alias. > src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java line 196: > >> 194: static String canonicalName(String algorithm) { >> 195: return CANONICAL_NAME.getOrDefault(algorithm, algorithm); >> 196: } > > I'm not sure if `canonicalName` is good. Normally, we say "SHA-1" is the standard name but this method changes it to "SHA1". Right, it's really just about using consistent message digest names so that it can match for example, "SHA-1" and also "SHA1withRSA". I'll change the name to something else. ------------- PR: https://git.openjdk.java.net/jdk/pull/5928 From weijun at openjdk.java.net Tue Oct 19 16:16:50 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 19 Oct 2021 16:16:50 GMT Subject: RFR: 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key In-Reply-To: References: Message-ID: On Tue, 19 Oct 2021 15:26:52 GMT, Sean Mullan wrote: >> src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java line 48: >> >>> 46: "SHA-384", "SHA384", "SHA-512", "SHA512", "SHA-512/224", >>> 47: "SHA512/224", "SHA-512/256", "SHA512/256"); >>> 48: >> >> Do you want to support the "SHA" -> "SHA1" mapping? > > These should be standard digest names as specified by the disabled algorithm security property syntax. SHA is an alias. OK, I saw the default in `CANONICAL_NAME.getOrDefault(algorithm, algorithm)` and thought non-standard names are also allowed. ------------- PR: https://git.openjdk.java.net/jdk/pull/5928 From weijun at openjdk.java.net Tue Oct 19 16:28:14 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 19 Oct 2021 16:28:14 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs Message-ID: New `Subject` APIs `current()` and `callAs()` are created to be replacements of `getSubject()` and `doAs()` since the latter two methods are now deprecated for removal. In this implementation, by default, `current()` returns the same value as `getSubject(AccessController.getCurrent())` and `callAs()` is implemented based on `doAs()`. This behavior is subject to change in the future once `SecurityManager` is removed. User can experiment a possible future mechanism by setting the system property `jdk.security.auth.subject.useTL` to `true`, where the `callAs()` method stores the subject into a `ThreadLocal` object and the `current()` method returns it (Note: this mechanism does not work with principal-based permissions). Inside JDK, we?ve switched from `getSubject()` to `current()` in JGSS and user can start switching to `callAs()` in their applications. Users can also switch to `current()` but please note that if you used to call `getSubject(acc)` in a `doPrivileged` call you might need to try calling `current()` in a `doPrivilegedWithCombiner` call to see if the `AccessControlContext` inside the call inherits the subject from the outer one. ------------- Commit messages: - deprecate doAs, use new APIs in src and test - Merge branch 'master' into 8267108 - old untouched. new same as old by default, or use TL when a sys prop is set - multiple implementations - 8267108: Alternate Subject.getSubject API that does not depend on Security Manager APIs Changes: https://git.openjdk.java.net/jdk/pull/5024/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5024&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8267108 Stats: 653 lines in 20 files changed: 452 ins; 92 del; 109 mod Patch: https://git.openjdk.java.net/jdk/pull/5024.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5024/head:pull/5024 PR: https://git.openjdk.java.net/jdk/pull/5024 From mullan at openjdk.java.net Tue Oct 19 16:28:17 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Tue, 19 Oct 2021 16:28:17 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs In-Reply-To: References: Message-ID: On Thu, 5 Aug 2021 20:10:44 GMT, Weijun Wang wrote: > New `Subject` APIs `current()` and `callAs()` are created to be replacements of `getSubject()` and `doAs()` since the latter two methods are now deprecated for removal. > > In this implementation, by default, `current()` returns the same value as `getSubject(AccessController.getCurrent())` and `callAs()` is implemented based on `doAs()`. This behavior is subject to change in the future once `SecurityManager` is removed. > > User can experiment a possible future mechanism by setting the system property `jdk.security.auth.subject.useTL` to `true`, where the `callAs()` method stores the subject into a `ThreadLocal` object and the `current()` method returns it (Note: this mechanism does not work with principal-based permissions). > > Inside JDK, we?ve switched from `getSubject()` to `current()` in JGSS and user can start switching to `callAs()` in their applications. Users can also switch to `current()` but please note that if you used to call `getSubject(acc)` in a `doPrivileged` call you might need to try calling `current()` in a `doPrivilegedWithCombiner` call to see if the `AccessControlContext` inside the call inherits the subject from the outer one. Max, I am thinking now that we don't need to make the new `Subject.callAs` method call `Subject.doAs` if an SM is not disallowed, and instead just use the TL solution. However, we still want `Subject.current` to support both the SM and TL case as that would be typically called by library code. My reasoning is that applications that are calling `doAs` and depending on the SM will need to find another solution anyway, or stay on the older releases. We probably don't want them to transition to the new `callAs` method (which is not deprecated) and then suddenly it stops working when the SM is removed. src/java.base/share/classes/javax/security/auth/Subject.java line 334: > 332: > 333: private static enum SubjectStorage { > 334: ACC, THREAD_LOCAL, SCOPE_LOCAL I would leave out SCOPE_LOCAL for now. src/java.base/share/classes/javax/security/auth/Subject.java line 352: > 350: }; > 351: > 352: /** Some initial comments below. I think this will take a few iterations to refine the text. src/java.base/share/classes/javax/security/auth/Subject.java line 353: > 351: > 352: /** > 353: * Return the current installed subject. Nit. I know other accessor methods in Subject use the word "Return", but I think "Returns" is more grammatically correct and reads better when describing what this method does. Also just say "Returns the current subject." src/java.base/share/classes/javax/security/auth/Subject.java line 355: > 353: * Return the current installed subject. > 354: *

> 355: * The current installed subject is installed by the {@link #call} s/The current installed subject/The current subject/ I am not sure "installed" is the best term to use, as I equate that most commonly with installing software on your disk. Maybe "set" or "registered"? src/java.base/share/classes/javax/security/auth/Subject.java line 357: > 355: * The current installed subject is installed by the {@link #call} > 356: * or {@link #run} method. When either {@code call(subject, action)} or > 357: * {@code run(subject, action)} is called, {@code action} is executed Should this be `callAs` or `doAs`? src/java.base/share/classes/javax/security/auth/Subject.java line 359: > 357: * {@code run(subject, action)} is called, {@code action} is executed > 358: * with {@code subject} as its current installed subject which can be > 359: * retrieved by this method. After {@code action} is finished, the current Just say "current subject" instead of "current installed subject" throughout. Once you explain how the current subject is installed (or registered), there is no need to repeat that term. src/java.base/share/classes/javax/security/auth/Subject.java line 361: > 359: * retrieved by this method. After {@code action} is finished, the current > 360: * installed subject is reset to its previous value. The current installed > 361: * subject is {@code null} before the first call of {@code call()} It is also null if there are no active `call` or `doAs` methods, right? src/java.base/share/classes/javax/security/auth/Subject.java line 369: > 367: * > 368: * @implNote > 369: * In this implementation, if a {@code SecurityManager} is allowed, We should probably link "allowed" to the section in the `SecurityManager` API that describes the behavior. Perhaps we could see if we could add a hyperlink. src/java.base/share/classes/javax/security/auth/Subject.java line 373: > 371: * {@code getSubject(AccessController.getContext())}. Otherwise, the current > 372: * installed subject is stored in an inheritable {@code ThreadLocal}. > 373: * Also, each of the various {@code doAs(subject, action)} and It's not clear if the "Also ..." sentence is only for the non-SM case. I think you could just use one sentence here, replace "Also, each" with "and each ...". src/java.base/share/classes/javax/security/auth/Subject.java line 482: > 480: * @since 18 > 481: */ > 482: public static T getAs(final Subject subject, Would prefer if we just have one `callAs` method. It might be less of an issue now if we don't need to support the SM case. src/java.base/share/classes/jdk/internal/access/JavaLangAccess.java line 406: > 404: > 405: /** > 406: * When a security manager is allowed. This is true if the system Suggest rewording as: "Returns true if a security manager is allowed. This method returns true ..." src/java.base/share/classes/jdk/internal/access/JavaLangAccess.java line 407: > 405: /** > 406: * When a security manager is allowed. This is true if the system > 407: * property java.security.manager is set to any value other than "disabled". s/disabled/disallow/ src/java.base/share/classes/jdk/internal/access/JavaLangAccess.java line 408: > 406: * When a security manager is allowed. This is true if the system > 407: * property java.security.manager is set to any value other than "disabled". > 408: * @return Probably don't need `@return` as it is an internal method. ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From weijun at openjdk.java.net Tue Oct 19 16:28:28 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 19 Oct 2021 16:28:28 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs In-Reply-To: References: Message-ID: <8gog1eBq00z6B4roNVe-QZEvqW0NbASJSj7RR6JLC6I=.56ada86d-e235-41ac-871f-e95b7a0f20b9@github.com> On Wed, 18 Aug 2021 15:01:12 GMT, Sean Mullan wrote: >> New `Subject` APIs `current()` and `callAs()` are created to be replacements of `getSubject()` and `doAs()` since the latter two methods are now deprecated for removal. >> >> In this implementation, by default, `current()` returns the same value as `getSubject(AccessController.getCurrent())` and `callAs()` is implemented based on `doAs()`. This behavior is subject to change in the future once `SecurityManager` is removed. >> >> User can experiment a possible future mechanism by setting the system property `jdk.security.auth.subject.useTL` to `true`, where the `callAs()` method stores the subject into a `ThreadLocal` object and the `current()` method returns it (Note: this mechanism does not work with principal-based permissions). >> >> Inside JDK, we?ve switched from `getSubject()` to `current()` in JGSS and user can start switching to `callAs()` in their applications. Users can also switch to `current()` but please note that if you used to call `getSubject(acc)` in a `doPrivileged` call you might need to try calling `current()` in a `doPrivilegedWithCombiner` call to see if the `AccessControlContext` inside the call inherits the subject from the outer one. > > src/java.base/share/classes/javax/security/auth/Subject.java line 353: > >> 351: >> 352: /** >> 353: * Return the current installed subject. > > Nit. I know other accessor methods in Subject use the word "Return", but I think "Returns" is more grammatically correct and reads better when describing what this method does. Also just say "Returns the current subject." I'll use "returns". > src/java.base/share/classes/javax/security/auth/Subject.java line 355: > >> 353: * Return the current installed subject. >> 354: *

>> 355: * The current installed subject is installed by the {@link #call} > > s/The current installed subject/The current subject/ > > I am not sure "installed" is the best term to use, as I equate that most commonly with installing software on your disk. Maybe "set" or "registered"? I thought about "associated" but cannot precisely describe what it it is associated to. The "install" word actually comes from "install a SecurityManager with the `System::setSecurityManager` method". I'll use "current object". > src/java.base/share/classes/javax/security/auth/Subject.java line 357: > >> 355: * The current installed subject is installed by the {@link #call} >> 356: * or {@link #run} method. When either {@code call(subject, action)} or >> 357: * {@code run(subject, action)} is called, {@code action} is executed > > Should this be `callAs` or `doAs`? Correct, it should be `callAs` and `getAs`. > src/java.base/share/classes/javax/security/auth/Subject.java line 359: > >> 357: * {@code run(subject, action)} is called, {@code action} is executed >> 358: * with {@code subject} as its current installed subject which can be >> 359: * retrieved by this method. After {@code action} is finished, the current > > Just say "current subject" instead of "current installed subject" throughout. Once you explain how the current subject is installed (or registered), there is no need to repeat that term. I see what you mean, it's only "current subject", but we can use a verb to describe how it's set. > src/java.base/share/classes/javax/security/auth/Subject.java line 361: > >> 359: * retrieved by this method. After {@code action} is finished, the current >> 360: * installed subject is reset to its previous value. The current installed >> 361: * subject is {@code null} before the first call of {@code call()} > > It is also null if there are no active `call` or `doAs` methods, right? Yes, is this implied by "reset to its previous value"? > src/java.base/share/classes/javax/security/auth/Subject.java line 369: > >> 367: * >> 368: * @implNote >> 369: * In this implementation, if a {@code SecurityManager} is allowed, > > We should probably link "allowed" to the section in the `SecurityManager` API that describes the behavior. Perhaps we could see if we could add a hyperlink. Precisely, this "allowed" covers "-Djava.security.manager" set to "allow", "", and a class name. I should probably be more precise. > src/java.base/share/classes/javax/security/auth/Subject.java line 373: > >> 371: * {@code getSubject(AccessController.getContext())}. Otherwise, the current >> 372: * installed subject is stored in an inheritable {@code ThreadLocal}. >> 373: * Also, each of the various {@code doAs(subject, action)} and > > It's not clear if the "Also ..." sentence is only for the non-SM case. I think you could just use one sentence here, replace "Also, each" with "and each ...". Oops, I think I made a mistake here. No matter if there's SM, `current` and `getSubject` returns the same thing. I should have said "the current subject" is stored inside "current AccessControlContext" if SM is on or a `ThreadLocal` is not. I'll rephrase. ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From weijun at openjdk.java.net Tue Oct 19 16:28:31 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 19 Oct 2021 16:28:31 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs In-Reply-To: References: Message-ID: On Thu, 5 Aug 2021 20:10:44 GMT, Weijun Wang wrote: > New `Subject` APIs `current()` and `callAs()` are created to be replacements of `getSubject()` and `doAs()` since the latter two methods are now deprecated for removal. > > In this implementation, by default, `current()` returns the same value as `getSubject(AccessController.getCurrent())` and `callAs()` is implemented based on `doAs()`. This behavior is subject to change in the future once `SecurityManager` is removed. > > User can experiment a possible future mechanism by setting the system property `jdk.security.auth.subject.useTL` to `true`, where the `callAs()` method stores the subject into a `ThreadLocal` object and the `current()` method returns it (Note: this mechanism does not work with principal-based permissions). > > Inside JDK, we?ve switched from `getSubject()` to `current()` in JGSS and user can start switching to `callAs()` in their applications. Users can also switch to `current()` but please note that if you used to call `getSubject(acc)` in a `doPrivileged` call you might need to try calling `current()` in a `doPrivilegedWithCombiner` call to see if the `AccessControlContext` inside the call inherits the subject from the outer one. test/jdk/javax/security/auth/Subject/FromACC.java line 9: > 7: * published by the Free Software Foundation. Oracle designates this > 8: * particular file as subject to the "Classpath" exception as provided > 9: * by Oracle in the LICENSE file that accompanied this code. Oops, no Classpath exception for this test. ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From hchao at openjdk.java.net Tue Oct 19 16:31:18 2021 From: hchao at openjdk.java.net (Hai-May Chao) Date: Tue, 19 Oct 2021 16:31:18 GMT Subject: RFR: 8272163: Add -version option to keytool and jarsigner [v5] In-Reply-To: <09nuObEA1zfkqsqe4YoypKcdexK1L5zdRjtXUKHLt_g=.676c0c70-e861-460d-b28e-bdada92a5136@github.com> References: <09nuObEA1zfkqsqe4YoypKcdexK1L5zdRjtXUKHLt_g=.676c0c70-e861-460d-b28e-bdada92a5136@github.com> Message-ID: > It'd be useful to have a -version option for keytool and jarsigner. Many other JDK tools already have a -version option. This is to add -version option to keytool and jarsigner like jar command does. > > CSR review: > https://bugs.openjdk.java.net/browse/JDK-8275174 Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: fullusage test change ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5954/files - new: https://git.openjdk.java.net/jdk/pull/5954/files/e801c6a2..e6b360e7 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5954&range=04 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5954&range=03-04 Stats: 8 lines in 2 files changed: 8 ins; 0 del; 0 mod Patch: https://git.openjdk.java.net/jdk/pull/5954.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5954/head:pull/5954 PR: https://git.openjdk.java.net/jdk/pull/5954 From hchao at openjdk.java.net Tue Oct 19 16:31:18 2021 From: hchao at openjdk.java.net (Hai-May Chao) Date: Tue, 19 Oct 2021 16:31:18 GMT Subject: RFR: 8272163: Add -version option to keytool and jarsigner [v4] In-Reply-To: References: <09nuObEA1zfkqsqe4YoypKcdexK1L5zdRjtXUKHLt_g=.676c0c70-e861-460d-b28e-bdada92a5136@github.com> Message-ID: <8h1AyuqCxNuuVRL9VJUMsbYo4twWR2bW-llldL0aCpA=.2596d0ed-b909-4aac-bbed-7a968cc07592@github.com> On Tue, 19 Oct 2021 13:10:15 GMT, Weijun Wang wrote: >> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: >> >> Updated comment in test > > Approved the PR. Thanks. I have a small comment on the CSR. @wangweij Thanks for reviewing the CSR and code changes. ------------- PR: https://git.openjdk.java.net/jdk/pull/5954 From hchao at openjdk.java.net Tue Oct 19 16:49:53 2021 From: hchao at openjdk.java.net (Hai-May Chao) Date: Tue, 19 Oct 2021 16:49:53 GMT Subject: RFR: 8272163: Add -version option to keytool and jarsigner [v4] In-Reply-To: References: <09nuObEA1zfkqsqe4YoypKcdexK1L5zdRjtXUKHLt_g=.676c0c70-e861-460d-b28e-bdada92a5136@github.com> Message-ID: On Tue, 19 Oct 2021 13:10:15 GMT, Weijun Wang wrote: >> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: >> >> Updated comment in test > > Approved the PR. Thanks. I have a small comment on the CSR. @wangweij Updated the CSR with your comment. Thanks! ------------- PR: https://git.openjdk.java.net/jdk/pull/5954 From dfuchs at openjdk.java.net Tue Oct 19 17:05:49 2021 From: dfuchs at openjdk.java.net (Daniel Fuchs) Date: Tue, 19 Oct 2021 17:05:49 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v4] In-Reply-To: References: Message-ID: On Tue, 19 Oct 2021 13:28:26 GMT, Aleksei Efimov wrote: >> This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. >> >> The following API classes are added to `java.net.spi` package to facilitate this: >> - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. >> - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. >> - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. >> - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. >> >> More details in [JEP-418](https://openjdk.java.net/jeps/418). >> >> Testing: new and existing `tier1:tier3` tests > > Aleksei Efimov has updated the pull request incrementally with four additional commits since the last revision: > > - Remove no longer used import from IPSupport > - Rename IPSupport.hasAddress and update it to use SocketChannel.open > - Address review comments: javadoc + code cleanup > - Address resolver bootstraping issue Changes look good to me. ------------- Marked as reviewed by dfuchs (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/5822 From ascarpino at openjdk.java.net Tue Oct 19 17:18:55 2021 From: ascarpino at openjdk.java.net (Anthony Scarpino) Date: Tue, 19 Oct 2021 17:18:55 GMT Subject: RFR: 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key In-Reply-To: References: Message-ID: On Tue, 19 Oct 2021 15:48:57 GMT, Sean Mullan wrote: >> src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java line 196: >> >>> 194: static String canonicalName(String algorithm) { >>> 195: return CANONICAL_NAME.getOrDefault(algorithm, algorithm); >>> 196: } >> >> I'm not sure if `canonicalName` is good. Normally, we say "SHA-1" is the standard name but this method changes it to "SHA1". > > Right, it's really just about using consistent message digest names so that it can match for example, "SHA-1" and also "SHA1withRSA". I'll change the name to something else. Was the reason for this change that hashName("RSASSA-PSS") was returning an RSASSAPSS? ------------- PR: https://git.openjdk.java.net/jdk/pull/5928 From mullan at openjdk.java.net Tue Oct 19 17:18:55 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Tue, 19 Oct 2021 17:18:55 GMT Subject: RFR: 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key In-Reply-To: References: Message-ID: On Tue, 19 Oct 2021 17:15:48 GMT, Anthony Scarpino wrote: >> Right, it's really just about using consistent message digest names so that it can match for example, "SHA-1" and also "SHA1withRSA". I'll change the name to something else. > > Was the reason for this change that hashName("RSASSA-PSS") was returning an RSASSAPSS? Yes. ------------- PR: https://git.openjdk.java.net/jdk/pull/5928 From valeriep at openjdk.java.net Tue Oct 19 20:21:01 2021 From: valeriep at openjdk.java.net (Valerie Peng) Date: Tue, 19 Oct 2021 20:21:01 GMT Subject: RFR: 8275003: Suppress warnings on non-serializable non-transient instance fields in windows mscapi In-Reply-To: References: Message-ID: On Sat, 9 Oct 2021 19:41:51 GMT, Joe Darcy wrote: > Analogous to other recent cleanups like JDK-8274393, suppress warnings for serialization-related issues in the windows mscapi code. Looks fine. Thanks! ------------- Marked as reviewed by valeriep (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/5879 From weijun at openjdk.java.net Tue Oct 19 20:20:49 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 19 Oct 2021 20:20:49 GMT Subject: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12 [v2] In-Reply-To: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> References: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> Message-ID: > The cacerts file is now a password-less PKCS12 file. This make sure old code that uses a JKS KeyStore object can continuously load it using a null password (in fact, any password) and see all certificates inside. Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: use a standard name ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5948/files - new: https://git.openjdk.java.net/jdk/pull/5948/files/0ee2c53c..285ed1b3 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5948&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5948&range=00-01 Stats: 1 line in 1 file changed: 0 ins; 0 del; 1 mod Patch: https://git.openjdk.java.net/jdk/pull/5948.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5948/head:pull/5948 PR: https://git.openjdk.java.net/jdk/pull/5948 From mullan at openjdk.java.net Tue Oct 19 20:20:59 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Tue, 19 Oct 2021 20:20:59 GMT Subject: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12 [v2] In-Reply-To: References: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> Message-ID: On Tue, 19 Oct 2021 19:48:23 GMT, Weijun Wang wrote: >> The cacerts file is now a password-less PKCS12 file. This make sure old code that uses a JKS KeyStore object can continuously load it using a null password (in fact, any password) and see all certificates inside. > > Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: > > use a standard name Marked as reviewed by mullan (Reviewer). make/jdk/src/classes/build/tools/generatecacerts/GenerateCacerts.java line 54: > 52: public static void store(String dir, OutputStream stream) throws Exception { > 53: > 54: CertificateFactory cf = CertificateFactory.getInstance("X509"); Nit: better to use the standard name here: "X.509". ------------- PR: https://git.openjdk.java.net/jdk/pull/5948 From weijun at openjdk.java.net Tue Oct 19 20:21:23 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 19 Oct 2021 20:21:23 GMT Subject: RFR: 8275252: Migrate cacerts from JKS to password-less PKCS12 [v2] In-Reply-To: References: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> Message-ID: On Tue, 19 Oct 2021 18:49:11 GMT, Sean Mullan wrote: >> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: >> >> use a standard name > > make/jdk/src/classes/build/tools/generatecacerts/GenerateCacerts.java line 54: > >> 52: public static void store(String dir, OutputStream stream) throws Exception { >> 53: >> 54: CertificateFactory cf = CertificateFactory.getInstance("X509"); > > Nit: better to use the standard name here: "X.509". OK. ------------- PR: https://git.openjdk.java.net/jdk/pull/5948 From mullan at openjdk.java.net Tue Oct 19 20:32:21 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Tue, 19 Oct 2021 20:32:21 GMT Subject: RFR: 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key [v2] In-Reply-To: References: Message-ID: > This fix improves the exception message to better indicate when the key (and not the signature algorithm) is restricted. This change also includes a few other improvements: > > - The constraints checking in `AlgorithmChecker.check()` has been improved. If the `AlgorithmConstraints` are an instance of `DisabledAlgorithmConstraints`, the internal `permits` methods are always called; otherwise the public `permits` methods are called. This makes the code easier to understand, and fixes at least one case where duplicate checks were being done. > > - The above change caused some of the exception messages to be slightly different, so some tests that checked the error messages had to be updated to reflect that. > > - AlgorithmDecomposer now stores the canonical algorithm names in a Map, which fixed a bug where "RSASSA-PSS" was not being restricted properly. Sean Mullan has updated the pull request incrementally with one additional commit since the last revision: - Changed names of AlgorithmDecomposer.canonicalName and decomposeOneHashName methods. - Changed other code in AlgorithmDecomposer to use DECOMPOSED_DIGEST_NAMES Map instead of hardcoding algorithm names. - Changed AlgorithmChecker.trySetTrustAnchor to set trustedPubKey field so that constraints on the key algorithm and size are checked in the check() method if the constraints are an instanceof DisabledAlgorithmConstraints. ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5928/files - new: https://git.openjdk.java.net/jdk/pull/5928/files/27045940..cf5a4d7f Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5928&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5928&range=00-01 Stats: 73 lines in 3 files changed: 12 ins; 32 del; 29 mod Patch: https://git.openjdk.java.net/jdk/pull/5928.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5928/head:pull/5928 PR: https://git.openjdk.java.net/jdk/pull/5928 From weijun at openjdk.java.net Tue Oct 19 20:52:43 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 19 Oct 2021 20:52:43 GMT Subject: Integrated: 8275252: Migrate cacerts from JKS to password-less PKCS12 In-Reply-To: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> References: <7q9fxhBWZ5VtDVN12jeqRPjTXAmgT6-gQmP1Mtut0pg=.3996d7a7-01ea-4829-8c13-a089ed7c5b49@github.com> Message-ID: On Thu, 14 Oct 2021 13:36:19 GMT, Weijun Wang wrote: > The cacerts file is now a password-less PKCS12 file. This make sure old code that uses a JKS KeyStore object can continuously load it using a null password (in fact, any password) and see all certificates inside. This pull request has now been integrated. Changeset: bd2b41dd Author: Weijun Wang URL: https://git.openjdk.java.net/jdk/commit/bd2b41dd7062c50f3aaebec2137d5fdd9546c120 Stats: 82 lines in 3 files changed: 2 ins; 69 del; 11 mod 8275252: Migrate cacerts from JKS to password-less PKCS12 Reviewed-by: erikj, ihse, mullan ------------- PR: https://git.openjdk.java.net/jdk/pull/5948 From valeriep at openjdk.java.net Tue Oct 19 20:55:40 2021 From: valeriep at openjdk.java.net (Valerie Peng) Date: Tue, 19 Oct 2021 20:55:40 GMT Subject: Integrated: 8264849: Add KW and KWP support to PKCS11 provider In-Reply-To: References: Message-ID: On Fri, 17 Sep 2021 23:22:21 GMT, Valerie Peng wrote: > Anyone has time to review this RFE for adding AES cipher with KW, KWP modes support to SunPKCS11 provider? > > The main changes are in only one new class, i.e. P11KeyWrapCipher.java, which is the CipherSpi impl for the native PKCS11 key wrap mechanisms. When testing against NSS library, it seems that they only support the single part enc/dec PKCS11 APIs, so have to use a new class as existing P11Cipher class relies on the multi part enc/dec PKCS11 APIs and do not support key wrapping/unwrapping. > > The rest are minor code refactoring and updates for the PKCS11 Exception class. > The new regression tests are adapted from existing key wrap regression tests for SunJCE provider. > > Thanks, > Valerie This pull request has now been integrated. Changeset: e63c1486 Author: Valerie Peng URL: https://git.openjdk.java.net/jdk/commit/e63c1486dc00ee64dea1a76b5a44e34f06eb144f Stats: 2135 lines in 17 files changed: 2036 ins; 46 del; 53 mod 8264849: Add KW and KWP support to PKCS11 provider Reviewed-by: ascarpino ------------- PR: https://git.openjdk.java.net/jdk/pull/5569 From darcy at openjdk.java.net Tue Oct 19 20:57:09 2021 From: darcy at openjdk.java.net (Joe Darcy) Date: Tue, 19 Oct 2021 20:57:09 GMT Subject: Integrated: 8275003: Suppress warnings on non-serializable non-transient instance fields in windows mscapi In-Reply-To: References: Message-ID: On Sat, 9 Oct 2021 19:41:51 GMT, Joe Darcy wrote: > Analogous to other recent cleanups like JDK-8274393, suppress warnings for serialization-related issues in the windows mscapi code. This pull request has now been integrated. Changeset: 926966be Author: Joe Darcy URL: https://git.openjdk.java.net/jdk/commit/926966be7ad91d2b4a750583c78721b2cdb26981 Stats: 5 lines in 2 files changed: 2 ins; 0 del; 3 mod 8275003: Suppress warnings on non-serializable non-transient instance fields in windows mscapi Reviewed-by: valeriep ------------- PR: https://git.openjdk.java.net/jdk/pull/5879 From weijun at openjdk.java.net Wed Oct 20 02:16:30 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Wed, 20 Oct 2021 02:16:30 GMT Subject: RFR: 8225181: KeyStore should have a getAttributes method Message-ID: Add `KeyStore::getAttributes` so that one can get the attributes of an entry without retrieving the entry first. This is especially useful for a private key entry which can only be retrieved with a password. ------------- Commit messages: - 8225181: KeyStore should have a getAttributes method Changes: https://git.openjdk.java.net/jdk/pull/6026/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6026&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8225181 Stats: 152 lines in 6 files changed: 150 ins; 0 del; 2 mod Patch: https://git.openjdk.java.net/jdk/pull/6026.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/6026/head:pull/6026 PR: https://git.openjdk.java.net/jdk/pull/6026 From ascarpino at openjdk.java.net Wed Oct 20 03:28:07 2021 From: ascarpino at openjdk.java.net (Anthony Scarpino) Date: Wed, 20 Oct 2021 03:28:07 GMT Subject: RFR: 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key [v2] In-Reply-To: References: Message-ID: On Tue, 19 Oct 2021 20:32:21 GMT, Sean Mullan wrote: >> This fix improves the exception message to better indicate when the key (and not the signature algorithm) is restricted. This change also includes a few other improvements: >> >> - The constraints checking in `AlgorithmChecker.check()` has been improved. If the `AlgorithmConstraints` are an instance of `DisabledAlgorithmConstraints`, the internal `permits` methods are always called; otherwise the public `permits` methods are called. This makes the code easier to understand, and fixes at least one case where duplicate checks were being done. >> >> - The above change caused some of the exception messages to be slightly different, so some tests that checked the error messages had to be updated to reflect that. >> >> - AlgorithmDecomposer now stores the canonical algorithm names in a Map, which fixed a bug where "RSASSA-PSS" was not being restricted properly. > > Sean Mullan has updated the pull request incrementally with one additional commit since the last revision: > > - Changed names of AlgorithmDecomposer.canonicalName and decomposeOneHashName > methods. > - Changed other code in AlgorithmDecomposer to use DECOMPOSED_DIGEST_NAMES > Map instead of hardcoding algorithm names. > - Changed AlgorithmChecker.trySetTrustAnchor to set trustedPubKey field so that > constraints on the key algorithm and size are checked in the check() method if > the constraints are an instanceof DisabledAlgorithmConstraints. src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java line 106: > 104: // "SHA-256" and "SHA256" to make the right constraint checking. > 105: > 106: for (Map.Entry e : DECOMPOSED_DIGEST_NAMES.entrySet()) { If you're going to change this code, you can save me a PR if you surround this by "if (algorithm.contains("SHA") { ... }" Its a perf change to eliminate the unnecessary map lookups when SHA isn't in the algorithm string src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java line 158: > 156: Set elements = decomposeImpl(algorithm); > 157: > 158: for (Map.Entry e : DECOMPOSED_DIGEST_NAMES.entrySet()) { Same "if (algorithm.contains("SHA") { ... }" comment as above src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java line 159: > 157: > 158: for (Map.Entry e : DECOMPOSED_DIGEST_NAMES.entrySet()) { > 159: hasLoop(elements, e.getKey(), e.getValue()); I think it's worth merging the contents of hasLoop() into this for loop. This is the only method calling hasLoop() and the extra method calls are not useful. Your addition DECOMPOSED_DIGEST_NAMES makes a merger a more reasonable solution now than before. ------------- PR: https://git.openjdk.java.net/jdk/pull/5928 From michael.osipov at siemens.com Wed Oct 20 08:03:37 2021 From: michael.osipov at siemens.com (Osipov, Michael (LDA IT PLM)) Date: Wed, 20 Oct 2021 10:03:37 +0200 Subject: Java ignores/errors canonicalized principals (NT-PRINCIPAL) from Active Directory Message-ID: <0b9c7c31-bf21-03f0-9cae-a16f27f3f29b@siemens.com> Hi folks, we have recently noticed the following with Java's kinit (tested with Zulu 8 and 13, code is identical in 18 as well): > C:\Users\osipovmi>kinit osipovmi at ad001.siemens.net I have intentionally written the realm in lowercase to rely on canonicalization of the AD KDC. krb5.conf contains "canonicalize = true" as well. Wireshark shows me in the AS-REQ: as-req/req-body/sname: name-type KRB5-NT-SRV-INST (2), sname-string (2): krbtgt and ad001.siemens.net AS-REP: as-rep/ticket/sname: name-type KRB5-NT-SRV-INST (2), sname-string (2): krbtgt and AD001.SIEMENS.NET Hence, the KDC has properly canonicalized the sname. Java gives me: > Exception: krb_error 41 Message stream modified (41) Message stream modified > KrbException: Message stream modified (41) > at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:55) > at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159) > at sun.security.krb5.KrbAsRep.decryptUsingPassword(KrbAsRep.java:139) > at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:312) > at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:498) > at sun.security.krb5.internal.tools.Kinit.acquire(Kinit.java:248) > at sun.security.krb5.internal.tools.Kinit.(Kinit.java:134) > at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:96) Referrals aren't involved here, same realm. The failing code block is from: * https://github.com/AdoptOpenJDK/openjdk-jdk8u/blob/9a751dc19fae78ce58fb0eb176522070c992fb6f/jdk/src/share/classes/sun/security/krb5/KrbKdcRep.java#L58-L71 * https://github.com/AdoptOpenJDK/openjdk-jdk/blob/ff4997014fe5462dca2b313f3f483400ffee5b62/src/java.security.jgss/share/classes/sun/security/krb5/KrbKdcRep.java#L58-L71 > // sname change in TGS-REP is allowed only if client > // sent CANONICALIZE and new sname is a referral of > // the form krbtgt/TO-REALM.COM at FROM-REALM.COM. > if (!req.reqBody.sname.equals(rep.encKDCRepPart.sname)) { > String[] snameStrings = rep.encKDCRepPart.sname.getNameStrings(); > if (isAsReq || !req.reqBody.kdcOptions.get(KDCOptions.CANONICALIZE) || > snameStrings == null || snameStrings.length != 2 || > !snameStrings[0].equals(PrincipalName.TGS_DEFAULT_SRV_NAME) || > !rep.encKDCRepPart.sname.getRealmString().equals( > req.reqBody.sname.getRealmString())) { > rep.encKDCRepPart.key.destroy(); > throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED); > } > } So it either fails for > isAsReq or > !rep.encKDCRepPart.sname.getRealmString().equals( >> req.reqBody.sname.getRealmString()) Here is MIT Kerberos: > $ kinit OSIPOVMI at ad001.siemens.net > Passwort f?r OSIPOVMI at ad001.siemens.net: > $ klist > Ticketzwischenspeicher: FILE:/tmp/krb5cc_722 > Standard-Principal: osipovmi at AD001.SIEMENS.NET > > Valid starting Expires Service principal > 20.10.2021 10:02:14 20.10.2021 20:02:14 krbtgt/AD001.SIEMENS.NET at AD001.SIEMENS.NET > erneuern bis 21.10.2021 10:02:10 Works as expected. Can someone explain? Shall I create a bug for this? Michael From mcimadamore at openjdk.java.net Wed Oct 20 11:14:19 2021 From: mcimadamore at openjdk.java.net (Maurizio Cimadamore) Date: Wed, 20 Oct 2021 11:14:19 GMT Subject: RFR: 8275063: Implementation of Foreign Function & Memory API (Second incubator) [v7] In-Reply-To: References: Message-ID: > This PR contains the API and implementation changes for JEP-419 [1]. A more detailed description of such changes, to avoid repetitions during the review process, is included as a separate comment. > > [1] - https://openjdk.java.net/jeps/419 Maurizio Cimadamore has updated the pull request incrementally with one additional commit since the last revision: Fix failing microbenchmarks. Contributed by @FrauBoes (thanks!) ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5907/files - new: https://git.openjdk.java.net/jdk/pull/5907/files/a4db81fe..52189683 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5907&range=06 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5907&range=05-06 Stats: 39 lines in 9 files changed: 1 ins; 10 del; 28 mod Patch: https://git.openjdk.java.net/jdk/pull/5907.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5907/head:pull/5907 PR: https://git.openjdk.java.net/jdk/pull/5907 From aefimov at openjdk.java.net Wed Oct 20 11:52:38 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Wed, 20 Oct 2021 11:52:38 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v5] In-Reply-To: References: Message-ID: > This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. > > The following API classes are added to `java.net.spi` package to facilitate this: > - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. > - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. > - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. > - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. > > More details in [JEP-418](https://openjdk.java.net/jeps/418). > > Testing: new and existing `tier1:tier3` tests Aleksei Efimov has updated the pull request incrementally with one additional commit since the last revision: Change InetAddressResolver method names ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5822/files - new: https://git.openjdk.java.net/jdk/pull/5822/files/ac0d2184..30226481 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5822&range=04 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5822&range=03-04 Stats: 33 lines in 9 files changed: 0 ins; 0 del; 33 mod Patch: https://git.openjdk.java.net/jdk/pull/5822.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5822/head:pull/5822 PR: https://git.openjdk.java.net/jdk/pull/5822 From aefimov at openjdk.java.net Wed Oct 20 11:52:40 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Wed, 20 Oct 2021 11:52:40 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v3] In-Reply-To: References: <0Xvj7H_JyjEfXTUr1GI3ooLL1cGBuWLDAtrP83WuQV0=.7e172d30-620d-4ce1-9bac-62db6dc19e52@github.com> Message-ID: On Sun, 17 Oct 2021 21:03:56 GMT, Mark Sheppard wrote: > getByName requires a hostname lookup and getByAdress requires (eventually - I know the docs says there?s no reverse lookup) an address reverse lookup. Thus, a logical mapping is getByName ?> lookupHostname, and getByAddr ?> lookupAddress, but the opposite will occur getByName --> lookupAddresses and getByAddress --> lookupHostname. Therfore I proffer maps neatly to rename methods to resolveHostname and resolveAddress such that the mapping are getByName --> resolveHostname and getByAddress --> resolveAddress. Thank you, Mark, for highlighting the naming contradiction in the `InetAddressResolver` interface method names. It can be solved by making these names symmetrical to `InetAddress` API. In 302264810725f86a4569161754f7b052c78fd826 `InetAddressResolver` method names have been updated to stress input parameters type, which brings them in sync with `InetAddress` API: - `InetAddressResolver.lookupAddresses` is renamed to `InetAddressResolver.lookupByName` - `InetAddressResolver.lookupHostName` is renamed to `InetAddressResolver.lookupByAddress` ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From mullan at openjdk.java.net Wed Oct 20 13:42:12 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Wed, 20 Oct 2021 13:42:12 GMT Subject: RFR: 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key [v2] In-Reply-To: References: Message-ID: On Wed, 20 Oct 2021 02:45:07 GMT, Anthony Scarpino wrote: >> Sean Mullan has updated the pull request incrementally with one additional commit since the last revision: >> >> - Changed names of AlgorithmDecomposer.canonicalName and decomposeOneHashName >> methods. >> - Changed other code in AlgorithmDecomposer to use DECOMPOSED_DIGEST_NAMES >> Map instead of hardcoding algorithm names. >> - Changed AlgorithmChecker.trySetTrustAnchor to set trustedPubKey field so that >> constraints on the key algorithm and size are checked in the check() method if >> the constraints are an instanceof DisabledAlgorithmConstraints. > > src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java line 106: > >> 104: // "SHA-256" and "SHA256" to make the right constraint checking. >> 105: >> 106: for (Map.Entry e : DECOMPOSED_DIGEST_NAMES.entrySet()) { > > If you're going to change this code, you can save me a PR if you surround this by "if (algorithm.contains("SHA") { ... }" > Its a perf change to eliminate the unnecessary map lookups when SHA isn't in the algorithm string That's a fine suggestion, although I'll note that your suggested perf improvement also applies to the previous code which did not check the algorithm parameter first to see if it contained `SHA`. Also, another small perf imp: I realized below that in the loop, if the first `if` block gets executed, then the 2nd `if` block will always be false, so I changed it to an if/else. > src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java line 158: > >> 156: Set elements = decomposeImpl(algorithm); >> 157: >> 158: for (Map.Entry e : DECOMPOSED_DIGEST_NAMES.entrySet()) { > > Same "if (algorithm.contains("SHA") { ... }" comment as above Ok. Let's hope a new algorithm with "SHA" in the words never gets defined :) > src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java line 159: > >> 157: >> 158: for (Map.Entry e : DECOMPOSED_DIGEST_NAMES.entrySet()) { >> 159: hasLoop(elements, e.getKey(), e.getValue()); > > I think it's worth merging the contents of hasLoop() into this for loop. This is the only method calling hasLoop() and the extra method calls are not useful. Your addition DECOMPOSED_DIGEST_NAMES makes a merger a more reasonable solution now than before. Ok. I noticed that this method is different than `decompose` in that it only adds the decomposed `SHA` name to `elements`, and removes the standard `SHA` name from `elements` if it exists, whereas `decompose` adds both. Do you think we should change `decompose` to use the same technique? ------------- PR: https://git.openjdk.java.net/jdk/pull/5928 From mcimadamore at openjdk.java.net Wed Oct 20 14:00:30 2021 From: mcimadamore at openjdk.java.net (Maurizio Cimadamore) Date: Wed, 20 Oct 2021 14:00:30 GMT Subject: RFR: 8275063: Implementation of Foreign Function & Memory API (Second incubator) [v8] In-Reply-To: References: Message-ID: > This PR contains the API and implementation changes for JEP-419 [1]. A more detailed description of such changes, to avoid repetitions during the review process, is included as a separate comment. > > [1] - https://openjdk.java.net/jeps/419 Maurizio Cimadamore has updated the pull request incrementally with one additional commit since the last revision: Fix copyright header in TestArrayCopy ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5907/files - new: https://git.openjdk.java.net/jdk/pull/5907/files/52189683..414952ad Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5907&range=07 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5907&range=06-07 Stats: 16 lines in 1 file changed: 0 ins; 0 del; 16 mod Patch: https://git.openjdk.java.net/jdk/pull/5907.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5907/head:pull/5907 PR: https://git.openjdk.java.net/jdk/pull/5907 From mullan at openjdk.java.net Wed Oct 20 14:47:31 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Wed, 20 Oct 2021 14:47:31 GMT Subject: RFR: 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key [v3] In-Reply-To: References: Message-ID: > This fix improves the exception message to better indicate when the key (and not the signature algorithm) is restricted. This change also includes a few other improvements: > > - The constraints checking in `AlgorithmChecker.check()` has been improved. If the `AlgorithmConstraints` are an instance of `DisabledAlgorithmConstraints`, the internal `permits` methods are always called; otherwise the public `permits` methods are called. This makes the code easier to understand, and fixes at least one case where duplicate checks were being done. > > - The above change caused some of the exception messages to be slightly different, so some tests that checked the error messages had to be updated to reflect that. > > - AlgorithmDecomposer now stores the decomposed SHA algorithm names in a Map, which fixed a bug where "RSASSA-PSS" was not being restricted properly. Sean Mullan has updated the pull request incrementally with one additional commit since the last revision: - Skip digest alg decomposing check for algorithms that don't contain "SHA". - Remove hasLoop method and fold code into decomposeName method. ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5928/files - new: https://git.openjdk.java.net/jdk/pull/5928/files/cf5a4d7f..f2031126 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5928&range=02 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5928&range=01-02 Stats: 27 lines in 1 file changed: 15 ins; 10 del; 2 mod Patch: https://git.openjdk.java.net/jdk/pull/5928.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5928/head:pull/5928 PR: https://git.openjdk.java.net/jdk/pull/5928 From dfuchs at openjdk.java.net Wed Oct 20 15:45:08 2021 From: dfuchs at openjdk.java.net (Daniel Fuchs) Date: Wed, 20 Oct 2021 15:45:08 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v5] In-Reply-To: References: Message-ID: On Wed, 20 Oct 2021 11:52:38 GMT, Aleksei Efimov wrote: >> This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. >> >> The following API classes are added to `java.net.spi` package to facilitate this: >> - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. >> - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. >> - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. >> - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. >> >> More details in [JEP-418](https://openjdk.java.net/jeps/418). >> >> Testing: new and existing `tier1:tier3` tests > > Aleksei Efimov has updated the pull request incrementally with one additional commit since the last revision: > > Change InetAddressResolver method names Marked as reviewed by dfuchs (Reviewer). ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From ascarpino at openjdk.java.net Wed Oct 20 16:21:02 2021 From: ascarpino at openjdk.java.net (Anthony Scarpino) Date: Wed, 20 Oct 2021 16:21:02 GMT Subject: RFR: 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key [v2] In-Reply-To: References: Message-ID: On Wed, 20 Oct 2021 13:34:44 GMT, Sean Mullan wrote: >> src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java line 106: >> >>> 104: // "SHA-256" and "SHA256" to make the right constraint checking. >>> 105: >>> 106: for (Map.Entry e : DECOMPOSED_DIGEST_NAMES.entrySet()) { >> >> If you're going to change this code, you can save me a PR if you surround this by "if (algorithm.contains("SHA") { ... }" >> Its a perf change to eliminate the unnecessary map lookups when SHA isn't in the algorithm string > > That's a fine suggestion, although I'll note that your suggested perf improvement also applies to the previous code which did not check the algorithm parameter first to see if it contained `SHA`. > Also, another small perf imp: I realized below that in the loop, if the first `if` block gets executed, then the 2nd `if` block will always be false, so I changed it to an if/else. Yes, I was about to submit a PR to change the previous code, since you changed this code it makes more sense to ask you to do it at the same time. ------------- PR: https://git.openjdk.java.net/jdk/pull/5928 From xuelei at openjdk.java.net Wed Oct 20 17:26:06 2021 From: xuelei at openjdk.java.net (Xue-Lei Andrew Fan) Date: Wed, 20 Oct 2021 17:26:06 GMT Subject: RFR: 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key In-Reply-To: References: Message-ID: On Fri, 23 Jul 2021 10:33:14 GMT, Alexey Bakhtin wrote: > Hello, > > Could you please review the small patch for the issue described in JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key > > I suggest updating the RSAPSSSignature.isValid() method to verify if provided key components can be applied to SunRSASign implementation. > If not applied, implementation can try to select signer from other providers > > Regards > Alexey It's a good catch. Thank you for the fix. src/java.base/share/classes/sun/security/rsa/RSAPSSSignature.java line 248: > 246: crtKey.getCrtCoefficient().signum() == 0 || > 247: crtKey.getPublicExponent().signum() == 0 )))) || > 248: (rsaKey instanceof RSAPublicKey rsaPubKey && Mixing the public key and private key together in one method may be not straightforward enough to logics like this update. What do you think it we have two isvalid() method, one for private key and one for public key? src/java.base/share/classes/sun/security/rsa/RSAPSSSignature.java line 250: > 248: (rsaKey instanceof RSAPublicKey rsaPubKey && > 249: rsaPubKey.getPublicExponent().signum() == 0)) { > 250: throw new InvalidKeyException("Invalid key attributes"); The exception description may be confusing to users. I'm not sure if the checking could be simplified and make this exception message better matching the problems. src/java.base/share/classes/sun/security/rsa/RSAPSSSignature.java line 251: > 249: rsaPubKey.getPublicExponent().signum() == 0)) { > 250: throw new InvalidKeyException("Invalid key attributes"); > 251: } What's the motivation to check the signum? ------------- PR: https://git.openjdk.java.net/jdk/pull/4887 From weijun at openjdk.java.net Wed Oct 20 18:02:24 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Wed, 20 Oct 2021 18:02:24 GMT Subject: RFR: 8185844: MSCAPI doesn't list aliases correctly Message-ID: If a entry is overwritten by another one using the same alias, make sure the old one is removed. ------------- Commit messages: - 8185844: MSCAPI doesn't list aliases correctly Changes: https://git.openjdk.java.net/jdk/pull/6047/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6047&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8185844 Stats: 174 lines in 2 files changed: 123 ins; 34 del; 17 mod Patch: https://git.openjdk.java.net/jdk/pull/6047.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/6047/head:pull/6047 PR: https://git.openjdk.java.net/jdk/pull/6047 From weijun at openjdk.java.net Wed Oct 20 18:14:27 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Wed, 20 Oct 2021 18:14:27 GMT Subject: RFR: 8251134: Unwrapping a key with a Private Key generated by Microsoft CNG fails Message-ID: Support Cipher operations on CNG keys. ------------- Depends on: https://git.openjdk.java.net/jdk/pull/6047 Commit messages: - 8251134: Unwrapping a key with a Private Key generated by Microsoft CNG fails Changes: https://git.openjdk.java.net/jdk/pull/6049/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6049&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8251134 Stats: 210 lines in 4 files changed: 201 ins; 0 del; 9 mod Patch: https://git.openjdk.java.net/jdk/pull/6049.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/6049/head:pull/6049 PR: https://git.openjdk.java.net/jdk/pull/6049 From alanb at openjdk.java.net Wed Oct 20 18:36:20 2021 From: alanb at openjdk.java.net (Alan Bateman) Date: Wed, 20 Oct 2021 18:36:20 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v5] In-Reply-To: References: Message-ID: <1v6OpqkyZp6XBq9lXQfahKEEgtBIdPjNWydqJ9Cwipc=.959e01c2-1e2d-4540-8ed5-41198dd71c2b@github.com> On Wed, 20 Oct 2021 11:52:38 GMT, Aleksei Efimov wrote: >> This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. >> >> The following API classes are added to `java.net.spi` package to facilitate this: >> - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. >> - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. >> - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. >> - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. >> >> More details in [JEP-418](https://openjdk.java.net/jeps/418). >> >> Testing: new and existing `tier1:tier3` tests > > Aleksei Efimov has updated the pull request incrementally with one additional commit since the last revision: > > Change InetAddressResolver method names src/java.base/share/classes/java/net/InetAddress.java line 340: > 338: > 339: /* Used to store the system-wide resolver */ > 340: private static volatile InetAddressResolver resolver; Can this be @Stable? src/java.base/share/classes/java/net/spi/InetAddressResolver.java line 34: > 32: > 33: /** > 34: * This interface defines operations for looking-up host names and IP addresses. I think change "looking-up" to "looking up". src/java.base/share/classes/java/net/spi/InetAddressResolver.java line 102: > 100: > 101: /** > 102: * Specifies if IPv4 addresses need to be queried during lookup. It might be better to change this to "Characteristic value signifying ..." rather than "Specifies". src/java.base/share/classes/java/net/spi/InetAddressResolver.java line 186: > 184: > 185: /** > 186: * Returns an integer value which specifies lookup operation characteristics. I think I'd change the first line here to something like "Returns a set of characteristics of this lookup policy". src/java.base/share/classes/java/net/spi/InetAddressResolverProvider.java line 35: > 33: /** > 34: * A resolver provider class is a factory for custom implementations of {@linkplain > 35: * InetAddressResolver resolvers} which define operations for looking-up (resolving) host names This reads "custom implementations of resolvers". It might be better to start with "Service-provider class for InetAddress resolvers". src/java.base/share/classes/java/net/spi/InetAddressResolverProvider.java line 52: > 50: /** > 51: * Initialise and return the {@link InetAddressResolver} provided by > 52: * this provider. This method is called by {@link InetAddress} when "the InetAddressResolver" suggests there is just one instance. That is probably the case but I don't think you want to be restricted to that. src/java.base/share/classes/java/net/spi/InetAddressResolverProvider.java line 88: > 86: * {@code RuntimePermission("inetAddressResolverProvider")}. > 87: * @implNote It is recommended that an {@code InetAddressResolverProvider} service > 88: * implementation does not perform any heavy initialization in its "heavy initialization" is probably not the best phrase here. Maybe it should say that the initialisation should be as simple as possible to avoid recursive initialisation issues. src/java.base/share/classes/java/net/spi/InetAddressResolverProvider.java line 110: > 108: /** > 109: * A {@code Configuration} interface is supplied to the > 110: * {@link InetAddressResolverProvider#get(Configuration)} method when installing a I think this should be "Configuration object" rather than "interface" here. ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From alanb at openjdk.java.net Wed Oct 20 18:50:08 2021 From: alanb at openjdk.java.net (Alan Bateman) Date: Wed, 20 Oct 2021 18:50:08 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v5] In-Reply-To: References: Message-ID: On Wed, 20 Oct 2021 11:52:38 GMT, Aleksei Efimov wrote: >> This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. >> >> The following API classes are added to `java.net.spi` package to facilitate this: >> - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. >> - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. >> - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. >> - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. >> >> More details in [JEP-418](https://openjdk.java.net/jeps/418). >> >> Testing: new and existing `tier1:tier3` tests > > Aleksei Efimov has updated the pull request incrementally with one additional commit since the last revision: > > Change InetAddressResolver method names src/java.base/share/classes/java/net/InetAddress.java line 244: > 242: * @implNote > 243: * For any lookup operation that might occur before the VM is fully booted the built-in > 244: * resolver will be used. I think we will need decide if InetAddress class description is the right place for this or whether some/most of it should move to InetAddressResolverProvider. It might be that we update the existing "Host Name Resolution" section with some basic/readable text to make the reader aware that there is a provider mechanism with a link to InetAddressResolverProvider with the details. ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From mbalao at openjdk.java.net Wed Oct 20 20:16:03 2021 From: mbalao at openjdk.java.net (Martin Balao) Date: Wed, 20 Oct 2021 20:16:03 GMT Subject: RFR: 8271566: DSA signature length value is not accurate in P11Signature [v2] In-Reply-To: References: <1TPW26SEl6BcKnQobVmN2SVGnU4RBrhaeLtx28AJzt0=.162e98c1-94e9-47ee-8070-b4dde6dbf66f@github.com> Message-ID: On Fri, 13 Aug 2021 17:11:45 GMT, Martin Balao wrote: >> As described in JDK-8271566 [1], this patch proposal is intended to fix a problem that arises when using DSA keys that have a 256-bits (or larger) G parameter for signatures (either signing or verifying). There were some incorrect assumptions and hard-coded length values in the code before. Please note that, for example, the tuple (2048, 256) for DSA is valid according to FIPS PUB 186-4. >> >> Beyond the specific issues in signatures, I decided to provide a broader solution and enable key parameter retrieval for other key types (EC, DH) when possible. This is, when the key is not sensitive. One thing that I should note here is that token keys (those that have the CKA_TOKEN attribute equal to 'true') are considered sensitive in this regard, at least by the NSS Software Token implementation. I don't have access to other vendor implementations but if there is any concern, we can adjust the constraint to NSS-only. However, I'm not sure which use-case would require to get private keys out of a real token, weakening its security. I'd be more conservative here and not query the values if not sure that it will succeed. >> >> No regressions found in jdk/sun/security/pkcs11. A new test added: LargerDSAKey. >> >> -- >> [1] - https://bugs.openjdk.java.net/browse/JDK-8271566 > > Martin Balao has updated the pull request incrementally with one additional commit since the last revision: > > P11Key static inner classes refactorings. Hi Valerie, Apologies for the delay; I've intention to resume this work if you can. I had a look at your Webrev.00 but I'm not really convinced, at least when comparing it to the Fetcher approach. I'll share my comments below: * Changing P11PrivateKey::getFormat to return 'PKCS#8' and not overriding this method on opaque/sensitive private key classes will be an observable change, and it does not match what's specified in Key::getFormat: 'Returns the name of the primary encoding format of this key, or null if this key does not support encoding.'. My thinking here is that an opaque key does not support encoding because its value is not even accessible. * P11PrivateKeyRSA and P11RSAPrivateKey class names look confusing to me (where 'RSA' is located does not say anything about the class to me at least). The 'Opaque' suffix for the one that is package-private might be a better choice. I used the suffice 'Internal' before but now I like 'Opaque' more. * P11PrivateKeyRSA::of duplicates the attributes retrieval logic (session.token.p11::C_GetAttributeValue call), which is there and in P11Key::fetchAttributes. Sensitive RSA keys get the attributes from one place and non-sensitive from the other. This does not look to me an advantage when compared to the Fetcher, which does the same for RSA and uses P11Key::fetchAttributes for the others. However, having all the RSA-related logic in P11RSAAttributesFetcher::doFetchValues makes it a bit easier for me to reason about the 4 different scenarios to get the data: CRT + sensitive, non-CRT + sensitive, CRT + non-sensitive and non-CRT + non-sensitive. * By eliminating P11RSAPrivateKey::getModulus, looks to me that P11PrivateKeyRSA::getModulus and P11PrivateKeyRSA::fetchValues are now called, leading to an unnecessary call to the native library as the modulus was already received on P11RSAPrivateKey constructor. This happens to P11RSAPrivateNonCRTKey as well. * P11PrivateKeyRSA does not make the CRT/non-CRT distinction for sensitive keys, so the public exponent is not obtained when it could be. This is a bit less functionality than what the Fetcher provides, and would require a few changes to fit it into the design. >From comment #Aug 17: "(...) and you just cover it up with different wrapper classes which seems algorithm specific but yet do not contain any algorithm specific fields and the logic is all inside the corresponding Fetcher" * In my view, it's true that the Fetcher has the logic to get and hold the data. But the classes that use it are not just wrapper classes covering it up: they implement different interfaces and override/implement methods differently. In example, P11RSAPrivateNonCRTKey implements RSAPrivateKey and decides not to provide an implementation of methods such as getPublicExponent, getPrimeP, getPrimeQ, etc. On the other hand, having the logic for the different RSA data-availability scenarios in a single place (CRT sensitive, non-CRT sensitive, CRT non-sensitive and non-CRT non-sensitive) makes it a bit easier to reason about. Otherwise, this is scattered all over the place. If you still want to take the non-fetcher approach and address the issues mentioned above, I can have a look. Kind regards, Martin.- ------------- PR: https://git.openjdk.java.net/jdk/pull/4961 From ascarpino at openjdk.java.net Wed Oct 20 20:51:04 2021 From: ascarpino at openjdk.java.net (Anthony Scarpino) Date: Wed, 20 Oct 2021 20:51:04 GMT Subject: RFR: 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key [v3] In-Reply-To: References: Message-ID: <4gHZE0xcs7ttK5lQWqQk6ubujej03RPL0YuC08PdHQY=.672dfa96-70a7-4170-a2b6-4d6446829717@github.com> On Wed, 20 Oct 2021 14:47:31 GMT, Sean Mullan wrote: >> This fix improves the exception message to better indicate when the key (and not the signature algorithm) is restricted. This change also includes a few other improvements: >> >> - The constraints checking in `AlgorithmChecker.check()` has been improved. If the `AlgorithmConstraints` are an instance of `DisabledAlgorithmConstraints`, the internal `permits` methods are always called; otherwise the public `permits` methods are called. This makes the code easier to understand, and fixes at least one case where duplicate checks were being done. >> >> - The above change caused some of the exception messages to be slightly different, so some tests that checked the error messages had to be updated to reflect that. >> >> - AlgorithmDecomposer now stores the decomposed SHA algorithm names in a Map, which fixed a bug where "RSASSA-PSS" was not being restricted properly. > > Sean Mullan has updated the pull request incrementally with one additional commit since the last revision: > > - Skip digest alg decomposing check for algorithms that don't contain "SHA". > - Remove hasLoop method and fold code into decomposeName method. looks good to me ------------- Marked as reviewed by ascarpino (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/5928 From xuelei at openjdk.java.net Wed Oct 20 21:53:07 2021 From: xuelei at openjdk.java.net (Xue-Lei Andrew Fan) Date: Wed, 20 Oct 2021 21:53:07 GMT Subject: RFR: 8274308: Improve efficiency for HandshakeContext initialization. In-Reply-To: References: Message-ID: On Sat, 2 Oct 2021 05:45:47 GMT, Clive Verghese wrote: > Hi, > > We have identified that the `HandshakeContext` initialization takes up a close to 50% of the flame graph for startHandshake. I have moved the computation of the `activeProtocols` and `activeCipherSuites` from the HandshakeContext constructor to SSLConfiguration class because the values used to compute the two list are available in the SSLConfiguration. > > In order to reuse this, I have initialized SSLConfiguration in the SSLSocketFactory and reused this when possible for Client Socket Constructors in the SSLSocketImpl. > > Sockets created from the SSLSocketFactory see this improvements. > > Old Benchmarks > > Benchmark Mode Cnt Score Error Units > SSLStartHandshake.handshakeBenchmark thrpt 25 0.247 ? 0.011 ops/ms > SSLStartHandshake.handshakeBenchmark avgt 25 4.210 ? 0.445 ms/op > > New Benchmarks > > SSLStartHandshake.handshakeBenchmark thrpt 25 0.257 ? 0.017 ops/ms > SSLStartHandshake.handshakeBenchmark avgt 25 3.967 ? 0.208 ms/op > > > > I have also attached the JFR profiles from before and after the change. > Before > SSLOverhead-old > > After > SSLOverhead-new > > We have been able to optimize the `TransportContext.kickstart` function by removing the `HandshakeContext.` initialization and reduce the time to start the handshake by reusing `activeProtocols` and `activeCipherSuites` > > In addition to the SSL and http tests, I have run tier-1 and tier-2 tests and ensure that they pass. > > Looking for your feedback Changes requested by xuelei (Reviewer). It looks like a good idea to make less computation for each handshake context. Thanks for that. I have some concerns for the update, and see the comments above. src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java line 57: > 55: AlgorithmConstraints userSpecifiedAlgorithmConstraints; > 56: List enabledProtocols; > 57: List enabledCipherSuites; What's the motivation to change enabledProtocols/CipherSuites to private? src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java line 278: > 276: this.enabledCipherSuites, this.algorithmConstraints); > 277: this.activeCipherSuites = getActiveCipherSuites(this.activeProtocols, > 278: this.enabledCipherSuites, this.algorithmConstraints); Maybe a lazy set of activeProtocols could be better as setSSLParameters() may be called multiple times in practice. src/java.base/share/classes/sun/security/ssl/SSLSocketFactoryImpl.java line 47: > 45: > 46: private final SSLContextImpl context; > 47: private final SSLConfiguration configuration; Share the mutable configuration within the instances created by the factory may be not a good idea. src/java.base/share/classes/sun/security/ssl/SSLSocketFactoryImpl.java line 173: > 171: { > 172: return new SSLSocketImpl(context, address, port, > 173: clientAddress, clientPort, configuration); Note that the configuration is used and shared for among socket instances, which may be not the expected behavior. src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java line 174: > 172: HandshakeHash handshakeHash = new HandshakeHash(); > 173: this.conContext = new TransportContext(sslContext, this, > 174: sslConfiguration, Sharing the mutable sslConfiguration for individual sockets may be not a good idea. ------------- PR: https://git.openjdk.java.net/jdk/pull/5793 From cverghese at openjdk.java.net Wed Oct 20 22:12:01 2021 From: cverghese at openjdk.java.net (Clive Verghese) Date: Wed, 20 Oct 2021 22:12:01 GMT Subject: RFR: 8274308: Improve efficiency for HandshakeContext initialization. In-Reply-To: References: Message-ID: <_VshJLodLgjqe4Szme5SiosJHhLQ-dFNQXIBrhJNqTE=.cc9761f3-3a93-4f17-b3f3-bdf9ae01aa39@github.com> On Sat, 2 Oct 2021 05:45:47 GMT, Clive Verghese wrote: > Hi, > > We have identified that the `HandshakeContext` initialization takes up a close to 50% of the flame graph for startHandshake. I have moved the computation of the `activeProtocols` and `activeCipherSuites` from the HandshakeContext constructor to SSLConfiguration class because the values used to compute the two list are available in the SSLConfiguration. > > In order to reuse this, I have initialized SSLConfiguration in the SSLSocketFactory and reused this when possible for Client Socket Constructors in the SSLSocketImpl. > > Sockets created from the SSLSocketFactory see this improvements. > > Old Benchmarks > > Benchmark Mode Cnt Score Error Units > SSLStartHandshake.handshakeBenchmark thrpt 25 0.247 ? 0.011 ops/ms > SSLStartHandshake.handshakeBenchmark avgt 25 4.210 ? 0.445 ms/op > > New Benchmarks > > SSLStartHandshake.handshakeBenchmark thrpt 25 0.257 ? 0.017 ops/ms > SSLStartHandshake.handshakeBenchmark avgt 25 3.967 ? 0.208 ms/op > > > > I have also attached the JFR profiles from before and after the change. > Before > SSLOverhead-old > > After > SSLOverhead-new > > We have been able to optimize the `TransportContext.kickstart` function by removing the `HandshakeContext.` initialization and reduce the time to start the handshake by reusing `activeProtocols` and `activeCipherSuites` > > In addition to the SSL and http tests, I have run tier-1 and tier-2 tests and ensure that they pass. > > Looking for your feedback Thank you for the feedback. Based on the feedback provided here, I am working on moving this to a cache within HandshakeContext. I will be updating the PR with that implementation soon for your feedback. ------------- PR: https://git.openjdk.java.net/jdk/pull/5793 From weijun at openjdk.java.net Thu Oct 21 02:35:13 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 21 Oct 2021 02:35:13 GMT Subject: RFR: 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key [v3] In-Reply-To: References: Message-ID: On Wed, 20 Oct 2021 14:47:31 GMT, Sean Mullan wrote: >> This fix improves the exception message to better indicate when the key (and not the signature algorithm) is restricted. This change also includes a few other improvements: >> >> - The constraints checking in `AlgorithmChecker.check()` has been improved. If the `AlgorithmConstraints` are an instance of `DisabledAlgorithmConstraints`, the internal `permits` methods are always called; otherwise the public `permits` methods are called. This makes the code easier to understand, and fixes at least one case where duplicate checks were being done. >> >> - The above change caused some of the exception messages to be slightly different, so some tests that checked the error messages had to be updated to reflect that. >> >> - AlgorithmDecomposer now stores the decomposed SHA algorithm names in a Map, which fixed a bug where "RSASSA-PSS" was not being restricted properly. > > Sean Mullan has updated the pull request incrementally with one additional commit since the last revision: > > - Skip digest alg decomposing check for algorithms that don't contain "SHA". > - Remove hasLoop method and fold code into decomposeName method. src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java line 80: > 78: private final Date date; > 79: private PublicKey prevPubKey; > 80: private final String variant; You can group fields to final and non-final ones. src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java line 174: > 172: } > 173: > 174: @Override In the `init()` method below, just write `prevPubKey = trustedPubKey` no matter if `trustedPubKey` is null or not. src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java line 318: > 316: prevPubKey = currPubKey; > 317: return; > 318: } I find it more natural to enclose the block below in a `if (prevPubKey != null)` block, and you only need to call one `prevPubKey = currPubKey` at the end. src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java line 362: > 360: // Don't bother if the check has started or trust anchor has already > 361: // been specified. > 362: if (this.prevPubKey == null) { Maybe it's cleaner to write `if (this.trustedPubKey == null)` above. Anyway, after `init()` they are the same. src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java line 363: > 361: // been specified. > 362: if (this.prevPubKey == null) { > 363: if (anchor == null) { This won't happen. Or, you can ignore it. This makes it possible to call this method in the constructor. ------------- PR: https://git.openjdk.java.net/jdk/pull/5928 From mullan at openjdk.java.net Thu Oct 21 12:36:33 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Thu, 21 Oct 2021 12:36:33 GMT Subject: RFR: 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key [v4] In-Reply-To: References: Message-ID: <-qG-w6Uy3e-tHNZt9ucTG4NXp_lvse9oK-2Bn2pRsDc=.56993be7-5744-4ee3-b495-3cb9cc92037c@github.com> > This fix improves the exception message to better indicate when the key (and not the signature algorithm) is restricted. This change also includes a few other improvements: > > - The constraints checking in `AlgorithmChecker.check()` has been improved. If the `AlgorithmConstraints` are an instance of `DisabledAlgorithmConstraints`, the internal `permits` methods are always called; otherwise the public `permits` methods are called. This makes the code easier to understand, and fixes at least one case where duplicate checks were being done. > > - The above change caused some of the exception messages to be slightly different, so some tests that checked the error messages had to be updated to reflect that. > > - AlgorithmDecomposer now stores the decomposed SHA algorithm names in a Map, which fixed a bug where "RSASSA-PSS" was not being restricted properly. Sean Mullan has updated the pull request incrementally with one additional commit since the last revision: Address Max' comments. ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5928/files - new: https://git.openjdk.java.net/jdk/pull/5928/files/f2031126..052c28f5 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5928&range=03 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5928&range=02-03 Stats: 44 lines in 1 file changed: 4 ins; 16 del; 24 mod Patch: https://git.openjdk.java.net/jdk/pull/5928.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5928/head:pull/5928 PR: https://git.openjdk.java.net/jdk/pull/5928 From mullan at openjdk.java.net Thu Oct 21 12:36:44 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Thu, 21 Oct 2021 12:36:44 GMT Subject: RFR: 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key [v3] In-Reply-To: References: Message-ID: <6nMyhWHdD0FkArkzWOTQnkP553PSOPBWsOzSBBCA2pw=.6dee2c3f-bd22-48ae-ae1d-47a67c2cc1a8@github.com> On Thu, 21 Oct 2021 02:22:18 GMT, Weijun Wang wrote: >> Sean Mullan has updated the pull request incrementally with one additional commit since the last revision: >> >> - Skip digest alg decomposing check for algorithms that don't contain "SHA". >> - Remove hasLoop method and fold code into decomposeName method. > > src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java line 80: > >> 78: private final Date date; >> 79: private PublicKey prevPubKey; >> 80: private final String variant; > > You can group fields to final and non-final ones. Ok. > src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java line 174: > >> 172: } >> 173: >> 174: @Override > > In the `init()` method below, just write `prevPubKey = trustedPubKey` no matter if `trustedPubKey` is null or not. Yes. > src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java line 318: > >> 316: prevPubKey = currPubKey; >> 317: return; >> 318: } > > I find it more natural to enclose the block below in a `if (prevPubKey != null)` block, and you only need to call one `prevPubKey = currPubKey` at the end. Ok. > src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java line 362: > >> 360: // Don't bother if the check has started or trust anchor has already >> 361: // been specified. >> 362: if (this.prevPubKey == null) { > > Maybe it's cleaner to write `if (this.trustedPubKey == null)` above. Anyway, after `init()` they are the same. Agree. > src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java line 363: > >> 361: // been specified. >> 362: if (this.prevPubKey == null) { >> 363: if (anchor == null) { > > This won't happen. Or, you can ignore it. > > This makes it possible to call this method in the constructor. Ok, will remove. But I will keep this method separate since, unlike the ctor it needs to check if `trustedPubKey` is `null` before setting the `prevPubKey`. ------------- PR: https://git.openjdk.java.net/jdk/pull/5928 From abakhtin at openjdk.java.net Thu Oct 21 12:59:35 2021 From: abakhtin at openjdk.java.net (Alexey Bakhtin) Date: Thu, 21 Oct 2021 12:59:35 GMT Subject: RFR: 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key [v2] In-Reply-To: References: Message-ID: > Hello, > > Could you please review the small patch for the issue described in JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key > > I suggest updating the RSAPSSSignature.isValid() method to verify if provided key components can be applied to SunRSASign implementation. > If not applied, implementation can try to select signer from other providers > > Regards > Alexey Alexey Bakhtin has updated the pull request incrementally with one additional commit since the last revision: Refactoring isValid() for private and public keys ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/4887/files - new: https://git.openjdk.java.net/jdk/pull/4887/files/d2b371d5..b336e36e Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=4887&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=4887&range=00-01 Stats: 105 lines in 2 files changed: 68 ins; 32 del; 5 mod Patch: https://git.openjdk.java.net/jdk/pull/4887.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/4887/head:pull/4887 PR: https://git.openjdk.java.net/jdk/pull/4887 From abakhtin at openjdk.java.net Thu Oct 21 13:02:07 2021 From: abakhtin at openjdk.java.net (Alexey Bakhtin) Date: Thu, 21 Oct 2021 13:02:07 GMT Subject: RFR: 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key [v2] In-Reply-To: References: Message-ID: On Wed, 20 Oct 2021 17:22:38 GMT, Xue-Lei Andrew Fan wrote: >> Alexey Bakhtin has updated the pull request incrementally with one additional commit since the last revision: >> >> Refactoring isValid() for private and public keys > > It's a good catch. Thank you for the fix. Hi @XueleiFan ! Thank you for review and comments. I've used signum as it is the most lightweight method in the BigInteger. Now I have refactored the patch to reuse key verification methods from other classes. isValid() is split out into two methods as you suggested and exception messages are updated. sun/security/rsa tests are passed ------------- PR: https://git.openjdk.java.net/jdk/pull/4887 From weijun at openjdk.java.net Thu Oct 21 13:06:09 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 21 Oct 2021 13:06:09 GMT Subject: RFR: 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key [v3] In-Reply-To: <6nMyhWHdD0FkArkzWOTQnkP553PSOPBWsOzSBBCA2pw=.6dee2c3f-bd22-48ae-ae1d-47a67c2cc1a8@github.com> References: <6nMyhWHdD0FkArkzWOTQnkP553PSOPBWsOzSBBCA2pw=.6dee2c3f-bd22-48ae-ae1d-47a67c2cc1a8@github.com> Message-ID: <__1Ca6qv9LmhJdnRMrWzHl1q_TG_de60HzpNa55ggoI=.b3c9942a-02cc-4ea2-8706-cc42f66eb2ed@github.com> On Thu, 21 Oct 2021 12:06:39 GMT, Sean Mullan wrote: >> src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java line 363: >> >>> 361: // been specified. >>> 362: if (this.prevPubKey == null) { >>> 363: if (anchor == null) { >> >> This won't happen. Or, you can ignore it. >> >> This makes it possible to call this method in the constructor. > > Ok, will remove. But I will keep this method separate since, unlike the ctor it needs to check if `trustedPubKey` is `null` before setting the `prevPubKey`. OK, but in the ctor `trustedPubKey` is also null. ------------- PR: https://git.openjdk.java.net/jdk/pull/5928 From mullan at openjdk.java.net Thu Oct 21 13:50:12 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Thu, 21 Oct 2021 13:50:12 GMT Subject: RFR: 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key [v3] In-Reply-To: <__1Ca6qv9LmhJdnRMrWzHl1q_TG_de60HzpNa55ggoI=.b3c9942a-02cc-4ea2-8706-cc42f66eb2ed@github.com> References: <6nMyhWHdD0FkArkzWOTQnkP553PSOPBWsOzSBBCA2pw=.6dee2c3f-bd22-48ae-ae1d-47a67c2cc1a8@github.com> <__1Ca6qv9LmhJdnRMrWzHl1q_TG_de60HzpNa55ggoI=.b3c9942a-02cc-4ea2-8706-cc42f66eb2ed@github.com> Message-ID: <0dcepjdJepzUR0uVuf7dDfNivpTyvZ_BwwFZbeKBVvk=.f4d893c6-c20a-499b-bff0-db4ccaf44c9b@github.com> On Thu, 21 Oct 2021 13:03:04 GMT, Weijun Wang wrote: >> Ok, will remove. But I will keep this method separate since, unlike the ctor it needs to check if `trustedPubKey` is `null` before setting the `prevPubKey`. > > OK, but in the ctor `trustedPubKey` is also null. True, but that's because none of the fields are set yet, so it feels odd for the ctor to check if the field is null when it is always true, even if it is a different method. What if I create a separate method `setTrustAnchor(TrustAnchor)` which the ctor calls, and then change `trySetTrustAnchor` to: if (this.trustedPubKey == null) { setTrustAnchor(anchor); } ------------- PR: https://git.openjdk.java.net/jdk/pull/5928 From weijun at openjdk.java.net Thu Oct 21 13:50:12 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 21 Oct 2021 13:50:12 GMT Subject: RFR: 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key [v3] In-Reply-To: <0dcepjdJepzUR0uVuf7dDfNivpTyvZ_BwwFZbeKBVvk=.f4d893c6-c20a-499b-bff0-db4ccaf44c9b@github.com> References: <6nMyhWHdD0FkArkzWOTQnkP553PSOPBWsOzSBBCA2pw=.6dee2c3f-bd22-48ae-ae1d-47a67c2cc1a8@github.com> <__1Ca6qv9LmhJdnRMrWzHl1q_TG_de60HzpNa55ggoI=.b3c9942a-02cc-4ea2-8706-cc42f66eb2ed@github.com> <0dcepjdJepzUR0uVuf7dDfNivpTyvZ_BwwFZbeKBVvk=.f4d893c6-c20a-499b-bff0-db4ccaf44c9b@github.com> Message-ID: On Thu, 21 Oct 2021 13:43:40 GMT, Sean Mullan wrote: >> OK, but in the ctor `trustedPubKey` is also null. > > True, but that's because none of the fields are set yet, so it feels odd for the ctor to check if the field is null when it is always true, even if it is a different method. What if I create a separate method `setTrustAnchor(TrustAnchor)` which the ctor calls, and then change `trySetTrustAnchor` to: > > if (this.trustedPubKey == null) { > setTrustAnchor(anchor); > } Sounds good. ------------- PR: https://git.openjdk.java.net/jdk/pull/5928 From weijun at openjdk.java.net Thu Oct 21 14:08:12 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 21 Oct 2021 14:08:12 GMT Subject: Integrated: 8270380: Change the default value of the java.security.manager system property to disallow In-Reply-To: References: Message-ID: On Fri, 20 Aug 2021 22:44:34 GMT, Weijun Wang wrote: > This change modifies the default value of the `java.security.manager` system property from "allow" to "disallow". This means unless it's explicitly set to "allow", any call to `System.setSecurityManager()` would throw an UOE. > > This change was previously announced on the [jdk-dev alias](https://mail.openjdk.java.net/pipermail/jdk-dev/2021-May/005616.html) and is documented in [JEP 411](https://openjdk.java.net/jeps/411#Description). > > The `AllowSecurityManager.java` and `SecurityManagerWarnings.java` tests are updated to confirm this behavior change. Two other tests are updated because they were added after JDK-8267184 and do not have `-Djava.security.manager=allow` on its `@run` line even it they need to install a `SecurityManager` at runtime. This pull request has now been integrated. Changeset: d589b664 Author: Weijun Wang URL: https://git.openjdk.java.net/jdk/commit/d589b664cc809aea39ec094e99b1898df1bf3c19 Stats: 30 lines in 6 files changed: 5 ins; 8 del; 17 mod 8270380: Change the default value of the java.security.manager system property to disallow Reviewed-by: lancea, mullan, rriggs ------------- PR: https://git.openjdk.java.net/jdk/pull/5204 From mullan at openjdk.java.net Thu Oct 21 14:40:37 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Thu, 21 Oct 2021 14:40:37 GMT Subject: RFR: 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key [v5] In-Reply-To: References: Message-ID: <1FhUCl3kL7qsw_VKpkqIFQUEdC87ddBiGTb99FXwAvA=.8a34ced7-26ed-438f-9c5d-a99a961b036a@github.com> > This fix improves the exception message to better indicate when the key (and not the signature algorithm) is restricted. This change also includes a few other improvements: > > - The constraints checking in `AlgorithmChecker.check()` has been improved. If the `AlgorithmConstraints` are an instance of `DisabledAlgorithmConstraints`, the internal `permits` methods are always called; otherwise the public `permits` methods are called. This makes the code easier to understand, and fixes at least one case where duplicate checks were being done. > > - The above change caused some of the exception messages to be slightly different, so some tests that checked the error messages had to be updated to reflect that. > > - AlgorithmDecomposer now stores the decomposed SHA algorithm names in a Map, which fixed a bug where "RSASSA-PSS" was not being restricted properly. Sean Mullan has updated the pull request incrementally with one additional commit since the last revision: Add setTrustAnchorAndKeys method and change ctor and trySetTrustAnchor to call it. ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5928/files - new: https://git.openjdk.java.net/jdk/pull/5928/files/052c28f5..d163b5b1 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5928&range=04 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5928&range=03-04 Stats: 32 lines in 1 file changed: 14 ins; 15 del; 3 mod Patch: https://git.openjdk.java.net/jdk/pull/5928.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5928/head:pull/5928 PR: https://git.openjdk.java.net/jdk/pull/5928 From mcimadamore at openjdk.java.net Thu Oct 21 15:20:16 2021 From: mcimadamore at openjdk.java.net (Maurizio Cimadamore) Date: Thu, 21 Oct 2021 15:20:16 GMT Subject: RFR: 8275063: Implementation of Foreign Function & Memory API (Second incubator) [v9] In-Reply-To: References: Message-ID: > This PR contains the API and implementation changes for JEP-419 [1]. A more detailed description of such changes, to avoid repetitions during the review process, is included as a separate comment. > > [1] - https://openjdk.java.net/jeps/419 Maurizio Cimadamore has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 15 additional commits since the last revision: - Fix regression in VaList treatment on AArch64 (contributed by @nick-arm) - Merge branch 'master' into JEP-419 - Fix copyright header in TestArrayCopy - Fix failing microbenchmarks. Contributed by @FrauBoes (thanks!) - * use `invokeWithArguments` to simplify new test - Add test for liveness check with high-aririty downcalls (make sure that if an exception occurs in a downcall because of liveness, ref count of other resources are left intact). - * Fix javadoc issue in VaList * Fix bug in concurrent logic for shared scope acquire - Address review comments - Apply suggestions from code review Co-authored-by: Paul Sandoz - Fix TestLinkToNativeRBP test - ... and 5 more: https://git.openjdk.java.net/jdk/compare/aeabb3df...5c69eabf ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5907/files - new: https://git.openjdk.java.net/jdk/pull/5907/files/414952ad..5c69eabf Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5907&range=08 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5907&range=07-08 Stats: 25202 lines in 587 files changed: 18962 ins; 4240 del; 2000 mod Patch: https://git.openjdk.java.net/jdk/pull/5907.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5907/head:pull/5907 PR: https://git.openjdk.java.net/jdk/pull/5907 From xuelei at openjdk.java.net Thu Oct 21 16:52:07 2021 From: xuelei at openjdk.java.net (Xue-Lei Andrew Fan) Date: Thu, 21 Oct 2021 16:52:07 GMT Subject: RFR: 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key [v2] In-Reply-To: References: Message-ID: <7trjyOjADPF016uWdR3ROr0Ovc8YZHkPUWXEDxuyKtI=.ee339194-96b4-43f5-b429-fc6fcfa99f34@github.com> On Thu, 21 Oct 2021 12:59:35 GMT, Alexey Bakhtin wrote: >> Hello, >> >> Could you please review the small patch for the issue described in JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key >> >> I suggest updating the RSAPSSSignature.isValid() method to verify if provided key components can be applied to SunRSASign implementation. >> If not applied, implementation can try to select signer from other providers >> >> Regards >> Alexey > > Alexey Bakhtin has updated the pull request incrementally with one additional commit since the last revision: > > Refactoring isValid() for private and public keys Changes requested by xuelei (Reviewer). src/java.base/share/classes/sun/security/rsa/RSAPSSSignature.java line 127: > 125: throws InvalidKeyException { > 126: if (publicKey instanceof RSAPublicKey rsaPubKey) { > 127: this.pubKey = (RSAPublicKey) isPublicKeyValid(rsaPubKey); Is it possible to have the isPublicKeyValid() returning RSAPublicKey, or void, so as to avoid the casting? Same comment for the isValid() method and the isPrivateKeyValid() method. src/java.base/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java line 96: > 94: try { > 95: return isValid(key); > 96: } catch (InvalidKeyException ikEx) { It might be an uncommon use of the exception. Exception creation and catching are expensive. It is not good for performance to recover from exception. I know there are a lot of code recovering from exception. But if it is possible, we may want to try avoid it in new code. Maybe, the isValid() could return a boolean value instead. ------------- PR: https://git.openjdk.java.net/jdk/pull/4887 From mullan at openjdk.java.net Thu Oct 21 17:32:15 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Thu, 21 Oct 2021 17:32:15 GMT Subject: Integrated: 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key In-Reply-To: References: Message-ID: On Wed, 13 Oct 2021 13:42:25 GMT, Sean Mullan wrote: > This fix improves the exception message to better indicate when the key (and not the signature algorithm) is restricted. This change also includes a few other improvements: > > - The constraints checking in `AlgorithmChecker.check()` has been improved. If the `AlgorithmConstraints` are an instance of `DisabledAlgorithmConstraints`, the internal `permits` methods are always called; otherwise the public `permits` methods are called. This makes the code easier to understand, and fixes at least one case where duplicate checks were being done. > > - The above change caused some of the exception messages to be slightly different, so some tests that checked the error messages had to be updated to reflect that. > > - AlgorithmDecomposer now stores the decomposed SHA algorithm names in a Map, which fixed a bug where "RSASSA-PSS" was not being restricted properly. This pull request has now been integrated. Changeset: 49f9d803 Author: Sean Mullan URL: https://git.openjdk.java.net/jdk/commit/49f9d8031e9c678e20dcfc1ba06758b511a26b07 Stats: 327 lines in 8 files changed: 103 ins; 122 del; 102 mod 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key Reviewed-by: ascarpino ------------- PR: https://git.openjdk.java.net/jdk/pull/5928 From aefimov at openjdk.java.net Thu Oct 21 18:21:50 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Thu, 21 Oct 2021 18:21:50 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v6] In-Reply-To: References: Message-ID: > This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. > > The following API classes are added to `java.net.spi` package to facilitate this: > - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. > - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. > - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. > - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. > > More details in [JEP-418](https://openjdk.java.net/jeps/418). > > Testing: new and existing `tier1:tier3` tests Aleksei Efimov has updated the pull request incrementally with one additional commit since the last revision: Review updates + move resolver docs to the provider class (CSR update to follow) ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5822/files - new: https://git.openjdk.java.net/jdk/pull/5822/files/30226481..2a554c91 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5822&range=05 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5822&range=04-05 Stats: 123 lines in 3 files changed: 49 ins; 40 del; 34 mod Patch: https://git.openjdk.java.net/jdk/pull/5822.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5822/head:pull/5822 PR: https://git.openjdk.java.net/jdk/pull/5822 From aefimov at openjdk.java.net Thu Oct 21 18:21:54 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Thu, 21 Oct 2021 18:21:54 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v5] In-Reply-To: References: Message-ID: On Wed, 20 Oct 2021 18:47:32 GMT, Alan Bateman wrote: >> Aleksei Efimov has updated the pull request incrementally with one additional commit since the last revision: >> >> Change InetAddressResolver method names > > src/java.base/share/classes/java/net/InetAddress.java line 244: > >> 242: * @implNote >> 243: * For any lookup operation that might occur before the VM is fully booted the built-in >> 244: * resolver will be used. > > I think we will need decide if InetAddress class description is the right place for this or whether some/most of it should move to InetAddressResolverProvider. It might be that we update the existing "Host Name Resolution" section with some basic/readable text to make the reader aware that there is a provider mechanism with a link to InetAddressResolverProvider with the details. Thanks for a good suggestion, Alan. It looks better now (2a554c91864e3b42a0ea315b0a671782fe341927) with some basic text for provider mechanism added to `Host Name Resolution`, and `InetAddress Resolver Providers` section moved to `InetAddressResolverProvider`. ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From dfuchs at openjdk.java.net Thu Oct 21 19:12:09 2021 From: dfuchs at openjdk.java.net (Daniel Fuchs) Date: Thu, 21 Oct 2021 19:12:09 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v6] In-Reply-To: References: Message-ID: On Thu, 21 Oct 2021 18:21:50 GMT, Aleksei Efimov wrote: >> This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. >> >> The following API classes are added to `java.net.spi` package to facilitate this: >> - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. >> - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. >> - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. >> - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. >> >> More details in [JEP-418](https://openjdk.java.net/jeps/418). >> >> Testing: new and existing `tier1:tier3` tests > > Aleksei Efimov has updated the pull request incrementally with one additional commit since the last revision: > > Review updates + move resolver docs to the provider class (CSR update to follow) src/java.base/share/classes/java/net/InetAddress.java line 152: > 150: * > 151: *

Host Name Resolution

> 152: * Host name-to-IP address resolution is accomplished through the use maybe you need a `

` there even though it's the first paragaph under the header. src/java.base/share/classes/java/net/InetAddress.java line 159: > 157: * by > 158: * deploying an {@link InetAddressResolverProvider}. > 159: *

The built-in resolver implementation is used by did you double check that anchors defined with `

` actually work in the generated API doc? Also maybe leave a blank line before any opening `` tag... src/java.base/share/classes/java/net/spi/InetAddressResolver.java line 36: > 34: * This interface defines operations for looking-up host names and IP addresses. > 35: * An instance of {@code InetAddressResolver} is > 36: * installed as a Maybe it would be more appropriate to link _system-wide-resolver_ instead (on the next line in the same sentence). src/java.base/share/classes/java/net/spi/InetAddressResolverProvider.java line 37: > 35: * > 36: *

A resolver provider is a factory for custom implementations of {@linkplain > 37: * InetAddressResolver resolvers}. A resolver define operations for looking up ... a resolver define**s** ... ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From abakhtin at openjdk.java.net Thu Oct 21 19:16:34 2021 From: abakhtin at openjdk.java.net (Alexey Bakhtin) Date: Thu, 21 Oct 2021 19:16:34 GMT Subject: RFR: 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key [v3] In-Reply-To: References: Message-ID: > Hello, > > Could you please review the small patch for the issue described in JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key > > I suggest updating the RSAPSSSignature.isValid() method to verify if provided key components can be applied to SunRSASign implementation. > If not applied, implementation can try to select signer from other providers > > Regards > Alexey Alexey Bakhtin has updated the pull request incrementally with one additional commit since the last revision: Change exception handling ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/4887/files - new: https://git.openjdk.java.net/jdk/pull/4887/files/b336e36e..df6f212d Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=4887&range=02 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=4887&range=01-02 Stats: 34 lines in 2 files changed: 9 ins; 7 del; 18 mod Patch: https://git.openjdk.java.net/jdk/pull/4887.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/4887/head:pull/4887 PR: https://git.openjdk.java.net/jdk/pull/4887 From abakhtin at openjdk.java.net Thu Oct 21 19:20:05 2021 From: abakhtin at openjdk.java.net (Alexey Bakhtin) Date: Thu, 21 Oct 2021 19:20:05 GMT Subject: RFR: 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key [v3] In-Reply-To: References: Message-ID: On Thu, 21 Oct 2021 19:16:34 GMT, Alexey Bakhtin wrote: >> Hello, >> >> Could you please review the small patch for the issue described in JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key >> >> I suggest updating the RSAPSSSignature.isValid() method to verify if provided key components can be applied to SunRSASign implementation. >> If not applied, implementation can try to select signer from other providers >> >> Regards >> Alexey > > Alexey Bakhtin has updated the pull request incrementally with one additional commit since the last revision: > > Change exception handling Thank you for review. I've changed exception handling and excluded unnecessary casting. ------------- PR: https://git.openjdk.java.net/jdk/pull/4887 From weijun.wang at oracle.com Thu Oct 21 19:38:18 2021 From: weijun.wang at oracle.com (Wei-Jun Wang) Date: Thu, 21 Oct 2021 19:38:18 +0000 Subject: Java ignores/errors canonicalized principals (NT-PRINCIPAL) from Active Directory In-Reply-To: <0b9c7c31-bf21-03f0-9cae-a16f27f3f29b@siemens.com> References: <0b9c7c31-bf21-03f0-9cae-a16f27f3f29b@siemens.com> Message-ID: <18E063BE-8413-4DAE-9086-7FE72BB33F36@oracle.com> KrbKdcReq throws the exception on line 55, so it is the previous check if (isAsReq && !req.reqBody.cname.equals(rep.cname) && ((!req.reqBody.kdcOptions.get(KDCOptions.CANONICALIZE) && req.reqBody.cname.getNameType() != PrincipalName.KRB_NT_ENTERPRISE) || !rep.encKDCRepPart.flags.get(Krb5.TKT_OPTS_ENC_PA_REP))) { rep.encKDCRepPart.key.destroy(); >>> throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED); } So maybe it's the cname was changed, but I'm not sure about the flags. Can you send me some packets? Hopefully with a key tab or password so I can look into rep.encKDCRepPart. Thanks, Max > On Oct 20, 2021, at 4:03 AM, Osipov, Michael (LDA IT PLM) wrote: > > Hi folks, > > we have recently noticed the following with Java's kinit (tested with Zulu 8 and 13, code is identical in 18 as well): > >> C:\Users\osipovmi>kinit osipovmi at ad001.siemens.net > > I have intentionally written the realm in lowercase to rely on canonicalization of the AD KDC. krb5.conf contains "canonicalize = true" as well. > > Wireshark shows me in the AS-REQ: > as-req/req-body/sname: name-type KRB5-NT-SRV-INST (2), sname-string (2): krbtgt and ad001.siemens.net > > AS-REP: > as-rep/ticket/sname: name-type KRB5-NT-SRV-INST (2), sname-string (2): krbtgt and AD001.SIEMENS.NET > > Hence, the KDC has properly canonicalized the sname. Java gives me: > >> Exception: krb_error 41 Message stream modified (41) Message stream modified >> KrbException: Message stream modified (41) >> at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:55) >> at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159) >> at sun.security.krb5.KrbAsRep.decryptUsingPassword(KrbAsRep.java:139) >> at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:312) >> at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:498) >> at sun.security.krb5.internal.tools.Kinit.acquire(Kinit.java:248) >> at sun.security.krb5.internal.tools.Kinit.(Kinit.java:134) >> at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:96) > > Referrals aren't involved here, same realm. > The failing code block is from: > * https://github.com/AdoptOpenJDK/openjdk-jdk8u/blob/9a751dc19fae78ce58fb0eb176522070c992fb6f/jdk/src/share/classes/sun/security/krb5/KrbKdcRep.java#L58-L71 > * https://github.com/AdoptOpenJDK/openjdk-jdk/blob/ff4997014fe5462dca2b313f3f483400ffee5b62/src/java.security.jgss/share/classes/sun/security/krb5/KrbKdcRep.java#L58-L71 > >> // sname change in TGS-REP is allowed only if client >> // sent CANONICALIZE and new sname is a referral of >> // the form krbtgt/TO-REALM.COM at FROM-REALM.COM. >> if (!req.reqBody.sname.equals(rep.encKDCRepPart.sname)) { >> String[] snameStrings = rep.encKDCRepPart.sname.getNameStrings(); >> if (isAsReq || !req.reqBody.kdcOptions.get(KDCOptions.CANONICALIZE) || >> snameStrings == null || snameStrings.length != 2 || >> !snameStrings[0].equals(PrincipalName.TGS_DEFAULT_SRV_NAME) || >> !rep.encKDCRepPart.sname.getRealmString().equals( >> req.reqBody.sname.getRealmString())) { >> rep.encKDCRepPart.key.destroy(); >> throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED); >> } >> } > > So it either fails for >> isAsReq > or >> !rep.encKDCRepPart.sname.getRealmString().equals( >>> req.reqBody.sname.getRealmString()) > > Here is MIT Kerberos: >> $ kinit OSIPOVMI at ad001.siemens.net >> Passwort f?r OSIPOVMI at ad001.siemens.net: >> $ klist >> Ticketzwischenspeicher: FILE:/tmp/krb5cc_722 >> Standard-Principal: osipovmi at AD001.SIEMENS.NET >> Valid starting Expires Service principal >> 20.10.2021 10:02:14 20.10.2021 20:02:14 krbtgt/AD001.SIEMENS.NET at AD001.SIEMENS.NET >> erneuern bis 21.10.2021 10:02:10 > > Works as expected. Can someone explain? Shall I create a bug for this? > > Michael From michael.osipov at siemens.com Fri Oct 22 07:48:06 2021 From: michael.osipov at siemens.com (Osipov, Michael (LDA IT PLM)) Date: Fri, 22 Oct 2021 09:48:06 +0200 Subject: Java ignores/errors canonicalized principals (NT-PRINCIPAL) from Active Directory In-Reply-To: <18E063BE-8413-4DAE-9086-7FE72BB33F36@oracle.com> References: <0b9c7c31-bf21-03f0-9cae-a16f27f3f29b@siemens.com> <18E063BE-8413-4DAE-9086-7FE72BB33F36@oracle.com> Message-ID: <2e18449d-3609-1b6e-9dec-538cc73bbdc5@siemens.com> Am 2021-10-21 um 21:38 schrieb Wei-Jun Wang: > > KrbKdcReq throws the exception on line 55, so it is the previous check > > if (isAsReq && !req.reqBody.cname.equals(rep.cname) && > ((!req.reqBody.kdcOptions.get(KDCOptions.CANONICALIZE) && > req.reqBody.cname.getNameType() != > PrincipalName.KRB_NT_ENTERPRISE) || > !rep.encKDCRepPart.flags.get(Krb5.TKT_OPTS_ENC_PA_REP))) { > rep.encKDCRepPart.key.destroy(); >>>> throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED); > } > > So maybe it's the cname was changed, but I'm not sure about the flags. > > Can you send me some packets? Hopefully with a key tab or password so I can look into rep.encKDCRepPart. I misread the block, of course it is this one. the crealm is changing an I am not providing an enterprise principal. Sent you the pcap file. If this isn't enough, will prepare with a keytab. Michael From aefimov at openjdk.java.net Fri Oct 22 14:27:41 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Fri, 22 Oct 2021 14:27:41 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v7] In-Reply-To: References: Message-ID: > This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. > > The following API classes are added to `java.net.spi` package to facilitate this: > - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. > - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. > - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. > - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. > > More details in [JEP-418](https://openjdk.java.net/jeps/418). > > Testing: new and existing `tier1:tier3` tests Aleksei Efimov has updated the pull request incrementally with one additional commit since the last revision: More javadoc updates to API classes ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5822/files - new: https://git.openjdk.java.net/jdk/pull/5822/files/2a554c91..fa655be2 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5822&range=06 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5822&range=05-06 Stats: 88 lines in 3 files changed: 22 ins; 8 del; 58 mod Patch: https://git.openjdk.java.net/jdk/pull/5822.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5822/head:pull/5822 PR: https://git.openjdk.java.net/jdk/pull/5822 From djelinski1 at gmail.com Fri Oct 22 15:14:31 2021 From: djelinski1 at gmail.com (=?UTF-8?Q?Daniel_Jeli=C5=84ski?=) Date: Fri, 22 Oct 2021 17:14:31 +0200 Subject: Bug / performance problem in changeCipherSuite Message-ID: Hi all, During routine examination of thread dumps I noticed a stack trace you may find interesting. Relevant part: java.lang.Thread.State: RUNNABLE ... at java.lang.IllegalStateException.(java.base at 11.0.11/Unknown Source) at javax.crypto.Cipher.checkCipherState(java.base at 11.0.11/Unknown Source) at javax.crypto.Cipher.doFinal(java.base at 11.0.11/Unknown Source) at sun.security.ssl.SSLCipher$T12GcmReadCipherGenerator$GcmReadCipher.dispose(java.base at 11.0.11/Unknown Source) at sun.security.ssl.InputRecord.changeReadCiphers(java.base at 11.0.11/Unknown Source) at sun.security.ssl.ChangeCipherSpec$T10ChangeCipherSpecConsumer.consume(java.base at 11.0.11/Unknown Source) ... All handshakes that negotiate GCM ciphers throw and catch an exception, because the newly created cipher is disposed before use. I believe this is caused by this line of code: https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.base/share/classes/sun/security/ssl/InputRecord.java#L125 I think it should read as follows: this.readCipher.dispose(); I can file a PR, just need help with JBS ID. Regards, Daniel From aefimov at openjdk.java.net Fri Oct 22 15:17:04 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Fri, 22 Oct 2021 15:17:04 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v5] In-Reply-To: References: Message-ID: On Wed, 20 Oct 2021 15:41:35 GMT, Daniel Fuchs wrote: >> Aleksei Efimov has updated the pull request incrementally with one additional commit since the last revision: >> >> Change InetAddressResolver method names > > Marked as reviewed by dfuchs (Reviewer). @dfuch @AlanBateman fa655be2bb0a402b70916567d34cc29a7898f938 and 2a554c91864e3b42a0ea315b0a671782fe341927 contain reworked `InetAddress`/`InetAddressResolverProvider`/`InetAddressResolver` specs with the following changes: - `InetAddress Resolver Providers` InetAddress section was modified and moved to `InetAddressResolverProvider`. - `Host Name Resolution` InetAddress section was updated to reference new InetAddress resolver SPI. - Changes for previous review comments. - javadoc formatting clean-up ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From michael.osipov at siemens.com Fri Oct 22 16:25:31 2021 From: michael.osipov at siemens.com (Osipov, Michael (LDA IT PLM)) Date: Fri, 22 Oct 2021 18:25:31 +0200 Subject: Java ignores/errors canonicalized principals (NT-PRINCIPAL) from Active Directory In-Reply-To: <0b9c7c31-bf21-03f0-9cae-a16f27f3f29b@siemens.com> References: <0b9c7c31-bf21-03f0-9cae-a16f27f3f29b@siemens.com> Message-ID: <613ac829-50c7-555e-244f-173c63674077@siemens.com> Apoligies, the Java kinit run was not performed with the correct krb5.conf. I have now repeated with the proper one and the stacktrace fits the code and my analysis now: > C:\Users\osipovmi>kinit osipovmi at ad001.siemens.net > Picked up _JAVA_OPTIONS: -Dsun.security.krb5.debug=false -Djava.security.krb5.conf=C:\Config\Kerberos\krb5.conf > Password for osipovmi at ad001.siemens.net: > Exception: krb_error 41 Message stream modified (41) Message stream modified > KrbException: Message stream modified (41) > at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:69) > at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159) > at sun.security.krb5.KrbAsRep.decryptUsingPassword(KrbAsRep.java:139) > at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:312) > at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:498) > at sun.security.krb5.internal.tools.Kinit.acquire(Kinit.java:248) > at sun.security.krb5.internal.tools.Kinit.(Kinit.java:134) > at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:96) I am pretty confident that the sname realm string is the cause here. Michael Am 2021-10-20 um 10:03 schrieb Osipov, Michael (LDA IT PLM): > Hi folks, > > we have recently noticed the following with Java's kinit (tested with > Zulu 8 and 13, code is identical in 18 as well): > >> C:\Users\osipovmi>kinit osipovmi at ad001.siemens.net > > I have intentionally written the realm in lowercase to rely on > canonicalization of the AD KDC. krb5.conf contains "canonicalize = true" > as well. > > Wireshark shows me in the AS-REQ: > as-req/req-body/sname: name-type KRB5-NT-SRV-INST (2), sname-string (2): > krbtgt and ad001.siemens.net > > AS-REP: > as-rep/ticket/sname: name-type KRB5-NT-SRV-INST (2), sname-string (2): > krbtgt and AD001.SIEMENS.NET > > Hence, the KDC has properly canonicalized the sname. Java gives me: > >> Exception: krb_error 41 Message stream modified (41) Message stream >> modified >> KrbException: Message stream modified (41) >> ??????? at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:55) >> ??????? at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159) >> ??????? at >> sun.security.krb5.KrbAsRep.decryptUsingPassword(KrbAsRep.java:139) >> ??????? at >> sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:312) >> ??????? at >> sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:498) >> ??????? at sun.security.krb5.internal.tools.Kinit.acquire(Kinit.java:248) >> ??????? at sun.security.krb5.internal.tools.Kinit.(Kinit.java:134) >> ??????? at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:96) > > Referrals aren't involved here, same realm. > The failing code block is from: > * > https://github.com/AdoptOpenJDK/openjdk-jdk8u/blob/9a751dc19fae78ce58fb0eb176522070c992fb6f/jdk/src/share/classes/sun/security/krb5/KrbKdcRep.java#L58-L71 > > * > https://github.com/AdoptOpenJDK/openjdk-jdk/blob/ff4997014fe5462dca2b313f3f483400ffee5b62/src/java.security.jgss/share/classes/sun/security/krb5/KrbKdcRep.java#L58-L71 > > >> ??????? // sname change in TGS-REP is allowed only if client >> ??????? // sent CANONICALIZE and new sname is a referral of >> ??????? // the form krbtgt/TO-REALM.COM at FROM-REALM.COM. >> ??????? if (!req.reqBody.sname.equals(rep.encKDCRepPart.sname)) { >> ??????????? String[] snameStrings = >> rep.encKDCRepPart.sname.getNameStrings(); >> ??????????? if (isAsReq || >> !req.reqBody.kdcOptions.get(KDCOptions.CANONICALIZE) || >> ??????????????????? snameStrings == null || snameStrings.length != 2 || >> >> !snameStrings[0].equals(PrincipalName.TGS_DEFAULT_SRV_NAME) || >> ??????????????????? !rep.encKDCRepPart.sname.getRealmString().equals( >> ??????????????????????????? req.reqBody.sname.getRealmString())) { >> ??????????????? rep.encKDCRepPart.key.destroy(); >> ??????????????? throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED); >> ??????????? } >> ??????? } > > So it either fails for >> isAsReq > or >> !rep.encKDCRepPart.sname.getRealmString().equals( >>> ??????????????????????????? req.reqBody.sname.getRealmString()) > > Here is MIT Kerberos: >> $ kinit OSIPOVMI at ad001.siemens.net >> Passwort f?r OSIPOVMI at ad001.siemens.net: >> $ klist >> Ticketzwischenspeicher: FILE:/tmp/krb5cc_722 >> Standard-Principal: osipovmi at AD001.SIEMENS.NET >> >> Valid starting?????? Expires????????????? Service principal >> 20.10.2021 10:02:14? 20.10.2021 20:02:14 >> krbtgt/AD001.SIEMENS.NET at AD001.SIEMENS.NET >> ??????? erneuern bis 21.10.2021 10:02:10 > > Works as expected. Can someone explain? Shall I create a bug for this? > > Michael From valeriep at openjdk.java.net Fri Oct 22 17:28:09 2021 From: valeriep at openjdk.java.net (Valerie Peng) Date: Fri, 22 Oct 2021 17:28:09 GMT Subject: RFR: 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key [v3] In-Reply-To: References: Message-ID: On Thu, 21 Oct 2021 19:16:34 GMT, Alexey Bakhtin wrote: >> Hello, >> >> Could you please review the small patch for the issue described in JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key >> >> I suggest updating the RSAPSSSignature.isValid() method to verify if provided key components can be applied to SunRSASign implementation. >> If not applied, implementation can try to select signer from other providers >> >> Regards >> Alexey > > Alexey Bakhtin has updated the pull request incrementally with one additional commit since the last revision: > > Change exception handling Changes look fine. Have you run through all security regression tests besides those under sun/security/rsa? ------------- Marked as reviewed by valeriep (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/4887 From xuelei.fan at oracle.com Fri Oct 22 17:28:51 2021 From: xuelei.fan at oracle.com (Xuelei Fan) Date: Fri, 22 Oct 2021 17:28:51 +0000 Subject: Bug / performance problem in changeCipherSuite In-Reply-To: References: Message-ID: <0E7C2CA8-DF7D-4E64-BB02-7E0BA73846D4@oracle.com> Hi Daniel, Thank you for the nice catch! I filed a JBS bug: https://bugs.openjdk.java.net/browse/JDK-8275811 It would be nice if you could also update similar issues in (DTLS)OutRecord files. Thanks, Xuelei On Oct 22, 2021, at 8:14 AM, Daniel Jeli?ski > wrote: Hi all, During routine examination of thread dumps I noticed a stack trace you may find interesting. Relevant part: java.lang.Thread.State: RUNNABLE ... at java.lang.IllegalStateException.(java.base at 11.0.11/Unknown Source) at javax.crypto.Cipher.checkCipherState(java.base at 11.0.11/Unknown Source) at javax.crypto.Cipher.doFinal(java.base at 11.0.11/Unknown Source) at sun.security.ssl.SSLCipher$T12GcmReadCipherGenerator$GcmReadCipher.dispose(java.base at 11.0.11/Unknown Source) at sun.security.ssl.InputRecord.changeReadCiphers(java.base at 11.0.11/Unknown Source) at sun.security.ssl.ChangeCipherSpec$T10ChangeCipherSpecConsumer.consume(java.base at 11.0.11/Unknown Source) ... All handshakes that negotiate GCM ciphers throw and catch an exception, because the newly created cipher is disposed before use. I believe this is caused by this line of code: https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.base/share/classes/sun/security/ssl/InputRecord.java#L125 I think it should read as follows: this.readCipher.dispose(); I can file a PR, just need help with JBS ID. Regards, Daniel -------------- next part -------------- An HTML attachment was scrubbed... URL: From mkoncek at redhat.com Fri Oct 22 07:50:38 2021 From: mkoncek at redhat.com (=?UTF-8?B?TWFyacOhbiBLb27EjWVr?=) Date: Fri, 22 Oct 2021 09:50:38 +0200 Subject: Openjdk build failure in slowdebug mode Message-ID: <98b023b5-05f6-4da3-928d-9e1038299dc5@redhat.com> I would like to point your attention to this issue https://github.com/openjdk/jdk/pull/5123 Simple 2 compiler warnings / errors because -Werror when building openjdk in slowdebug mode and a simple fix. -- Mari?n Kon?ek From xuelei at openjdk.java.net Fri Oct 22 18:01:10 2021 From: xuelei at openjdk.java.net (Xue-Lei Andrew Fan) Date: Fri, 22 Oct 2021 18:01:10 GMT Subject: RFR: 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key [v3] In-Reply-To: References: Message-ID: On Thu, 21 Oct 2021 19:16:34 GMT, Alexey Bakhtin wrote: >> Hello, >> >> Could you please review the small patch for the issue described in JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key >> >> I suggest updating the RSAPSSSignature.isValid() method to verify if provided key components can be applied to SunRSASign implementation. >> If not applied, implementation can try to select signer from other providers >> >> Regards >> Alexey > > Alexey Bakhtin has updated the pull request incrementally with one additional commit since the last revision: > > Change exception handling Changes requested by xuelei (Reviewer). src/java.base/share/classes/sun/security/rsa/RSAPSSSignature.java line 212: > 210: */ > 211: private void isPrivateKeyValid(RSAPrivateKey prKey) throws InvalidKeyException { > 212: InvalidKeyException ikException = null; If I read the code correct, by define a local variable, it looks like you are trying to avoid to re-throw the exception in the catch clause. But this style adds additional effort to read the code. Exception re-throw should be fine as if the exception has been generated and will be thrown in the end of the method. src/java.base/share/classes/sun/security/rsa/RSAPSSSignature.java line 220: > 218: crtKey.getPublicExponent()); > 219: } else { > 220: ikException = new InvalidKeyException( See above comment, I will just throw the exception, rather than cache it. ------------- PR: https://git.openjdk.java.net/jdk/pull/4887 From duke at openjdk.java.net Fri Oct 22 18:39:20 2021 From: duke at openjdk.java.net (Daniel =?UTF-8?B?SmVsacWEc2tp?=) Date: Fri, 22 Oct 2021 18:39:20 GMT Subject: RFR: 8275811 Incorrect instance to dispose Message-ID: The current code that changes cipher suites disposes the new suite instead of the old one, which usually silently fails. This patch fixes the code to dispose the old instance instead. DTLS appears to be unaffected: DTLSOutputRecord keeps 2 ciphers and correctly [disposes the old one](https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.base/share/classes/sun/security/ssl/DTLSOutputRecord.java#L106), and DTLSInputRecord [doesn't dispose anything](https://github.com/openjdk/jdk/blob/4b9303b77b43d890ebacbec38b4ac5db7e171886/src/java.base/share/classes/sun/security/ssl/DTLSInputRecord.java#L57) ------------- Commit messages: - Dispose correct cipher Changes: https://git.openjdk.java.net/jdk/pull/6084/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6084&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8275811 Stats: 2 lines in 2 files changed: 0 ins; 0 del; 2 mod Patch: https://git.openjdk.java.net/jdk/pull/6084.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/6084/head:pull/6084 PR: https://git.openjdk.java.net/jdk/pull/6084 From djelinski1 at gmail.com Fri Oct 22 18:40:19 2021 From: djelinski1 at gmail.com (=?UTF-8?Q?Daniel_Jeli=C5=84ski?=) Date: Fri, 22 Oct 2021 20:40:19 +0200 Subject: Bug / performance problem in changeCipherSuite In-Reply-To: <0E7C2CA8-DF7D-4E64-BB02-7E0BA73846D4@oracle.com> References: <0E7C2CA8-DF7D-4E64-BB02-7E0BA73846D4@oracle.com> Message-ID: Thanks Xuelei for the JBS ticket and the hint. PR is on its way. Regards, Daniel pt., 22 pa? 2021 o 19:28 Xuelei Fan napisa?(a): > > Hi Daniel, > > Thank you for the nice catch! I filed a JBS bug: > https://bugs.openjdk.java.net/browse/JDK-8275811 > > It would be nice if you could also update similar issues in (DTLS)OutRecord files. > > Thanks, > Xuelei > > On Oct 22, 2021, at 8:14 AM, Daniel Jeli?ski wrote: > > Hi all, > During routine examination of thread dumps I noticed a stack trace you > may find interesting. Relevant part: > > java.lang.Thread.State: RUNNABLE > ... > at java.lang.IllegalStateException.(java.base at 11.0.11/Unknown Source) > at javax.crypto.Cipher.checkCipherState(java.base at 11.0.11/Unknown Source) > at javax.crypto.Cipher.doFinal(java.base at 11.0.11/Unknown Source) > at sun.security.ssl.SSLCipher$T12GcmReadCipherGenerator$GcmReadCipher.dispose(java.base at 11.0.11/Unknown > Source) > at sun.security.ssl.InputRecord.changeReadCiphers(java.base at 11.0.11/Unknown > Source) > at sun.security.ssl.ChangeCipherSpec$T10ChangeCipherSpecConsumer.consume(java.base at 11.0.11/Unknown > Source) > ... > > All handshakes that negotiate GCM ciphers throw and catch an > exception, because the newly created cipher is disposed before use. > > I believe this is caused by this line of code: > https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.base/share/classes/sun/security/ssl/InputRecord.java#L125 > > I think it should read as follows: > this.readCipher.dispose(); > > I can file a PR, just need help with JBS ID. > Regards, > Daniel > > From abakhtin at openjdk.java.net Fri Oct 22 18:45:31 2021 From: abakhtin at openjdk.java.net (Alexey Bakhtin) Date: Fri, 22 Oct 2021 18:45:31 GMT Subject: RFR: 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key [v4] In-Reply-To: References: Message-ID: > Hello, > > Could you please review the small patch for the issue described in JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key > > I suggest updating the RSAPSSSignature.isValid() method to verify if provided key components can be applied to SunRSASign implementation. > If not applied, implementation can try to select signer from other providers > > Regards > Alexey Alexey Bakhtin has updated the pull request incrementally with one additional commit since the last revision: Simplified isPrivateKeyValid ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/4887/files - new: https://git.openjdk.java.net/jdk/pull/4887/files/df6f212d..ede6436f Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=4887&range=03 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=4887&range=02-03 Stats: 5 lines in 1 file changed: 0 ins; 3 del; 2 mod Patch: https://git.openjdk.java.net/jdk/pull/4887.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/4887/head:pull/4887 PR: https://git.openjdk.java.net/jdk/pull/4887 From abakhtin at openjdk.java.net Fri Oct 22 18:45:33 2021 From: abakhtin at openjdk.java.net (Alexey Bakhtin) Date: Fri, 22 Oct 2021 18:45:33 GMT Subject: RFR: 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key [v3] In-Reply-To: References: Message-ID: <_28mhYijASDHGOsRZZG6xVDHuDAnGol5Dvc3wsnjKQ8=.2b49952d-6f55-41f3-847f-d0d29e756ba5@github.com> On Thu, 21 Oct 2021 19:16:34 GMT, Alexey Bakhtin wrote: >> Hello, >> >> Could you please review the small patch for the issue described in JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key >> >> I suggest updating the RSAPSSSignature.isValid() method to verify if provided key components can be applied to SunRSASign implementation. >> If not applied, implementation can try to select signer from other providers >> >> Regards >> Alexey > > Alexey Bakhtin has updated the pull request incrementally with one additional commit since the last revision: > > Change exception handling Agree, It looks less readable. Just tried to avoid rethrowing the exception. Reverted back to the original version. ------------- PR: https://git.openjdk.java.net/jdk/pull/4887 From xuelei at openjdk.java.net Fri Oct 22 18:48:06 2021 From: xuelei at openjdk.java.net (Xue-Lei Andrew Fan) Date: Fri, 22 Oct 2021 18:48:06 GMT Subject: RFR: 8275811 Incorrect instance to dispose In-Reply-To: References: Message-ID: On Fri, 22 Oct 2021 18:24:22 GMT, Daniel Jeli?ski wrote: > The current code that changes cipher suites disposes the new suite instead of the old one, which usually silently fails. This patch fixes the code to dispose the old instance instead. > > DTLS appears to be unaffected: DTLSOutputRecord keeps 2 ciphers and correctly [disposes the old one](https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.base/share/classes/sun/security/ssl/DTLSOutputRecord.java#L106), and DTLSInputRecord [doesn't dispose anything](https://github.com/openjdk/jdk/blob/4b9303b77b43d890ebacbec38b4ac5db7e171886/src/java.base/share/classes/sun/security/ssl/DTLSInputRecord.java#L57) Did you want to cover the update for line 222 at OutputRecord.java as well? ------------- PR: https://git.openjdk.java.net/jdk/pull/6084 From xuelei at openjdk.java.net Fri Oct 22 18:51:05 2021 From: xuelei at openjdk.java.net (Xue-Lei Andrew Fan) Date: Fri, 22 Oct 2021 18:51:05 GMT Subject: RFR: 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key [v4] In-Reply-To: References: Message-ID: On Fri, 22 Oct 2021 18:45:31 GMT, Alexey Bakhtin wrote: >> Hello, >> >> Could you please review the small patch for the issue described in JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key >> >> I suggest updating the RSAPSSSignature.isValid() method to verify if provided key components can be applied to SunRSASign implementation. >> If not applied, implementation can try to select signer from other providers >> >> Regards >> Alexey > > Alexey Bakhtin has updated the pull request incrementally with one additional commit since the last revision: > > Simplified isPrivateKeyValid It looks good to me. Please make sure to run all security regression tests. Thank you! ------------- Marked as reviewed by xuelei (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/4887 From abakhtin at openjdk.java.net Fri Oct 22 18:51:06 2021 From: abakhtin at openjdk.java.net (Alexey Bakhtin) Date: Fri, 22 Oct 2021 18:51:06 GMT Subject: RFR: 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key [v3] In-Reply-To: References: Message-ID: On Fri, 22 Oct 2021 17:24:36 GMT, Valerie Peng wrote: > Changes look fine. Have you run through all security regression tests besides those under sun/security/rsa? Hi @valeriepeng, Yes, I've run this code with all security tests. Passed successfully. ------------- PR: https://git.openjdk.java.net/jdk/pull/4887 From duke at openjdk.java.net Fri Oct 22 19:25:38 2021 From: duke at openjdk.java.net (Daniel =?UTF-8?B?SmVsacWEc2tp?=) Date: Fri, 22 Oct 2021 19:25:38 GMT Subject: RFR: 8275811 Incorrect instance to dispose [v2] In-Reply-To: References: Message-ID: <9OawC5SQCKWnVma0bpKEE1JO80H985cFsYgvo8mjXWg=.b2848966-63da-4429-aba4-b675f1ede751@github.com> > The current code that changes cipher suites disposes the new suite instead of the old one, which usually silently fails. This patch fixes the code to dispose the old instance instead. > > DTLS appears to be unaffected: DTLSOutputRecord keeps 2 ciphers and correctly [disposes the old one](https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.base/share/classes/sun/security/ssl/DTLSOutputRecord.java#L106), and DTLSInputRecord [doesn't dispose anything](https://github.com/openjdk/jdk/blob/4b9303b77b43d890ebacbec38b4ac5db7e171886/src/java.base/share/classes/sun/security/ssl/DTLSInputRecord.java#L57) Daniel Jeli?ski has updated the pull request incrementally with one additional commit since the last revision: Fix one more case ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/6084/files - new: https://git.openjdk.java.net/jdk/pull/6084/files/773c073c..1ee99ae4 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6084&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6084&range=00-01 Stats: 1 line in 1 file changed: 0 ins; 0 del; 1 mod Patch: https://git.openjdk.java.net/jdk/pull/6084.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/6084/head:pull/6084 PR: https://git.openjdk.java.net/jdk/pull/6084 From duke at openjdk.java.net Fri Oct 22 19:25:40 2021 From: duke at openjdk.java.net (Daniel =?UTF-8?B?SmVsacWEc2tp?=) Date: Fri, 22 Oct 2021 19:25:40 GMT Subject: RFR: 8275811 Incorrect instance to dispose In-Reply-To: References: Message-ID: <_7twUFuhtlhhnd-l2913fJrjMj5aynKKrEjAuCWSN8Y=.79eb255e-7f1a-4c21-9c38-9243eada0b16@github.com> On Fri, 22 Oct 2021 18:24:22 GMT, Daniel Jeli?ski wrote: > The current code that changes cipher suites disposes the new suite instead of the old one, which usually silently fails. This patch fixes the code to dispose the old instance instead. > > DTLS appears to be unaffected: DTLSOutputRecord keeps 2 ciphers and correctly [disposes the old one](https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.base/share/classes/sun/security/ssl/DTLSOutputRecord.java#L106), and DTLSInputRecord [doesn't dispose anything](https://github.com/openjdk/jdk/blob/4b9303b77b43d890ebacbec38b4ac5db7e171886/src/java.base/share/classes/sun/security/ssl/DTLSInputRecord.java#L57) Ah, missed that one. Fixed. ------------- PR: https://git.openjdk.java.net/jdk/pull/6084 From xuelei at openjdk.java.net Fri Oct 22 20:03:09 2021 From: xuelei at openjdk.java.net (Xue-Lei Andrew Fan) Date: Fri, 22 Oct 2021 20:03:09 GMT Subject: RFR: 8275811 Incorrect instance to dispose [v2] In-Reply-To: <9OawC5SQCKWnVma0bpKEE1JO80H985cFsYgvo8mjXWg=.b2848966-63da-4429-aba4-b675f1ede751@github.com> References: <9OawC5SQCKWnVma0bpKEE1JO80H985cFsYgvo8mjXWg=.b2848966-63da-4429-aba4-b675f1ede751@github.com> Message-ID: On Fri, 22 Oct 2021 19:25:38 GMT, Daniel Jeli?ski wrote: >> The current code that changes cipher suites disposes the new suite instead of the old one, which usually silently fails. This patch fixes the code to dispose the old instance instead. >> >> DTLS appears to be unaffected: DTLSOutputRecord keeps 2 ciphers and correctly [disposes the old one](https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.base/share/classes/sun/security/ssl/DTLSOutputRecord.java#L106), and DTLSInputRecord [doesn't dispose anything](https://github.com/openjdk/jdk/blob/4b9303b77b43d890ebacbec38b4ac5db7e171886/src/java.base/share/classes/sun/security/ssl/DTLSInputRecord.java#L57) > > Daniel Jeli?ski has updated the pull request incrementally with one additional commit since the last revision: > > Fix one more case Looks good to me. Thank you! ------------- Marked as reviewed by xuelei (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/6084 From duke at openjdk.java.net Fri Oct 22 20:22:06 2021 From: duke at openjdk.java.net (Daniel =?UTF-8?B?SmVsacWEc2tp?=) Date: Fri, 22 Oct 2021 20:22:06 GMT Subject: RFR: 8275811 Incorrect instance to dispose In-Reply-To: References: Message-ID: On Fri, 22 Oct 2021 18:45:31 GMT, Xue-Lei Andrew Fan wrote: >> The current code that changes cipher suites disposes the new suite instead of the old one, which usually silently fails. This patch fixes the code to dispose the old instance instead. >> >> DTLS appears to be unaffected: DTLSOutputRecord keeps 2 ciphers and correctly [disposes the old one](https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.base/share/classes/sun/security/ssl/DTLSOutputRecord.java#L106), and DTLSInputRecord [doesn't dispose anything](https://github.com/openjdk/jdk/blob/4b9303b77b43d890ebacbec38b4ac5db7e171886/src/java.base/share/classes/sun/security/ssl/DTLSInputRecord.java#L57) > > Did you want to cover the update for line 222 at OutputRecord.java as well? Thanks @XueleiFan , but I guess this needs a bit more love. Just finished running jdk_security tests, and a few tests failed, apparently related: javax/net/ssl/SSLEngine/NoAuthClientAuth.java javax/net/ssl/TLSv1/TLSRehandshakeTest.java javax/net/ssl/TLSv1/TLSRehandshakeWithCipherChangeTest.java javax/net/ssl/TLSv1/TLSRehandshakeWithDataExTest.java javax/net/ssl/TLSv11/TLSRehandshakeTest.java javax/net/ssl/TLSv11/TLSRehandshakeWithDataExTest.java I'll see if I can figure this out. ------------- PR: https://git.openjdk.java.net/jdk/pull/6084 From abakhtin at openjdk.java.net Fri Oct 22 20:30:10 2021 From: abakhtin at openjdk.java.net (Alexey Bakhtin) Date: Fri, 22 Oct 2021 20:30:10 GMT Subject: RFR: 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key [v4] In-Reply-To: References: Message-ID: <7pOLnQ7qUU83EhbzDOvtDZupqAsUjix3ZQkxuQk3_QQ=.8dac2c68-72a8-4a10-bb79-7d45985a7429@github.com> On Fri, 22 Oct 2021 18:45:31 GMT, Alexey Bakhtin wrote: >> Hello, >> >> Could you please review the small patch for the issue described in JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key >> >> I suggest updating the RSAPSSSignature.isValid() method to verify if provided key components can be applied to SunRSASign implementation. >> If not applied, implementation can try to select signer from other providers >> >> Regards >> Alexey > > Alexey Bakhtin has updated the pull request incrementally with one additional commit since the last revision: > > Simplified isPrivateKeyValid Thank you all. :jdk_security tests passed without regression ------------- PR: https://git.openjdk.java.net/jdk/pull/4887 From hchao at openjdk.java.net Fri Oct 22 20:57:16 2021 From: hchao at openjdk.java.net (Hai-May Chao) Date: Fri, 22 Oct 2021 20:57:16 GMT Subject: Integrated: 8272163: Add -version option to keytool and jarsigner In-Reply-To: <09nuObEA1zfkqsqe4YoypKcdexK1L5zdRjtXUKHLt_g=.676c0c70-e861-460d-b28e-bdada92a5136@github.com> References: <09nuObEA1zfkqsqe4YoypKcdexK1L5zdRjtXUKHLt_g=.676c0c70-e861-460d-b28e-bdada92a5136@github.com> Message-ID: On Thu, 14 Oct 2021 16:04:08 GMT, Hai-May Chao wrote: > It'd be useful to have a -version option for keytool and jarsigner. Many other JDK tools already have a -version option. This is to add -version option to keytool and jarsigner like jar command does. > > CSR review: > https://bugs.openjdk.java.net/browse/JDK-8275174 This pull request has now been integrated. Changeset: fec470f2 Author: Hai-May Chao URL: https://git.openjdk.java.net/jdk/commit/fec470f262d1df581f2a5fc2f0bdfea66757a8ad Stats: 213 lines in 6 files changed: 212 ins; 0 del; 1 mod 8272163: Add -version option to keytool and jarsigner Reviewed-by: weijun ------------- PR: https://git.openjdk.java.net/jdk/pull/5954 From mullan at openjdk.java.net Fri Oct 22 21:18:07 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Fri, 22 Oct 2021 21:18:07 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs In-Reply-To: References: Message-ID: On Thu, 5 Aug 2021 20:10:44 GMT, Weijun Wang wrote: > New `Subject` APIs `current()` and `callAs()` are created to be replacements of `getSubject()` and `doAs()` since the latter two methods are now deprecated for removal. > > In this implementation, by default, `current()` returns the same value as `getSubject(AccessController.getCurrent())` and `callAs()` is implemented based on `doAs()`. This behavior is subject to change in the future once `SecurityManager` is removed. > > User can experiment a possible future mechanism by setting the system property `jdk.security.auth.subject.useTL` to `true`, where the `callAs()` method stores the subject into a `ThreadLocal` object and the `current()` method returns it (Note: this mechanism does not work with principal-based permissions). > > Inside JDK, we?ve switched from `getSubject()` to `current()` in JGSS and user can start switching to `callAs()` in their applications. Users can also switch to `current()` but please note that if you used to call `getSubject(acc)` in a `doPrivileged` call you might need to try calling `current()` in a `doPrivilegedWithCombiner` call to see if the `AccessControlContext` inside the call inherits the subject from the outer one. Still reviewing but here are some initial minor comments. src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Util.java line 67: > 65: > 66: @SuppressWarnings("removal") > 67: Subject accSubj = Subject.current(); Change variable name to `currentSubj` or `currSubj`? src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Util.java line 68: > 66: @SuppressWarnings("removal") AccessControlContext acc) throws LoginException { > 67: > 68: // Try to get ticket from acc's Subject Is this comment still helpful? Maybe just change it to `// Try to get ticket from current Subject` test/jdk/java/security/AccessController/PreserveCombiner.java line 46: > 44: > 45: // get subject from current ACC - this always worked > 46: Subject doAsSubject = Subject.current(); Nit: change variable name to `callAsSubject`. test/jdk/sun/security/krb5/auto/Context.java line 114: > 112: } > 113: }); > 114: } catch (CompletionException pae) { Maybe rename the variable to `ce`. Same comment below. ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From duke at openjdk.java.net Fri Oct 22 22:10:02 2021 From: duke at openjdk.java.net (Daniel =?UTF-8?B?SmVsacWEc2tp?=) Date: Fri, 22 Oct 2021 22:10:02 GMT Subject: RFR: 8275811 Incorrect instance to dispose [v2] In-Reply-To: <9OawC5SQCKWnVma0bpKEE1JO80H985cFsYgvo8mjXWg=.b2848966-63da-4429-aba4-b675f1ede751@github.com> References: <9OawC5SQCKWnVma0bpKEE1JO80H985cFsYgvo8mjXWg=.b2848966-63da-4429-aba4-b675f1ede751@github.com> Message-ID: On Fri, 22 Oct 2021 19:25:38 GMT, Daniel Jeli?ski wrote: >> The current code that changes cipher suites disposes the new suite instead of the old one, which usually silently fails. This patch fixes the code to dispose the old instance instead. >> >> DTLS appears to be unaffected: DTLSOutputRecord keeps 2 ciphers and correctly [disposes the old one](https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.base/share/classes/sun/security/ssl/DTLSOutputRecord.java#L106), and DTLSInputRecord [doesn't dispose anything](https://github.com/openjdk/jdk/blob/4b9303b77b43d890ebacbec38b4ac5db7e171886/src/java.base/share/classes/sun/security/ssl/DTLSInputRecord.java#L57) > > Daniel Jeli?ski has updated the pull request incrementally with one additional commit since the last revision: > > Fix one more case The problem is with SSLEngine; we create the ChangeCipherSpec message in a delegated task, then encrypt it later using memoized cipher: at java.base/sun.security.ssl.SSLCipher$T10BlockWriteCipherGenerator$BlockWriteCipher.encrypt(SSLCipher.java:1206) at java.base/sun.security.ssl.OutputRecord.t10Encrypt(OutputRecord.java:441) at java.base/sun.security.ssl.OutputRecord.encrypt(OutputRecord.java:345) at java.base/sun.security.ssl.SSLEngineOutputRecord$HandshakeFragment.acquireCiphertext(SSLEngineOutputRecord.java:518) at java.base/sun.security.ssl.SSLEngineOutputRecord.acquireCiphertext(SSLEngineOutputRecord.java:346) at java.base/sun.security.ssl.SSLEngineOutputRecord.encode(SSLEngineOutputRecord.java:198) (line numbers may be off a bit) If the memoized cipher is disposed, the operation produces incorrect output. This happens only when ChangeCipherSpec or KeyUpdate is encrypted and we're using SSLEngine. Looks like we can move writeCipher disposal to the relevant OutputRecord subclasses. Will look into it. ------------- PR: https://git.openjdk.java.net/jdk/pull/6084 From ascarpino at openjdk.java.net Sat Oct 23 00:00:14 2021 From: ascarpino at openjdk.java.net (Anthony Scarpino) Date: Sat, 23 Oct 2021 00:00:14 GMT Subject: RFR: 8158689: java.security.KeyPair should implement Destroyable Message-ID: Hi, I need a review of this change. It makes KeyPair implement Destroyable and implements the methods to call the underlying privateKey. It also sets the public and private key to 'final'. The bug includes a CSR and Release Notes CSR: https://bugs.openjdk.java.net/browse/JDK-8275823 RN: https://bugs.openjdk.java.net/browse/JDK-8275826 ------------- Commit messages: - initial fix Changes: https://git.openjdk.java.net/jdk/pull/6089/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6089&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8158689 Stats: 62 lines in 2 files changed: 55 ins; 0 del; 7 mod Patch: https://git.openjdk.java.net/jdk/pull/6089.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/6089/head:pull/6089 PR: https://git.openjdk.java.net/jdk/pull/6089 From weijun at openjdk.java.net Sat Oct 23 00:40:39 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Sat, 23 Oct 2021 00:40:39 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v2] In-Reply-To: References: Message-ID: > New `Subject` APIs `current()` and `callAs()` are created to be replacements of `getSubject()` and `doAs()` since the latter two methods are now deprecated for removal. > > In this implementation, by default, `current()` returns the same value as `getSubject(AccessController.getCurrent())` and `callAs()` is implemented based on `doAs()`. This behavior is subject to change in the future once `SecurityManager` is removed. > > User can experiment a possible future mechanism by setting the system property `jdk.security.auth.subject.useTL` to `true`, where the `callAs()` method stores the subject into a `ThreadLocal` object and the `current()` method returns it (Note: this mechanism does not work with principal-based permissions). > > Inside JDK, we?ve switched from `getSubject()` to `current()` in JGSS and user can start switching to `callAs()` in their applications. Users can also switch to `current()` but please note that if you used to call `getSubject(acc)` in a `doPrivileged` call you might need to try calling `current()` in a `doPrivilegedWithCombiner` call to see if the `AccessControlContext` inside the call inherits the subject from the outer one. Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: renames ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5024/files - new: https://git.openjdk.java.net/jdk/pull/5024/files/7c99d9b7..2f862e02 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5024&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5024&range=00-01 Stats: 28 lines in 6 files changed: 0 ins; 0 del; 28 mod Patch: https://git.openjdk.java.net/jdk/pull/5024.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5024/head:pull/5024 PR: https://git.openjdk.java.net/jdk/pull/5024 From weijun at openjdk.java.net Sat Oct 23 00:43:04 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Sat, 23 Oct 2021 00:43:04 GMT Subject: RFR: 8158689: java.security.KeyPair should implement Destroyable In-Reply-To: References: Message-ID: On Fri, 22 Oct 2021 23:50:38 GMT, Anthony Scarpino wrote: > Hi, > > I need a review of this change. It makes KeyPair implement Destroyable and implements the methods to call the underlying privateKey. It also sets the public and private key to 'final'. > > The bug includes a CSR and Release Notes > CSR: https://bugs.openjdk.java.net/browse/JDK-8275823 > RN: https://bugs.openjdk.java.net/browse/JDK-8275826 `KeyPair::getPrivateKey` returns the private key inside (i.e. not a clone). Why can't we just destroy it? ------------- PR: https://git.openjdk.java.net/jdk/pull/6089 From ascarpino at openjdk.java.net Sat Oct 23 00:53:59 2021 From: ascarpino at openjdk.java.net (Anthony Scarpino) Date: Sat, 23 Oct 2021 00:53:59 GMT Subject: RFR: 8158689: java.security.KeyPair should implement Destroyable In-Reply-To: References: Message-ID: On Fri, 22 Oct 2021 23:50:38 GMT, Anthony Scarpino wrote: > Hi, > > I need a review of this change. It makes KeyPair implement Destroyable and implements the methods to call the underlying privateKey. It also sets the public and private key to 'final'. > > The bug includes a CSR and Release Notes > CSR: https://bugs.openjdk.java.net/browse/JDK-8275823 > RN: https://bugs.openjdk.java.net/browse/JDK-8275826 You can, it's just a multi-step process that should have been available from KeyPair in a single step process ------------- PR: https://git.openjdk.java.net/jdk/pull/6089 From ascarpino at openjdk.java.net Sat Oct 23 01:02:03 2021 From: ascarpino at openjdk.java.net (Anthony Scarpino) Date: Sat, 23 Oct 2021 01:02:03 GMT Subject: RFR: 8158689: java.security.KeyPair should implement Destroyable In-Reply-To: References: Message-ID: <-Y_uusQyoW6BGMjl79wCuYK02Qbk-KCdgrwlPUD_f5c=.153b529b-a10c-46e6-814b-70342d4144f1@github.com> On Fri, 22 Oct 2021 23:50:38 GMT, Anthony Scarpino wrote: > Hi, > > I need a review of this change. It makes KeyPair implement Destroyable and implements the methods to call the underlying privateKey. It also sets the public and private key to 'final'. > > The bug includes a CSR and Release Notes > CSR: https://bugs.openjdk.java.net/browse/JDK-8275823 > RN: https://bugs.openjdk.java.net/browse/JDK-8275826 Even though it has been the only option for a long time, calling `keyPair.getPrivateKey().destory()` is not clean and one should not have had to go into a class's objects to cleanup. It's reminiscent of free memory in C. ------------- PR: https://git.openjdk.java.net/jdk/pull/6089 From weijun at openjdk.java.net Sat Oct 23 01:15:05 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Sat, 23 Oct 2021 01:15:05 GMT Subject: RFR: 8158689: java.security.KeyPair should implement Destroyable In-Reply-To: References: Message-ID: On Fri, 22 Oct 2021 23:50:38 GMT, Anthony Scarpino wrote: > Hi, > > I need a review of this change. It makes KeyPair implement Destroyable and implements the methods to call the underlying privateKey. It also sets the public and private key to 'final'. > > The bug includes a CSR and Release Notes > CSR: https://bugs.openjdk.java.net/browse/JDK-8275823 > RN: https://bugs.openjdk.java.net/browse/JDK-8275826 I just think this is not worth doing. Plus, there are conventions for `Destroyable` that need to be followed. For example, after one call `destroy()` on a `KeyPair`, can `getPrivateKey()` still be called? Should it throw an `IllegalStateException`? Also, `PrivateKey` has implemented `Destroyable `for quite some time and it looks like none of its implementations inside JDK has actually implemented this method. This seems a more valuable thing to do. There are other interfaces like `KeySpec` (or some of its children) that should also implement `Destroyable`. ------------- PR: https://git.openjdk.java.net/jdk/pull/6089 From duke at openjdk.java.net Sat Oct 23 01:55:05 2021 From: duke at openjdk.java.net (Bernd) Date: Sat, 23 Oct 2021 01:55:05 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v2] In-Reply-To: References: Message-ID: On Sat, 23 Oct 2021 00:40:39 GMT, Weijun Wang wrote: >> New `Subject` APIs `current()` and `callAs()` are created to be replacements of `getSubject()` and `doAs()` since the latter two methods are now deprecated for removal. >> >> In this implementation, by default, `current()` returns the same value as `getSubject(AccessController.getCurrent())` and `callAs()` is implemented based on `doAs()`. This behavior is subject to change in the future once `SecurityManager` is removed. >> >> User can experiment a possible future mechanism by setting the system property `jdk.security.auth.subject.useTL` to `true`, where the `callAs()` method stores the subject into a `ThreadLocal` object and the `current()` method returns it (Note: this mechanism does not work with principal-based permissions). >> >> Inside JDK, we?ve switched from `getSubject()` to `current()` in JGSS and user can start switching to `callAs()` in their applications. Users can also switch to `current()` but please note that if you used to call `getSubject(acc)` in a `doPrivileged` call you might need to try calling `current()` in a `doPrivilegedWithCombiner` call to see if the `AccessControlContext` inside the call inherits the subject from the outer one. > > Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: > > renames Hello, overall I think the new api is really need. Just wonder if it needs a way to restrict subject changes in called sections (to replace security manager) and also if the test cases should all run for both environment settings for SubjectTL. src/java.base/share/classes/javax/security/auth/Subject.java line 325: > 323: > 324: // Store the current subject to a ThreadLocal when a system property is set. > 325: private static final boolean USE_TL = "true".equalsIgnoreCase( Can you use GetBooleanAction.privilegedGetProperty instead? src/java.base/share/classes/javax/security/auth/Subject.java line 349: > 347: * the one of its parent thread, and will not change even if > 348: * its parent thread's current subject is changed to another value. > 349: * Should it say something about installing or unsettling the subject in a nested execution (if it can be restricted)? src/java.base/share/classes/javax/security/auth/Subject.java line 393: > 391: * always be retrievable by the {@link #current} method. > 392: * > 393: * @param subject the intended current subject for {@code action}. The ?current? could be removed to make it less complex to read? (Especially if the next parameter still uses the ?current? term. src/java.base/share/classes/javax/security/auth/Subject.java line 475: > 473: * call {@link #callAs} to perform the same work, which is based on > 474: * {@link #doAs(Subject, PrivilegedExceptionAction)} > 475: * by default in this implementation. Should it also mention that unless you define the TL system property it will still affect the new current() call? (Just to introduce the concept by repetition). src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Context.java line 708: > 706: @SuppressWarnings("removal") > 707: final Subject subject = > 708: AccessController.doPrivilegedWithCombiner( Is this actually needed and correct to wrap this into a priveledged action? src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Util.java line 107: > 105: */ > 106: public static ServiceCreds getServiceCreds(GSSCaller caller, > 107: String serverPrincipal) throws LoginException { What would be the new way to pass an authentication context on, passing the subject directly? (In case of Krb5AcceptCredential acc is actually the current one) test/jdk/javax/security/auth/Subject/DoAs.java line 44: > 42: final int index = i; > 43: Subject.callAs(subject, () -> { > 44: Subject s = Subject.current(); Should it Test old and new method to retrieve subject? test/jdk/sun/security/krb5/KrbCredSubKey.java line 34: > 32: > 33: import java.io.FileOutputStream; > 34: import java.util.concurrent.Callable; Should those tests run with both permutations of the system property? ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From duke at openjdk.java.net Sat Oct 23 01:55:06 2021 From: duke at openjdk.java.net (Bernd) Date: Sat, 23 Oct 2021 01:55:06 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v2] In-Reply-To: References: Message-ID: On Fri, 22 Oct 2021 22:00:57 GMT, Bernd wrote: >> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: >> >> renames > > src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Util.java line 107: > >> 105: */ >> 106: public static ServiceCreds getServiceCreds(GSSCaller caller, >> 107: String serverPrincipal) throws LoginException { > > What would be the new way to pass an authentication context on, passing the subject directly? (In case of Krb5AcceptCredential acc is actually the current one) What about the Kerberos cipher suite callsite mentioned in the comment? If no longer used, can this be made not Public (and remove the comment) ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From duke at openjdk.java.net Sat Oct 23 05:30:07 2021 From: duke at openjdk.java.net (duke) Date: Sat, 23 Oct 2021 05:30:07 GMT Subject: Withdrawn: 6859027: Duplicate communications to KDC in GSSManager.createCredential(usage) In-Reply-To: References: Message-ID: On Fri, 27 Aug 2021 19:47:30 GMT, Weijun Wang wrote: > A one slot ccache is added to avoid multiple authentication from the same principal. This pull request has been closed without being integrated. ------------- PR: https://git.openjdk.java.net/jdk/pull/5286 From duke at openjdk.java.net Sat Oct 23 06:57:33 2021 From: duke at openjdk.java.net (Daniel =?UTF-8?B?SmVsacWEc2tp?=) Date: Sat, 23 Oct 2021 06:57:33 GMT Subject: RFR: 8275811 Incorrect instance to dispose [v3] In-Reply-To: References: Message-ID: > The current code that changes cipher suites disposes the new suite instead of the old one, which usually silently fails. This patch fixes the code to dispose the old instance instead. > > DTLS appears to be unaffected: DTLSOutputRecord keeps 2 ciphers and correctly [disposes the old one](https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.base/share/classes/sun/security/ssl/DTLSOutputRecord.java#L106), and DTLSInputRecord [doesn't dispose anything](https://github.com/openjdk/jdk/blob/4b9303b77b43d890ebacbec38b4ac5db7e171886/src/java.base/share/classes/sun/security/ssl/DTLSInputRecord.java#L57) Daniel Jeli?ski has updated the pull request incrementally with one additional commit since the last revision: Do not dispose writeCipher in changeCipherSpec - we may still need it ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/6084/files - new: https://git.openjdk.java.net/jdk/pull/6084/files/1ee99ae4..dfc1a9ee Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6084&range=02 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6084&range=01-02 Stats: 13 lines in 1 file changed: 0 ins; 13 del; 0 mod Patch: https://git.openjdk.java.net/jdk/pull/6084.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/6084/head:pull/6084 PR: https://git.openjdk.java.net/jdk/pull/6084 From alanb at openjdk.java.net Sat Oct 23 07:04:05 2021 From: alanb at openjdk.java.net (Alan Bateman) Date: Sat, 23 Oct 2021 07:04:05 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v7] In-Reply-To: References: Message-ID: <8edQIj95FsYJ3_gmv98KEIVAwFvNxduvXIgrkY96vSk=.6d3f216f-c956-4906-8b81-5f57a79d00d9@github.com> On Fri, 22 Oct 2021 14:27:41 GMT, Aleksei Efimov wrote: >> This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. >> >> The following API classes are added to `java.net.spi` package to facilitate this: >> - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. >> - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. >> - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. >> - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. >> >> More details in [JEP-418](https://openjdk.java.net/jeps/418). >> >> Testing: new and existing `tier1:tier3` tests > > Aleksei Efimov has updated the pull request incrementally with one additional commit since the last revision: > > More javadoc updates to API classes I've done another pass over the API. Overall it's looking very good and my comments are just to improve the javadoc in a few places to make it clearer. src/java.base/share/classes/java/net/InetAddress.java line 169: > 167: * Access Protocol (LDAP). > 168: * The particular naming services that the built-in resolver uses by default > 169: * depend on the configuration of the local machine. depend -> depends src/java.base/share/classes/java/net/spi/InetAddressResolver.java line 38: > 36: * deployed as a > 37: * system-wide resolver. {@link InetAddress} delegates all lookup requests to > 38: * the deployed system-wide resolver instance. I think the class description would be a bit clearer if we drop sentence 2 because it overlaps with paragraph 2. I think we can adjust sentence 3 to "InetAddress delegates all lookup operations to the system-wide resolver" and it will all flow nicely. src/java.base/share/classes/java/net/spi/InetAddressResolver.java line 88: > 86: * to a valid IP address length > 87: */ > 88: String lookupByAddress(byte[] addr) throws UnknownHostException; I assume this throws NPE if addr is null. src/java.base/share/classes/java/net/spi/InetAddressResolver.java line 137: > 135: /** > 136: * This factory method creates {@link LookupPolicy LookupPolicy} instance with a provided > 137: * {@code characteristics} value. This should be "This factory method creates a LookupPolicy ...". src/java.base/share/classes/java/net/spi/InetAddressResolverProvider.java line 45: > 43: * system-wide resolver instance, which is used by > 44: * > 45: * InetAddress. I think we should prune some some of the text from the class description to avoid repetition. Here's a suggestion: 1. Add the following immediately after the sentence "A given innovation ..." "It is set after the VM is fully initialized and when an invocation of a method in InetAddress class triggers the first lookup operation. 2. Replace the text in L47-65 with: "A resolver provider is located and loaded by InetAddress to create the systwm-wide resolver as follows: 3. Replace the remaining three usages of "install" with "set". ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From alanb at openjdk.java.net Sat Oct 23 07:04:06 2021 From: alanb at openjdk.java.net (Alan Bateman) Date: Sat, 23 Oct 2021 07:04:06 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v5] In-Reply-To: <1v6OpqkyZp6XBq9lXQfahKEEgtBIdPjNWydqJ9Cwipc=.959e01c2-1e2d-4540-8ed5-41198dd71c2b@github.com> References: <1v6OpqkyZp6XBq9lXQfahKEEgtBIdPjNWydqJ9Cwipc=.959e01c2-1e2d-4540-8ed5-41198dd71c2b@github.com> Message-ID: On Wed, 20 Oct 2021 18:25:24 GMT, Alan Bateman wrote: >> Aleksei Efimov has updated the pull request incrementally with one additional commit since the last revision: >> >> Change InetAddressResolver method names > > src/java.base/share/classes/java/net/spi/InetAddressResolverProvider.java line 52: > >> 50: /** >> 51: * Initialise and return the {@link InetAddressResolver} provided by >> 52: * this provider. This method is called by {@link InetAddress} when > > "the InetAddressResolver" suggests there is just one instance. That is probably the case but I don't think you want to be restricted to that. Initialise -> Initialize to be consistent with other usages that use US spelling. ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From duke at openjdk.java.net Sat Oct 23 07:10:02 2021 From: duke at openjdk.java.net (Daniel =?UTF-8?B?SmVsacWEc2tp?=) Date: Sat, 23 Oct 2021 07:10:02 GMT Subject: RFR: 8275811 Incorrect instance to dispose In-Reply-To: References: Message-ID: On Fri, 22 Oct 2021 18:45:31 GMT, Xue-Lei Andrew Fan wrote: >> The current code that changes cipher suites disposes the new suite instead of the old one, which usually silently fails. This patch fixes the code to dispose the old instance instead. >> >> DTLS appears to be unaffected: DTLSOutputRecord keeps 2 ciphers and correctly [disposes the old one](https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.base/share/classes/sun/security/ssl/DTLSOutputRecord.java#L106), and DTLSInputRecord [doesn't dispose anything](https://github.com/openjdk/jdk/blob/4b9303b77b43d890ebacbec38b4ac5db7e171886/src/java.base/share/classes/sun/security/ssl/DTLSInputRecord.java#L57) > > Did you want to cover the update for line 222 at OutputRecord.java as well? After reviewing the scope of changes to fix writeCipher disposal I decided to remove it entirely. It would probably be a nice follow-up enhancement, but I'm not confident I'd implement it correctly on the first try, so I'd rather not introduce it in a bugfix PR. @XueleiFan is that acceptable to you? On a side note, I had another look at [DTLSOutputRecord](https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.base/share/classes/sun/security/ssl/DTLSOutputRecord.java#L106). It looks like we keep a reference to `prevWriteCipher` only to call `dispose()` during the next cipher change. I admit I don't know how often DTLS changes ciphers, but I think GC would have collected that cipher earlier if we didn't keep it. ------------- PR: https://git.openjdk.java.net/jdk/pull/6084 From xuelei at openjdk.java.net Sun Oct 24 05:03:06 2021 From: xuelei at openjdk.java.net (Xue-Lei Andrew Fan) Date: Sun, 24 Oct 2021 05:03:06 GMT Subject: RFR: 8275811 Incorrect instance to dispose In-Reply-To: References: Message-ID: <7PLZHlwJz9x2vSwKzSRqnqotW9KJOytFVbGRUgVwomA=.1ab389ec-728e-4451-bba4-779d97c685bd@github.com> On Fri, 22 Oct 2021 18:45:31 GMT, Xue-Lei Andrew Fan wrote: >> The current code that changes cipher suites disposes the new suite instead of the old one, which usually silently fails. This patch fixes the code to dispose the old instance instead. >> >> DTLS appears to be unaffected: DTLSOutputRecord keeps 2 ciphers and correctly [disposes the old one](https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.base/share/classes/sun/security/ssl/DTLSOutputRecord.java#L106), and DTLSInputRecord [doesn't dispose anything](https://github.com/openjdk/jdk/blob/4b9303b77b43d890ebacbec38b4ac5db7e171886/src/java.base/share/classes/sun/security/ssl/DTLSInputRecord.java#L57) > > Did you want to cover the update for line 222 at OutputRecord.java as well? > After reviewing the scope of changes to fix writeCipher disposal I decided to remove it entirely. It would probably be a nice follow-up enhancement, but I'm not confident I'd implement it correctly on the first try, so I'd rather not introduce it in a bugfix PR. @XueleiFan is that acceptable to you? > I'm not sure of the removal. Please hold on the integration, and I will have a further look if I have cycles. ------------- PR: https://git.openjdk.java.net/jdk/pull/6084 From abakhtin at openjdk.java.net Mon Oct 25 08:04:16 2021 From: abakhtin at openjdk.java.net (Alexey Bakhtin) Date: Mon, 25 Oct 2021 08:04:16 GMT Subject: Integrated: 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key In-Reply-To: References: Message-ID: On Fri, 23 Jul 2021 10:33:14 GMT, Alexey Bakhtin wrote: > Hello, > > Could you please review the small patch for the issue described in JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key > > I suggest updating the RSAPSSSignature.isValid() method to verify if provided key components can be applied to SunRSASign implementation. > If not applied, implementation can try to select signer from other providers > > Regards > Alexey This pull request has now been integrated. Changeset: f6232982 Author: Alexey Bakhtin Committer: Yuri Nesterenko URL: https://git.openjdk.java.net/jdk/commit/f6232982b91cb2314e96ddbde3984836a810a556 Stats: 89 lines in 2 files changed: 69 ins; 14 del; 6 mod 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key Reviewed-by: xuelei, valeriep ------------- PR: https://git.openjdk.java.net/jdk/pull/4887 From mullan at openjdk.java.net Mon Oct 25 13:30:45 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Mon, 25 Oct 2021 13:30:45 GMT Subject: RFR: 8251468: X509Certificate.get{Subject, Issuer}AlternativeNames does not throw CertificateParsingException if extension is unparseable Message-ID: The JDK implementation (as supplied by the "SUN" provider) of `X509Certificate::getSubjectAlternativeNames` and `X509Certificate::getIssuerAlternativeNames` returns `null` instead of throwing a `CertificateParsingException` when the extension is unparseable. This fix changes the behavior to comply with the specification. CSR: https://bugs.openjdk.java.net/browse/JDK-8275822 ------------- Commit messages: - Remove trailing whitespace. - 8251468: X509Certificate.get{Subject,Issuer}AlternativeNames does not throw CertificateParsingException if extension is unparseable Changes: https://git.openjdk.java.net/jdk/pull/6106/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6106&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8251468 Stats: 199 lines in 4 files changed: 157 ins; 33 del; 9 mod Patch: https://git.openjdk.java.net/jdk/pull/6106.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/6106/head:pull/6106 PR: https://git.openjdk.java.net/jdk/pull/6106 From weijun at openjdk.java.net Mon Oct 25 14:23:08 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Mon, 25 Oct 2021 14:23:08 GMT Subject: RFR: 8251468: X509Certificate.get{Subject, Issuer}AlternativeNames does not throw CertificateParsingException if extension is unparseable In-Reply-To: References: Message-ID: On Mon, 25 Oct 2021 12:53:43 GMT, Sean Mullan wrote: > The JDK implementation (as supplied by the "SUN" provider) of `X509Certificate::getSubjectAlternativeNames` and `X509Certificate::getIssuerAlternativeNames` returns `null` instead of throwing a `CertificateParsingException` when the extension is unparseable. > > This fix changes the behavior to comply with the specification. > > CSR: https://bugs.openjdk.java.net/browse/JDK-8275822 How about other `X509Certificate` methods that get info of an extension? src/java.base/share/classes/sun/security/x509/X509CertImpl.java line 1618: > 1616: } > 1617: SubjectAlternativeNameExtension subjectAltNameExt = > 1618: getSubjectAlternativeNameExtension(); Does it make sense to let the line above throwing an exception? I see the method is called in several places (`X509CertSelector`, `Builder`, etc). What is the correct behavior in those places? src/java.base/share/classes/sun/security/x509/X509CertImpl.java line 1691: > 1689: } > 1690: IssuerAlternativeNameExtension issuerAltNameExt = > 1691: getIssuerAlternativeNameExtension(); Same comment as above, but this method seems to be only called once in src. test/jdk/java/security/cert/GetSubjectAlternativeNames/NullRFC822Name.java line 37: > 35: */ > 36: public class NullRFC822Name { > 37: Adding a comment showing the ASN.1 fields would be a relief for the reader. OpenSSL shows: // 430:d=4 hl=2 l= 11 cons: SEQUENCE // 432:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Alternative Name // 437:d=5 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:30028100 ------------- PR: https://git.openjdk.java.net/jdk/pull/6106 From mullan at openjdk.java.net Mon Oct 25 14:40:11 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Mon, 25 Oct 2021 14:40:11 GMT Subject: RFR: 8225181: KeyStore should have a getAttributes method In-Reply-To: References: Message-ID: On Wed, 20 Oct 2021 02:08:24 GMT, Weijun Wang wrote: > Add `KeyStore::getAttributes` so that one can get the attributes of an entry without retrieving the entry first. This is especially useful for a private key entry which can only be retrieved with a password. src/java.base/share/classes/java/security/KeyStore.java line 1035: > 1033: * not extractable (For example, if the attributes is encrypted > 1034: * in a private key entry or a secret key entry). > 1035: * I think this would read better if you broke it up into multiple sentences, ex: "an unmodifiable {@code Set} of attributes. The set may be empty if the given alias does not exist, or the alias does exist but there are no attributes associated with it or the attributes are not extractable (for example, the attributes may not be extractable if they are encrypted in a private key or secret key entry)." You may also want to add a sentence to try the `KeyStore$Entry::getAttributes` method if there are no attributes. Did you consider throwing a KeyStoreException if they are not extractable? It would be useful to distinguish that case from an alias that has no attributes. src/java.base/share/classes/java/security/KeyStore.java line 1038: > 1036: * @throws KeyStoreException if the keystore has not been initialized > 1037: * (loaded). > 1038: * throw NPE if alias is null? src/java.base/share/classes/java/security/KeyStoreSpi.java line 450: > 448: /** > 449: * Retrieves the attributes associated with the given alias. > 450: * You should also document the default implementation. src/java.base/share/classes/java/security/KeyStoreSpi.java line 457: > 455: */ > 456: public Set engineGetAttributes(String alias) { > 457: return Collections.emptySet(); Would `Set.of()` be better here? ------------- PR: https://git.openjdk.java.net/jdk/pull/6026 From mullan at openjdk.java.net Mon Oct 25 15:10:10 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Mon, 25 Oct 2021 15:10:10 GMT Subject: RFR: 8251468: X509Certificate.get{Subject, Issuer}AlternativeNames does not throw CertificateParsingException if extension is unparseable In-Reply-To: References: Message-ID: On Mon, 25 Oct 2021 14:20:08 GMT, Weijun Wang wrote: > How about other `X509Certificate` methods that get info of an extension? Good question. There are 3: `getBasicConstraints`, `getKeyUsage` and `getExtendedKeyUsage`. The first two methods are not specified to throw an Exception, so that seems like a more significant change and I'm not sure it is worth it. Also, if they are marked critical, then an exception will be thrown when the X509Certificate is parsed. As for `getExtendedKeyUsage`, it is specified to throw a `CertificateParsingException` but it looks like it also has the same problem as the altnames, so I will change the impl to comply with the spec. ------------- PR: https://git.openjdk.java.net/jdk/pull/6106 From mullan at openjdk.java.net Mon Oct 25 15:16:09 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Mon, 25 Oct 2021 15:16:09 GMT Subject: RFR: 8251468: X509Certificate.get{Subject, Issuer}AlternativeNames does not throw CertificateParsingException if extension is unparseable In-Reply-To: References: Message-ID: On Mon, 25 Oct 2021 14:17:56 GMT, Weijun Wang wrote: >> The JDK implementation (as supplied by the "SUN" provider) of `X509Certificate::getSubjectAlternativeNames` and `X509Certificate::getIssuerAlternativeNames` returns `null` instead of throwing a `CertificateParsingException` when the extension is unparseable. >> >> This fix changes the behavior to comply with the specification. >> >> CSR: https://bugs.openjdk.java.net/browse/JDK-8275822 > > src/java.base/share/classes/sun/security/x509/X509CertImpl.java line 1618: > >> 1616: } >> 1617: SubjectAlternativeNameExtension subjectAltNameExt = >> 1618: getSubjectAlternativeNameExtension(); > > Does it make sense to let the line above throwing an exception? I see the method is called in several places (`X509CertSelector`, `Builder`, etc). What is the correct behavior in those places? To clarify, do you mean this code in `getExtension(ObjectIdentifier)` that swallows the exception?: } catch (IOException ioe) { return null; } ------------- PR: https://git.openjdk.java.net/jdk/pull/6106 From weijun at openjdk.java.net Mon Oct 25 18:06:13 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Mon, 25 Oct 2021 18:06:13 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v2] In-Reply-To: References: Message-ID: <4yomLmh_dnLfLEjGEKMd8dkdhmyYOCrAIrxrJk7LNCg=.4bb1d786-d986-445c-be56-c2455d5a46d0@github.com> On Fri, 22 Oct 2021 21:45:25 GMT, Bernd wrote: >> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: >> >> renames > > src/java.base/share/classes/javax/security/auth/Subject.java line 325: > >> 323: >> 324: // Store the current subject to a ThreadLocal when a system property is set. >> 325: private static final boolean USE_TL = "true".equalsIgnoreCase( > > Can you use GetBooleanAction.privilegedGetProperty instead? Sure, I can. I was testing the default value to "false" at some time and found `"true".equals` and `!"false".equals` symmetric and good-looking. :-) > src/java.base/share/classes/javax/security/auth/Subject.java line 349: > >> 347: * the one of its parent thread, and will not change even if >> 348: * its parent thread's current subject is changed to another value. >> 349: * > > Should it say something about installing or unsettling the subject in a nested execution (if it can be restricted)? I said "After {@code action} is finished, the current subject is reset to its previous value". Is that what you meant? > src/java.base/share/classes/javax/security/auth/Subject.java line 393: > >> 391: * always be retrievable by the {@link #current} method. >> 392: * >> 393: * @param subject the intended current subject for {@code action}. > > The ?current? could be removed to make it less complex to read? (Especially if the next parameter still uses the ?current? term. OK, I can choose the existing `doAs` style. `the {@code Subject} that the specified {@code action} will run as`. I admit I specified this "current subject" too much. I even wanted to invent an acronym for it. ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From weijun at openjdk.java.net Mon Oct 25 18:11:07 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Mon, 25 Oct 2021 18:11:07 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v2] In-Reply-To: References: Message-ID: On Fri, 22 Oct 2021 21:53:30 GMT, Bernd wrote: >> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: >> >> renames > > src/java.base/share/classes/javax/security/auth/Subject.java line 475: > >> 473: * call {@link #callAs} to perform the same work, which is based on >> 474: * {@link #doAs(Subject, PrivilegedExceptionAction)} >> 475: * by default in this implementation. > > Should it also mention that unless you define the TL system property it will still affect the new current() call? (Just to introduce the concept by repetition). I just don't want to touch existing spec. Even for `doAs`, I only said "callAs is based on doAs by default" and didn't went out explaining what is NOT by default. Is that OK? > src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Context.java line 708: > >> 706: @SuppressWarnings("removal") >> 707: final Subject subject = >> 708: AccessController.doPrivilegedWithCombiner( > > Is this actually needed and correct to wrap this into a priveledged action? Oh, it's needed. Otherwise the `AccessController.getContext()` call (which is inside `current()`) will also be called in a clean privileged context and there is no subject associated with it. On the other hand, it still needs to in some sort of doPriv. I don't want to ignore `AuthPermission("getSubject")`. ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From weijun at openjdk.java.net Mon Oct 25 18:30:11 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Mon, 25 Oct 2021 18:30:11 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v2] In-Reply-To: References: Message-ID: On Fri, 22 Oct 2021 22:13:51 GMT, Bernd wrote: >> src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Util.java line 107: >> >>> 105: */ >>> 106: public static ServiceCreds getServiceCreds(GSSCaller caller, >>> 107: String serverPrincipal) throws LoginException { >> >> What would be the new way to pass an authentication context on, passing the subject directly? (In case of Krb5AcceptCredential acc is actually the current one) > > What about the Kerberos cipher suite callsite mentioned in the comment? If no longer used, can this be made not Public (and remove the comment) Yes, it's better to pass the subject directly. Whoever wants their code to continue working after the SecurityManager is completely removed should not use AccessControlContext anymore. Yes, the JSSE comment is useless now. I thought it was still used by older TLS versions. ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From weijun at openjdk.java.net Mon Oct 25 18:30:13 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Mon, 25 Oct 2021 18:30:13 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v2] In-Reply-To: References: Message-ID: On Fri, 22 Oct 2021 22:07:50 GMT, Bernd wrote: >> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: >> >> renames > > test/jdk/javax/security/auth/Subject/DoAs.java line 44: > >> 42: final int index = i; >> 43: Subject.callAs(subject, () -> { >> 44: Subject s = Subject.current(); > > Should it Test old and new method to retrieve subject? I did it in `CurrentSubject.java` when test=both (checking `cas != accs` in `check()`). All changes to existing tests are just to avoid calling deprecated methods. > test/jdk/sun/security/krb5/KrbCredSubKey.java line 34: > >> 32: >> 33: import java.io.FileOutputStream; >> 34: import java.util.concurrent.Callable; > > Should those tests run with both permutations of the system property? I did ran it but not sure if it's good to add an extra `@run` to all tests. I'll select a few. ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From weijun at openjdk.java.net Mon Oct 25 18:30:13 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Mon, 25 Oct 2021 18:30:13 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v2] In-Reply-To: References: Message-ID: On Mon, 25 Oct 2021 18:24:36 GMT, Weijun Wang wrote: >> test/jdk/sun/security/krb5/KrbCredSubKey.java line 34: >> >>> 32: >>> 33: import java.io.FileOutputStream; >>> 34: import java.util.concurrent.Callable; >> >> Should those tests run with both permutations of the system property? > > I did ran it but not sure if it's good to add an extra `@run` to all tests. I'll select a few. Hi Bernd, thanks a huge lot for all your comments. I'm really glad you care about the next steps of JEP 411 in such details. There are quite some other things we need to do in the next few releases. ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From weijun at openjdk.java.net Mon Oct 25 18:33:04 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Mon, 25 Oct 2021 18:33:04 GMT Subject: RFR: 8251468: X509Certificate.get{Subject, Issuer}AlternativeNames does not throw CertificateParsingException if extension is unparseable In-Reply-To: References: Message-ID: On Mon, 25 Oct 2021 15:13:25 GMT, Sean Mullan wrote: >> src/java.base/share/classes/sun/security/x509/X509CertImpl.java line 1618: >> >>> 1616: } >>> 1617: SubjectAlternativeNameExtension subjectAltNameExt = >>> 1618: getSubjectAlternativeNameExtension(); >> >> Does it make sense to let the line above throwing an exception? I see the method is called in several places (`X509CertSelector`, `Builder`, etc). What is the correct behavior in those places? > > To clarify, do you mean this code in `getExtension(ObjectIdentifier)` that swallows the exception?: > > > } catch (IOException ioe) { > return null; > } That's probably a little deeper and changing it will have a mass effect. What about at the `getIssuerAlternativeNameExtension` level? ------------- PR: https://git.openjdk.java.net/jdk/pull/6106 From duke at openjdk.java.net Mon Oct 25 19:58:11 2021 From: duke at openjdk.java.net (Bernd) Date: Mon, 25 Oct 2021 19:58:11 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v2] In-Reply-To: <4yomLmh_dnLfLEjGEKMd8dkdhmyYOCrAIrxrJk7LNCg=.4bb1d786-d986-445c-be56-c2455d5a46d0@github.com> References: <4yomLmh_dnLfLEjGEKMd8dkdhmyYOCrAIrxrJk7LNCg=.4bb1d786-d986-445c-be56-c2455d5a46d0@github.com> Message-ID: On Mon, 25 Oct 2021 17:58:15 GMT, Weijun Wang wrote: >> src/java.base/share/classes/javax/security/auth/Subject.java line 325: >> >>> 323: >>> 324: // Store the current subject to a ThreadLocal when a system property is set. >>> 325: private static final boolean USE_TL = "true".equalsIgnoreCase( >> >> Can you use GetBooleanAction.privilegedGetProperty instead? > > Sure, I can. I was testing the default value to "false" at some time and found `"true".equals` and `!"false".equals` symmetric and good-looking. :-) It probably doesn?t matter to have the Logic centralized, just looked a bit hardcoded (who knows if yes/no/1/0 is wanted as well ,). >> src/java.base/share/classes/javax/security/auth/Subject.java line 349: >> >>> 347: * the one of its parent thread, and will not change even if >>> 348: * its parent thread's current subject is changed to another value. >>> 349: * >> >> Should it say something about installing or unsettling the subject in a nested execution (if it can be restricted)? > > I said "After {@code action} is finished, the current subject is reset to its previous value". Is that what you meant? My question was more along the line of Post-Security-manager. Will you always be able to call Subject.doAs - especially with null? And if this can already be speced if it might be rejected or not? (the ?after finished? is well documented) >> src/java.base/share/classes/javax/security/auth/Subject.java line 475: >> >>> 473: * call {@link #callAs} to perform the same work, which is based on >>> 474: * {@link #doAs(Subject, PrivilegedExceptionAction)} >>> 475: * by default in this implementation. >> >> Should it also mention that unless you define the TL system property it will still affect the new current() call? (Just to introduce the concept by repetition). > > I just don't want to touch existing spec. Even for `doAs`, I only said "callAs is based on doAs by default" and didn't went out explaining what is NOT by default. Is that OK? Yes good reason not to change it. ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From duke at openjdk.java.net Mon Oct 25 20:07:08 2021 From: duke at openjdk.java.net (Bernd) Date: Mon, 25 Oct 2021 20:07:08 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v2] In-Reply-To: References: Message-ID: On Mon, 25 Oct 2021 18:08:19 GMT, Weijun Wang wrote: >> src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Context.java line 708: >> >>> 706: @SuppressWarnings("removal") >>> 707: final Subject subject = >>> 708: AccessController.doPrivilegedWithCombiner( >> >> Is this actually needed and correct to wrap this into a priveledged action? > > Oh, it's needed. Otherwise the `AccessController.getContext()` call (which is inside `current()`) will also be called in a clean privileged context and there is no subject associated with it. > > On the other hand, it still needs to in some sort of doPriv. I don't want to ignore `AuthPermission("getSubject")`. Hm yes i see why ?withacombiner? would be needed, just not sure why doPriveledged() is needed (especially since current() does it as well). But I admit i don?t see through that part, so ignore me if I don?t make sense. >> test/jdk/javax/security/auth/Subject/DoAs.java line 44: >> >>> 42: final int index = i; >>> 43: Subject.callAs(subject, () -> { >>> 44: Subject s = Subject.current(); >> >> Should it Test old and new method to retrieve subject? > > I did it in `CurrentSubject.java` when test=both (checking `cas != accs` in `check()`). All changes to existing tests are just to avoid calling deprecated methods. Yes, probably not worth it in all tests (but would be maybe a good one time exercise?) ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From mullan at openjdk.java.net Mon Oct 25 20:20:04 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Mon, 25 Oct 2021 20:20:04 GMT Subject: RFR: 8251468: X509Certificate.get{Subject, Issuer}AlternativeNames does not throw CertificateParsingException if extension is unparseable In-Reply-To: References: Message-ID: <-a24YMG24rA6exgdmd9zSi7gNIjHbqNUk8bZqIwxXDA=.58bfc552-a975-478a-b108-7bfcd9cce702@github.com> On Mon, 25 Oct 2021 18:29:34 GMT, Weijun Wang wrote: >> To clarify, do you mean this code in `getExtension(ObjectIdentifier)` that swallows the exception?: >> >> >> } catch (IOException ioe) { >> return null; >> } > > That's probably a little deeper and changing it will have a mass effect. What about at the `getIssuerAlternativeNameExtension` level? Unless I am misunderstanding your comment, I don't think this is an issue in practice. The code inside the `X509CertImpl.getExtension` method only throws an Exception if invalid OIDs or attribute names are passed to the internal `get` methods of `X509CertInfo` and `CertificateExtensions`, which isn't possible when you are passing in known values/attributes. I think this is why the code swallows the exceptions and returns null, but it would be nice to have a comment explaining that. ------------- PR: https://git.openjdk.java.net/jdk/pull/6106 From mullan at openjdk.java.net Mon Oct 25 20:49:06 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Mon, 25 Oct 2021 20:49:06 GMT Subject: RFR: 8231107: Allow store password to be null when saving a PKCS12 KeyStore In-Reply-To: References: Message-ID: On Thu, 14 Oct 2021 14:43:32 GMT, Weijun Wang wrote: > You can create a password-less PKCS12 KeyStore file now by calling `ks.store(outStream, null)` no matter what the default cert protection algorithm and Mac algorithm are defined in `java.security`. > > Note: the system properties set in `ToolsJDK.gmk` to generate `cacerts` must be retained (at the moment) because the tool is launched with BOOT_JDK. test/jdk/sun/security/pkcs12/EmptyPassword.java line 27: > 25: * @test > 26: * @bug 8202299 8231107 > 27: * @modules java.base/sun.security.tools.keytool Can you add an @summary? test/jdk/sun/security/pkcs12/EmptyPassword.java line 57: > 55: }); > 56: > 57: // 8202299: interop before new char[0] and new char[1] Can you make this comment more descriptive? Not sure what "before" means. Is this just making sure you can store a keystore and key entry with "\0" as the password and load it back with ""? Should you also try to load it back with "\0" too? ------------- PR: https://git.openjdk.java.net/jdk/pull/5950 From valeriep at openjdk.java.net Mon Oct 25 23:11:16 2021 From: valeriep at openjdk.java.net (Valerie Peng) Date: Mon, 25 Oct 2021 23:11:16 GMT Subject: RFR: 8251134: Unwrapping a key with a Private Key generated by Microsoft CNG fails In-Reply-To: References: Message-ID: On Wed, 20 Oct 2021 18:06:39 GMT, Weijun Wang wrote: > Support Cipher operations on CNG keys. Changes look good~ ------------- Marked as reviewed by valeriep (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/6049 From weijun at openjdk.java.net Mon Oct 25 23:44:13 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Mon, 25 Oct 2021 23:44:13 GMT Subject: RFR: 8231107: Allow store password to be null when saving a PKCS12 KeyStore In-Reply-To: References: Message-ID: On Mon, 25 Oct 2021 17:02:10 GMT, Sean Mullan wrote: >> You can create a password-less PKCS12 KeyStore file now by calling `ks.store(outStream, null)` no matter what the default cert protection algorithm and Mac algorithm are defined in `java.security`. >> >> Note: the system properties set in `ToolsJDK.gmk` to generate `cacerts` must be retained (at the moment) because the tool is launched with BOOT_JDK. > > test/jdk/sun/security/pkcs12/EmptyPassword.java line 57: > >> 55: }); >> 56: >> 57: // 8202299: interop before new char[0] and new char[1] > > Can you make this comment more descriptive? Not sure what "before" means. Is this just making sure you can store a keystore and key entry with "\0" as the password and load it back with ""? Should you also try to load it back with "\0" too? Typo: s/before/between/. I'll add one with "\0". That should always work since it's the same password used in load() and store(). ------------- PR: https://git.openjdk.java.net/jdk/pull/5950 From weijun at openjdk.java.net Mon Oct 25 23:47:12 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Mon, 25 Oct 2021 23:47:12 GMT Subject: RFR: 8231107: Allow store password to be null when saving a PKCS12 KeyStore In-Reply-To: References: Message-ID: On Mon, 25 Oct 2021 17:05:58 GMT, Sean Mullan wrote: >> You can create a password-less PKCS12 KeyStore file now by calling `ks.store(outStream, null)` no matter what the default cert protection algorithm and Mac algorithm are defined in `java.security`. >> >> Note: the system properties set in `ToolsJDK.gmk` to generate `cacerts` must be retained (at the moment) because the tool is launched with BOOT_JDK. > > test/jdk/sun/security/pkcs12/EmptyPassword.java line 27: > >> 25: * @test >> 26: * @bug 8202299 8231107 >> 27: * @modules java.base/sun.security.tools.keytool > > Can you add an @summary? I'll update the existing summary to `@summary Testing empty (null, "", "\0") password behaviors`. ------------- PR: https://git.openjdk.java.net/jdk/pull/5950 From weijun at openjdk.java.net Mon Oct 25 23:51:13 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Mon, 25 Oct 2021 23:51:13 GMT Subject: RFR: 8251468: X509Certificate.get{Subject, Issuer}AlternativeNames does not throw CertificateParsingException if extension is unparseable In-Reply-To: <-a24YMG24rA6exgdmd9zSi7gNIjHbqNUk8bZqIwxXDA=.58bfc552-a975-478a-b108-7bfcd9cce702@github.com> References: <-a24YMG24rA6exgdmd9zSi7gNIjHbqNUk8bZqIwxXDA=.58bfc552-a975-478a-b108-7bfcd9cce702@github.com> Message-ID: <8q0feoy-rGHzNQFLGkjLWrEFZ4ORSUyWWWXZnCp3mgs=.33f5f72e-0521-474d-979c-5bb3aa5e7b05@github.com> On Mon, 25 Oct 2021 20:17:17 GMT, Sean Mullan wrote: >> That's probably a little deeper and changing it will have a mass effect. What about at the `getIssuerAlternativeNameExtension` level? > > Unless I am misunderstanding your comment, I don't think this is an issue in practice. The code inside the `X509CertImpl.getExtension` method only throws an Exception if invalid OIDs or attribute names are passed to the internal `get` methods of `X509CertInfo` and `CertificateExtensions`, which isn't possible when you are passing in known values/attributes. I think this is why the code swallows the exceptions and returns null, but it would be nice to have a comment explaining that. I was asking if `getIssuerAlternativeNameExtension` can throw the exception is IAE exists but not parseable. ------------- PR: https://git.openjdk.java.net/jdk/pull/6106 From valeriep at openjdk.java.net Tue Oct 26 01:19:12 2021 From: valeriep at openjdk.java.net (Valerie Peng) Date: Tue, 26 Oct 2021 01:19:12 GMT Subject: RFR: 8185844: MSCAPI doesn't list aliases correctly In-Reply-To: References: Message-ID: On Wed, 20 Oct 2021 17:54:50 GMT, Weijun Wang wrote: > If a entry is overwritten by another one using the same alias, make sure the old one is removed. Changes look good. Thanks! ------------- Marked as reviewed by valeriep (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/6047 From weijun at openjdk.java.net Tue Oct 26 02:42:23 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 26 Oct 2021 02:42:23 GMT Subject: Integrated: 8185844: MSCAPI doesn't list aliases correctly In-Reply-To: References: Message-ID: On Wed, 20 Oct 2021 17:54:50 GMT, Weijun Wang wrote: > If a entry is overwritten by another one using the same alias, make sure the old one is removed. This pull request has now been integrated. Changeset: 43619458 Author: Weijun Wang URL: https://git.openjdk.java.net/jdk/commit/43619458d183bbbaec745887314ddcf7a8aa4136 Stats: 174 lines in 2 files changed: 123 ins; 34 del; 17 mod 8185844: MSCAPI doesn't list aliases correctly Reviewed-by: valeriep ------------- PR: https://git.openjdk.java.net/jdk/pull/6047 From weijun at openjdk.java.net Tue Oct 26 02:48:57 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 26 Oct 2021 02:48:57 GMT Subject: RFR: 8251134: Unwrapping a key with a Private Key generated by Microsoft CNG fails [v2] In-Reply-To: References: Message-ID: > Support Cipher operations on CNG keys. Weijun Wang has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/6049/files - new: https://git.openjdk.java.net/jdk/pull/6049/files/2612797b..2612797b Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6049&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6049&range=00-01 Stats: 0 lines in 0 files changed: 0 ins; 0 del; 0 mod Patch: https://git.openjdk.java.net/jdk/pull/6049.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/6049/head:pull/6049 PR: https://git.openjdk.java.net/jdk/pull/6049 From duke at openjdk.java.net Tue Oct 26 02:48:58 2021 From: duke at openjdk.java.net (openjdk-notifier[bot]) Date: Tue, 26 Oct 2021 02:48:58 GMT Subject: RFR: 8251134: Unwrapping a key with a Private Key generated by Microsoft CNG fails In-Reply-To: References: Message-ID: On Wed, 20 Oct 2021 18:06:39 GMT, Weijun Wang wrote: > Support Cipher operations on CNG keys. The dependent pull request has now been integrated, and the target branch of this pull request has been updated. This means that changes from the dependent pull request can start to show up as belonging to this pull request, which may be confusing for reviewers. To remedy this situation, simply merge the latest changes from the new target branch into this pull request by running commands similar to these in the local repository for your personal fork: git checkout 8185844 git fetch https://git.openjdk.java.net/jdk master git merge FETCH_HEAD # if there are conflicts, follow the instructions given by git merge git commit -m "Merge master" git push ------------- PR: https://git.openjdk.java.net/jdk/pull/6049 From weijun at openjdk.java.net Tue Oct 26 02:49:00 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 26 Oct 2021 02:49:00 GMT Subject: Integrated: 8251134: Unwrapping a key with a Private Key generated by Microsoft CNG fails In-Reply-To: References: Message-ID: On Wed, 20 Oct 2021 18:06:39 GMT, Weijun Wang wrote: > Support Cipher operations on CNG keys. This pull request has now been integrated. Changeset: 10e1610f Author: Weijun Wang URL: https://git.openjdk.java.net/jdk/commit/10e1610f7b99f42f834478528df7ecfb4320aec1 Stats: 210 lines in 4 files changed: 201 ins; 0 del; 9 mod 8251134: Unwrapping a key with a Private Key generated by Microsoft CNG fails Reviewed-by: valeriep ------------- PR: https://git.openjdk.java.net/jdk/pull/6049 From duke at openjdk.java.net Tue Oct 26 12:20:27 2021 From: duke at openjdk.java.net (Andrey Turbanov) Date: Tue, 26 Oct 2021 12:20:27 GMT Subject: RFR: 8275918: Remove unused local variables in java.base security code Message-ID: Cleanup unused local variables. Looks like they are leftovers after refactoring. ------------- Commit messages: - [PATCH] Remove unused local variables in java.base security code Changes: https://git.openjdk.java.net/jdk/pull/6092/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6092&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8275918 Stats: 31 lines in 13 files changed: 0 ins; 16 del; 15 mod Patch: https://git.openjdk.java.net/jdk/pull/6092.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/6092/head:pull/6092 PR: https://git.openjdk.java.net/jdk/pull/6092 From aefimov at openjdk.java.net Tue Oct 26 12:52:58 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Tue, 26 Oct 2021 12:52:58 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v8] In-Reply-To: References: Message-ID: > This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. > > The following API classes are added to `java.net.spi` package to facilitate this: > - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. > - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. > - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. > - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. > > More details in [JEP-418](https://openjdk.java.net/jeps/418). > > Testing: new and existing `tier1:tier3` tests Aleksei Efimov has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 14 additional commits since the last revision: - Changes to address review comments - Update tests to address SM deprecation - Merge branch 'master' into JDK-8244202_JEP418_impl - More javadoc updates to API classes - Review updates + move resolver docs to the provider class (CSR update to follow) - Change InetAddressResolver method names - Remove no longer used import from IPSupport - Rename IPSupport.hasAddress and update it to use SocketChannel.open - Address review comments: javadoc + code cleanup - Address resolver bootstraping issue - ... and 4 more: https://git.openjdk.java.net/jdk/compare/a8495826...1378686b ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5822/files - new: https://git.openjdk.java.net/jdk/pull/5822/files/fa655be2..1378686b Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5822&range=07 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5822&range=06-07 Stats: 32082 lines in 838 files changed: 22928 ins; 6060 del; 3094 mod Patch: https://git.openjdk.java.net/jdk/pull/5822.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5822/head:pull/5822 PR: https://git.openjdk.java.net/jdk/pull/5822 From aefimov at openjdk.java.net Tue Oct 26 12:53:06 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Tue, 26 Oct 2021 12:53:06 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v7] In-Reply-To: <8edQIj95FsYJ3_gmv98KEIVAwFvNxduvXIgrkY96vSk=.6d3f216f-c956-4906-8b81-5f57a79d00d9@github.com> References: <8edQIj95FsYJ3_gmv98KEIVAwFvNxduvXIgrkY96vSk=.6d3f216f-c956-4906-8b81-5f57a79d00d9@github.com> Message-ID: On Sat, 23 Oct 2021 06:19:46 GMT, Alan Bateman wrote: >> Aleksei Efimov has updated the pull request incrementally with one additional commit since the last revision: >> >> More javadoc updates to API classes > > src/java.base/share/classes/java/net/InetAddress.java line 169: > >> 167: * Access Protocol (LDAP). >> 168: * The particular naming services that the built-in resolver uses by default >> 169: * depend on the configuration of the local machine. > > depend -> depends Thanks, changed in 1378686becfcbf18793556de8381b5ebcd79698d > src/java.base/share/classes/java/net/spi/InetAddressResolver.java line 38: > >> 36: * deployed as a >> 37: * system-wide resolver. {@link InetAddress} delegates all lookup requests to >> 38: * the deployed system-wide resolver instance. > > I think the class description would be a bit clearer if we drop sentence 2 because it overlaps with paragraph 2. I think we can adjust sentence 3 to "InetAddress delegates all lookup operations to the system-wide resolver" and it will all flow nicely. Thanks, changed as suggested in 1378686becfcbf18793556de8381b5ebcd79698d > src/java.base/share/classes/java/net/spi/InetAddressResolver.java line 88: > >> 86: * to a valid IP address length >> 87: */ >> 88: String lookupByAddress(byte[] addr) throws UnknownHostException; > > I assume this throws NPE if addr is null. 1378686becfcbf18793556de8381b5ebcd79698d: added @ throws NPE javadoc, also added additional checks for `null` parameter values into the built-in and hosts file resolver implementations. > src/java.base/share/classes/java/net/spi/InetAddressResolverProvider.java line 45: > >> 43: * system-wide resolver instance, which is used by >> 44: * >> 45: * InetAddress. > > I think we should prune some some of the text from the class description to avoid repetition. Here's a suggestion: > > 1. Add the following immediately after the sentence "A given innovation ..." > "It is set after the VM is fully initialized and when an invocation of a method in InetAddress class triggers the first lookup operation. > > 2. Replace the text in L47-65 with: > "A resolver provider is located and loaded by InetAddress to create the systwm-wide resolver as follows: > > 3. Replace the remaining three usages of "install" with "set". Thanks, changed as suggested: 1378686becfcbf18793556de8381b5ebcd79698d ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From aefimov at openjdk.java.net Tue Oct 26 12:53:09 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Tue, 26 Oct 2021 12:53:09 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v5] In-Reply-To: References: <1v6OpqkyZp6XBq9lXQfahKEEgtBIdPjNWydqJ9Cwipc=.959e01c2-1e2d-4540-8ed5-41198dd71c2b@github.com> Message-ID: On Sat, 23 Oct 2021 06:33:52 GMT, Alan Bateman wrote: >> src/java.base/share/classes/java/net/spi/InetAddressResolverProvider.java line 52: >> >>> 50: /** >>> 51: * Initialise and return the {@link InetAddressResolver} provided by >>> 52: * this provider. This method is called by {@link InetAddress} when >> >> "the InetAddressResolver" suggests there is just one instance. That is probably the case but I don't think you want to be restricted to that. > > Initialise -> Initialize to be consistent with other usages that use US spelling. Thanks, changed in 1378686becfcbf18793556de8381b5ebcd79698d ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From aefimov at openjdk.java.net Tue Oct 26 12:55:11 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Tue, 26 Oct 2021 12:55:11 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v7] In-Reply-To: References: <8edQIj95FsYJ3_gmv98KEIVAwFvNxduvXIgrkY96vSk=.6d3f216f-c956-4906-8b81-5f57a79d00d9@github.com> Message-ID: On Tue, 26 Oct 2021 12:49:30 GMT, Aleksei Efimov wrote: >> src/java.base/share/classes/java/net/spi/InetAddressResolverProvider.java line 45: >> >>> 43: * system-wide resolver instance, which is used by >>> 44: * >>> 45: * InetAddress. >> >> I think we should prune some some of the text from the class description to avoid repetition. Here's a suggestion: >> >> 1. Add the following immediately after the sentence "A given innovation ..." >> "It is set after the VM is fully initialized and when an invocation of a method in InetAddress class triggers the first lookup operation. >> >> 2. Replace the text in L47-65 with: >> "A resolver provider is located and loaded by InetAddress to create the systwm-wide resolver as follows: >> >> 3. Replace the remaining three usages of "install" with "set". > > Thanks, changed as suggested: 1378686becfcbf18793556de8381b5ebcd79698d Pruned `InetAddressResolverProvider` class-level doc as suggested: 1378686becfcbf18793556de8381b5ebcd79698d ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From alanb at openjdk.java.net Tue Oct 26 13:11:21 2021 From: alanb at openjdk.java.net (Alan Bateman) Date: Tue, 26 Oct 2021 13:11:21 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v8] In-Reply-To: References: Message-ID: <1ocUc2kRrpqHA-uWpjWrTtByfCvRoXWV-tbDJCEjmbs=.1149b134-96fc-45c3-81e3-1cee89b8d3aa@github.com> On Tue, 26 Oct 2021 12:52:58 GMT, Aleksei Efimov wrote: >> This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. >> >> The following API classes are added to `java.net.spi` package to facilitate this: >> - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. >> - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. >> - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. >> - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. >> >> More details in [JEP-418](https://openjdk.java.net/jeps/418). >> >> Testing: new and existing `tier1:tier3` tests > > Aleksei Efimov has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 14 additional commits since the last revision: > > - Changes to address review comments > - Update tests to address SM deprecation > - Merge branch 'master' into JDK-8244202_JEP418_impl > - More javadoc updates to API classes > - Review updates + move resolver docs to the provider class (CSR update to follow) > - Change InetAddressResolver method names > - Remove no longer used import from IPSupport > - Rename IPSupport.hasAddress and update it to use SocketChannel.open > - Address review comments: javadoc + code cleanup > - Address resolver bootstraping issue > - ... and 4 more: https://git.openjdk.java.net/jdk/compare/c2db4e04...1378686b Thanks for the updates to the API docs, you've addressed all my comments. ------------- Marked as reviewed by alanb (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/5822 From dfuchs at openjdk.java.net Tue Oct 26 15:10:24 2021 From: dfuchs at openjdk.java.net (Daniel Fuchs) Date: Tue, 26 Oct 2021 15:10:24 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v8] In-Reply-To: References: Message-ID: On Tue, 26 Oct 2021 12:52:58 GMT, Aleksei Efimov wrote: >> This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. >> >> The following API classes are added to `java.net.spi` package to facilitate this: >> - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. >> - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. >> - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. >> - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. >> >> More details in [JEP-418](https://openjdk.java.net/jeps/418). >> >> Testing: new and existing `tier1:tier3` tests > > Aleksei Efimov has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 14 additional commits since the last revision: > > - Changes to address review comments > - Update tests to address SM deprecation > - Merge branch 'master' into JDK-8244202_JEP418_impl > - More javadoc updates to API classes > - Review updates + move resolver docs to the provider class (CSR update to follow) > - Change InetAddressResolver method names > - Remove no longer used import from IPSupport > - Rename IPSupport.hasAddress and update it to use SocketChannel.open > - Address review comments: javadoc + code cleanup > - Address resolver bootstraping issue > - ... and 4 more: https://git.openjdk.java.net/jdk/compare/10094444...1378686b Marked as reviewed by dfuchs (Reviewer). src/java.base/share/classes/java/net/InetAddress.java line 1151: > 1149: > 1150: Objects.requireNonNull(host); > 1151: Objects.requireNonNull(lookupPolicy); for consistency we could add `@throws NullPointerException` to the API doc of that method - since it seems to have everything else... ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From weijun at openjdk.java.net Tue Oct 26 15:22:15 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 26 Oct 2021 15:22:15 GMT Subject: RFR: 8275918: Remove unused local variables in java.base security code In-Reply-To: References: Message-ID: On Sat, 23 Oct 2021 14:04:07 GMT, Andrey Turbanov wrote: > Cleanup unused local variables. Looks like they are leftovers after refactoring. src/java.base/share/classes/sun/security/rsa/RSAPSSSignature.java line 211: > 209: AlgorithmParameterSpec keyParams = rsaKey.getParams(); > 210: // validate key parameters > 211: if (!isCompatible(keyParams, this.sigParams)) { Why not remove the assignment on line 209? This is more consistent with your fix this time. ------------- PR: https://git.openjdk.java.net/jdk/pull/6092 From duke at openjdk.java.net Tue Oct 26 15:28:22 2021 From: duke at openjdk.java.net (Andrey Turbanov) Date: Tue, 26 Oct 2021 15:28:22 GMT Subject: Integrated: 8273299: Unnecessary Vector usage in java.security.jgss In-Reply-To: References: Message-ID: <-vINh74tQBSEMPaovBMLeuQfps7z_nrq_6RvuektVxk=.9c747a93-b802-4bf0-a3d5-07c07683793e@github.com> On Thu, 26 Aug 2021 08:09:16 GMT, Andrey Turbanov wrote: > Usage of thread-safe collection Vector is unnecessary. It's recommended to use ArrayList if a thread-safe implementation is not needed. This pull request has now been integrated. Changeset: c9dec2f9 Author: Andrey Turbanov Committer: Weijun Wang URL: https://git.openjdk.java.net/jdk/commit/c9dec2f9849f98048f32ccef4e5573ce21204fbb Stats: 106 lines in 12 files changed: 2 ins; 15 del; 89 mod 8273299: Unnecessary Vector usage in java.security.jgss Reviewed-by: weijun ------------- PR: https://git.openjdk.java.net/jdk/pull/5264 From mullan at openjdk.java.net Tue Oct 26 15:32:13 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Tue, 26 Oct 2021 15:32:13 GMT Subject: RFR: 8251468: X509Certificate.get{Subject, Issuer}AlternativeNames does not throw CertificateParsingException if extension is unparseable In-Reply-To: <8q0feoy-rGHzNQFLGkjLWrEFZ4ORSUyWWWXZnCp3mgs=.33f5f72e-0521-474d-979c-5bb3aa5e7b05@github.com> References: <-a24YMG24rA6exgdmd9zSi7gNIjHbqNUk8bZqIwxXDA=.58bfc552-a975-478a-b108-7bfcd9cce702@github.com> <8q0feoy-rGHzNQFLGkjLWrEFZ4ORSUyWWWXZnCp3mgs=.33f5f72e-0521-474d-979c-5bb3aa5e7b05@github.com> Message-ID: <_EDWrIj80ppmt70WW5a-TAMoO4xuMkRP71Hhg0oYWqI=.c570569b-1e95-4ce6-885b-601339f8506e@github.com> On Mon, 25 Oct 2021 23:48:35 GMT, Weijun Wang wrote: >> Unless I am misunderstanding your comment, I don't think this is an issue in practice. The code inside the `X509CertImpl.getExtension` method only throws an Exception if invalid OIDs or attribute names are passed to the internal `get` methods of `X509CertInfo` and `CertificateExtensions`, which isn't possible when you are passing in known values/attributes. I think this is why the code swallows the exceptions and returns null, but it would be nice to have a comment explaining that. > > I was asking if `getIssuerAlternativeNameExtension` can throw the exception is IAE exists but not parseable. Ok, I understand your comment now. I'm hesitant to change those methods to throw an exception because to be consistent all the `get*Extension()` methods should then throw an Exception. That might be the right thing to do, but it is a bigger change and more risky. The code that calls these internal methods is used for building certification paths, and if null is returned, it is as if the certificate did not contain the extension. That might be a more reasonable behavior than throwing an Exception, since it allows the code to find other potential certificates or certification paths. Adding certpath debug can always be used to find out more about why certain certificates were not selected. ------------- PR: https://git.openjdk.java.net/jdk/pull/6106 From weijun at openjdk.java.net Tue Oct 26 15:39:11 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 26 Oct 2021 15:39:11 GMT Subject: RFR: 8225181: KeyStore should have a getAttributes method In-Reply-To: References: Message-ID: On Mon, 25 Oct 2021 14:34:57 GMT, Sean Mullan wrote: >> Add `KeyStore::getAttributes` so that one can get the attributes of an entry without retrieving the entry first. This is especially useful for a private key entry which can only be retrieved with a password. > > src/java.base/share/classes/java/security/KeyStore.java line 1035: > >> 1033: * not extractable (For example, if the attributes is encrypted >> 1034: * in a private key entry or a secret key entry). >> 1035: * > > I think this would read better if you broke it up into multiple sentences, ex: "an unmodifiable {@code Set} of attributes. The set may be empty if the given alias does not exist, or the alias does exist but there are no attributes associated with it or the attributes are not extractable (for example, the attributes may not be extractable if they are encrypted in a private key or secret key entry)." > > You may also want to add a sentence to try the `KeyStore$Entry::getAttributes` method if there are no attributes. > > Did you consider throwing a KeyStoreException if they are not extractable? It would be useful to distinguish that case from an alias that has no attributes. This is complicated. Theoretically a KeyStore implementation can store some attributes in clear text and some encrypted, and it's probably not possible to know if there exist any encrypted ones before actually decrypting the entry. Maybe I should say "For a PrivateKeyEntry or SecretKeyEntry, some attributes might only be available after the entry is extracted by the getEntry() method. Try calling the entry's getAttributes() method to see if there are any". > src/java.base/share/classes/java/security/KeyStoreSpi.java line 450: > >> 448: /** >> 449: * Retrieves the attributes associated with the given alias. >> 450: * > > You should also document the default implementation. OK. ------------- PR: https://git.openjdk.java.net/jdk/pull/6026 From weijun at openjdk.java.net Tue Oct 26 15:45:13 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 26 Oct 2021 15:45:13 GMT Subject: RFR: 8225181: KeyStore should have a getAttributes method In-Reply-To: References: Message-ID: On Mon, 25 Oct 2021 14:36:58 GMT, Sean Mullan wrote: >> Add `KeyStore::getAttributes` so that one can get the attributes of an entry without retrieving the entry first. This is especially useful for a private key entry which can only be retrieved with a password. > > src/java.base/share/classes/java/security/KeyStore.java line 1038: > >> 1036: * @throws KeyStoreException if the keystore has not been initialized >> 1037: * (loaded). >> 1038: * > > throw NPE if alias is null? OK. > src/java.base/share/classes/java/security/KeyStoreSpi.java line 457: > >> 455: */ >> 456: public Set engineGetAttributes(String alias) { >> 457: return Collections.emptySet(); > > Would `Set.of()` be better here? Both returns an internal constant object and I think they are similar. I was copying the default implementation of `Entry::getAttributes`. ------------- PR: https://git.openjdk.java.net/jdk/pull/6026 From weijun at openjdk.java.net Tue Oct 26 15:50:20 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 26 Oct 2021 15:50:20 GMT Subject: RFR: 8251468: X509Certificate.get{Subject, Issuer}AlternativeNames does not throw CertificateParsingException if extension is unparseable In-Reply-To: <_EDWrIj80ppmt70WW5a-TAMoO4xuMkRP71Hhg0oYWqI=.c570569b-1e95-4ce6-885b-601339f8506e@github.com> References: <-a24YMG24rA6exgdmd9zSi7gNIjHbqNUk8bZqIwxXDA=.58bfc552-a975-478a-b108-7bfcd9cce702@github.com> <8q0feoy-rGHzNQFLGkjLWrEFZ4ORSUyWWWXZnCp3mgs=.33f5f72e-0521-474d-979c-5bb3aa5e7b05@github.com> <_EDWrIj80ppmt70WW5a-TAMoO4xuMkRP71Hhg0oYWqI=.c570569b-1e95-4ce6-885b-601339f8506e@github.com> Message-ID: On Tue, 26 Oct 2021 15:28:51 GMT, Sean Mullan wrote: >> I was asking if `getIssuerAlternativeNameExtension` can throw the exception if IAE exists but not parseable. > > Ok, I understand your comment now. I'm hesitant to change those methods to throw an exception because to be consistent all the `get*Extension()` methods should then throw an Exception. That might be the right thing to do, but it is a bigger change and more risky. The code that calls these internal methods is used for building certification paths, and if null is returned, it is as if the certificate did not contain the extension. That might be a more reasonable behavior than throwing an Exception, since it allows the code to find other potential certificates or certification paths. Adding certpath debug can always be used to find out more about why certain certificates were not selected. OK. ------------- PR: https://git.openjdk.java.net/jdk/pull/6106 From aefimov at openjdk.java.net Tue Oct 26 16:24:48 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Tue, 26 Oct 2021 16:24:48 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v9] In-Reply-To: References: Message-ID: > This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. > > The following API classes are added to `java.net.spi` package to facilitate this: > - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. > - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. > - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. > - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. > > More details in [JEP-418](https://openjdk.java.net/jeps/418). > > Testing: new and existing `tier1:tier3` tests Aleksei Efimov has updated the pull request incrementally with one additional commit since the last revision: Add @ throws NPE to hosts file resolver javadoc ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5822/files - new: https://git.openjdk.java.net/jdk/pull/5822/files/1378686b..2ca78ba9 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5822&range=08 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5822&range=07-08 Stats: 2 lines in 1 file changed: 2 ins; 0 del; 0 mod Patch: https://git.openjdk.java.net/jdk/pull/5822.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5822/head:pull/5822 PR: https://git.openjdk.java.net/jdk/pull/5822 From aefimov at openjdk.java.net Tue Oct 26 16:24:55 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Tue, 26 Oct 2021 16:24:55 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v8] In-Reply-To: References: Message-ID: On Tue, 26 Oct 2021 15:04:54 GMT, Daniel Fuchs wrote: >> Aleksei Efimov has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 14 additional commits since the last revision: >> >> - Changes to address review comments >> - Update tests to address SM deprecation >> - Merge branch 'master' into JDK-8244202_JEP418_impl >> - More javadoc updates to API classes >> - Review updates + move resolver docs to the provider class (CSR update to follow) >> - Change InetAddressResolver method names >> - Remove no longer used import from IPSupport >> - Rename IPSupport.hasAddress and update it to use SocketChannel.open >> - Address review comments: javadoc + code cleanup >> - Address resolver bootstraping issue >> - ... and 4 more: https://git.openjdk.java.net/jdk/compare/1bbecc93...1378686b > > src/java.base/share/classes/java/net/InetAddress.java line 1151: > >> 1149: >> 1150: Objects.requireNonNull(host); >> 1151: Objects.requireNonNull(lookupPolicy); > > for consistency we could add `@throws NullPointerException` to the API doc of that method - since it seems to have everything else... Added `@throws NullPointerException` to the hosts file resolver API docs: 2ca78ba98dc81cd6cc44b53dc7d56a6ae42c2736 ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From dfuchs at openjdk.java.net Tue Oct 26 16:30:16 2021 From: dfuchs at openjdk.java.net (Daniel Fuchs) Date: Tue, 26 Oct 2021 16:30:16 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v9] In-Reply-To: References: Message-ID: <0mvmoo3ws7YZ_Wf_9bZmvjDHZZ5PQFaOCBhpn4x-q30=.08ef6e7a-f8b1-4b3f-9a1f-2d91e44d2598@github.com> On Tue, 26 Oct 2021 16:24:48 GMT, Aleksei Efimov wrote: >> This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. >> >> The following API classes are added to `java.net.spi` package to facilitate this: >> - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. >> - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. >> - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. >> - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. >> >> More details in [JEP-418](https://openjdk.java.net/jeps/418). >> >> Testing: new and existing `tier1:tier3` tests > > Aleksei Efimov has updated the pull request incrementally with one additional commit since the last revision: > > Add @ throws NPE to hosts file resolver javadoc Marked as reviewed by dfuchs (Reviewer). ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From mullan at openjdk.java.net Tue Oct 26 16:43:09 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Tue, 26 Oct 2021 16:43:09 GMT Subject: RFR: 8231107: Allow store password to be null when saving a PKCS12 KeyStore In-Reply-To: References: Message-ID: On Thu, 14 Oct 2021 14:43:32 GMT, Weijun Wang wrote: > You can create a password-less PKCS12 KeyStore file now by calling `ks.store(outStream, null)` no matter what the default cert protection algorithm and Mac algorithm are defined in `java.security`. > > Note: the system properties set in `ToolsJDK.gmk` to generate `cacerts` must be retained (at the moment) because the tool is launched with BOOT_JDK. Marked as reviewed by mullan (Reviewer). ------------- PR: https://git.openjdk.java.net/jdk/pull/5950 From mullan at openjdk.java.net Tue Oct 26 16:43:10 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Tue, 26 Oct 2021 16:43:10 GMT Subject: RFR: 8231107: Allow store password to be null when saving a PKCS12 KeyStore In-Reply-To: References: Message-ID: On Mon, 25 Oct 2021 23:44:18 GMT, Weijun Wang wrote: >> test/jdk/sun/security/pkcs12/EmptyPassword.java line 27: >> >>> 25: * @test >>> 26: * @bug 8202299 8231107 >>> 27: * @modules java.base/sun.security.tools.keytool >> >> Can you add an @summary? > > I'll update the existing summary to `@summary Testing empty (null, "", "\0") password behaviors`. Ok. >> test/jdk/sun/security/pkcs12/EmptyPassword.java line 57: >> >>> 55: }); >>> 56: >>> 57: // 8202299: interop before new char[0] and new char[1] >> >> Can you make this comment more descriptive? Not sure what "before" means. Is this just making sure you can store a keystore and key entry with "\0" as the password and load it back with ""? Should you also try to load it back with "\0" too? > > Typo: s/before/between/. > > I'll add one with "\0". That should always work since it's the same password used in load() and store(). Ok. ------------- PR: https://git.openjdk.java.net/jdk/pull/5950 From duke at openjdk.java.net Tue Oct 26 16:45:21 2021 From: duke at openjdk.java.net (Andrey Turbanov) Date: Tue, 26 Oct 2021 16:45:21 GMT Subject: Integrated: 8275079: Remove unnecessary conversion to String in java.net.http In-Reply-To: References: Message-ID: <44HAVmWJFcyu-AdhRRsJeF7mOszcfse1fl27XS0hiFM=.ba08b56a-8d4c-41f3-9370-2821310ca088@github.com> On Sat, 2 Oct 2021 20:05:37 GMT, Andrey Turbanov wrote: > Cleanup unnecessary String.valueOf calls (and similar) when conversion will happen implicitly anyway This pull request has now been integrated. Changeset: 19f76c21 Author: Andrey Turbanov Committer: Daniel Fuchs URL: https://git.openjdk.java.net/jdk/commit/19f76c215dbe9528dde10acd744be54618ea5e4c Stats: 34 lines in 13 files changed: 0 ins; 3 del; 31 mod 8275079: Remove unnecessary conversion to String in java.net.http Reviewed-by: dfuchs ------------- PR: https://git.openjdk.java.net/jdk/pull/5795 From weijun at openjdk.java.net Tue Oct 26 17:53:32 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 26 Oct 2021 17:53:32 GMT Subject: RFR: 8231107: Allow store password to be null when saving a PKCS12 KeyStore [v2] In-Reply-To: References: Message-ID: <8L1Dv8kXUsQEOurFjZsyRMM98mnGg3NEsNU_b6Uazec=.c9f1db8c-0f37-4e87-a9b8-0efe9d026c97@github.com> > You can create a password-less PKCS12 KeyStore file now by calling `ks.store(outStream, null)` no matter what the default cert protection algorithm and Mac algorithm are defined in `java.security`. > > Note: the system properties set in `ToolsJDK.gmk` to generate `cacerts` must be retained (at the moment) because the tool is launched with BOOT_JDK. Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: test update ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5950/files - new: https://git.openjdk.java.net/jdk/pull/5950/files/7d789775..aae1b0c1 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5950&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5950&range=00-01 Stats: 6 lines in 1 file changed: 4 ins; 0 del; 2 mod Patch: https://git.openjdk.java.net/jdk/pull/5950.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5950/head:pull/5950 PR: https://git.openjdk.java.net/jdk/pull/5950 From mullan at openjdk.java.net Tue Oct 26 19:18:46 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Tue, 26 Oct 2021 19:18:46 GMT Subject: RFR: X509Certificate.get{Subject,Issuer}AlternativeNames and getExtendedKeyUsage do not throw CertificateParsingException if extension is unparseable [v2] In-Reply-To: References: Message-ID: > The JDK implementation (as supplied by the "SUN" provider) of `X509Certificate::getSubjectAlternativeNames` and `X509Certificate::getIssuerAlternativeNames` returns `null` instead of throwing a `CertificateParsingException` when the extension is unparseable. > > This fix changes the behavior to comply with the specification. > > CSR: https://bugs.openjdk.java.net/browse/JDK-8275822 Sean Mullan has updated the pull request incrementally with one additional commit since the last revision: - Modified getExtendedKeyUsage to also throw exception if extension is unparseable. - Renamed and enhanced test to check cert with badly encoded extensions. - Added comments to test describing which fields are badly encoded. ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/6106/files - new: https://git.openjdk.java.net/jdk/pull/6106/files/e380c45a..10172038 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6106&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6106&range=00-01 Stats: 210 lines in 3 files changed: 107 ins; 94 del; 9 mod Patch: https://git.openjdk.java.net/jdk/pull/6106.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/6106/head:pull/6106 PR: https://git.openjdk.java.net/jdk/pull/6106 From mullan at openjdk.java.net Tue Oct 26 19:35:42 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Tue, 26 Oct 2021 19:35:42 GMT Subject: RFR: X509Certificate.get{Subject,Issuer}AlternativeNames and getExtendedKeyUsage do not throw CertificateParsingException if extension is unparseable [v3] In-Reply-To: References: Message-ID: > The JDK implementation (as supplied by the "SUN" provider) of `X509Certificate::getSubjectAlternativeNames` and `X509Certificate::getIssuerAlternativeNames` returns `null` instead of throwing a `CertificateParsingException` when the extension is unparseable. > > This fix changes the behavior to comply with the specification. > > CSR: https://bugs.openjdk.java.net/browse/JDK-8275822 Sean Mullan has updated the pull request incrementally with one additional commit since the last revision: Fix NPE. ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/6106/files - new: https://git.openjdk.java.net/jdk/pull/6106/files/10172038..371a384d Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6106&range=02 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6106&range=01-02 Stats: 9 lines in 1 file changed: 9 ins; 0 del; 0 mod Patch: https://git.openjdk.java.net/jdk/pull/6106.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/6106/head:pull/6106 PR: https://git.openjdk.java.net/jdk/pull/6106 From weijun at openjdk.java.net Tue Oct 26 19:57:11 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 26 Oct 2021 19:57:11 GMT Subject: RFR: X509Certificate.get{Subject,Issuer}AlternativeNames and getExtendedKeyUsage do not throw CertificateParsingException if extension is unparseable [v3] In-Reply-To: References: Message-ID: <23aqcypPD1455XO_dQVZt648fqlK2r1ELk0kR5IslRk=.2861fe76-4351-4516-a15a-ba35773ccd2d@github.com> On Tue, 26 Oct 2021 19:35:42 GMT, Sean Mullan wrote: >> The JDK implementation (as supplied by the "SUN" provider) of `X509Certificate::getSubjectAlternativeNames` and `X509Certificate::getIssuerAlternativeNames` returns `null` instead of throwing a `CertificateParsingException` when the extension is unparseable. >> >> This fix changes the behavior to comply with the specification. >> >> CSR: https://bugs.openjdk.java.net/browse/JDK-8275822 > > Sean Mullan has updated the pull request incrementally with one additional commit since the last revision: > > Fix NPE. Marked as reviewed by weijun (Reviewer). ------------- PR: https://git.openjdk.java.net/jdk/pull/6106 From hchao at openjdk.java.net Tue Oct 26 22:43:36 2021 From: hchao at openjdk.java.net (Hai-May Chao) Date: Tue, 26 Oct 2021 22:43:36 GMT Subject: RFR: 8257722: Improve "keytool -printcert -jarfile" output Message-ID: This change does a few improvements to the output of `keytool -printcert -jarfile` command to help readability and diagnosis. ------------- Commit messages: - 8257722: Improve "keytool -printcert -jarfile" output Changes: https://git.openjdk.java.net/jdk/pull/6126/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6126&range=00 Issue: https://bugs.openjdk.java.net/browse/JDK-8257722 Stats: 81 lines in 3 files changed: 75 ins; 2 del; 4 mod Patch: https://git.openjdk.java.net/jdk/pull/6126.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/6126/head:pull/6126 PR: https://git.openjdk.java.net/jdk/pull/6126 From weijun at openjdk.java.net Tue Oct 26 23:30:10 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Tue, 26 Oct 2021 23:30:10 GMT Subject: RFR: 8257722: Improve "keytool -printcert -jarfile" output In-Reply-To: References: Message-ID: On Tue, 26 Oct 2021 22:37:02 GMT, Hai-May Chao wrote: > This change does a few improvements to the output of `keytool -printcert -jarfile` command to help readability and diagnosis. src/java.base/share/classes/sun/security/tools/keytool/Main.java line 2878: > 2876: out.println(); > 2877: out.println(); > 2878: out.println(rb.getString("Signature.")); Please remove a newline as well. There needn't be 3 `println()` calls. src/java.base/share/classes/sun/security/tools/keytool/Resources.java line 469: > 467: {"one.in.many", "%1$s #%2$d of %3$d"}, > 468: {"one.in.many1", "%1$s of signer #%2$d"}, > 469: {"one.in.many2", "%1$s #%2$d of %3$d of signer #%4$d"}, `certificate #1 of 2 of signer #1` is a little too complicated. The second number is not really necessary. I think `certificate #1 of signer #1` is enough. ------------- PR: https://git.openjdk.java.net/jdk/pull/6126 From duke at openjdk.java.net Wed Oct 27 12:56:41 2021 From: duke at openjdk.java.net (Larry-N) Date: Wed, 27 Oct 2021 12:56:41 GMT Subject: RFR: 8273026: Slow LoginContext.login() on multi threading application [v2] In-Reply-To: References: Message-ID: <742YBdq43C8WhbvB3wMLO-baw6u469KM2fnGEI597wY=.131523b0-e39d-4725-bb79-77d3ae9fb785@github.com> > This fix adds a cache of service provider classes to LoginContext (in particular, it's a cache of LoginModules classes). The approach helps to increase the performance of the LoginContext.login() method significantly, especially in a multi-threading environment. Service Loader is used for polling on Service Provider classes, without instantiating LoginModules object if Service Provider name doesn't match record in .config file. The set of service providers is cached for each Context Loader separately. > This code passed successfully tier1 and tier2 tests on mac os. Larry-N has updated the pull request incrementally with one additional commit since the last revision: 1. Address JCK failure 2.Address review notes ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5748/files - new: https://git.openjdk.java.net/jdk/pull/5748/files/026a41c4..0b181a3b Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5748&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5748&range=00-01 Stats: 47 lines in 3 files changed: 21 ins; 17 del; 9 mod Patch: https://git.openjdk.java.net/jdk/pull/5748.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5748/head:pull/5748 PR: https://git.openjdk.java.net/jdk/pull/5748 From duke at openjdk.java.net Wed Oct 27 13:06:54 2021 From: duke at openjdk.java.net (Larry-N) Date: Wed, 27 Oct 2021 13:06:54 GMT Subject: RFR: 8273026: Slow LoginContext.login() on multi threading application [v3] In-Reply-To: References: Message-ID: <3tZoXWAI_1yKbtZ3XL19PWb7ohSXy9xpUvJc3zg6KdY=.7de919ad-1b52-4b85-a138-2821b47ab702@github.com> > This fix adds a cache of service provider classes to LoginContext (in particular, it's a cache of LoginModules classes). The approach helps to increase the performance of the LoginContext.login() method significantly, especially in a multi-threading environment. Service Loader is used for polling on Service Provider classes, without instantiating LoginModules object if Service Provider name doesn't match record in .config file. The set of service providers is cached for each Context Loader separately. > This code passed successfully tier1 and tier2 tests on mac os. Larry-N has updated the pull request incrementally with one additional commit since the last revision: Corrected trailing whitespaces ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5748/files - new: https://git.openjdk.java.net/jdk/pull/5748/files/0b181a3b..fbe99ed7 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5748&range=02 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5748&range=01-02 Stats: 2 lines in 1 file changed: 0 ins; 0 del; 2 mod Patch: https://git.openjdk.java.net/jdk/pull/5748.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5748/head:pull/5748 PR: https://git.openjdk.java.net/jdk/pull/5748 From duke at openjdk.java.net Wed Oct 27 13:06:57 2021 From: duke at openjdk.java.net (Larry-N) Date: Wed, 27 Oct 2021 13:06:57 GMT Subject: RFR: 8273026: Slow LoginContext.login() on multi threading application [v2] In-Reply-To: <742YBdq43C8WhbvB3wMLO-baw6u469KM2fnGEI597wY=.131523b0-e39d-4725-bb79-77d3ae9fb785@github.com> References: <742YBdq43C8WhbvB3wMLO-baw6u469KM2fnGEI597wY=.131523b0-e39d-4725-bb79-77d3ae9fb785@github.com> Message-ID: On Wed, 27 Oct 2021 12:56:41 GMT, Larry-N wrote: >> This fix adds a cache of service provider classes to LoginContext (in particular, it's a cache of LoginModules classes). The approach helps to increase the performance of the LoginContext.login() method significantly, especially in a multi-threading environment. Service Loader is used for polling on Service Provider classes, without instantiating LoginModules object if Service Provider name doesn't match record in .config file. The set of service providers is cached for each Context Loader separately. >> This code passed successfully tier1 and tier2 tests on mac os. > > Larry-N has updated the pull request incrementally with one additional commit since the last revision: > > 1. Address JCK failure 2.Address review notes @wangweij With the new commit, I've moved filling ServiceProviders cache filling to login() method. And addressed your notice about correction for spi/Loader.java test. Could you please take a look when you have a chance? Thank you. ------------- PR: https://git.openjdk.java.net/jdk/pull/5748 From mullan at openjdk.java.net Wed Oct 27 13:48:27 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Wed, 27 Oct 2021 13:48:27 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v2] In-Reply-To: References: Message-ID: On Sat, 23 Oct 2021 00:40:39 GMT, Weijun Wang wrote: >> New `Subject` APIs `current()` and `callAs()` are created to be replacements of `getSubject()` and `doAs()` since the latter two methods are now deprecated for removal. >> >> In this implementation, by default, `current()` returns the same value as `getSubject(AccessController.getCurrent())` and `callAs()` is implemented based on `doAs()`. This behavior is subject to change in the future once `SecurityManager` is removed. >> >> User can experiment a possible future mechanism by setting the system property `jdk.security.auth.subject.useTL` to `true`, where the `callAs()` method stores the subject into a `ThreadLocal` object and the `current()` method returns it (Note: this mechanism does not work with principal-based permissions). >> >> Inside JDK, we?ve switched from `getSubject()` to `current()` in JGSS and user can start switching to `callAs()` in their applications. Users can also switch to `current()` but please note that if you used to call `getSubject(acc)` in a `doPrivileged` call you might need to try calling `current()` in a `doPrivilegedWithCombiner` call to see if the `AccessControlContext` inside the call inherits the subject from the outer one. > > Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: > > renames src/java.base/share/classes/javax/security/auth/Subject.java line 296: > 294: * which is equivalent to > 295: * {@code Subject.getSubject(AccessController.getContext())} > 296: * by default in this implementation. I don't think you need the words "by default". src/java.base/share/classes/javax/security/auth/Subject.java line 324: > 322: } > 323: > 324: // Store the current subject to a ThreadLocal when a system property is set. nit: "... in a ThreadLocal ..." src/java.base/share/classes/javax/security/auth/Subject.java line 357: > 355: * is set to {@code true}, it will be retrieved from an inheritable > 356: * {@code ThreadLocal} object. This behavior is subject to change in a > 357: * future version. Suggest rewording this to: "By default, this method returns the same value as {@code Subject.getSubject(AccessController.getContext())}. This preserves compatibility with code that may still be calling {@code doAs} which installs the subject in an {@code AccessControlContext}. However, if the system property {@systemProperty jdk.security.auth.subject.useTL} is set to {@code true}, the subject is retrieved from an inheritable {@code ThreadLocal} object. This implementation behavior is subject to change in a future version." src/java.base/share/classes/javax/security/auth/Subject.java line 360: > 358: *

> 359: * No matter what storage is chosen, the current subject will > 360: * always be installed by the {@link #callAs} method. I'm not really sure if this sentence is necessary. It seems like it doesn't need to be in the specification to me. The first sentence is clear enough to me: "The current subject is installed by the {@link #callAs} method." src/java.base/share/classes/javax/security/auth/Subject.java line 362: > 360: * always be installed by the {@link #callAs} method. > 361: * > 362: * @return the current subject. The return value can be Suggest to combine this into one sentence: the current subject, or {@code null} if a current subject is not installed or the current subject is set to {@code null}." src/java.base/share/classes/javax/security/auth/Subject.java line 381: > 379: * @implNote > 380: * By default, this method calls {@link #doAs(Subject, PrivilegedExceptionAction) > 381: * Subject.doAs(subject, altAction)} to store the subject into s/to store/which stores/ s/into/in/ src/java.base/share/classes/javax/security/auth/Subject.java line 386: > 384: * modified to match the specification of this method. > 385: * If the system property {@code jdk.security.auth.subject.useTL} > 386: * is set to {@code true}, it will be stored in an inheritable s/it/the subject/ src/java.base/share/classes/javax/security/auth/Subject.java line 387: > 385: * If the system property {@code jdk.security.auth.subject.useTL} > 386: * is set to {@code true}, it will be stored in an inheritable > 387: * {@code ThreadLocal} object. The behavior is subject to change in a s/The/This/ src/java.base/share/classes/javax/security/auth/Subject.java line 391: > 389: *

> 390: * No matter what storage is chosen, the current subject will > 391: * always be retrievable by the {@link #current} method. Same comment as above. src/java.base/share/classes/javax/security/auth/Subject.java line 394: > 392: * > 393: * @param subject the intended current subject for {@code action}. > 394: * Can be {@code null}. Is it necessary to allow `null` in the new `callAs` method? Is there a use case where this is useful? I know the `doAs` methods allowed it, but it looks like they simply call `AccessController.doPrivileged` in that case w/o a subject. Seems it would be simpler to not allow it and throw an NPE. src/java.base/share/classes/javax/security/auth/Subject.java line 400: > 398: * of {@code action} > 399: * @return the value returned by the {@code call} method of {@code action} > 400: * @throws NullPointerException if the {@code Callable} is {@code null}. s/if the {@code Callable}/if {@code action}/ remove '.' src/java.base/share/classes/javax/security/auth/Subject.java line 403: > 401: * @throws CompletionException if {@code action.call()} throws an > 402: * exception, which will be the cause of this > 403: * {@code CompletionException}. Suggest to break this into two sentences: "if {@code action.call()} throws an exception. The cause of the {@code CompletionException} is set to the exception thrown by {@code action.call()}." test/jdk/javax/security/auth/Subject/CurrentSubject.java line 63: > 61: > 62: /** > 63: * Ensure the current subject is the expected Subject objet. typo: objet -> object ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From mullan at openjdk.java.net Wed Oct 27 13:52:18 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Wed, 27 Oct 2021 13:52:18 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v2] In-Reply-To: References: Message-ID: On Wed, 27 Oct 2021 12:45:57 GMT, Sean Mullan wrote: >> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: >> >> renames > > src/java.base/share/classes/javax/security/auth/Subject.java line 296: > >> 294: * which is equivalent to >> 295: * {@code Subject.getSubject(AccessController.getContext())} >> 296: * by default in this implementation. > > I don't think you need the words "by default". I suggest changing the last sentence to two sentences: "However, obtaining a Subject is useful independent of the Security Manager. Thus, a replacement API named {@link #current()} has been added which can be used to obtain the current subject." I don't think you need to describe the default implementation here because it is hard to explain that succinctly -- just keep that info in `current`. ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From weijun at openjdk.java.net Wed Oct 27 14:05:12 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Wed, 27 Oct 2021 14:05:12 GMT Subject: RFR: 8273026: Slow LoginContext.login() on multi threading application [v3] In-Reply-To: <3tZoXWAI_1yKbtZ3XL19PWb7ohSXy9xpUvJc3zg6KdY=.7de919ad-1b52-4b85-a138-2821b47ab702@github.com> References: <3tZoXWAI_1yKbtZ3XL19PWb7ohSXy9xpUvJc3zg6KdY=.7de919ad-1b52-4b85-a138-2821b47ab702@github.com> Message-ID: <0tu-ZLFBfiyFynBFGsqirY20ElDwVlNz2eGHfwENE3U=.4f3d6bb5-41e6-4bb0-86c2-b1601ae64d14@github.com> On Wed, 27 Oct 2021 13:06:54 GMT, Larry-N wrote: >> This fix adds a cache of service provider classes to LoginContext (in particular, it's a cache of LoginModules classes). The approach helps to increase the performance of the LoginContext.login() method significantly, especially in a multi-threading environment. Service Loader is used for polling on Service Provider classes, without instantiating LoginModules object if Service Provider name doesn't match record in .config file. The set of service providers is cached for each Context Loader separately. >> This code passed successfully tier1 and tier2 tests on mac os. > > Larry-N has updated the pull request incrementally with one additional commit since the last revision: > > Corrected trailing whitespaces Source code change looks mostly fine to me. I'm running some tests now. Will get back once they finish. As for the test, IMO, it was meant to show that `SecondLoginModule` is still needed even if it's not in the JAAS login config file. Your updated test only prove it's not really instantiated. How about this: Change the test directives to * @build FirstLoginModule * @run main/othervm/fail Loader * @build SecondLoginModule * @run main/othervm Loader so that the login succeeds only after there exists a `SecondLoginModule`. All those `isLoaded` flags should be removed so their enclosing classes are not compiled automatically. src/java.base/share/classes/javax/security/auth/login/LoginContext.java line 229: > 227: private static final sun.security.util.Debug debug = > 228: sun.security.util.Debug.getInstance("logincontext", "\t[LoginContext]"); > 229: private static final WeakHashMap>> cacheServiceProviders = new WeakHashMap<>(); This line can be a little shorter. There are some other lines below which is also quite long. The original limit was 80 chars but please be at most 90. src/java.base/share/classes/javax/security/auth/login/LoginContext.java line 704: > 702: lmProviders = cacheServiceProviders.get(contextClassLoader); > 703: if (lmProviders == null){ > 704: if (debug != null) Please enclose the following line in a pair of braces. src/java.base/share/classes/javax/security/auth/login/LoginContext.java line 717: > 715: } > 716: cacheServiceProviders.put(contextClassLoader,lmProviders); > 717: } Is it necessary the lines below still be inside the synchronized block? src/java.base/share/classes/javax/security/auth/login/LoginContext.java line 723: > 721: if (debug != null) { > 722: debug.println(name + " loaded as a service"); > 723: } Please de-indent the if block above. ------------- PR: https://git.openjdk.java.net/jdk/pull/5748 From weijun at openjdk.java.net Wed Oct 27 14:28:18 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Wed, 27 Oct 2021 14:28:18 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v2] In-Reply-To: References: <4yomLmh_dnLfLEjGEKMd8dkdhmyYOCrAIrxrJk7LNCg=.4bb1d786-d986-445c-be56-c2455d5a46d0@github.com> Message-ID: On Mon, 25 Oct 2021 19:52:06 GMT, Bernd wrote: >> Sure, I can. I was testing the default value to "false" at some time and found `"true".equals` and `!"false".equals` symmetric and good-looking. :-) > > It probably doesn?t matter to have the Logic centralized, just looked a bit hardcoded (who knows if yes/no/1/0 is wanted as well ,). OK, switch to GetBooleanAction. >> I said "After {@code action} is finished, the current subject is reset to its previous value". Is that what you meant? > > My question was more along the line of Post-Security-manager. Will you always be able to call Subject.doAs - especially with null? And if this can already be speced if it might be rejected or not? (the ?after finished? is well documented) Before the method is removed (It's deprecated from removal), you should always be able to call it with whatever subject including null. If there's no more AccessControlContext we might even have to implement it with callAs. ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From weijun at openjdk.java.net Wed Oct 27 14:40:17 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Wed, 27 Oct 2021 14:40:17 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v2] In-Reply-To: References: Message-ID: On Wed, 27 Oct 2021 13:49:18 GMT, Sean Mullan wrote: >> src/java.base/share/classes/javax/security/auth/Subject.java line 296: >> >>> 294: * which is equivalent to >>> 295: * {@code Subject.getSubject(AccessController.getContext())} >>> 296: * by default in this implementation. >> >> I don't think you need the words "by default". > > I suggest changing the last sentence to two sentences: "However, obtaining a Subject is useful independent of the Security Manager. Thus, a replacement API named {@link #current()} has been added which can be used to obtain the current subject." > > I don't think you need to describe the default implementation here because it is hard to explain that succinctly -- just keep that info in `current`. OK. ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From weijun at openjdk.java.net Wed Oct 27 14:40:19 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Wed, 27 Oct 2021 14:40:19 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v2] In-Reply-To: References: Message-ID: On Wed, 27 Oct 2021 12:46:57 GMT, Sean Mullan wrote: >> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: >> >> renames > > src/java.base/share/classes/javax/security/auth/Subject.java line 324: > >> 322: } >> 323: >> 324: // Store the current subject to a ThreadLocal when a system property is set. > > nit: "... in a ThreadLocal ..." Oops. > src/java.base/share/classes/javax/security/auth/Subject.java line 360: > >> 358: *

>> 359: * No matter what storage is chosen, the current subject will >> 360: * always be installed by the {@link #callAs} method. > > I'm not really sure if this sentence is necessary. It seems like it doesn't need to be in the specification to me. The first sentence is clear enough to me: "The current subject is installed by the {@link #callAs} method." Removed. > src/java.base/share/classes/javax/security/auth/Subject.java line 362: > >> 360: * always be installed by the {@link #callAs} method. >> 361: * >> 362: * @return the current subject. The return value can be > > Suggest to combine this into one sentence: the current subject, or {@code null} if a current subject is not installed or the current subject is set to {@code null}." OK. > src/java.base/share/classes/javax/security/auth/Subject.java line 394: > >> 392: * >> 393: * @param subject the intended current subject for {@code action}. >> 394: * Can be {@code null}. > > Is it necessary to allow `null` in the new `callAs` method? Is there a use case where this is useful? I know the `doAs` methods allowed it, but it looks like they simply call `AccessController.doPrivileged` in that case w/o a subject. Seems it would be simpler to not allow it and throw an NPE. Maybe in a nested call that wants to clear out the existing subject temporarily? It could be useful. ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From weijun at openjdk.java.net Wed Oct 27 14:40:20 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Wed, 27 Oct 2021 14:40:20 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v2] In-Reply-To: References: Message-ID: On Mon, 25 Oct 2021 20:02:14 GMT, Bernd wrote: >> Oh, it's needed. Otherwise the `AccessController.getContext()` call (which is inside `current()`) will also be called in a clean privileged context and there is no subject associated with it. >> >> On the other hand, it still needs to in some sort of doPriv. I don't want to ignore `AuthPermission("getSubject")`. > > Hm yes i see why ?withacombiner? would be needed, just not sure why doPriveledged() is needed (especially since current() does it as well). But I admit i don?t see through that part, so ignore me if I don?t make sense. Application code calling `Krb5Context::initSecContext` does not require a `AuthPermission("getSubject")` because `getSubject` was called in a doPriv. After switching to `current`, it still does not require this permission if we call the new method in a doPrivWithCombiner. ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From weijun at openjdk.java.net Wed Oct 27 14:52:47 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Wed, 27 Oct 2021 14:52:47 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v3] In-Reply-To: References: Message-ID: <6GbQghQwwhfQdWUSFn4f30zba8UMd2M4B6Wi33T8T-k=.ce9723a6-b017-465e-b954-cc9555328e10@github.com> > New `Subject` APIs `current()` and `callAs()` are created to be replacements of `getSubject()` and `doAs()` since the latter two methods are now deprecated for removal. > > In this implementation, by default, `current()` returns the same value as `getSubject(AccessController.getCurrent())` and `callAs()` is implemented based on `doAs()`. This behavior is subject to change in the future once `SecurityManager` is removed. > > User can experiment a possible future mechanism by setting the system property `jdk.security.auth.subject.useTL` to `true`, where the `callAs()` method stores the subject into a `ThreadLocal` object and the `current()` method returns it (Note: this mechanism does not work with principal-based permissions). > > Inside JDK, we?ve switched from `getSubject()` to `current()` in JGSS and user can start switching to `callAs()` in their applications. Users can also switch to `current()` but please note that if you used to call `getSubject(acc)` in a `doPrivileged` call you might need to try calling `current()` in a `doPrivilegedWithCombiner` call to see if the `AccessControlContext` inside the call inherits the subject from the outer one. Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: address comments from Sean and Bernd ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5024/files - new: https://git.openjdk.java.net/jdk/pull/5024/files/2f862e02..a29c8d93 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5024&range=02 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5024&range=01-02 Stats: 39 lines in 5 files changed: 0 ins; 11 del; 28 mod Patch: https://git.openjdk.java.net/jdk/pull/5024.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5024/head:pull/5024 PR: https://git.openjdk.java.net/jdk/pull/5024 From weijun at openjdk.java.net Wed Oct 27 14:52:51 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Wed, 27 Oct 2021 14:52:51 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v2] In-Reply-To: References: Message-ID: <130pM_koAhwW6pFyVYzSTMNLItLVziZ-4ZxyxdxcbUQ=.dfc6042d-9fc8-4332-a823-554bf13395d9@github.com> On Sat, 23 Oct 2021 00:40:39 GMT, Weijun Wang wrote: >> New `Subject` APIs `current()` and `callAs()` are created to be replacements of `getSubject()` and `doAs()` since the latter two methods are now deprecated for removal. >> >> In this implementation, by default, `current()` returns the same value as `getSubject(AccessController.getCurrent())` and `callAs()` is implemented based on `doAs()`. This behavior is subject to change in the future once `SecurityManager` is removed. >> >> User can experiment a possible future mechanism by setting the system property `jdk.security.auth.subject.useTL` to `true`, where the `callAs()` method stores the subject into a `ThreadLocal` object and the `current()` method returns it (Note: this mechanism does not work with principal-based permissions). >> >> Inside JDK, we?ve switched from `getSubject()` to `current()` in JGSS and user can start switching to `callAs()` in their applications. Users can also switch to `current()` but please note that if you used to call `getSubject(acc)` in a `doPrivileged` call you might need to try calling `current()` in a `doPrivilegedWithCombiner` call to see if the `AccessControlContext` inside the call inherits the subject from the outer one. > > Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: > > renames New commit pushed. The only unresolved is about whether `callAs` can take a null subject. ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From duke at openjdk.java.net Wed Oct 27 16:21:20 2021 From: duke at openjdk.java.net (Andrey Turbanov) Date: Wed, 27 Oct 2021 16:21:20 GMT Subject: Integrated: 8274879: Replace uses of StringBuffer with StringBuilder within java.base classes In-Reply-To: References: Message-ID: <9BGa0d9dkCjuAJV2PJrCCMDAMGjW6WSkDGeuWSn3Xh8=.6eacd128-16e4-4d80-a9a4-310e9107f6af@github.com> On Thu, 9 Sep 2021 06:50:21 GMT, Andrey Turbanov wrote: > StringBuffer is a legacy synchronized class. There are more modern alternatives which perform better: > 1. Plain String concatenation should be preferred > 2. StringBuilder is a direct replacement to StringBuffer which generally have better performance > > In [JDK-8264029](https://bugs.openjdk.java.net/browse/JDK-8264029) I migrated only usages which were automatically detected by IDEA. It turns out there are more usages which can be migrated. This pull request has now been integrated. Changeset: 9a3e9542 Author: Andrey Turbanov Committer: Naoto Sato URL: https://git.openjdk.java.net/jdk/commit/9a3e9542997860de79d07a4411b1007e9cd5c348 Stats: 31 lines in 11 files changed: 0 ins; 0 del; 31 mod 8274879: Replace uses of StringBuffer with StringBuilder within java.base classes Reviewed-by: naoto ------------- PR: https://git.openjdk.java.net/jdk/pull/5432 From hchao at openjdk.java.net Wed Oct 27 16:32:48 2021 From: hchao at openjdk.java.net (Hai-May Chao) Date: Wed, 27 Oct 2021 16:32:48 GMT Subject: RFR: 8257722: Improve "keytool -printcert -jarfile" output [v2] In-Reply-To: References: Message-ID: > This change does a few improvements to the output of `keytool -printcert -jarfile` command to help readability and diagnosis. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Updated TimestampCheck test and removed its unused methods ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/6126/files - new: https://git.openjdk.java.net/jdk/pull/6126/files/ba4bb4b7..02f723d5 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6126&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6126&range=00-01 Stats: 46 lines in 1 file changed: 0 ins; 45 del; 1 mod Patch: https://git.openjdk.java.net/jdk/pull/6126.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/6126/head:pull/6126 PR: https://git.openjdk.java.net/jdk/pull/6126 From weijun at openjdk.java.net Wed Oct 27 16:47:12 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Wed, 27 Oct 2021 16:47:12 GMT Subject: RFR: 8257722: Improve "keytool -printcert -jarfile" output [v2] In-Reply-To: References: Message-ID: On Wed, 27 Oct 2021 16:32:48 GMT, Hai-May Chao wrote: >> This change does a few improvements to the output of `keytool -printcert -jarfile` command to help readability and diagnosis. > > Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: > > Updated TimestampCheck test and removed its unused methods One new comment: Now that if there is only one cert, there is no need to write `Certificate #n of m`. If there's only one signer, we also don't need to write `of signer #n`. ------------- PR: https://git.openjdk.java.net/jdk/pull/6126 From michaelm at openjdk.java.net Wed Oct 27 17:23:17 2021 From: michaelm at openjdk.java.net (Michael McMahon) Date: Wed, 27 Oct 2021 17:23:17 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v9] In-Reply-To: References: Message-ID: On Tue, 26 Oct 2021 16:24:48 GMT, Aleksei Efimov wrote: >> This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. >> >> The following API classes are added to `java.net.spi` package to facilitate this: >> - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. >> - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. >> - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. >> - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. >> >> More details in [JEP-418](https://openjdk.java.net/jeps/418). >> >> Testing: new and existing `tier1:tier3` tests > > Aleksei Efimov has updated the pull request incrementally with one additional commit since the last revision: > > Add @ throws NPE to hosts file resolver javadoc src/java.base/share/classes/java/net/InetAddress.java line 841: > 839: // 'resolver.lookupByAddress' and 'InetAddress.getAllByName0' delegate to the system-wide resolver, > 840: // which could be a custom one. At that point we treat any unexpected RuntimeException thrown by > 841: // the resolver as we would treat an UnknownHostException or an unmatched host name. indentation issue in comment above src/java.base/share/classes/java/net/InetAddress.java line 1308: > 1306: * Creates an InetAddress based on the provided host name and IP address. > 1307: * System {@linkplain InetAddressResolver resolver} is not used to check > 1308: * the validity of the address. Is this term "system resolver" defined somewhere? I think it means the configured resolver for the current VM. Previously, it really was the system resolver. So, I think it's potentially confusing, as there is also reference to the java.net.preferIPv6Addresses system property as having a possible value "system" which refers to the operating system. Since the CSR is approved, I'm happy to discuss this point post integration. ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From ascarpino at openjdk.java.net Wed Oct 27 17:55:15 2021 From: ascarpino at openjdk.java.net (Anthony Scarpino) Date: Wed, 27 Oct 2021 17:55:15 GMT Subject: Withdrawn: 8158689: java.security.KeyPair should implement Destroyable In-Reply-To: References: Message-ID: On Fri, 22 Oct 2021 23:50:38 GMT, Anthony Scarpino wrote: > Hi, > > I need a review of this change. It makes KeyPair implement Destroyable and implements the methods to call the underlying privateKey. It also sets the public and private key to 'final'. > > The bug includes a CSR and Release Notes > CSR: https://bugs.openjdk.java.net/browse/JDK-8275823 > RN: https://bugs.openjdk.java.net/browse/JDK-8275826 This pull request has been closed without being integrated. ------------- PR: https://git.openjdk.java.net/jdk/pull/6089 From duke at openjdk.java.net Wed Oct 27 18:25:40 2021 From: duke at openjdk.java.net (Andrey Turbanov) Date: Wed, 27 Oct 2021 18:25:40 GMT Subject: RFR: 8275918: Remove unused local variables in java.base security code [v2] In-Reply-To: References: Message-ID: > Cleanup unused local variables. Looks like they are leftovers after refactoring. Andrey Turbanov has updated the pull request incrementally with one additional commit since the last revision: 8275918: Remove unused local variables in java.base security code remove local variable ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/6092/files - new: https://git.openjdk.java.net/jdk/pull/6092/files/1d333bb4..3e917a27 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6092&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6092&range=00-01 Stats: 2 lines in 1 file changed: 0 ins; 1 del; 1 mod Patch: https://git.openjdk.java.net/jdk/pull/6092.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/6092/head:pull/6092 PR: https://git.openjdk.java.net/jdk/pull/6092 From duke at openjdk.java.net Wed Oct 27 18:25:44 2021 From: duke at openjdk.java.net (Andrey Turbanov) Date: Wed, 27 Oct 2021 18:25:44 GMT Subject: RFR: 8275918: Remove unused local variables in java.base security code [v2] In-Reply-To: References: Message-ID: <_9a-Ha7K4s9RmG8DEjnPpqpknFL4_aNtr6Q7C8jYsDs=.f1607ae2-f385-4395-a456-9ec53b915ec7@github.com> On Tue, 26 Oct 2021 15:18:26 GMT, Weijun Wang wrote: >> Andrey Turbanov has updated the pull request incrementally with one additional commit since the last revision: >> >> 8275918: Remove unused local variables in java.base security code >> remove local variable > > src/java.base/share/classes/sun/security/rsa/RSAPSSSignature.java line 211: > >> 209: AlgorithmParameterSpec keyParams = rsaKey.getParams(); >> 210: // validate key parameters >> 211: if (!isCompatible(keyParams, this.sigParams)) { > > Why not remove the assignment on line 209? This is more consistent with your fix this time. Ok. Removed. ------------- PR: https://git.openjdk.java.net/jdk/pull/6092 From duke at openjdk.java.net Wed Oct 27 18:43:46 2021 From: duke at openjdk.java.net (Larry-N) Date: Wed, 27 Oct 2021 18:43:46 GMT Subject: RFR: 8273026: Slow LoginContext.login() on multi threading application [v3] In-Reply-To: <3tZoXWAI_1yKbtZ3XL19PWb7ohSXy9xpUvJc3zg6KdY=.7de919ad-1b52-4b85-a138-2821b47ab702@github.com> References: <3tZoXWAI_1yKbtZ3XL19PWb7ohSXy9xpUvJc3zg6KdY=.7de919ad-1b52-4b85-a138-2821b47ab702@github.com> Message-ID: On Wed, 27 Oct 2021 13:06:54 GMT, Larry-N wrote: >> This fix adds a cache of service provider classes to LoginContext (in particular, it's a cache of LoginModules classes). The approach helps to increase the performance of the LoginContext.login() method significantly, especially in a multi-threading environment. Service Loader is used for polling on Service Provider classes, without instantiating LoginModules object if Service Provider name doesn't match record in .config file. The set of service providers is cached for each Context Loader separately. >> This code passed successfully tier1 and tier2 tests on mac os. > > Larry-N has updated the pull request incrementally with one additional commit since the last revision: > > Corrected trailing whitespaces Thanks for the review, I'll update the code according to your notices. Sorry, I didn't catch the point with the test. Why the `lc.login();` succeed if SecondLoginModule is compiled or not? > "so that the login succeeds only after there exists a SecondLoginModule" maybe you mean the test Loader.java itself? I have rolled back changes in Loader.java and FirstLoginModule.java, added directives that you proposed to Loader.java, but the test fails. ------------- PR: https://git.openjdk.java.net/jdk/pull/5748 From duke at openjdk.java.net Wed Oct 27 18:43:41 2021 From: duke at openjdk.java.net (Larry-N) Date: Wed, 27 Oct 2021 18:43:41 GMT Subject: RFR: 8273026: Slow LoginContext.login() on multi threading application [v4] In-Reply-To: References: Message-ID: > This fix adds a cache of service provider classes to LoginContext (in particular, it's a cache of LoginModules classes). The approach helps to increase the performance of the LoginContext.login() method significantly, especially in a multi-threading environment. Service Loader is used for polling on Service Provider classes, without instantiating LoginModules object if Service Provider name doesn't match record in .config file. The set of service providers is cached for each Context Loader separately. > This code passed successfully tier1 and tier2 tests on mac os. Larry-N has updated the pull request incrementally with one additional commit since the last revision: Address review notices ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5748/files - new: https://git.openjdk.java.net/jdk/pull/5748/files/fbe99ed7..c4d744a0 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5748&range=03 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5748&range=02-03 Stats: 15 lines in 1 file changed: 3 ins; 1 del; 11 mod Patch: https://git.openjdk.java.net/jdk/pull/5748.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5748/head:pull/5748 PR: https://git.openjdk.java.net/jdk/pull/5748 From duke at openjdk.java.net Wed Oct 27 18:49:26 2021 From: duke at openjdk.java.net (Andrey Turbanov) Date: Wed, 27 Oct 2021 18:49:26 GMT Subject: RFR: 8275918: Remove unused local variables in java.base security code [v3] In-Reply-To: References: Message-ID: > Cleanup unused local variables. Looks like they are leftovers after refactoring. Andrey Turbanov has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains three commits: - Merge remote-tracking branch 'origin/master' into remove_unused_local_variables_java.base_security # Conflicts: # src/java.base/share/classes/sun/security/rsa/RSAPSSSignature.java - 8275918: Remove unused local variables in java.base security code remove local variable - [PATCH] Remove unused local variables in java.base security code ------------- Changes: https://git.openjdk.java.net/jdk/pull/6092/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6092&range=02 Stats: 31 lines in 13 files changed: 0 ins; 17 del; 14 mod Patch: https://git.openjdk.java.net/jdk/pull/6092.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/6092/head:pull/6092 PR: https://git.openjdk.java.net/jdk/pull/6092 From mullan at openjdk.java.net Wed Oct 27 19:32:08 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Wed, 27 Oct 2021 19:32:08 GMT Subject: RFR: 8225181: KeyStore should have a getAttributes method In-Reply-To: References: Message-ID: On Tue, 26 Oct 2021 15:42:02 GMT, Weijun Wang wrote: >> src/java.base/share/classes/java/security/KeyStoreSpi.java line 457: >> >>> 455: */ >>> 456: public Set engineGetAttributes(String alias) { >>> 457: return Collections.emptySet(); >> >> Would `Set.of()` be better here? > > Both returns an internal constant object and I think they are similar. I was copying the default implementation of `Entry::getAttributes`. Ok. ------------- PR: https://git.openjdk.java.net/jdk/pull/6026 From weijun at openjdk.java.net Wed Oct 27 19:39:33 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Wed, 27 Oct 2021 19:39:33 GMT Subject: RFR: 8231107: Allow store password to be null when saving a PKCS12 KeyStore [v3] In-Reply-To: References: Message-ID: > You can create a password-less PKCS12 KeyStore file now by calling `ks.store(outStream, null)` no matter what the default cert protection algorithm and Mac algorithm are defined in `java.security`. > > Note: the system properties set in `ToolsJDK.gmk` to generate `cacerts` must be retained (at the moment) because the tool is launched with BOOT_JDK. Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: spec change only in patch2: unchanged: ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5950/files - new: https://git.openjdk.java.net/jdk/pull/5950/files/aae1b0c1..3670f992 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5950&range=02 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5950&range=01-02 Stats: 3 lines in 1 file changed: 2 ins; 0 del; 1 mod Patch: https://git.openjdk.java.net/jdk/pull/5950.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5950/head:pull/5950 PR: https://git.openjdk.java.net/jdk/pull/5950 From mullan at openjdk.java.net Wed Oct 27 19:43:15 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Wed, 27 Oct 2021 19:43:15 GMT Subject: RFR: 8225181: KeyStore should have a getAttributes method In-Reply-To: References: Message-ID: <4dQ1KFbLDUzR1dRXv_slBDR21YYjSZmoFI2bTkzSvIQ=.27aff629-78e1-48fe-b85f-dd36b5be73b8@github.com> On Tue, 26 Oct 2021 15:35:40 GMT, Weijun Wang wrote: >> src/java.base/share/classes/java/security/KeyStore.java line 1035: >> >>> 1033: * not extractable (For example, if the attributes is encrypted >>> 1034: * in a private key entry or a secret key entry). >>> 1035: * >> >> I think this would read better if you broke it up into multiple sentences, ex: "an unmodifiable {@code Set} of attributes. The set may be empty if the given alias does not exist, or the alias does exist but there are no attributes associated with it or the attributes are not extractable (for example, the attributes may not be extractable if they are encrypted in a private key or secret key entry)." >> >> You may also want to add a sentence to try the `KeyStore$Entry::getAttributes` method if there are no attributes. >> >> Did you consider throwing a KeyStoreException if they are not extractable? It would be useful to distinguish that case from an alias that has no attributes. > > This is complicated. Theoretically a KeyStore implementation can store some attributes in clear text and some encrypted, and it's probably not possible to know if there exist any encrypted ones before actually decrypting the entry. Maybe I should say "For a PrivateKeyEntry or SecretKeyEntry, some attributes might only be available after the entry is extracted by the getEntry() method. Try calling the entry's getAttributes() method to see if there are any". Yes, a sentence like that would help. Some suggested tweaks: "For a PrivateKeyEntry or SecretKeyEntry, some attributes may be protected and not available unless the entry is first extracted by the getEntry() method." I don't think you need the last sentence. ------------- PR: https://git.openjdk.java.net/jdk/pull/6026 From weijun at openjdk.java.net Wed Oct 27 19:59:11 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Wed, 27 Oct 2021 19:59:11 GMT Subject: RFR: 8273026: Slow LoginContext.login() on multi threading application [v4] In-Reply-To: References: Message-ID: On Wed, 27 Oct 2021 18:43:41 GMT, Larry-N wrote: >> This fix adds a cache of service provider classes to LoginContext (in particular, it's a cache of LoginModules classes). The approach helps to increase the performance of the LoginContext.login() method significantly, especially in a multi-threading environment. Service Loader is used for polling on Service Provider classes, without instantiating LoginModules object if Service Provider name doesn't match record in .config file. The set of service providers is cached for each Context Loader separately. >> This code passed successfully tier1 and tier2 tests on mac os. > > Larry-N has updated the pull request incrementally with one additional commit since the last revision: > > Address review notices Have you removed the `isLoaded` flags? If they are still referenced in `Loader`, the two files will always be compiled before running the test. ------------- PR: https://git.openjdk.java.net/jdk/pull/5748 From duke at openjdk.java.net Wed Oct 27 20:08:34 2021 From: duke at openjdk.java.net (Larry-N) Date: Wed, 27 Oct 2021 20:08:34 GMT Subject: RFR: 8273026: Slow LoginContext.login() on multi threading application [v5] In-Reply-To: References: Message-ID: <72ol0eu2KxP3ZIMygieY8ZMN5heXQ7-AHX7TCj-wXSc=.84ddb8e6-56ab-4f23-a7d3-3e4281d088f7@github.com> > This fix adds a cache of service provider classes to LoginContext (in particular, it's a cache of LoginModules classes). The approach helps to increase the performance of the LoginContext.login() method significantly, especially in a multi-threading environment. Service Loader is used for polling on Service Provider classes, without instantiating LoginModules object if Service Provider name doesn't match record in .config file. The set of service providers is cached for each Context Loader separately. > This code passed successfully tier1 and tier2 tests on mac os. Larry-N has updated the pull request incrementally with one additional commit since the last revision: Trailing spaces ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5748/files - new: https://git.openjdk.java.net/jdk/pull/5748/files/c4d744a0..a6cc6151 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5748&range=04 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5748&range=03-04 Stats: 1 line in 1 file changed: 0 ins; 0 del; 1 mod Patch: https://git.openjdk.java.net/jdk/pull/5748.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5748/head:pull/5748 PR: https://git.openjdk.java.net/jdk/pull/5748 From weijun at openjdk.java.net Wed Oct 27 20:14:18 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Wed, 27 Oct 2021 20:14:18 GMT Subject: RFR: 8225181: KeyStore should have a getAttributes method In-Reply-To: <4dQ1KFbLDUzR1dRXv_slBDR21YYjSZmoFI2bTkzSvIQ=.27aff629-78e1-48fe-b85f-dd36b5be73b8@github.com> References: <4dQ1KFbLDUzR1dRXv_slBDR21YYjSZmoFI2bTkzSvIQ=.27aff629-78e1-48fe-b85f-dd36b5be73b8@github.com> Message-ID: On Wed, 27 Oct 2021 19:40:16 GMT, Sean Mullan wrote: >> This is complicated. Theoretically a KeyStore implementation can store some attributes in clear text and some encrypted, and it's probably not possible to know if there exist any encrypted ones before actually decrypting the entry. Maybe I should say "For a PrivateKeyEntry or SecretKeyEntry, some attributes might only be available after the entry is extracted by the getEntry() method. Try calling the entry's getAttributes() method to see if there are any". > > Yes, a sentence like that would help. Some suggested tweaks: "For a PrivateKeyEntry or SecretKeyEntry, some attributes may be protected and not available unless the entry is first extracted by the getEntry() method." > > I don't think you need the last sentence. I wonder if someone will interpret this as "after I've called `getEntry` on a private key, I can get the encrypted attributes through `KeyStore::getAttributes`". How about something like "and only available through the {@link KeyEntry.getAttributres} method after the entry is extracted"? ------------- PR: https://git.openjdk.java.net/jdk/pull/6026 From mullan at openjdk.java.net Thu Oct 28 13:46:20 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Thu, 28 Oct 2021 13:46:20 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v3] In-Reply-To: <6GbQghQwwhfQdWUSFn4f30zba8UMd2M4B6Wi33T8T-k=.ce9723a6-b017-465e-b954-cc9555328e10@github.com> References: <6GbQghQwwhfQdWUSFn4f30zba8UMd2M4B6Wi33T8T-k=.ce9723a6-b017-465e-b954-cc9555328e10@github.com> Message-ID: On Wed, 27 Oct 2021 14:52:47 GMT, Weijun Wang wrote: >> New `Subject` APIs `current()` and `callAs()` are created to be replacements of `getSubject()` and `doAs()` since the latter two methods are now deprecated for removal. >> >> In this implementation, by default, `current()` returns the same value as `getSubject(AccessController.getCurrent())` and `callAs()` is implemented based on `doAs()`. This behavior is subject to change in the future once `SecurityManager` is removed. >> >> User can experiment a possible future mechanism by setting the system property `jdk.security.auth.subject.useTL` to `true`, where the `callAs()` method stores the subject into a `ThreadLocal` object and the `current()` method returns it (Note: this mechanism does not work with principal-based permissions). >> >> Inside JDK, we?ve switched from `getSubject()` to `current()` in JGSS and user can start switching to `callAs()` in their applications. Users can also switch to `current()` but please note that if you used to call `getSubject(acc)` in a `doPrivileged` call you might need to try calling `current()` in a `doPrivilegedWithCombiner` call to see if the `AccessControlContext` inside the call inherits the subject from the outer one. > > Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: > > address comments from Sean and Bernd src/java.base/share/classes/javax/security/auth/Subject.java line 381: > 379: * is equivalent to {@code action.call()} and the exception thrown is > 380: * modified to match the specification of this method. > 381: * If the system property {@code jdk.security.auth.subject.useTL} I would add a similar sentence before this, like in the `current` method: "This preserves compatibility with code that may still be calling {@code getSubject(AccessControlContext)} which retrieves the subject from an {@code AccessControlContext}." src/java.base/share/classes/javax/security/auth/Subject.java line 393: > 391: * of {@code action} > 392: * @return the value returned by the {@code call} method of {@code action} > 393: * @throws NullPointerException if {@code code} is {@code null} s/code/action/ src/java.base/share/classes/javax/security/auth/Subject.java line 539: > 537: * and subject to removal in a future release. Instead, users can > 538: * call {@link #callAs} to perform the same work, which is based on > 539: * this method by default in this implementation. Same comment as above. ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From mullan at openjdk.java.net Thu Oct 28 13:46:20 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Thu, 28 Oct 2021 13:46:20 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v3] In-Reply-To: References: <4yomLmh_dnLfLEjGEKMd8dkdhmyYOCrAIrxrJk7LNCg=.4bb1d786-d986-445c-be56-c2455d5a46d0@github.com> Message-ID: On Mon, 25 Oct 2021 19:55:44 GMT, Bernd wrote: >> I just don't want to touch existing spec. Even for `doAs`, I only said "callAs is based on doAs by default" and didn't went out explaining what is NOT by default. Is that OK? > > Yes good reason not to change it. Suggest using similar wording as in `getSubject`: "However, performing work as a Subject is useful independent of the Security Manager. Thus, a replacement API named {@link #callAs()} has been added which can be used to perform the same work." ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From mullan at openjdk.java.net Thu Oct 28 13:54:16 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Thu, 28 Oct 2021 13:54:16 GMT Subject: RFR: 8225181: KeyStore should have a getAttributes method In-Reply-To: References: <4dQ1KFbLDUzR1dRXv_slBDR21YYjSZmoFI2bTkzSvIQ=.27aff629-78e1-48fe-b85f-dd36b5be73b8@github.com> Message-ID: <_An1mPxt9cv-ZN70M46vimP6zylG3bbRzdyhTx1XVkI=.f7b3bcfa-4764-457e-8a48-a977b5a62fd2@github.com> On Wed, 27 Oct 2021 20:10:57 GMT, Weijun Wang wrote: >> Yes, a sentence like that would help. Some suggested tweaks: "For a PrivateKeyEntry or SecretKeyEntry, some attributes may be protected and not available unless the entry is first extracted by the getEntry() method." >> >> I don't think you need the last sentence. > > I wonder if someone will interpret this as "after I've called `getEntry` on a private key, I can get the encrypted attributes through `KeyStore::getAttributes`". How about something like "and only available through the {@link KeyEntry.getAttributres} method after the entry is extracted"? Ok. ------------- PR: https://git.openjdk.java.net/jdk/pull/6026 From duke at openjdk.java.net Thu Oct 28 15:39:18 2021 From: duke at openjdk.java.net (Larry-N) Date: Thu, 28 Oct 2021 15:39:18 GMT Subject: RFR: 8273026: Slow LoginContext.login() on multi threading application [v5] In-Reply-To: <72ol0eu2KxP3ZIMygieY8ZMN5heXQ7-AHX7TCj-wXSc=.84ddb8e6-56ab-4f23-a7d3-3e4281d088f7@github.com> References: <72ol0eu2KxP3ZIMygieY8ZMN5heXQ7-AHX7TCj-wXSc=.84ddb8e6-56ab-4f23-a7d3-3e4281d088f7@github.com> Message-ID: On Wed, 27 Oct 2021 20:08:34 GMT, Larry-N wrote: >> This fix adds a cache of service provider classes to LoginContext (in particular, it's a cache of LoginModules classes). The approach helps to increase the performance of the LoginContext.login() method significantly, especially in a multi-threading environment. Service Loader is used for polling on Service Provider classes, without instantiating LoginModules object if Service Provider name doesn't match record in .config file. The set of service providers is cached for each Context Loader separately. >> This code passed successfully tier1 and tier2 tests on mac os. > > Larry-N has updated the pull request incrementally with one additional commit since the last revision: > > Trailing spaces Probably i do something wrong, but I've removed the isLoaded from both login modules classes, so the test looks like this: * @build FirstLoginModule * @run main/othervm/fail Loader * @build SecondLoginModule * @run main/othervm Loader */ public class Loader { public static void main(String[] args) throws Exception { System.setProperty("java.security.auth.login.config", new File(System.getProperty("test.src"), "sl.conf").toString()); LoginContext lc = new LoginContext("me"); lc.login(); } } and the jtreg says: Failed. Execution passed unexpectedly: ------------- PR: https://git.openjdk.java.net/jdk/pull/5748 From weijun at openjdk.java.net Thu Oct 28 16:05:13 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 28 Oct 2021 16:05:13 GMT Subject: RFR: 8273026: Slow LoginContext.login() on multi threading application [v5] In-Reply-To: <72ol0eu2KxP3ZIMygieY8ZMN5heXQ7-AHX7TCj-wXSc=.84ddb8e6-56ab-4f23-a7d3-3e4281d088f7@github.com> References: <72ol0eu2KxP3ZIMygieY8ZMN5heXQ7-AHX7TCj-wXSc=.84ddb8e6-56ab-4f23-a7d3-3e4281d088f7@github.com> Message-ID: On Wed, 27 Oct 2021 20:08:34 GMT, Larry-N wrote: >> This fix adds a cache of service provider classes to LoginContext (in particular, it's a cache of LoginModules classes). The approach helps to increase the performance of the LoginContext.login() method significantly, especially in a multi-threading environment. Service Loader is used for polling on Service Provider classes, without instantiating LoginModules object if Service Provider name doesn't match record in .config file. The set of service providers is cached for each Context Loader separately. >> This code passed successfully tier1 and tier2 tests on mac os. > > Larry-N has updated the pull request incrementally with one additional commit since the last revision: > > Trailing spaces On my machine, the 1st `@run` fails as expected with "java.util.ServiceConfigurationError: javax.security.auth.spi.LoginModule: Provider SecondLoginModule not found". When it passed on your machine, can you find SecondLoginModule.class in jtreg's working directory? If I stop at the first `@run` I only see Loader.class and FirstLoginModule.class. Maybe you need to clean up the working directory first? ------------- PR: https://git.openjdk.java.net/jdk/pull/5748 From hchao at openjdk.java.net Thu Oct 28 16:17:44 2021 From: hchao at openjdk.java.net (Hai-May Chao) Date: Thu, 28 Oct 2021 16:17:44 GMT Subject: RFR: 8257722: Improve "keytool -printcert -jarfile" output [v3] In-Reply-To: References: Message-ID: > This change does a few improvements to the output of `keytool -printcert -jarfile` command to help readability and diagnosis. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Update output per review comment ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/6126/files - new: https://git.openjdk.java.net/jdk/pull/6126/files/02f723d5..85b3cf46 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6126&range=02 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6126&range=01-02 Stats: 130 lines in 4 files changed: 82 ins; 23 del; 25 mod Patch: https://git.openjdk.java.net/jdk/pull/6126.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/6126/head:pull/6126 PR: https://git.openjdk.java.net/jdk/pull/6126 From hchao at openjdk.java.net Thu Oct 28 16:17:51 2021 From: hchao at openjdk.java.net (Hai-May Chao) Date: Thu, 28 Oct 2021 16:17:51 GMT Subject: RFR: 8257722: Improve "keytool -printcert -jarfile" output [v3] In-Reply-To: References: Message-ID: On Tue, 26 Oct 2021 23:23:35 GMT, Weijun Wang wrote: >> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: >> >> Update output per review comment > > src/java.base/share/classes/sun/security/tools/keytool/Main.java line 2878: > >> 2876: out.println(); >> 2877: out.println(); >> 2878: out.println(rb.getString("Signature.")); > > Please remove a newline as well. There needn't be 3 `println()` calls. Done. > src/java.base/share/classes/sun/security/tools/keytool/Resources.java line 469: > >> 467: {"one.in.many", "%1$s #%2$d of %3$d"}, >> 468: {"one.in.many1", "%1$s of signer #%2$d"}, >> 469: {"one.in.many2", "%1$s #%2$d of %3$d of signer #%4$d"}, > > `certificate #1 of 2 of signer #1` is a little too complicated. The second number is not really necessary. I think `certificate #1 of signer #1` is enough. Done. Changed the warning message. ------------- PR: https://git.openjdk.java.net/jdk/pull/6126 From weijun at openjdk.java.net Thu Oct 28 16:58:47 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 28 Oct 2021 16:58:47 GMT Subject: RFR: 8225181: KeyStore should have a getAttributes method [v2] In-Reply-To: References: Message-ID: > Add `KeyStore::getAttributes` so that one can get the attributes of an entry without retrieving the entry first. This is especially useful for a private key entry which can only be retrieved with a password. Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: clarification on protected attributes ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/6026/files - new: https://git.openjdk.java.net/jdk/pull/6026/files/86bbe87b..7238e784 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6026&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6026&range=00-01 Stats: 18 lines in 2 files changed: 13 ins; 0 del; 5 mod Patch: https://git.openjdk.java.net/jdk/pull/6026.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/6026/head:pull/6026 PR: https://git.openjdk.java.net/jdk/pull/6026 From weijun at openjdk.java.net Thu Oct 28 16:58:49 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 28 Oct 2021 16:58:49 GMT Subject: RFR: 8225181: KeyStore should have a getAttributes method [v2] In-Reply-To: <_An1mPxt9cv-ZN70M46vimP6zylG3bbRzdyhTx1XVkI=.f7b3bcfa-4764-457e-8a48-a977b5a62fd2@github.com> References: <4dQ1KFbLDUzR1dRXv_slBDR21YYjSZmoFI2bTkzSvIQ=.27aff629-78e1-48fe-b85f-dd36b5be73b8@github.com> <_An1mPxt9cv-ZN70M46vimP6zylG3bbRzdyhTx1XVkI=.f7b3bcfa-4764-457e-8a48-a977b5a62fd2@github.com> Message-ID: On Thu, 28 Oct 2021 13:51:01 GMT, Sean Mullan wrote: >> I wonder if someone will interpret this as "after I've called `getEntry` on a private key, I can get the encrypted attributes through `KeyStore::getAttributes`". How about something like "and only available through the {@link KeyEntry.getAttributres} method after the entry is extracted"? > > Ok. New commit pushed. The words are sightly different between in `KeyStore` and `KeyStoreSpi`. CSR updated as well. ------------- PR: https://git.openjdk.java.net/jdk/pull/6026 From weijun at openjdk.java.net Thu Oct 28 17:21:42 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 28 Oct 2021 17:21:42 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v4] In-Reply-To: References: Message-ID: <1Zw7noLccsCfoSTfZ_3rLgMhhLeuwPU0vSlaWVHsIuo=.7a2287ea-48c6-40fc-880d-84d529ca9aa6@github.com> > New `Subject` APIs `current()` and `callAs()` are created to be replacements of `getSubject()` and `doAs()` since the latter two methods are now deprecated for removal. > > In this implementation, by default, `current()` returns the same value as `getSubject(AccessController.getCurrent())` and `callAs()` is implemented based on `doAs()`. This behavior is subject to change in the future once `SecurityManager` is removed. > > User can experiment a possible future mechanism by setting the system property `jdk.security.auth.subject.useTL` to `true`, where the `callAs()` method stores the subject into a `ThreadLocal` object and the `current()` method returns it (Note: this mechanism does not work with principal-based permissions). > > Inside JDK, we?ve switched from `getSubject()` to `current()` in JGSS and user can start switching to `callAs()` in their applications. Users can also switch to `current()` but please note that if you used to call `getSubject(acc)` in a `doPrivileged` call you might need to try calling `current()` in a `doPrivilegedWithCombiner` call to see if the `AccessControlContext` inside the call inherits the subject from the outer one. Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: more spec tweaks ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5024/files - new: https://git.openjdk.java.net/jdk/pull/5024/files/a29c8d93..a9380c0b Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5024&range=03 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5024&range=02-03 Stats: 14 lines in 1 file changed: 4 ins; 0 del; 10 mod Patch: https://git.openjdk.java.net/jdk/pull/5024.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5024/head:pull/5024 PR: https://git.openjdk.java.net/jdk/pull/5024 From weijun at openjdk.java.net Thu Oct 28 17:25:17 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 28 Oct 2021 17:25:17 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v4] In-Reply-To: <1Zw7noLccsCfoSTfZ_3rLgMhhLeuwPU0vSlaWVHsIuo=.7a2287ea-48c6-40fc-880d-84d529ca9aa6@github.com> References: <1Zw7noLccsCfoSTfZ_3rLgMhhLeuwPU0vSlaWVHsIuo=.7a2287ea-48c6-40fc-880d-84d529ca9aa6@github.com> Message-ID: On Thu, 28 Oct 2021 17:21:42 GMT, Weijun Wang wrote: >> New `Subject` APIs `current()` and `callAs()` are created to be replacements of `getSubject()` and `doAs()` since the latter two methods are now deprecated for removal. >> >> In this implementation, by default, `current()` returns the same value as `getSubject(AccessController.getCurrent())` and `callAs()` is implemented based on `doAs()`. This behavior is subject to change in the future once `SecurityManager` is removed. >> >> User can experiment a possible future mechanism by setting the system property `jdk.security.auth.subject.useTL` to `true`, where the `callAs()` method stores the subject into a `ThreadLocal` object and the `current()` method returns it (Note: this mechanism does not work with principal-based permissions). >> >> Inside JDK, we?ve switched from `getSubject()` to `current()` in JGSS and user can start switching to `callAs()` in their applications. Users can also switch to `current()` but please note that if you used to call `getSubject(acc)` in a `doPrivileged` call you might need to try calling `current()` in a `doPrivilegedWithCombiner` call to see if the `AccessControlContext` inside the call inherits the subject from the outer one. > > Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: > > more spec tweaks New commit pushed. CSR updated as well. ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From duke at openjdk.java.net Thu Oct 28 17:34:16 2021 From: duke at openjdk.java.net (Larry-N) Date: Thu, 28 Oct 2021 17:34:16 GMT Subject: RFR: 8273026: Slow LoginContext.login() on multi threading application [v5] In-Reply-To: <72ol0eu2KxP3ZIMygieY8ZMN5heXQ7-AHX7TCj-wXSc=.84ddb8e6-56ab-4f23-a7d3-3e4281d088f7@github.com> References: <72ol0eu2KxP3ZIMygieY8ZMN5heXQ7-AHX7TCj-wXSc=.84ddb8e6-56ab-4f23-a7d3-3e4281d088f7@github.com> Message-ID: On Wed, 27 Oct 2021 20:08:34 GMT, Larry-N wrote: >> This fix adds a cache of service provider classes to LoginContext (in particular, it's a cache of LoginModules classes). The approach helps to increase the performance of the LoginContext.login() method significantly, especially in a multi-threading environment. Service Loader is used for polling on Service Provider classes, without instantiating LoginModules object if Service Provider name doesn't match record in .config file. The set of service providers is cached for each Context Loader separately. >> This code passed successfully tier1 and tier2 tests on mac os. > > Larry-N has updated the pull request incrementally with one additional commit since the last revision: > > Trailing spaces Thank you for the explanations. When I cleaned up the working directory all pass ok. ( And fails when I submitted the test a second time) ------------- PR: https://git.openjdk.java.net/jdk/pull/5748 From weijun at openjdk.java.net Thu Oct 28 17:39:17 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 28 Oct 2021 17:39:17 GMT Subject: RFR: 8257722: Improve "keytool -printcert -jarfile" output [v3] In-Reply-To: References: Message-ID: On Thu, 28 Oct 2021 16:17:44 GMT, Hai-May Chao wrote: >> This change does a few improvements to the output of `keytool -printcert -jarfile` command to help readability and diagnosis. > > Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: > > Update output per review comment src/java.base/share/classes/sun/security/tools/keytool/Main.java line 2895: > 2893: ss.add(signer); > 2894: } > 2895: } I think the `while (entries.hasMoreElements())` block should end here, so that you collect all signers of all entries before printing them out. Also, there is no need to count `CodeSigner`, you can simply get it from `ss.size()`. ------------- PR: https://git.openjdk.java.net/jdk/pull/6126 From duke at openjdk.java.net Thu Oct 28 17:45:44 2021 From: duke at openjdk.java.net (Larry-N) Date: Thu, 28 Oct 2021 17:45:44 GMT Subject: RFR: 8273026: Slow LoginContext.login() on multi threading application [v6] In-Reply-To: References: Message-ID: <0Ze5JxE4sVukq8xrfkamAz6rjpE0HH0QSdkuneB4mD4=.b1760826-9681-4cb6-9a1a-6ec6bd5ae6c4@github.com> > This fix adds a cache of service provider classes to LoginContext (in particular, it's a cache of LoginModules classes). The approach helps to increase the performance of the LoginContext.login() method significantly, especially in a multi-threading environment. Service Loader is used for polling on Service Provider classes, without instantiating LoginModules object if Service Provider name doesn't match record in .config file. The set of service providers is cached for each Context Loader separately. > This code passed successfully tier1 and tier2 tests on mac os. Larry-N has updated the pull request incrementally with one additional commit since the last revision: A Corrected the Loader.java testcase ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5748/files - new: https://git.openjdk.java.net/jdk/pull/5748/files/a6cc6151..9ab2090e Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5748&range=05 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5748&range=04-05 Stats: 25 lines in 3 files changed: 3 ins; 21 del; 1 mod Patch: https://git.openjdk.java.net/jdk/pull/5748.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5748/head:pull/5748 PR: https://git.openjdk.java.net/jdk/pull/5748 From weijun at openjdk.java.net Thu Oct 28 17:45:46 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 28 Oct 2021 17:45:46 GMT Subject: RFR: 8273026: Slow LoginContext.login() on multi threading application [v6] In-Reply-To: <0Ze5JxE4sVukq8xrfkamAz6rjpE0HH0QSdkuneB4mD4=.b1760826-9681-4cb6-9a1a-6ec6bd5ae6c4@github.com> References: <0Ze5JxE4sVukq8xrfkamAz6rjpE0HH0QSdkuneB4mD4=.b1760826-9681-4cb6-9a1a-6ec6bd5ae6c4@github.com> Message-ID: <3Qc97mO_YzU0zkElaz1pdG4i_iNcyNt7UanChGPvYXU=.185d0955-cdf2-4fb6-abb9-47107c7fa47f@github.com> On Thu, 28 Oct 2021 17:42:28 GMT, Larry-N wrote: >> This fix adds a cache of service provider classes to LoginContext (in particular, it's a cache of LoginModules classes). The approach helps to increase the performance of the LoginContext.login() method significantly, especially in a multi-threading environment. Service Loader is used for polling on Service Provider classes, without instantiating LoginModules object if Service Provider name doesn't match record in .config file. The set of service providers is cached for each Context Loader separately. >> This code passed successfully tier1 and tier2 tests on mac os. > > Larry-N has updated the pull request incrementally with one additional commit since the last revision: > > A Corrected the Loader.java testcase Marked as reviewed by weijun (Reviewer). ------------- PR: https://git.openjdk.java.net/jdk/pull/5748 From weijun at openjdk.java.net Thu Oct 28 17:45:49 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 28 Oct 2021 17:45:49 GMT Subject: RFR: 8273026: Slow LoginContext.login() on multi threading application [v5] In-Reply-To: References: <72ol0eu2KxP3ZIMygieY8ZMN5heXQ7-AHX7TCj-wXSc=.84ddb8e6-56ab-4f23-a7d3-3e4281d088f7@github.com> Message-ID: <1HOkre9YE0FRpUF1Icksc11TGDR71uMxFLDbmuq5vHs=.1278c9f8-e18e-46af-8ea1-df032030f3af@github.com> On Thu, 28 Oct 2021 17:31:26 GMT, Larry-N wrote: > Thank you for the explanations. When I cleaned up the working directory all pass ok. ( And fails when I submitted the test a second time) Let's hope the directory is always clean when the test is actually launched. I have no other comments. Thanks for the patience. ------------- PR: https://git.openjdk.java.net/jdk/pull/5748 From weijun at openjdk.java.net Thu Oct 28 17:48:17 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 28 Oct 2021 17:48:17 GMT Subject: RFR: 8273026: Slow LoginContext.login() on multi threading application [v5] In-Reply-To: <72ol0eu2KxP3ZIMygieY8ZMN5heXQ7-AHX7TCj-wXSc=.84ddb8e6-56ab-4f23-a7d3-3e4281d088f7@github.com> References: <72ol0eu2KxP3ZIMygieY8ZMN5heXQ7-AHX7TCj-wXSc=.84ddb8e6-56ab-4f23-a7d3-3e4281d088f7@github.com> Message-ID: On Wed, 27 Oct 2021 20:08:34 GMT, Larry-N wrote: >> This fix adds a cache of service provider classes to LoginContext (in particular, it's a cache of LoginModules classes). The approach helps to increase the performance of the LoginContext.login() method significantly, especially in a multi-threading environment. Service Loader is used for polling on Service Provider classes, without instantiating LoginModules object if Service Provider name doesn't match record in .config file. The set of service providers is cached for each Context Loader separately. >> This code passed successfully tier1 and tier2 tests on mac os. > > Larry-N has updated the pull request incrementally with one additional commit since the last revision: > > Trailing spaces You might want to see if the "clean" action is useful here. See https://openjdk.java.net/jtreg/tag-spec.html. ------------- PR: https://git.openjdk.java.net/jdk/pull/5748 From chap at anastigmatix.net Thu Oct 28 17:48:19 2021 From: chap at anastigmatix.net (Chapman Flack) Date: Thu, 28 Oct 2021 13:48:19 -0400 Subject: Post-JEP411 request: callAs(Supplier) Re: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v4] In-Reply-To: References: <1Zw7noLccsCfoSTfZ_3rLgMhhLeuwPU0vSlaWVHsIuo=.7a2287ea-48c6-40fc-880d-84d529ca9aa6@github.com> Message-ID: <617AE263.5050306@anastigmatix.net> On 10/28/21 13:25, Weijun Wang wrote: >>> New `Subject` APIs `current()` and `callAs()` are created ... >>> where the `callAs()` method stores the subject into a `ThreadLocal` >>> object and the `current()` method returns it That approach is simple and sweet. There is a case it doesn't cover, where the Java runtime is embedded in a larger application where the identity could change during upcalls from Java into the embedding app. For those cases, it is better to be able to pass callAs a Supplier rather than a single unchanging Subject. The effect was achievable in the pre-JEP411 world by installing a suitably clever DomainCombiner, but with the current proposed replacement the ability would be lost. Naturally, it would be simple to support the callAs(Subject s) common case as well, and simply store () -> s in the ThreadLocal. Regards, -Chap From duke at openjdk.java.net Thu Oct 28 18:55:32 2021 From: duke at openjdk.java.net (Larry-N) Date: Thu, 28 Oct 2021 18:55:32 GMT Subject: RFR: 8273026: Slow LoginContext.login() on multi threading application [v7] In-Reply-To: References: Message-ID: > This fix adds a cache of service provider classes to LoginContext (in particular, it's a cache of LoginModules classes). The approach helps to increase the performance of the LoginContext.login() method significantly, especially in a multi-threading environment. Service Loader is used for polling on Service Provider classes, without instantiating LoginModules object if Service Provider name doesn't match record in .config file. The set of service providers is cached for each Context Loader separately. > This code passed successfully tier1 and tier2 tests on mac os. Larry-N has updated the pull request incrementally with one additional commit since the last revision: Address review notes ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5748/files - new: https://git.openjdk.java.net/jdk/pull/5748/files/9ab2090e..842eb370 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5748&range=06 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5748&range=05-06 Stats: 1 line in 1 file changed: 1 ins; 0 del; 0 mod Patch: https://git.openjdk.java.net/jdk/pull/5748.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5748/head:pull/5748 PR: https://git.openjdk.java.net/jdk/pull/5748 From duke at openjdk.java.net Thu Oct 28 18:55:33 2021 From: duke at openjdk.java.net (Larry-N) Date: Thu, 28 Oct 2021 18:55:33 GMT Subject: RFR: 8273026: Slow LoginContext.login() on multi threading application [v6] In-Reply-To: <0Ze5JxE4sVukq8xrfkamAz6rjpE0HH0QSdkuneB4mD4=.b1760826-9681-4cb6-9a1a-6ec6bd5ae6c4@github.com> References: <0Ze5JxE4sVukq8xrfkamAz6rjpE0HH0QSdkuneB4mD4=.b1760826-9681-4cb6-9a1a-6ec6bd5ae6c4@github.com> Message-ID: On Thu, 28 Oct 2021 17:45:44 GMT, Larry-N wrote: >> This fix adds a cache of service provider classes to LoginContext (in particular, it's a cache of LoginModules classes). The approach helps to increase the performance of the LoginContext.login() method significantly, especially in a multi-threading environment. Service Loader is used for polling on Service Provider classes, without instantiating LoginModules object if Service Provider name doesn't match record in .config file. The set of service providers is cached for each Context Loader separately. >> This code passed successfully tier1 and tier2 tests on mac os. > > Larry-N has updated the pull request incrementally with one additional commit since the last revision: > > A Corrected the Loader.java testcase Thanks, I've added `@clean` as you propose. ------------- PR: https://git.openjdk.java.net/jdk/pull/5748 From rick.hillegas at gmail.com Thu Oct 28 19:14:41 2021 From: rick.hillegas at gmail.com (Rick Hillegas) Date: Thu, 28 Oct 2021 12:14:41 -0700 Subject: previously prevented exploit now possible with JDK 18 Message-ID: <2b6ac315-5de9-aa0f-6f3a-6ea9f019773b@gmail.com> As a canary in the mineshaft, I built and tested Apache Derby with the recent build 18-ea+20-1248 of Open JDK 18. I tripped across the following issue when running Derby's regression tests. The problem is explained in more detail at https://issues.apache.org/jira/browse/DERBY-7126, where a simple repro (DERBY_7126_A) can be found. The problem is almost surely the result of work done on https://bugs.openjdk.java.net/browse/JDK-8269039 (Disable SHA-1 Signed JARs). Under previous versions of the JDK, the JVM would raise an error if you tried to load a class from a jar file which had been signed with SHA-1 but later hacked by inserting malware via "jar -uf". This was the error: ? SHA1 digest error for $corruptedJarFileName However, under JDK 18 the hacked class loads, no error is raised, and the malware can now be executed. I was surprised that a previously prevented exploit now works. I think it would be better if the JVM still refused to load the hacked class even though SHA-1 has been deprecated. Thanks, -Rick From weijun at openjdk.java.net Thu Oct 28 19:28:16 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 28 Oct 2021 19:28:16 GMT Subject: RFR: 8273026: Slow LoginContext.login() on multi threading application [v7] In-Reply-To: References: Message-ID: On Thu, 28 Oct 2021 18:55:32 GMT, Larry-N wrote: >> This fix adds a cache of service provider classes to LoginContext (in particular, it's a cache of LoginModules classes). The approach helps to increase the performance of the LoginContext.login() method significantly, especially in a multi-threading environment. Service Loader is used for polling on Service Provider classes, without instantiating LoginModules object if Service Provider name doesn't match record in .config file. The set of service providers is cached for each Context Loader separately. >> This code passed successfully tier1 and tier2 tests on mac os. > > Larry-N has updated the pull request incrementally with one additional commit since the last revision: > > Address review notes Marked as reviewed by weijun (Reviewer). ------------- PR: https://git.openjdk.java.net/jdk/pull/5748 From weijun at openjdk.java.net Thu Oct 28 19:38:13 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 28 Oct 2021 19:38:13 GMT Subject: RFR: 8267108: Alternate Subject.getSubject and doAs APIs that do not depend on Security Manager APIs [v4] In-Reply-To: <1Zw7noLccsCfoSTfZ_3rLgMhhLeuwPU0vSlaWVHsIuo=.7a2287ea-48c6-40fc-880d-84d529ca9aa6@github.com> References: <1Zw7noLccsCfoSTfZ_3rLgMhhLeuwPU0vSlaWVHsIuo=.7a2287ea-48c6-40fc-880d-84d529ca9aa6@github.com> Message-ID: <1Crl5KbvRl-JoKbc0ZhJ6-QPgHhLj3E9KQEVYVmWOMc=.d4899d9f-dbda-413d-91ea-c9819c824831@github.com> On Thu, 28 Oct 2021 17:21:42 GMT, Weijun Wang wrote: >> New `Subject` APIs `current()` and `callAs()` are created to be replacements of `getSubject()` and `doAs()` since the latter two methods are now deprecated for removal. >> >> In this implementation, by default, `current()` returns the same value as `getSubject(AccessController.getCurrent())` and `callAs()` is implemented based on `doAs()`. This behavior is subject to change in the future once `SecurityManager` is removed. >> >> User can experiment a possible future mechanism by setting the system property `jdk.security.auth.subject.useTL` to `true`, where the `callAs()` method stores the subject into a `ThreadLocal` object and the `current()` method returns it (Note: this mechanism does not work with principal-based permissions). >> >> Inside JDK, we?ve switched from `getSubject()` to `current()` in JGSS and user can start switching to `callAs()` in their applications. Users can also switch to `current()` but please note that if you used to call `getSubject(acc)` in a `doPrivileged` call you might need to try calling `current()` in a `doPrivilegedWithCombiner` call to see if the `AccessControlContext` inside the call inherits the subject from the outer one. > > Weijun Wang has updated the pull request incrementally with one additional commit since the last revision: > > more spec tweaks Hi, Chap. Thanks for the comment. Is it possible you run `callAs` with a "higher level" subject that contains a link to another more dynamic subject? For example, just make your `Supplier` a public credential inside. ------------- PR: https://git.openjdk.java.net/jdk/pull/5024 From hchao at openjdk.java.net Thu Oct 28 21:13:40 2021 From: hchao at openjdk.java.net (Hai-May Chao) Date: Thu, 28 Oct 2021 21:13:40 GMT Subject: RFR: 8257722: Improve "keytool -printcert -jarfile" output [v4] In-Reply-To: References: Message-ID: > This change does a few improvements to the output of `keytool -printcert -jarfile` command to help readability and diagnosis. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Update while block code ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/6126/files - new: https://git.openjdk.java.net/jdk/pull/6126/files/85b3cf46..1b5840b8 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6126&range=03 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6126&range=02-03 Stats: 82 lines in 1 file changed: 33 ins; 38 del; 11 mod Patch: https://git.openjdk.java.net/jdk/pull/6126.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/6126/head:pull/6126 PR: https://git.openjdk.java.net/jdk/pull/6126 From hchao at openjdk.java.net Thu Oct 28 21:13:44 2021 From: hchao at openjdk.java.net (Hai-May Chao) Date: Thu, 28 Oct 2021 21:13:44 GMT Subject: RFR: 8257722: Improve "keytool -printcert -jarfile" output [v3] In-Reply-To: References: Message-ID: On Thu, 28 Oct 2021 17:34:46 GMT, Weijun Wang wrote: >> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: >> >> Update output per review comment > > src/java.base/share/classes/sun/security/tools/keytool/Main.java line 2895: > >> 2893: ss.add(signer); >> 2894: } >> 2895: } > > I think the `while (entries.hasMoreElements())` block should end here, so that you collect all signers of all entries before printing them out. Also, there is no need to count `CodeSigner`, you can simply get it from `ss.size()`. Fixed. ------------- PR: https://git.openjdk.java.net/jdk/pull/6126 From weijun at openjdk.java.net Thu Oct 28 22:02:17 2021 From: weijun at openjdk.java.net (Weijun Wang) Date: Thu, 28 Oct 2021 22:02:17 GMT Subject: RFR: 8257722: Improve "keytool -printcert -jarfile" output [v4] In-Reply-To: References: Message-ID: <2BbotCXyLEjl8DqfIwIKILItU8cNbGpaKRr00z6ovYk=.bdca5c1e-4cd0-4d42-83c8-99a3a0d6f756@github.com> On Thu, 28 Oct 2021 21:13:40 GMT, Hai-May Chao wrote: >> This change does a few improvements to the output of `keytool -printcert -jarfile` command to help readability and diagnosis. > > Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: > > Update while block code Looks fine now. I wonder if the order of signers in the set matters. It's possible that one signer appears first in the result of `getCodeSigners()` but because `HashSet` maintains no order it becomes the second. If you are also worried about this, you can make `ss` a `LinkedHashSet`. ------------- Marked as reviewed by weijun (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/6126 From hchao at openjdk.java.net Thu Oct 28 23:01:32 2021 From: hchao at openjdk.java.net (Hai-May Chao) Date: Thu, 28 Oct 2021 23:01:32 GMT Subject: RFR: 8257722: Improve "keytool -printcert -jarfile" output [v5] In-Reply-To: References: Message-ID: > This change does a few improvements to the output of `keytool -printcert -jarfile` command to help readability and diagnosis. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Used LinkedHashSet ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/6126/files - new: https://git.openjdk.java.net/jdk/pull/6126/files/1b5840b8..a4dbd582 Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6126&range=04 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6126&range=03-04 Stats: 1 line in 1 file changed: 0 ins; 0 del; 1 mod Patch: https://git.openjdk.java.net/jdk/pull/6126.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/6126/head:pull/6126 PR: https://git.openjdk.java.net/jdk/pull/6126 From hchao at openjdk.java.net Thu Oct 28 23:01:32 2021 From: hchao at openjdk.java.net (Hai-May Chao) Date: Thu, 28 Oct 2021 23:01:32 GMT Subject: RFR: 8257722: Improve "keytool -printcert -jarfile" output [v4] In-Reply-To: References: Message-ID: On Thu, 28 Oct 2021 21:13:40 GMT, Hai-May Chao wrote: >> This change does a few improvements to the output of `keytool -printcert -jarfile` command to help readability and diagnosis. > > Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: > > Update while block code It'd be worry-free by keeping the same ordering. Changed as suggested. Thanks for the review! ------------- PR: https://git.openjdk.java.net/jdk/pull/6126 From hchao at openjdk.java.net Thu Oct 28 23:08:13 2021 From: hchao at openjdk.java.net (Hai-May Chao) Date: Thu, 28 Oct 2021 23:08:13 GMT Subject: Integrated: 8257722: Improve "keytool -printcert -jarfile" output In-Reply-To: References: Message-ID: On Tue, 26 Oct 2021 22:37:02 GMT, Hai-May Chao wrote: > This change does a few improvements to the output of `keytool -printcert -jarfile` command to help readability and diagnosis. This pull request has now been integrated. Changeset: de93b1d0 Author: Hai-May Chao URL: https://git.openjdk.java.net/jdk/commit/de93b1d0e83a9428dae4a9609996fe7b7e9b4932 Stats: 253 lines in 4 files changed: 166 ins; 84 del; 3 mod 8257722: Improve "keytool -printcert -jarfile" output Reviewed-by: weijun ------------- PR: https://git.openjdk.java.net/jdk/pull/6126 From serb at openjdk.java.net Fri Oct 29 05:47:10 2021 From: serb at openjdk.java.net (Sergey Bylokhov) Date: Fri, 29 Oct 2021 05:47:10 GMT Subject: RFR: 8273101: Eliminate the usage of threadgroup sandboxing in the java.util.logging In-Reply-To: References: Message-ID: On Wed, 1 Sep 2021 06:31:16 GMT, Sergey Bylokhov wrote: > At the time Java supported applets and webstart, a special mechanism for launching various applications in one JVM was used to reduce memory usage and each application was isolated from each other. > > This isolation was implemented via ThreadGroups where each application created its own thread group and all data for the application was stored in the context of its own group. > > Some parts of the JDK used ThreadGroups directly, others used special classes like sun.awt.AppContext. > > Such sandboxing became useless since the plugin and webstart are no longer supported and were removed in jdk11. > > Note that this is just a first step for the overall cleanup, here is my plan: > 1. Cleanup the usage of AppContext in the ?java.util.logging.LogManager" class in the java.base module. > 2. Cleanup the usage of TheadGroup in the JavaSound > 3. Cleanup the usage of TheadGroup in the JavaBeans > 4. Cleanup the usage of AppContext in the Swing > 5. Cleanup the usage of AppContext in the AWT > 6. Delete the AppContext class. > > The current PR is for the first step. So this is the request to delete the usage of AppContext in the LogManager and related tests. > > Tested by tier1/tier2/tier3 and jdk_desktop tests. Does anybody have any other suggestions? ------------- PR: https://git.openjdk.java.net/jdk/pull/5326 From duke at openjdk.java.net Fri Oct 29 11:41:15 2021 From: duke at openjdk.java.net (Larry-N) Date: Fri, 29 Oct 2021 11:41:15 GMT Subject: Integrated: 8273026: Slow LoginContext.login() on multi threading application In-Reply-To: References: Message-ID: <_gieCQIwkVflrb9sJRFBKMlymL0katqmdyO3QW9WN5g=.d35c0af8-6c10-42ef-8e07-d76ac956b779@github.com> On Wed, 29 Sep 2021 10:45:41 GMT, Larry-N wrote: > This fix adds a cache of service provider classes to LoginContext (in particular, it's a cache of LoginModules classes). The approach helps to increase the performance of the LoginContext.login() method significantly, especially in a multi-threading environment. Service Loader is used for polling on Service Provider classes, without instantiating LoginModules object if Service Provider name doesn't match record in .config file. The set of service providers is cached for each Context Loader separately. > This code passed successfully tier1 and tier2 tests on mac os. This pull request has now been integrated. Changeset: c0cda1db Author: Ilarion Nakonechnyy Committer: Weijun Wang URL: https://git.openjdk.java.net/jdk/commit/c0cda1db4fe74b86faa12136336bdf98c96758d2 Stats: 53 lines in 3 files changed: 26 ins; 17 del; 10 mod 8273026: Slow LoginContext.login() on multi threading application Reviewed-by: weijun ------------- PR: https://git.openjdk.java.net/jdk/pull/5748 From Alan.Bateman at oracle.com Fri Oct 29 11:58:29 2021 From: Alan.Bateman at oracle.com (Alan Bateman) Date: Fri, 29 Oct 2021 12:58:29 +0100 Subject: previously prevented exploit now possible with JDK 18 In-Reply-To: <2b6ac315-5de9-aa0f-6f3a-6ea9f019773b@gmail.com> References: <2b6ac315-5de9-aa0f-6f3a-6ea9f019773b@gmail.com> Message-ID: <7fefdfec-22d4-5b56-5705-8cb283eb4740@oracle.com> On 28/10/2021 20:14, Rick Hillegas wrote: > As a canary in the mineshaft, I built and tested Apache Derby with the > recent build 18-ea+20-1248 of Open JDK 18. I tripped across the > following issue when running Derby's regression tests. The problem is > explained in more detail at > https://issues.apache.org/jira/browse/DERBY-7126, where a simple repro > (DERBY_7126_A) can be found. The problem is almost surely the result > of work done on https://bugs.openjdk.java.net/browse/JDK-8269039 > (Disable SHA-1 Signed JARs). > > Under previous versions of the JDK, the JVM would raise an error if > you tried to load a class from a jar file which had been signed with > SHA-1 but later hacked by inserting malware via "jar -uf". This was > the error: > > ? SHA1 digest error for $corruptedJarFileName > > However, under JDK 18 the hacked class loads, no error is raised, and > the malware can now be executed. I was surprised that a previously > prevented exploit now works. I think it would be better if the JVM > still refused to load the hacked class even though SHA-1 has been > deprecated. As I understand it, if the JAR file was signed with SHA-1 then it is now treated as unsigned. Are you saying that unsigned JARs are trusted in the environment? -Alan From mullan at openjdk.java.net Fri Oct 29 12:46:24 2021 From: mullan at openjdk.java.net (Sean Mullan) Date: Fri, 29 Oct 2021 12:46:24 GMT Subject: Integrated: 8251468: X509Certificate.get{Subject, Issuer}AlternativeNames and getExtendedKeyUsage do not throw CertificateParsingException if extension is unparseable In-Reply-To: References: Message-ID: <15Ytiw5C1XPKhmx_fmow_DgFJaIypX5wqpXGQnHOvaM=.2842a324-578c-44a7-9854-ecd78ac1af85@github.com> On Mon, 25 Oct 2021 12:53:43 GMT, Sean Mullan wrote: > The JDK implementation (as supplied by the "SUN" provider) of `X509Certificate::getSubjectAlternativeNames` and `X509Certificate::getIssuerAlternativeNames` returns `null` instead of throwing a `CertificateParsingException` when the extension is unparseable. > > This fix changes the behavior to comply with the specification. > > CSR: https://bugs.openjdk.java.net/browse/JDK-8275822 This pull request has now been integrated. Changeset: 8cc59509 Author: Sean Mullan URL: https://git.openjdk.java.net/jdk/commit/8cc59509fe7c01c9032275798ccd1531eb8f2e9f Stats: 234 lines in 4 files changed: 182 ins; 36 del; 16 mod 8251468: X509Certificate.get{Subject,Issuer}AlternativeNames and getExtendedKeyUsage do not throw CertificateParsingException if extension is unparseable Reviewed-by: weijun ------------- PR: https://git.openjdk.java.net/jdk/pull/6106 From rick.hillegas at gmail.com Fri Oct 29 15:23:22 2021 From: rick.hillegas at gmail.com (Rick Hillegas) Date: Fri, 29 Oct 2021 08:23:22 -0700 Subject: previously prevented exploit now possible with JDK 18 In-Reply-To: <7fefdfec-22d4-5b56-5705-8cb283eb4740@oracle.com> References: <2b6ac315-5de9-aa0f-6f3a-6ea9f019773b@gmail.com> <7fefdfec-22d4-5b56-5705-8cb283eb4740@oracle.com> Message-ID: <20618e62-1f58-19c6-024e-d43ac1732fa8@gmail.com> On 10/29/21 4:58 AM, Alan Bateman wrote: > On 28/10/2021 20:14, Rick Hillegas wrote: >> As a canary in the mineshaft, I built and tested Apache Derby with >> the recent build 18-ea+20-1248 of Open JDK 18. I tripped across the >> following issue when running Derby's regression tests. The problem is >> explained in more detail at >> https://issues.apache.org/jira/browse/DERBY-7126, where a simple >> repro (DERBY_7126_A) can be found. The problem is almost surely the >> result of work done on >> https://bugs.openjdk.java.net/browse/JDK-8269039 (Disable SHA-1 >> Signed JARs). >> >> Under previous versions of the JDK, the JVM would raise an error if >> you tried to load a class from a jar file which had been signed with >> SHA-1 but later hacked by inserting malware via "jar -uf". This was >> the error: >> >> ? SHA1 digest error for $corruptedJarFileName >> >> However, under JDK 18 the hacked class loads, no error is raised, and >> the malware can now be executed. I was surprised that a previously >> prevented exploit now works. I think it would be better if the JVM >> still refused to load the hacked class even though SHA-1 has been >> deprecated. > > As I understand it, if the JAR file was signed with SHA-1 then it is > now treated as unsigned. Are you saying that unsigned JARs are trusted > in the environment? > > -Alan There are many security mechanisms in Derby. Application designers pick and choose the mechanisms they think are useful. So, yes, many applications load unsigned jars into the database. For applications which require signed jars, this poses a vulnerability which didn't exist before. At first blush, the jar appears to be signed. From aefimov at openjdk.java.net Fri Oct 29 16:17:51 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Fri, 29 Oct 2021 16:17:51 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v9] In-Reply-To: References: Message-ID: On Wed, 27 Oct 2021 16:23:29 GMT, Michael McMahon wrote: >> Aleksei Efimov has updated the pull request incrementally with one additional commit since the last revision: >> >> Add @ throws NPE to hosts file resolver javadoc > > src/java.base/share/classes/java/net/InetAddress.java line 841: > >> 839: // 'resolver.lookupByAddress' and 'InetAddress.getAllByName0' delegate to the system-wide resolver, >> 840: // which could be a custom one. At that point we treat any unexpected RuntimeException thrown by >> 841: // the resolver as we would treat an UnknownHostException or an unmatched host name. > > indentation issue in comment above Thanks - moved the comment block inside `catch` block (f660cc6ecc7a31c83de220160b9fd8d0fbacd1be) > src/java.base/share/classes/java/net/InetAddress.java line 1308: > >> 1306: * Creates an InetAddress based on the provided host name and IP address. >> 1307: * System {@linkplain InetAddressResolver resolver} is not used to check >> 1308: * the validity of the address. > > Is this term "system resolver" defined somewhere? I think it means the configured resolver for the current VM. Previously, it really was the system resolver. So, I think it's potentially confusing, as there is also reference to the java.net.preferIPv6Addresses system property as having a possible value "system" which refers to the operating system. Since the CSR is approved, I'm happy to discuss this point post integration. Thanks for highlighting that: Changed `"system"` to `"the system-wide"` - that's what was originally meant by `"system resolver"` (f660cc6ecc7a31c83de220160b9fd8d0fbacd1be). ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From aefimov at openjdk.java.net Fri Oct 29 16:17:46 2021 From: aefimov at openjdk.java.net (Aleksei Efimov) Date: Fri, 29 Oct 2021 16:17:46 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v10] In-Reply-To: References: Message-ID: > This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. > > The following API classes are added to `java.net.spi` package to facilitate this: > - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. > - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. > - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. > - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. > > More details in [JEP-418](https://openjdk.java.net/jeps/418). > > Testing: new and existing `tier1:tier3` tests Aleksei Efimov has updated the pull request incrementally with one additional commit since the last revision: Replace 'system' with 'the system-wide', move comment section ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5822/files - new: https://git.openjdk.java.net/jdk/pull/5822/files/2ca78ba9..f660cc6e Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5822&range=09 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5822&range=08-09 Stats: 8 lines in 1 file changed: 4 ins; 3 del; 1 mod Patch: https://git.openjdk.java.net/jdk/pull/5822.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5822/head:pull/5822 PR: https://git.openjdk.java.net/jdk/pull/5822 From dfuchs at openjdk.java.net Fri Oct 29 16:28:16 2021 From: dfuchs at openjdk.java.net (Daniel Fuchs) Date: Fri, 29 Oct 2021 16:28:16 GMT Subject: RFR: 8244202: Implementation of JEP 418: Internet-Address Resolution SPI [v10] In-Reply-To: References: Message-ID: On Fri, 29 Oct 2021 16:17:46 GMT, Aleksei Efimov wrote: >> This change implements a new service provider interface for host name and address resolution, so that java.net.InetAddress API can make use of resolvers other than the platform's built-in resolver. >> >> The following API classes are added to `java.net.spi` package to facilitate this: >> - `InetAddressResolverProvider` - abstract class defining a service, and is, essentially, a factory for `InetAddressResolver` resolvers. >> - `InetAddressResolverProvider.Configuration ` - an interface describing the platform's built-in configuration for resolution operations that could be used to bootstrap a resolver construction, or to implement partial delegation of lookup operations. >> - `InetAddressResolver` - an interface that defines methods for the fundamental forward and reverse lookup operations. >> - `InetAddressResolver.LookupPolicy` - a class whose instances describe the characteristics of one forward lookup operation. >> >> More details in [JEP-418](https://openjdk.java.net/jeps/418). >> >> Testing: new and existing `tier1:tier3` tests > > Aleksei Efimov has updated the pull request incrementally with one additional commit since the last revision: > > Replace 'system' with 'the system-wide', move comment section Marked as reviewed by dfuchs (Reviewer). ------------- PR: https://git.openjdk.java.net/jdk/pull/5822 From mchung at openjdk.java.net Fri Oct 29 16:35:23 2021 From: mchung at openjdk.java.net (Mandy Chung) Date: Fri, 29 Oct 2021 16:35:23 GMT Subject: RFR: 8273101: Eliminate the usage of threadgroup sandboxing in the java.util.logging In-Reply-To: References: Message-ID: On Wed, 1 Sep 2021 06:31:16 GMT, Sergey Bylokhov wrote: > At the time Java supported applets and webstart, a special mechanism for launching various applications in one JVM was used to reduce memory usage and each application was isolated from each other. > > This isolation was implemented via ThreadGroups where each application created its own thread group and all data for the application was stored in the context of its own group. > > Some parts of the JDK used ThreadGroups directly, others used special classes like sun.awt.AppContext. > > Such sandboxing became useless since the plugin and webstart are no longer supported and were removed in jdk11. > > Note that this is just a first step for the overall cleanup, here is my plan: > 1. Cleanup the usage of AppContext in the ?java.util.logging.LogManager" class in the java.base module. > 2. Cleanup the usage of TheadGroup in the JavaSound > 3. Cleanup the usage of TheadGroup in the JavaBeans > 4. Cleanup the usage of AppContext in the Swing > 5. Cleanup the usage of AppContext in the AWT > 6. Delete the AppContext class. > > The current PR is for the first step. So this is the request to delete the usage of AppContext in the LogManager and related tests. > > Tested by tier1/tier2/tier3 and jdk_desktop tests. The change looks okay. My suggestion is to get 1-6 all ready to push around the same time. It's okay to have separate JBS issues and PRs. ------------- PR: https://git.openjdk.java.net/jdk/pull/5326 From cverghese at openjdk.java.net Fri Oct 29 23:58:06 2021 From: cverghese at openjdk.java.net (Clive Verghese) Date: Fri, 29 Oct 2021 23:58:06 GMT Subject: RFR: 8274308: Improve efficiency for HandshakeContext initialization. [v2] In-Reply-To: References: Message-ID: > Hi, > > We have identified that the `HandshakeContext` initialization takes up a close to 50% of the flame graph for startHandshake. I have moved the computation of the `activeProtocols` and `activeCipherSuites` from the HandshakeContext constructor to SSLConfiguration class because the values used to compute the two list are available in the SSLConfiguration. > > In order to reuse this, I have initialized SSLConfiguration in the SSLSocketFactory and reused this when possible for Client Socket Constructors in the SSLSocketImpl. > > Sockets created from the SSLSocketFactory see this improvements. > > Old Benchmarks > > Benchmark Mode Cnt Score Error Units > SSLStartHandshake.handshakeBenchmark thrpt 25 0.247 ? 0.011 ops/ms > SSLStartHandshake.handshakeBenchmark avgt 25 4.210 ? 0.445 ms/op > > New Benchmarks > > SSLStartHandshake.handshakeBenchmark thrpt 25 0.257 ? 0.017 ops/ms > SSLStartHandshake.handshakeBenchmark avgt 25 3.967 ? 0.208 ms/op > > > > I have also attached the JFR profiles from before and after the change. > Before > SSLOverhead-old > > After > SSLOverhead-new > > We have been able to optimize the `TransportContext.kickstart` function by removing the `HandshakeContext.` initialization and reduce the time to start the handshake by reusing `activeProtocols` and `activeCipherSuites` > > In addition to the SSL and http tests, I have run tier-1 and tier-2 tests and ensure that they pass. > > Looking for your feedback Clive Verghese has refreshed the contents of this pull request, and previous commits have been removed. The incremental views will show differences compared to the previous content of the PR. The pull request contains three new commits since the last revision: - 8274308: Improve efficiency for HandshakeContext initialization - Add SSLEngineBenchmark - Benchmark ------------- Changes: - all: https://git.openjdk.java.net/jdk/pull/5793/files - new: https://git.openjdk.java.net/jdk/pull/5793/files/46ae42bf..baf0a90f Webrevs: - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5793&range=01 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5793&range=00-01 Stats: 882 lines in 9 files changed: 487 ins; 351 del; 44 mod Patch: https://git.openjdk.java.net/jdk/pull/5793.diff Fetch: git fetch https://git.openjdk.java.net/jdk pull/5793/head:pull/5793 PR: https://git.openjdk.java.net/jdk/pull/5793 From cverghese at openjdk.java.net Fri Oct 29 23:58:08 2021 From: cverghese at openjdk.java.net (Clive Verghese) Date: Fri, 29 Oct 2021 23:58:08 GMT Subject: RFR: 8274308: Improve efficiency for HandshakeContext initialization. In-Reply-To: References: Message-ID: On Sat, 2 Oct 2021 05:45:47 GMT, Clive Verghese wrote: > Hi, > > We have identified that the `HandshakeContext` initialization takes up a close to 50% of the flame graph for startHandshake. I have moved the computation of the `activeProtocols` and `activeCipherSuites` from the HandshakeContext constructor to SSLConfiguration class because the values used to compute the two list are available in the SSLConfiguration. > > In order to reuse this, I have initialized SSLConfiguration in the SSLSocketFactory and reused this when possible for Client Socket Constructors in the SSLSocketImpl. > > Sockets created from the SSLSocketFactory see this improvements. > > Old Benchmarks > > Benchmark Mode Cnt Score Error Units > SSLStartHandshake.handshakeBenchmark thrpt 25 0.247 ? 0.011 ops/ms > SSLStartHandshake.handshakeBenchmark avgt 25 4.210 ? 0.445 ms/op > > New Benchmarks > > SSLStartHandshake.handshakeBenchmark thrpt 25 0.257 ? 0.017 ops/ms > SSLStartHandshake.handshakeBenchmark avgt 25 3.967 ? 0.208 ms/op > > > > I have also attached the JFR profiles from before and after the change. > Before > SSLOverhead-old > > After > SSLOverhead-new > > We have been able to optimize the `TransportContext.kickstart` function by removing the `HandshakeContext.` initialization and reduce the time to start the handshake by reusing `activeProtocols` and `activeCipherSuites` > > In addition to the SSL and http tests, I have run tier-1 and tier-2 tests and ensure that they pass. > > Looking for your feedback Hi, I have update the PR with an alternate implementation. The updated benchmark results are New Benchmarks Benchmark Mode Cnt Score Error Units SSLStartHandshake.handshakeBenchmark thrpt 25 0.241 ? 0.016 ops/ms SSLStartHandshake.handshakeBenchmark avgt 25 4.010 ? 0.224 ms/op SSLEngineStartHandshake.handshakeBenchmark thrpt 25 0.642 ? 0.021 ops/ms SSLEngineStartHandshake.handshakeBenchmark avgt 25 1.552 ? 0.058 ms/op Old Benchmarks Benchmark Mode Cnt Score Error Units SSLStartHandshake.handshakeBenchmark thrpt 25 0.229 ? 0.010 ops/ms SSLStartHandshake.handshakeBenchmark avgt 25 4.375 ? 0.283 ms/op SSLEngineStartHandshake.handshakeBenchmark thrpt 25 0.621 ? 0.035 ops/ms SSLEngineStartHandshake.handshakeBenchmark avgt 25 1.830 ? 0.406 ms/op This new implementation uses a cache in the HandshakeContext class. Looking forward for you feedback. ------------- PR: https://git.openjdk.java.net/jdk/pull/5793 From xuelei at openjdk.java.net Sat Oct 30 05:02:10 2021 From: xuelei at openjdk.java.net (Xue-Lei Andrew Fan) Date: Sat, 30 Oct 2021 05:02:10 GMT Subject: RFR: 8274308: Improve efficiency for HandshakeContext initialization. [v2] In-Reply-To: References: Message-ID: On Fri, 29 Oct 2021 23:58:06 GMT, Clive Verghese wrote: >> Hi, >> >> We have identified that the `HandshakeContext` initialization takes up a close to 50% of the flame graph for startHandshake. I have moved the computation of the `activeProtocols` and `activeCipherSuites` from the HandshakeContext constructor to SSLConfiguration class because the values used to compute the two list are available in the SSLConfiguration. >> >> In order to reuse this, I have initialized SSLConfiguration in the SSLSocketFactory and reused this when possible for Client Socket Constructors in the SSLSocketImpl. >> >> Sockets created from the SSLSocketFactory see this improvements. >> >> Old Benchmarks >> >> Benchmark Mode Cnt Score Error Units >> SSLStartHandshake.handshakeBenchmark thrpt 25 0.247 ? 0.011 ops/ms >> SSLStartHandshake.handshakeBenchmark avgt 25 4.210 ? 0.445 ms/op >> >> New Benchmarks >> >> SSLStartHandshake.handshakeBenchmark thrpt 25 0.257 ? 0.017 ops/ms >> SSLStartHandshake.handshakeBenchmark avgt 25 3.967 ? 0.208 ms/op >> >> >> >> I have also attached the JFR profiles from before and after the change. >> Before >> SSLOverhead-old >> >> After >> SSLOverhead-new >> >> We have been able to optimize the `TransportContext.kickstart` function by removing the `HandshakeContext.` initialization and reduce the time to start the handshake by reusing `activeProtocols` and `activeCipherSuites` >> >> In addition to the SSL and http tests, I have run tier-1 and tier-2 tests and ensure that they pass. >> >> Looking for your feedback > > Clive Verghese has refreshed the contents of this pull request, and previous commits have been removed. The incremental views will show differences compared to the previous content of the PR. The pull request contains three new commits since the last revision: > > - 8274308: Improve efficiency for HandshakeContext initialization > - Add SSLEngineBenchmark > - Benchmark src/java.base/share/classes/sun/security/ssl/HandshakeContext.java line 74: > 72: "sun.security.ssl.allowLegacyHelloMessages", true); > 73: > 74: static Cache handshakeContextCache; I think I understand the motivation, but a mutable cache in handshake context does not sound like the right direction. A cache could impact the performance more and occupy additional memories , because we have to synchronizing the access to the cache. Maybe, you could to benchmark the maximum operations allowed per seconds, and try to use more complex cases, and see what the result could be. I did not yet try to find an improvement yet. But at this moment, the idea to me is to thinking about the TLS user cases. It is common that applications use one instance of SSLContext and default configurations. From the SSLContext instance, with the default configuration, the connections get established. Normally, we don't recommend to set protocols and cipher suites other than the default SSLContex configuration, because it is not algorithm aglity. So, it may be a direction to have the default and final active protocols and cipher suites, parsed and cached in SSLContext. Just for your reference if you want a further improvement. ------------- PR: https://git.openjdk.java.net/jdk/pull/5793