From weijun at openjdk.java.net  Wed Dec  1 00:51:39 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Wed, 1 Dec 2021 00:51:39 GMT
Subject: Integrated: 8272162: S4U2Self ticket without forwardable flag
In-Reply-To: <IMLHoan7CoKO0DEb-lW3Tf_8gwEhXUYi7JKxui7fDVM=.1fd3ecb7-ffa5-49eb-a5d3-19289e4e54a0@github.com>
References: <IMLHoan7CoKO0DEb-lW3Tf_8gwEhXUYi7JKxui7fDVM=.1fd3ecb7-ffa5-49eb-a5d3-19289e4e54a0@github.com>
Message-ID: <GfFNtL-1GIZBTHVUw3oNMROMC8ANt-X_apPwvouHh3g=.fefc57f1-a4b0-4e2e-a2f4-8b83310288f4@github.com>

On Fri, 22 Oct 2021 16:31:02 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> The S4U2proxy extension requires that the service ticket to the first service has the forwardable flag set, but some versions of Windows Server do not set the forwardable flag in a S4U2self response and accept it in a S4U2proxy request.
> 
> There are 2 commits now. The 1st is a refactoring that sends more info into the methods (Ex: `KdcComm::send(byte[])` -> `KdcComm::send(KrbKdcReq)`, and `Ticket` -> `Credentials` in multiple places) so that inside `KdcComm::send` there is enough info to decide how to deal with various errors. The 2nd is the actual fix to this issue, i.e. ignore the flag and retry another KDC.

This pull request has now been integrated.

Changeset: ab867f6c
Author:    Weijun Wang <weijun at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/ab867f6c7c578ae7e65af2989b6836d523a41c5a
Stats:     413 lines in 17 files changed: 218 ins; 38 del; 157 mod

8272162: S4U2Self ticket without forwardable flag

Reviewed-by: valeriep

-------------

PR: https://git.openjdk.java.net/jdk/pull/6082

From weijun at openjdk.java.net  Wed Dec  1 01:01:31 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Wed, 1 Dec 2021 01:01:31 GMT
Subject: RFR: 8276660: Scalability bottleneck in
 java.security.Provider.getService() [v2]
In-Reply-To: <S6hBTzTEP_QnmVW0KiERvRgaUT3bMYFOL0x5sT4Qp_I=.1cb5cdb4-f74d-4153-b178-ec179036805d@github.com>
References: <UYZKq0NwhkPnJvIgo4bxggAjRQGO_DMJiw_r7ackWxM=.469b7fe2-1e43-432f-afaa-92da218ee3f5@github.com>
 <S6hBTzTEP_QnmVW0KiERvRgaUT3bMYFOL0x5sT4Qp_I=.1cb5cdb4-f74d-4153-b178-ec179036805d@github.com>
Message-ID: <rD0-CsOPTWpDJ6RyXDDQEehnBOjeovJmKUaIl_71NYs=.5beb45e0-7528-4eed-8185-b76cbab79c61@github.com>

On Wed, 24 Nov 2021 21:17:34 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> It is observed that when running crypto benchmark with large number of threads, a lot of time is spent on the synchronized block inside the Provider.getService() method. The cause for this is that Provider.getService() method first uses the 'serviceMap' field to find the requested service. However, when the requested service is not supported by this provider, e.g. requesting Cipher.RSA from SUN provider, the impl continues to try searching the legacy registrations whose processing is guarded by the "synchronized" keyword. When apps use getInstance() calls without the provider argument, Provider class has to iterate through existing providers trying to find one that supports the requested service.
>> 
>> Now that the parent class of Provider no longer synchronizes all of its methods, Provider class should follow suit and de-synchronize its methods. Parsing of the legacy registration is done eagerly (at the time of put(...) calls) instead of lazily (at the time of getService(...) calls). This also makes "legacyStrings" redundant as the registration is parsed and stored directly into "legacyMap". 
>> 
>> The bug reporter has confirmed that the changes resolve the performance bottleneck and all regression tests pass.
>> 
>> Please review and thanks in advance,
>> Valerie
>
> Valerie Peng has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Updated to use pattern matching with instanceof operator.

Since all legacy registration are done eagerly, I assume the original `ensureLegacyParsed()` method should be super fast now. Maybe we don't need to change any synchronized keyword.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6513

From weijun at openjdk.java.net  Wed Dec  1 01:04:34 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Wed, 1 Dec 2021 01:04:34 GMT
Subject: Integrated: 8231107: Allow store password to be null when saving a
 PKCS12 KeyStore
In-Reply-To: <eZTgZ0tmhtxv5zgNA6tSZseLrLrw-Cs0WzhfMHOtGZU=.a7e37ccb-bfb6-466f-910f-d03b77417a01@github.com>
References: <eZTgZ0tmhtxv5zgNA6tSZseLrLrw-Cs0WzhfMHOtGZU=.a7e37ccb-bfb6-466f-910f-d03b77417a01@github.com>
Message-ID: <4PWegQ4sEk9thgrQG3fmufcgBM0P_5CnRT_2K4aGyyA=.b9bfc012-42a5-477d-ac4d-a59294025088@github.com>

On Thu, 14 Oct 2021 14:43:32 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> You can create a password-less PKCS12 KeyStore file now by calling `ks.store(outStream, null)` no matter what the default cert protection algorithm and Mac algorithm are defined in `java.security`.
> 
> Note: the system properties set in `ToolsJDK.gmk` to generate `cacerts` must be retained (at the moment) because the tool is launched with BOOT_JDK.

This pull request has now been integrated.

Changeset: 7049c13c
Author:    Weijun Wang <weijun at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/7049c13cf4bf4cdfcd0c8f0fa96bf4c3748ae1e7
Stats:     70 lines in 4 files changed: 37 ins; 16 del; 17 mod

8231107: Allow store password to be null when saving a PKCS12 KeyStore

Reviewed-by: mullan

-------------

PR: https://git.openjdk.java.net/jdk/pull/5950

From weijun at openjdk.java.net  Wed Dec  1 01:15:27 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Wed, 1 Dec 2021 01:15:27 GMT
Subject: RFR: 8225181: KeyStore should have a getAttributes method [v5]
In-Reply-To: <XTW5eese0JOA1h_vEs4l6_qaza3MLxdcryK_TFs5vFA=.3eb2796e-f3e1-4b0d-898e-c6918ce2de57@github.com>
References: <XTW5eese0JOA1h_vEs4l6_qaza3MLxdcryK_TFs5vFA=.3eb2796e-f3e1-4b0d-898e-c6918ce2de57@github.com>
Message-ID: <rxiKvHZyBMJBnrb8a6_wIp2e9tkT8E_tvf52PyFlc-8=.8945f263-67b5-4b6d-8210-08e76bb55519@github.com>

> Add `KeyStore::getAttributes` so that one can get the attributes of an entry without retrieving the entry first. This is especially useful for a private key entry which can only be retrieved with a password.

Weijun Wang has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains seven additional commits since the last revision:

 - final spec change
 - Merge branch 'master' into 8225181
 - Merge branch 'master' into 8225181
 - redine spec
 - more clear and precise spec
 - clarification on protected attributes
 - 8225181: KeyStore should have a getAttributes method
   
   8225181: KeyStore should have a getAttributes method

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/6026/files
  - new: https://git.openjdk.java.net/jdk/pull/6026/files/901bdf83..702168db

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6026&range=04
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6026&range=03-04

  Stats: 929909 lines in 2271 files changed: 483097 ins; 432951 del; 13861 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6026.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6026/head:pull/6026

PR: https://git.openjdk.java.net/jdk/pull/6026

From weijun at openjdk.java.net  Wed Dec  1 01:15:28 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Wed, 1 Dec 2021 01:15:28 GMT
Subject: RFR: 8225181: KeyStore should have a getAttributes method [v4]
In-Reply-To: <pxu-nUyqjSGl4cmO_uuq-8-z3rF8bqacbUOAAHu77JQ=.24e240f1-6390-45aa-ad79-afcbca8cfa08@github.com>
References: <XTW5eese0JOA1h_vEs4l6_qaza3MLxdcryK_TFs5vFA=.3eb2796e-f3e1-4b0d-898e-c6918ce2de57@github.com>
 <pxu-nUyqjSGl4cmO_uuq-8-z3rF8bqacbUOAAHu77JQ=.24e240f1-6390-45aa-ad79-afcbca8cfa08@github.com>
Message-ID: <E5SRHgktppf50K5Zockk67aPIvFVx0QTIOIPJDRzzh4=.42ff2d3c-e101-4725-9260-95dc1b6be19a@github.com>

On Thu, 4 Nov 2021 19:34:50 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Add `KeyStore::getAttributes` so that one can get the attributes of an entry without retrieving the entry first. This is especially useful for a private key entry which can only be retrieved with a password.
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
> 
>   redine spec

New commits pushed. Except for the merge commits, the only change is method spec update to match the text in the approved CSR.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6026

From mstjohns at comcast.net  Wed Dec  1 03:01:58 2021
From: mstjohns at comcast.net (Michael StJohns)
Date: Tue, 30 Nov 2021 22:01:58 -0500
Subject: RFR: 8225181: KeyStore should have a getAttributes method [v5]
In-Reply-To: <rxiKvHZyBMJBnrb8a6_wIp2e9tkT8E_tvf52PyFlc-8=.8945f263-67b5-4b6d-8210-08e76bb55519@github.com>
References: <XTW5eese0JOA1h_vEs4l6_qaza3MLxdcryK_TFs5vFA=.3eb2796e-f3e1-4b0d-898e-c6918ce2de57@github.com>
 <rxiKvHZyBMJBnrb8a6_wIp2e9tkT8E_tvf52PyFlc-8=.8945f263-67b5-4b6d-8210-08e76bb55519@github.com>
Message-ID: <93aeca60-53e4-fe1b-67f5-8886a675e338@comcast.net>

Hi -

Generically, PKCS12 doesn't require an alias (friendlyName) for a 
particular Bag, but does permit it. Which means that 
getAttributes(String alias) could fail on a legal PKCS12.? It may be 
worthwhile to add a Set<Entry.Attribute> KeyStore::getAttributes(int 
bagNumber) method.

Mike

On 11/30/2021 8:15 PM, Weijun Wang wrote:
>> Add `KeyStore::getAttributes` so that one can get the attributes of an entry without retrieving the entry first. This is especially useful for a private key entry which can only be retrieved with a password.
> Weijun Wang has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains seven additional commits since the last revision:
>
>   - final spec change
>   - Merge branch 'master' into 8225181
>   - Merge branch 'master' into 8225181
>   - redine spec
>   - more clear and precise spec
>   - clarification on protected attributes
>   - 8225181: KeyStore should have a getAttributes method
>     
>     8225181: KeyStore should have a getAttributes method
>
> -------------
>
> Changes:
>    - all: https://git.openjdk.java.net/jdk/pull/6026/files
>    - new: https://git.openjdk.java.net/jdk/pull/6026/files/901bdf83..702168db
>
> Webrevs:
>   - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6026&range=04
>   - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6026&range=03-04
>
>    Stats: 929909 lines in 2271 files changed: 483097 ins; 432951 del; 13861 mod
>    Patch: https://git.openjdk.java.net/jdk/pull/6026.diff
>    Fetch: git fetch https://git.openjdk.java.net/jdk pull/6026/head:pull/6026
>
> PR: https://git.openjdk.java.net/jdk/pull/6026



From weijun.wang at oracle.com  Wed Dec  1 03:07:30 2021
From: weijun.wang at oracle.com (Wei-Jun Wang)
Date: Wed, 1 Dec 2021 03:07:30 +0000
Subject: RFR: 8225181: KeyStore should have a getAttributes method [v5]
In-Reply-To: <93aeca60-53e4-fe1b-67f5-8886a675e338@comcast.net>
References: <XTW5eese0JOA1h_vEs4l6_qaza3MLxdcryK_TFs5vFA=.3eb2796e-f3e1-4b0d-898e-c6918ce2de57@github.com>
 <rxiKvHZyBMJBnrb8a6_wIp2e9tkT8E_tvf52PyFlc-8=.8945f263-67b5-4b6d-8210-08e76bb55519@github.com>
 <93aeca60-53e4-fe1b-67f5-8886a675e338@comcast.net>
Message-ID: <497A535B-78B6-4A6E-A2C3-B008D8AC3530@oracle.com>

My understanding is that Java's PKCS12KeyStore will fabricate an alias string if there is no friendlyName, since every entry inside a KeyStore object must have an alias. I'll take some look tomorrow.

Thanks,
Max

> On Nov 30, 2021, at 10:01 PM, Michael StJohns <mstjohns at comcast.net> wrote:
> 
> Hi -
> 
> Generically, PKCS12 doesn't require an alias (friendlyName) for a particular Bag, but does permit it. Which means that getAttributes(String alias) could fail on a legal PKCS12.  It may be worthwhile to add a Set<Entry.Attribute> KeyStore::getAttributes(int bagNumber) method.
> 
> Mike
> 
> On 11/30/2021 8:15 PM, Weijun Wang wrote:
>>> Add `KeyStore::getAttributes` so that one can get the attributes of an entry without retrieving the entry first. This is especially useful for a private key entry which can only be retrieved with a password.
>> Weijun Wang has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains seven additional commits since the last revision:
>> 
>>  - final spec change
>>  - Merge branch 'master' into 8225181
>>  - Merge branch 'master' into 8225181
>>  - redine spec
>>  - more clear and precise spec
>>  - clarification on protected attributes
>>  - 8225181: KeyStore should have a getAttributes method
>>        8225181: KeyStore should have a getAttributes method
>> 
>> -------------
>> 
>> Changes:
>>   - all: https://git.openjdk.java.net/jdk/pull/6026/files
>>   - new: https://git.openjdk.java.net/jdk/pull/6026/files/901bdf83..702168db
>> 
>> Webrevs:
>>  - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6026&range=04
>>  - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6026&range=03-04
>> 
>>   Stats: 929909 lines in 2271 files changed: 483097 ins; 432951 del; 13861 mod
>>   Patch: https://git.openjdk.java.net/jdk/pull/6026.diff
>>   Fetch: git fetch https://git.openjdk.java.net/jdk pull/6026/head:pull/6026
>> 
>> PR: https://git.openjdk.java.net/jdk/pull/6026
> 
> 


From ssahoo at openjdk.java.net  Wed Dec  1 06:35:43 2021
From: ssahoo at openjdk.java.net (Sibabrata Sahoo)
Date: Wed, 1 Dec 2021 06:35:43 GMT
Subject: RFR: 8277353: java/security/MessageDigest/ThreadSafetyTest.java test
 times out
Message-ID: <8GdNQIf2UfVcwE94T18PpgcgQNOYlRt03WllAYdR4JE=.3987d453-4669-40ff-b3da-828b4c17d602@github.com>

This Test gets timeout during low cpu availability. It is modified to support extended timeout period during JTREG execution.

-------------

Commit messages:
 - 8277353: java/security/MessageDigest/ThreadSafetyTest.java test times out
 - 8277353: java/security/MessageDigest/ThreadSafetyTest.java test times out

Changes: https://git.openjdk.java.net/jdk/pull/6626/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6626&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8277353
  Stats: 3 lines in 1 file changed: 0 ins; 0 del; 3 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6626.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6626/head:pull/6626

PR: https://git.openjdk.java.net/jdk/pull/6626

From weijun at openjdk.java.net  Wed Dec  1 15:15:28 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Wed, 1 Dec 2021 15:15:28 GMT
Subject: RFR: 8277353: java/security/MessageDigest/ThreadSafetyTest.java
 test times out
In-Reply-To: <8GdNQIf2UfVcwE94T18PpgcgQNOYlRt03WllAYdR4JE=.3987d453-4669-40ff-b3da-828b4c17d602@github.com>
References: <8GdNQIf2UfVcwE94T18PpgcgQNOYlRt03WllAYdR4JE=.3987d453-4669-40ff-b3da-828b4c17d602@github.com>
Message-ID: <BYuqk9jVMqijyuGFZjTaBOpfyTDC-I44hkIWKXsV6X8=.03353bd4-b300-4fa4-8d4e-96689455c641@github.com>

On Wed, 1 Dec 2021 06:26:58 GMT, Sibabrata Sahoo <ssahoo at openjdk.org> wrote:

> This Test gets timeout during low cpu availability. It is modified to support extended timeout period during JTREG execution.

Can you lower the `threadsFactor` or `duration`? Or set an upper limit for `nTasks`?

-------------

PR: https://git.openjdk.java.net/jdk/pull/6626

From weijun at openjdk.java.net  Wed Dec  1 17:11:43 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Wed, 1 Dec 2021 17:11:43 GMT
Subject: RFR: 8255266: 2021-11-27 public suffix list update v 3c213aa
Message-ID: <GbvST0PI0Rj6lpXJ_mq9r4egd9bIaCMWsNHkiNIgRLM=.938936fb-6030-454a-a9a6-0cc0cba37120@github.com>

Update Public Suffix List data to the latest version at https://github.com/publicsuffix/list.

-------------

Commit messages:
 - 8255266: 2021-11-27 public suffix list update v 3c213aa

Changes: https://git.openjdk.java.net/jdk/pull/6643/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6643&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8255266
  Stats: 1254 lines in 5 files changed: 887 ins; 215 del; 152 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6643.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6643/head:pull/6643

PR: https://git.openjdk.java.net/jdk/pull/6643

From weijun at openjdk.java.net  Wed Dec  1 17:38:37 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Wed, 1 Dec 2021 17:38:37 GMT
Subject: RFR: 8275082: Update XML Security for Java to 2.3.0
Message-ID: <XW6h4qlQMRSzf5986jJx0VKkRMO44bHUapS_aT05y10=.55ce49cc-d54c-448b-b29a-2ed3135b7516@github.com>

Import Apache Santuario 2.3.0 without the secure validation changes since in OpenJDK we are using the `jdk.xml.dsig.secureValidationPolicy` security property for XML Signature secure validation protection.

Two commits are pushed:

- 2.3.0: Import 2.3.0 code changes
- revert: revert the Santuario secure validation changes

-------------

Commit messages:
 - revert
 - 2.3.0

Changes: https://git.openjdk.java.net/jdk/pull/6644/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6644&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8275082
  Stats: 406 lines in 32 files changed: 54 ins; 267 del; 85 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6644.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6644/head:pull/6644

PR: https://git.openjdk.java.net/jdk/pull/6644

From valeriep at openjdk.java.net  Wed Dec  1 18:10:00 2021
From: valeriep at openjdk.java.net (Valerie Peng)
Date: Wed, 1 Dec 2021 18:10:00 GMT
Subject: RFR: 8276660: Scalability bottleneck in
 java.security.Provider.getService() [v3]
In-Reply-To: <UYZKq0NwhkPnJvIgo4bxggAjRQGO_DMJiw_r7ackWxM=.469b7fe2-1e43-432f-afaa-92da218ee3f5@github.com>
References: <UYZKq0NwhkPnJvIgo4bxggAjRQGO_DMJiw_r7ackWxM=.469b7fe2-1e43-432f-afaa-92da218ee3f5@github.com>
Message-ID: <9B6vK6bURls5Vfk5WRbQBUDuJJwjV9ij9njZT2SuN_I=.45a72e57-62cb-41a6-8da9-8dc5bd092851@github.com>

> It is observed that when running crypto benchmark with large number of threads, a lot of time is spent on the synchronized block inside the Provider.getService() method. The cause for this is that Provider.getService() method first uses the 'serviceMap' field to find the requested service. However, when the requested service is not supported by this provider, e.g. requesting Cipher.RSA from SUN provider, the impl continues to try searching the legacy registrations whose processing is guarded by the "synchronized" keyword. When apps use getInstance() calls without the provider argument, Provider class has to iterate through existing providers trying to find one that supports the requested service.
> 
> Now that the parent class of Provider no longer synchronizes all of its methods, Provider class should follow suit and de-synchronize its methods. Parsing of the legacy registration is done eagerly (at the time of put(...) calls) instead of lazily (at the time of getService(...) calls). This also makes "legacyStrings" redundant as the registration is parsed and stored directly into "legacyMap". 
> 
> The bug reporter has confirmed that the changes resolve the performance bottleneck and all regression tests pass.
> 
> Please review and thanks in advance,
> Valerie

Valerie Peng has updated the pull request incrementally with one additional commit since the last revision:

  Update for address review comments

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/6513/files
  - new: https://git.openjdk.java.net/jdk/pull/6513/files/37dc1d9f..178161d6

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6513&range=02
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6513&range=01-02

  Stats: 24 lines in 1 file changed: 5 ins; 5 del; 14 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6513.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6513/head:pull/6513

PR: https://git.openjdk.java.net/jdk/pull/6513

From bchristi at openjdk.java.net  Wed Dec  1 18:21:04 2021
From: bchristi at openjdk.java.net (Brent Christian)
Date: Wed, 1 Dec 2021 18:21:04 GMT
Subject: RFR: JDK-8276447 Deprecate finalization-related methods for
 removal [v2]
In-Reply-To: <rkKRczPheXDb7UDIQvhCRkjavYqGgUxAjlLC1-nrS_A=.03889200-fe97-4668-b622-f92bcfdb943c@github.com>
References: <rkKRczPheXDb7UDIQvhCRkjavYqGgUxAjlLC1-nrS_A=.03889200-fe97-4668-b622-f92bcfdb943c@github.com>
Message-ID: <m-ud7vTqLEF_8-DW2uxNLYZL7U0orlenSQXjZ4wmUgw=.7872b89e-a5f2-48dd-b17f-8b263fb07024@github.com>

> Here are the code changes for the "Deprecate finalizers in the standard Java API" portion of JEP 421 ("Deprecate Finalization for Removal") for code review.
> 
> This change makes the indicated deprecations, and updates the API spec for JEP 421. It also updates the relevant @SuppressWarning annotations.
> 
> The CSR has been approved.
> An automated test build+test run passes cleanly (FWIW :D ).

Brent Christian has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains 32 commits:

 - Merge branch 'master' into 8276447
 - merge
 - @SuppressWarnings(removal) in Windows CKey.java
 - Add jls tag to runFinalization methods
 - Update wording of Object.finalize, new paragraph is now bold
 - update Object.finalize javadoc
 - update Object.finalize JavaDoc and @deprecated tag
 - Update Object.finalize deprecation message
 - Indicate that runFinalizers does nothing if finalization is disabled or removed
 - Fix @since on @Deprecated for java.lang.Enum
 - ... and 22 more: https://git.openjdk.java.net/jdk/compare/a363b7b9...e4986a48

-------------

Changes: https://git.openjdk.java.net/jdk/pull/6465/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6465&range=01
  Stats: 194 lines in 62 files changed: 54 ins; 38 del; 102 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6465.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6465/head:pull/6465

PR: https://git.openjdk.java.net/jdk/pull/6465

From bchristi at openjdk.java.net  Wed Dec  1 19:23:59 2021
From: bchristi at openjdk.java.net (Brent Christian)
Date: Wed, 1 Dec 2021 19:23:59 GMT
Subject: RFR: JDK-8276447 Deprecate finalization-related methods for
 removal [v3]
In-Reply-To: <rkKRczPheXDb7UDIQvhCRkjavYqGgUxAjlLC1-nrS_A=.03889200-fe97-4668-b622-f92bcfdb943c@github.com>
References: <rkKRczPheXDb7UDIQvhCRkjavYqGgUxAjlLC1-nrS_A=.03889200-fe97-4668-b622-f92bcfdb943c@github.com>
Message-ID: <zORovjOCVMm-8yG6qtNfIrH5ICFkC5WJzL1LKMVyOJ8=.6e92825a-9fc5-4878-9659-aa70da4ed0cc@github.com>

> Here are the code changes for the "Deprecate finalizers in the standard Java API" portion of JEP 421 ("Deprecate Finalization for Removal") for code review.
> 
> This change makes the indicated deprecations, and updates the API spec for JEP 421. It also updates the relevant @SuppressWarning annotations.
> 
> The CSR has been approved.
> An automated test build+test run passes cleanly (FWIW :D ).

Brent Christian has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains 33 commits:

 - Merge branch 'master' into 8276447
 - Merge branch 'master' into 8276447
 - merge
 - @SuppressWarnings(removal) in Windows CKey.java
 - Add jls tag to runFinalization methods
 - Update wording of Object.finalize, new paragraph is now bold
 - update Object.finalize javadoc
 - update Object.finalize JavaDoc and @deprecated tag
 - Update Object.finalize deprecation message
 - Indicate that runFinalizers does nothing if finalization is disabled or removed
 - ... and 23 more: https://git.openjdk.java.net/jdk/compare/0dfb3a70...8cde0674

-------------

Changes: https://git.openjdk.java.net/jdk/pull/6465/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6465&range=02
  Stats: 194 lines in 62 files changed: 54 ins; 38 del; 102 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6465.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6465/head:pull/6465

PR: https://git.openjdk.java.net/jdk/pull/6465

From ssahoo at openjdk.java.net  Wed Dec  1 19:32:27 2021
From: ssahoo at openjdk.java.net (Sibabrata Sahoo)
Date: Wed, 1 Dec 2021 19:32:27 GMT
Subject: RFR: 8277353: java/security/MessageDigest/ThreadSafetyTest.java
 test times out
In-Reply-To: <BYuqk9jVMqijyuGFZjTaBOpfyTDC-I44hkIWKXsV6X8=.03353bd4-b300-4fa4-8d4e-96689455c641@github.com>
References: <8GdNQIf2UfVcwE94T18PpgcgQNOYlRt03WllAYdR4JE=.3987d453-4669-40ff-b3da-828b4c17d602@github.com>
 <BYuqk9jVMqijyuGFZjTaBOpfyTDC-I44hkIWKXsV6X8=.03353bd4-b300-4fa4-8d4e-96689455c641@github.com>
Message-ID: <-1XBp6JiiqgD7WCk_V3z8NovGNS1LScKU5vRgM4muBw=.86f26cb4-6150-44a7-b076-b63e1ea53221@github.com>

On Wed, 1 Dec 2021 15:12:16 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Can you lower the `threadsFactor` or `duration`? Or set an upper limit for `nTasks`?

I can reduce the threadFactor and duration to close to half(threadsFactor=2 and duration=2 Or hardcode nTasks=20) and i think there still will be enough threads to verify threadsafety. In that case default JTREG timeout period should be enough and no need for any additional timeout with @run tag.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6626

From valeriep at openjdk.java.net  Wed Dec  1 21:49:40 2021
From: valeriep at openjdk.java.net (Valerie Peng)
Date: Wed, 1 Dec 2021 21:49:40 GMT
Subject: RFR: 8255409: Support the new APIs in PKCS#11 v3.0
Message-ID: <PzZDScnryU9SfmhLZCkY364Kb641sEhAZh_j0G05DCs=.afd7444b-f208-4fd7-a336-187318a658d4@github.com>

PKCS#11 v3.0 adds the support for several new APIs. For this particular RFE, it enhances SunPKCS11 provider to load PKCS#11 provider by first trying the C_GetInterface (new in 3.0) before the C_GetFunctionList assuming not explicitly specified in config. In addition, PKCS#11 v3.0 defines a new API for cancelling session operations, so I've also updated various classes to call this new API if the PKCS#11 library version is 3.0. Otherwise, these classes will try to cancel by finishing off current operations as before. The support for the new C_LoginUser() has not been tested, so I commented it out for now. Given the current release schedule, support for other new PKCS#11 APIs (such as message-based ones and parameters structure) and options for C_GetInterface (if needed) will be handled later. 

I validated the current changes against different NSS releases (supports PKCS#11 v2.40 and v3..0 respectively) with existing regression tests.

Thanks,
Valerie

-------------

Commit messages:
 - 8255409: Support the new APIs in PKCS#11 v3.0

Changes: https://git.openjdk.java.net/jdk/pull/6655/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6655&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8255409
  Stats: 706 lines in 17 files changed: 552 ins; 17 del; 137 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6655.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6655/head:pull/6655

PR: https://git.openjdk.java.net/jdk/pull/6655

From kcr at openjdk.java.net  Wed Dec  1 21:58:22 2021
From: kcr at openjdk.java.net (Kevin Rushforth)
Date: Wed, 1 Dec 2021 21:58:22 GMT
Subject: RFR: 8255266: 2021-11-27 public suffix list update v 3c213aa
In-Reply-To: <GbvST0PI0Rj6lpXJ_mq9r4egd9bIaCMWsNHkiNIgRLM=.938936fb-6030-454a-a9a6-0cc0cba37120@github.com>
References: <GbvST0PI0Rj6lpXJ_mq9r4egd9bIaCMWsNHkiNIgRLM=.938936fb-6030-454a-a9a6-0cc0cba37120@github.com>
Message-ID: <TN89qc3yOsuGFkIoXC-Jk2E_nViVBXtnLdYceKcTsW8=.e6a6a315-4662-44af-9712-e788aff5b0bd@github.com>

On Wed, 1 Dec 2021 17:03:24 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Update Public Suffix List data to the latest version at https://github.com/publicsuffix/list.

This is not a formal review, but it looks good to me. I verified that the new file matches the one from the referenced upstream commit. I also did a local JDK build with this fix, and then used that in a local test build of FX 8 for [JDK-8277734](https://bugs.openjdk.java.net/browse/JDK-8277734). All passed.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6643

From mstjohns at comcast.net  Wed Dec  1 23:28:45 2021
From: mstjohns at comcast.net (Michael StJohns)
Date: Wed, 1 Dec 2021 18:28:45 -0500
Subject: RFR: 8225181: KeyStore should have a getAttributes method [v5]
In-Reply-To: <497A535B-78B6-4A6E-A2C3-B008D8AC3530@oracle.com>
References: <XTW5eese0JOA1h_vEs4l6_qaza3MLxdcryK_TFs5vFA=.3eb2796e-f3e1-4b0d-898e-c6918ce2de57@github.com>
 <rxiKvHZyBMJBnrb8a6_wIp2e9tkT8E_tvf52PyFlc-8=.8945f263-67b5-4b6d-8210-08e76bb55519@github.com>
 <93aeca60-53e4-fe1b-67f5-8886a675e338@comcast.net>
 <497A535B-78B6-4A6E-A2C3-B008D8AC3530@oracle.com>
Message-ID: <f43647ba-33ab-ea4f-c2fb-733684093294@comcast.net>

On 11/30/2021 10:07 PM, Wei-Jun Wang wrote:
> My understanding is that Java's PKCS12KeyStore will fabricate an alias string if there is no friendlyName, since every entry inside a KeyStore object must have an alias. I'll take some look tomorrow.

Ah - I see it now in PKCS12KeyStore - it assigns an "unfriendlyName" as 
an alias if "friendlyName" is missing - basically "0", "1", etc.

Thanks - Mike

>
> Thanks,
> Max
>
>> On Nov 30, 2021, at 10:01 PM, Michael StJohns <mstjohns at comcast.net> wrote:
>>
>> Hi -
>>
>> Generically, PKCS12 doesn't require an alias (friendlyName) for a particular Bag, but does permit it. Which means that getAttributes(String alias) could fail on a legal PKCS12.  It may be worthwhile to add a Set<Entry.Attribute> KeyStore::getAttributes(int bagNumber) method.
>>
>> Mike
>>
>> On 11/30/2021 8:15 PM, Weijun Wang wrote:
>>>> Add `KeyStore::getAttributes` so that one can get the attributes of an entry without retrieving the entry first. This is especially useful for a private key entry which can only be retrieved with a password.
>>> Weijun Wang has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains seven additional commits since the last revision:
>>>
>>>   - final spec change
>>>   - Merge branch 'master' into 8225181
>>>   - Merge branch 'master' into 8225181
>>>   - redine spec
>>>   - more clear and precise spec
>>>   - clarification on protected attributes
>>>   - 8225181: KeyStore should have a getAttributes method
>>>         8225181: KeyStore should have a getAttributes method
>>>
>>> -------------
>>>
>>> Changes:
>>>    - all: https://git.openjdk.java.net/jdk/pull/6026/files
>>>    - new: https://git.openjdk.java.net/jdk/pull/6026/files/901bdf83..702168db
>>>
>>> Webrevs:
>>>   - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6026&range=04
>>>   - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6026&range=03-04
>>>
>>>    Stats: 929909 lines in 2271 files changed: 483097 ins; 432951 del; 13861 mod
>>>    Patch: https://git.openjdk.java.net/jdk/pull/6026.diff
>>>    Fetch: git fetch https://git.openjdk.java.net/jdk pull/6026/head:pull/6026
>>>
>>> PR: https://git.openjdk.java.net/jdk/pull/6026
>>


From weijun at openjdk.java.net  Thu Dec  2 00:29:28 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Thu, 2 Dec 2021 00:29:28 GMT
Subject: RFR: 8277353: java/security/MessageDigest/ThreadSafetyTest.java
 test times out
In-Reply-To: <-1XBp6JiiqgD7WCk_V3z8NovGNS1LScKU5vRgM4muBw=.86f26cb4-6150-44a7-b076-b63e1ea53221@github.com>
References: <8GdNQIf2UfVcwE94T18PpgcgQNOYlRt03WllAYdR4JE=.3987d453-4669-40ff-b3da-828b4c17d602@github.com>
 <BYuqk9jVMqijyuGFZjTaBOpfyTDC-I44hkIWKXsV6X8=.03353bd4-b300-4fa4-8d4e-96689455c641@github.com>
 <-1XBp6JiiqgD7WCk_V3z8NovGNS1LScKU5vRgM4muBw=.86f26cb4-6150-44a7-b076-b63e1ea53221@github.com>
Message-ID: <P4epiqmuSX9qdahnRC3ksUETPIYQIBp-8GMl7pttDcs=.2cffab39-f4b0-4e88-9510-6284f2cf92f3@github.com>

On Wed, 1 Dec 2021 19:29:36 GMT, Sibabrata Sahoo <ssahoo at openjdk.org> wrote:

> > Can you lower the `threadsFactor` or `duration`? Or set an upper limit for `nTasks`?
> 
> I can reduce the threadFactor and duration to close to half(threadsFactor=2 and duration=2 Or hardcode nTasks=20) and i think there still will be enough threads to verify threadsafety. In that case default JTREG timeout period should be enough and no need for any additional timeout with @run tag.

Maybe you can contact the author of this test to see if that's enough.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6626

From smarks at openjdk.java.net  Thu Dec  2 01:26:30 2021
From: smarks at openjdk.java.net (Stuart Marks)
Date: Thu, 2 Dec 2021 01:26:30 GMT
Subject: RFR: JDK-8276447 Deprecate finalization-related methods for
 removal [v3]
In-Reply-To: <zORovjOCVMm-8yG6qtNfIrH5ICFkC5WJzL1LKMVyOJ8=.6e92825a-9fc5-4878-9659-aa70da4ed0cc@github.com>
References: <rkKRczPheXDb7UDIQvhCRkjavYqGgUxAjlLC1-nrS_A=.03889200-fe97-4668-b622-f92bcfdb943c@github.com>
 <zORovjOCVMm-8yG6qtNfIrH5ICFkC5WJzL1LKMVyOJ8=.6e92825a-9fc5-4878-9659-aa70da4ed0cc@github.com>
Message-ID: <nJKHDn0E59sPCmNw72xg_Pm22IB4JtQmufM09mM7Dek=.9e48eca8-07c1-40b2-ad90-4c8df399b59e@github.com>

On Wed, 1 Dec 2021 19:23:59 GMT, Brent Christian <bchristi at openjdk.org> wrote:

>> Here are the code changes for the "Deprecate finalizers in the standard Java API" portion of JEP 421 ("Deprecate Finalization for Removal") for code review.
>> 
>> This change makes the indicated deprecations, and updates the API spec for JEP 421. It also updates the relevant @SuppressWarning annotations.
>> 
>> The CSR has been approved.
>> An automated test build+test run passes cleanly (FWIW :D ).
>
> Brent Christian has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains 33 commits:
> 
>  - Merge branch 'master' into 8276447
>  - Merge branch 'master' into 8276447
>  - merge
>  - @SuppressWarnings(removal) in Windows CKey.java
>  - Add jls tag to runFinalization methods
>  - Update wording of Object.finalize, new paragraph is now bold
>  - update Object.finalize javadoc
>  - update Object.finalize JavaDoc and @deprecated tag
>  - Update Object.finalize deprecation message
>  - Indicate that runFinalizers does nothing if finalization is disabled or removed
>  - ... and 23 more: https://git.openjdk.java.net/jdk/compare/0dfb3a70...8cde0674

Marked as reviewed by smarks (Reviewer).

src/jdk.jconsole/share/classes/sun/tools/jconsole/SummaryTab.java line 116:

> 114:     StringBuilder buf;
> 115: 
> 116:     @SuppressWarnings("deprecation")

Item for future cleanup: refactor the call to `getObjectPendingFinalizationCount()` at line 219 (!) into a local variable declaration, and then move the warnings suppression to that declaration. This reduces the scope of warnings suppression.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6465

From valeriep at openjdk.java.net  Thu Dec  2 01:29:46 2021
From: valeriep at openjdk.java.net (Valerie Peng)
Date: Thu, 2 Dec 2021 01:29:46 GMT
Subject: RFR: 8278099: two sun/security/pkcs11/Signature tests failed with
 AssertionError
Message-ID: <t58WVaHoe9r9Dv-OIqTZi9TX0FsLSVCCIDkvZlsx5Fg=.d164f1ac-b097-4ac5-bcd2-2ef00938ae93@github.com>

Can someone help reviewing this trivial one-line fix? The assert check in CK_MECHANISM.java is too strict and fail unexpectedly when digest-specific PSS signature mechanisms are supported by the underlying PKCS#11 library. The fix is to remove this assert check. No new regression test added with this fix as this is already covered by existing regression tests.

Thanks,
Valerie

-------------

Commit messages:
 - 8278099: two sun/security/pkcs11/Signature tests failed with AssertionError

Changes: https://git.openjdk.java.net/jdk/pull/6656/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6656&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8278099
  Stats: 1 line in 1 file changed: 0 ins; 1 del; 0 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6656.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6656/head:pull/6656

PR: https://git.openjdk.java.net/jdk/pull/6656

From weijun at openjdk.java.net  Thu Dec  2 01:46:27 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Thu, 2 Dec 2021 01:46:27 GMT
Subject: RFR: 8278099: two sun/security/pkcs11/Signature tests failed with
 AssertionError
In-Reply-To: <t58WVaHoe9r9Dv-OIqTZi9TX0FsLSVCCIDkvZlsx5Fg=.d164f1ac-b097-4ac5-bcd2-2ef00938ae93@github.com>
References: <t58WVaHoe9r9Dv-OIqTZi9TX0FsLSVCCIDkvZlsx5Fg=.d164f1ac-b097-4ac5-bcd2-2ef00938ae93@github.com>
Message-ID: <c2w9maRqodssTLUIOwEiRvVkfrIlBqN0SJq38BRw05M=.38b65e75-3cdf-41a1-9173-decdfc5b2630@github.com>

On Thu, 2 Dec 2021 01:20:30 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

> Can someone help reviewing this trivial one-line fix? The assert check in CK_MECHANISM.java is too strict and fail unexpectedly when digest-specific PSS signature mechanisms are supported by the underlying PKCS#11 library. The fix is to remove this assert check. No new regression test added with this fix as this is already covered by existing regression tests.
> 
> Thanks,
> Valerie

Not a PKCS11 expert, but does a "digest-specific PSS signature mechanism" needs `setParameter` anymore? Or, must it be the same as the existing parameters dictated by the specified digest?

-------------

PR: https://git.openjdk.java.net/jdk/pull/6656

From aleonard at openjdk.java.net  Thu Dec  2 10:59:20 2021
From: aleonard at openjdk.java.net (Andrew Leonard)
Date: Thu, 2 Dec 2021 10:59:20 GMT
Subject: RFR: 8278080: Add --with-cacerts-src='user cacerts folder' to
 enable deterministic cacerts generation
In-Reply-To: <OYXY3EfnLesP0j3ctkTaMLftQoKHmzeCYBxO3J8Z6Iw=.0414edba-4953-4d77-901b-de1cccb696d1@github.com>
References: <G8-efNnV-rm9nZB7VvAtbkxjooqAtg39xD6_FB7PPos=.f6e00f71-38d7-41bf-91c6-d5d7e8e19012@github.com>
 <OYXY3EfnLesP0j3ctkTaMLftQoKHmzeCYBxO3J8Z6Iw=.0414edba-4953-4d77-901b-de1cccb696d1@github.com>
Message-ID: <YUGA1y62YYO6pW3TmVVA6u2FVCGBeSI0fm68BKcFhxs=.4ff07036-f6eb-4c88-8b77-2c16da437308@github.com>

On Thu, 2 Dec 2021 00:09:31 GMT, Sergey Bylokhov <serb at openjdk.org> wrote:

> I have a question related to the custom cacerts which can be added to the OpenJDK bundle. How do you pass the tests like test/jdk/sun/security/lib/cacerts/VerifyCACerts.java using that custom jdk bundle? Probably we can add an additional configuration to that test so it will check the custom cacerts passed to the build as well?

@mrserb 
So VerifyCACerts is specific to the make/data/cacerts certificates, the README specifically states there that when those are updated VerifyCACerts needs updating. It checks things like fingerprints etc..

If a developer or other provider decide to provide their own cacerts file, then it is up to them to have verified and trust those certificates. They won't run the VerifyCACerts which is specific to the openjdk certs.
This is the case at Adoptium for example, which uses the Mozilla trusted CA certs.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6647

From aleonard at openjdk.java.net  Thu Dec  2 12:13:03 2021
From: aleonard at openjdk.java.net (Andrew Leonard)
Date: Thu, 2 Dec 2021 12:13:03 GMT
Subject: RFR: 8278080: Add --with-cacerts-src='user cacerts folder' to
 enable deterministic cacerts generation [v2]
In-Reply-To: <G8-efNnV-rm9nZB7VvAtbkxjooqAtg39xD6_FB7PPos=.f6e00f71-38d7-41bf-91c6-d5d7e8e19012@github.com>
References: <G8-efNnV-rm9nZB7VvAtbkxjooqAtg39xD6_FB7PPos=.f6e00f71-38d7-41bf-91c6-d5d7e8e19012@github.com>
Message-ID: <kZvtcRb0PLPUh--qpazvcQVm9IyDfp_zK4uBoXB67PI=.d4775b56-3db6-4c97-acd3-6b54b7dab83f@github.com>

> Addition of a configure option --with-cacerts-src='user cacerts folder' to allow developers to specify their own cacerts PEM folder for generation of the cacerts store using the deterministic openjdk GenerateCacerts tool.
> 
> Signed-off-by: Andrew Leonard <anleonar at redhat.com>

Andrew Leonard has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains four additional commits since the last revision:

 - 8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation
   
   Signed-off-by: Andrew Leonard <anleonar at redhat.com>
 - Merge branch 'master' of https://github.com/openjdk/jdk into cacertssrc
 - 8278080: Add --with-cacerts-src='user cacerts folder' to enable determinsitic cacerts generation
   
   Signed-off-by: Andrew Leonard <anleonar at redhat.com>
 - 8278080: Add --with-cacerts-src='user cacerts folder' to enable determinsitic cacerts generation
   
   Signed-off-by: Andrew Leonard <anleonar at redhat.com>

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/6647/files
  - new: https://git.openjdk.java.net/jdk/pull/6647/files/1084c4e1..16c5ca6b

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6647&range=01
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6647&range=00-01

  Stats: 1879 lines in 62 files changed: 1045 ins; 297 del; 537 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6647.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6647/head:pull/6647

PR: https://git.openjdk.java.net/jdk/pull/6647

From aleonard at openjdk.java.net  Thu Dec  2 12:13:07 2021
From: aleonard at openjdk.java.net (Andrew Leonard)
Date: Thu, 2 Dec 2021 12:13:07 GMT
Subject: RFR: 8278080: Add --with-cacerts-src='user cacerts folder' to
 enable deterministic cacerts generation [v2]
In-Reply-To: <bqVvSG4f4MrMMi3PI9g26VY7WLhR-8SjTKKjz4dQ4o4=.8094ae02-baf4-4a23-8c2c-b52cf2b5f1e5@github.com>
References: <G8-efNnV-rm9nZB7VvAtbkxjooqAtg39xD6_FB7PPos=.f6e00f71-38d7-41bf-91c6-d5d7e8e19012@github.com>
 <bqVvSG4f4MrMMi3PI9g26VY7WLhR-8SjTKKjz4dQ4o4=.8094ae02-baf4-4a23-8c2c-b52cf2b5f1e5@github.com>
Message-ID: <aD7W3eJCxZX9Aw-gDwzu9SInEBT1L8Pg7E7oOK4bZrA=.3ac99b12-0e74-40e8-8ef3-1ac27f602ad3@github.com>

On Wed, 1 Dec 2021 18:47:41 GMT, Erik Joelsson <erikj at openjdk.org> wrote:

>> Andrew Leonard has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains four additional commits since the last revision:
>> 
>>  - 8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation
>>    
>>    Signed-off-by: Andrew Leonard <anleonar at redhat.com>
>>  - Merge branch 'master' of https://github.com/openjdk/jdk into cacertssrc
>>  - 8278080: Add --with-cacerts-src='user cacerts folder' to enable determinsitic cacerts generation
>>    
>>    Signed-off-by: Andrew Leonard <anleonar at redhat.com>
>>  - 8278080: Add --with-cacerts-src='user cacerts folder' to enable determinsitic cacerts generation
>>    
>>    Signed-off-by: Andrew Leonard <anleonar at redhat.com>
>
> make/autoconf/jdk-options.m4 line 176:
> 
>> 174:       [specify alternative cacerts source folder containing certificates])])
>> 175:   AC_MSG_CHECKING([for cacerts source])
>> 176:   if test "x$with_cacerts_src" == x; then
> 
> Before this if block, please assign an empty value to CACERTS_SRC. Otherwise, if the user happens to have that variable set in the environment, that value will get recorded by configure, which is usually not something we want.

done

-------------

PR: https://git.openjdk.java.net/jdk/pull/6647

From abakhtin at openjdk.java.net  Thu Dec  2 12:54:24 2021
From: abakhtin at openjdk.java.net (Alexey Bakhtin)
Date: Thu, 2 Dec 2021 12:54:24 GMT
Subject: RFR: 8277353: java/security/MessageDigest/ThreadSafetyTest.java
 test times out
In-Reply-To: <-1XBp6JiiqgD7WCk_V3z8NovGNS1LScKU5vRgM4muBw=.86f26cb4-6150-44a7-b076-b63e1ea53221@github.com>
References: <8GdNQIf2UfVcwE94T18PpgcgQNOYlRt03WllAYdR4JE=.3987d453-4669-40ff-b3da-828b4c17d602@github.com>
 <BYuqk9jVMqijyuGFZjTaBOpfyTDC-I44hkIWKXsV6X8=.03353bd4-b300-4fa4-8d4e-96689455c641@github.com>
 <-1XBp6JiiqgD7WCk_V3z8NovGNS1LScKU5vRgM4muBw=.86f26cb4-6150-44a7-b076-b63e1ea53221@github.com>
Message-ID: <tkGJXf8u_kTEroelWP7ZqjP7j8q5e1nJwkDl9k7f3Ok=.757a5be5-6db7-41f7-bea6-cffbb784354f@github.com>

On Wed, 1 Dec 2021 19:29:36 GMT, Sibabrata Sahoo <ssahoo at openjdk.org> wrote:

>> Can you lower the `threadsFactor` or `duration`? Or set an upper limit for `nTasks`?
>
>> Can you lower the `threadsFactor` or `duration`? Or set an upper limit for `nTasks`?
> 
> I can reduce the threadFactor and duration to close to half(threadsFactor=2 and duration=2 Or hardcode nTasks=20) and i think there still will be enough threads to verify threadsafety. In that case default JTREG timeout period should be enough and no need for any additional timeout with @run tag.

Hi @sisahoo,
Yes, I think the number of threads and duration can be lowered. For example like this:

diff --git a/test/jdk/java/security/MessageDigest/ThreadSafetyTest.java b/test/jdk/java/security/MessageDigest/ThreadSafetyTest.java
index 41ecbca2677..f179bd54257 100644
--- a/test/jdk/java/security/MessageDigest/ThreadSafetyTest.java
+++ b/test/jdk/java/security/MessageDigest/ThreadSafetyTest.java
@@ -25,7 +25,7 @@
  * @test
  * @bug 8241960
  * @summary Confirm that java.security.MessageDigest is thread-safe after clone.
- * @run main/othervm ThreadSafetyTest 5 4
+ * @run main/othervm ThreadSafetyTest 5 2
  */
 
 import java.security.MessageDigest;
@@ -56,7 +56,7 @@ public class ThreadSafetyTest {
             duration = Integer.parseInt(args[1]);
         }
         int nProcessors = Runtime.getRuntime().availableProcessors();
-        int nTasks = nProcessors * threadsFactor;
+        int nTasks = Math.min(nProcessors, 4) * threadsFactor;
         System.out.println("Testing with " + nTasks + " threads on " +
                            nProcessors + " processors for " + duration +

-------------

PR: https://git.openjdk.java.net/jdk/pull/6626

From erikj at openjdk.java.net  Thu Dec  2 13:58:25 2021
From: erikj at openjdk.java.net (Erik Joelsson)
Date: Thu, 2 Dec 2021 13:58:25 GMT
Subject: RFR: 8278080: Add --with-cacerts-src='user cacerts folder' to
 enable deterministic cacerts generation [v2]
In-Reply-To: <kZvtcRb0PLPUh--qpazvcQVm9IyDfp_zK4uBoXB67PI=.d4775b56-3db6-4c97-acd3-6b54b7dab83f@github.com>
References: <G8-efNnV-rm9nZB7VvAtbkxjooqAtg39xD6_FB7PPos=.f6e00f71-38d7-41bf-91c6-d5d7e8e19012@github.com>
 <kZvtcRb0PLPUh--qpazvcQVm9IyDfp_zK4uBoXB67PI=.d4775b56-3db6-4c97-acd3-6b54b7dab83f@github.com>
Message-ID: <wQDeXK-J_0L0-sntqp0-psHxPEYsd94h-m0bsBWeXEI=.427c1bc6-80d1-4e19-b57c-b2ebd064ab70@github.com>

On Thu, 2 Dec 2021 12:13:03 GMT, Andrew Leonard <aleonard at openjdk.org> wrote:

>> Addition of a configure option --with-cacerts-src='user cacerts folder' to allow developers to specify their own cacerts PEM folder for generation of the cacerts store using the deterministic openjdk GenerateCacerts tool.
>> 
>> Signed-off-by: Andrew Leonard <anleonar at redhat.com>
>
> Andrew Leonard has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains four additional commits since the last revision:
> 
>  - 8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation
>    
>    Signed-off-by: Andrew Leonard <anleonar at redhat.com>
>  - Merge branch 'master' of https://github.com/openjdk/jdk into cacertssrc
>  - 8278080: Add --with-cacerts-src='user cacerts folder' to enable determinsitic cacerts generation
>    
>    Signed-off-by: Andrew Leonard <anleonar at redhat.com>
>  - 8278080: Add --with-cacerts-src='user cacerts folder' to enable determinsitic cacerts generation
>    
>    Signed-off-by: Andrew Leonard <anleonar at redhat.com>

Looks good!

-------------

Marked as reviewed by erikj (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/6647

From mullan at openjdk.java.net  Thu Dec  2 14:32:29 2021
From: mullan at openjdk.java.net (Sean Mullan)
Date: Thu, 2 Dec 2021 14:32:29 GMT
Subject: RFR: 8278080: Add --with-cacerts-src='user cacerts folder' to
 enable deterministic cacerts generation [v2]
In-Reply-To: <kZvtcRb0PLPUh--qpazvcQVm9IyDfp_zK4uBoXB67PI=.d4775b56-3db6-4c97-acd3-6b54b7dab83f@github.com>
References: <G8-efNnV-rm9nZB7VvAtbkxjooqAtg39xD6_FB7PPos=.f6e00f71-38d7-41bf-91c6-d5d7e8e19012@github.com>
 <kZvtcRb0PLPUh--qpazvcQVm9IyDfp_zK4uBoXB67PI=.d4775b56-3db6-4c97-acd3-6b54b7dab83f@github.com>
Message-ID: <yBhOsMgb0GurkrqBKqbZWVKtIxbCTLnAuDORDYxG1fk=.85934716-a3e1-4458-b499-d094130623cc@github.com>

On Thu, 2 Dec 2021 12:13:03 GMT, Andrew Leonard <aleonard at openjdk.org> wrote:

>> Addition of a configure option --with-cacerts-src='user cacerts folder' to allow developers to specify their own cacerts PEM folder for generation of the cacerts store using the deterministic openjdk GenerateCacerts tool.
>> 
>> Signed-off-by: Andrew Leonard <anleonar at redhat.com>
>
> Andrew Leonard has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains four additional commits since the last revision:
> 
>  - 8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation
>    
>    Signed-off-by: Andrew Leonard <anleonar at redhat.com>
>  - Merge branch 'master' of https://github.com/openjdk/jdk into cacertssrc
>  - 8278080: Add --with-cacerts-src='user cacerts folder' to enable determinsitic cacerts generation
>    
>    Signed-off-by: Andrew Leonard <anleonar at redhat.com>
>  - 8278080: Add --with-cacerts-src='user cacerts folder' to enable determinsitic cacerts generation
>    
>    Signed-off-by: Andrew Leonard <anleonar at redhat.com>

I don?t have any major concerns with this change, as long as the default cacerts are still the ones that are in the JDK. As an aside, using Mozilla's root certificates might be fine for TLS certificates, but if you need to support code signing certificates you may run into issues with missing CAs as Mozilla's Root program does not support that use case. Also, by overriding the roots included in the JDK, you are taking on the responsibility (which is significant, in my opinion) of ensuring that those roots are trusted and have not been compromised, revoked, have weak keys, etc.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6647

From mullan at openjdk.java.net  Thu Dec  2 14:50:28 2021
From: mullan at openjdk.java.net (Sean Mullan)
Date: Thu, 2 Dec 2021 14:50:28 GMT
Subject: RFR: 8255266: 2021-11-27 public suffix list update v 3c213aa
In-Reply-To: <GbvST0PI0Rj6lpXJ_mq9r4egd9bIaCMWsNHkiNIgRLM=.938936fb-6030-454a-a9a6-0cc0cba37120@github.com>
References: <GbvST0PI0Rj6lpXJ_mq9r4egd9bIaCMWsNHkiNIgRLM=.938936fb-6030-454a-a9a6-0cc0cba37120@github.com>
Message-ID: <SwmKduLvvv1w2hXYssnTf65H1kMOnmFjJWJ0hpQ4qZc=.a400bff8-8608-4078-95e9-88f4dbf3f5a8@github.com>

On Wed, 1 Dec 2021 17:03:24 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Update Public Suffix List data to the latest version at https://github.com/publicsuffix/list.

Marked as reviewed by mullan (Reviewer).

-------------

PR: https://git.openjdk.java.net/jdk/pull/6643

From dcubed at openjdk.java.net  Thu Dec  2 15:14:29 2021
From: dcubed at openjdk.java.net (Daniel D.Daugherty)
Date: Thu, 2 Dec 2021 15:14:29 GMT
Subject: RFR: 8278099: two sun/security/pkcs11/Signature tests failed with
 AssertionError
In-Reply-To: <t58WVaHoe9r9Dv-OIqTZi9TX0FsLSVCCIDkvZlsx5Fg=.d164f1ac-b097-4ac5-bcd2-2ef00938ae93@github.com>
References: <t58WVaHoe9r9Dv-OIqTZi9TX0FsLSVCCIDkvZlsx5Fg=.d164f1ac-b097-4ac5-bcd2-2ef00938ae93@github.com>
Message-ID: <RQpazA7otaSydoJyuogfSTrmsK4WtRg_GFBKLo0FuzE=.db26b159-3659-4c64-a4a8-a3bb93e205a9@github.com>

On Thu, 2 Dec 2021 01:20:30 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

> Can someone help reviewing this trivial one-line fix? The assert check in CK_MECHANISM.java is too strict and fail unexpectedly when digest-specific PSS signature mechanisms are supported by the underlying PKCS#11 library. The fix is to remove this assert check. No new regression test added with this fix as this is already covered by existing regression tests.
> 
> Thanks,
> Valerie

I'm not a PKCS11 expert, but the fix does what @valeriepeng describes
in the bug report: removes the offending assert.

Thumbs up.

-------------

Marked as reviewed by dcubed (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/6656

From aleonard at openjdk.java.net  Thu Dec  2 15:15:29 2021
From: aleonard at openjdk.java.net (Andrew Leonard)
Date: Thu, 2 Dec 2021 15:15:29 GMT
Subject: RFR: 8278080: Add --with-cacerts-src='user cacerts folder' to
 enable deterministic cacerts generation [v2]
In-Reply-To: <yBhOsMgb0GurkrqBKqbZWVKtIxbCTLnAuDORDYxG1fk=.85934716-a3e1-4458-b499-d094130623cc@github.com>
References: <G8-efNnV-rm9nZB7VvAtbkxjooqAtg39xD6_FB7PPos=.f6e00f71-38d7-41bf-91c6-d5d7e8e19012@github.com>
 <kZvtcRb0PLPUh--qpazvcQVm9IyDfp_zK4uBoXB67PI=.d4775b56-3db6-4c97-acd3-6b54b7dab83f@github.com>
 <yBhOsMgb0GurkrqBKqbZWVKtIxbCTLnAuDORDYxG1fk=.85934716-a3e1-4458-b499-d094130623cc@github.com>
Message-ID: <9birWuJ4GIzSwQHZSrNlLO2fvrHy7bAxvEBqq4t80vc=.c7f7884e-c33e-45ff-b8d6-e3ee84efdb74@github.com>

On Thu, 2 Dec 2021 14:29:00 GMT, Sean Mullan <mullan at openjdk.org> wrote:

> I don?t have any major concerns with this change, as long as the default cacerts are still the ones that are in the JDK. As an aside, using Mozilla's root certificates might be fine for TLS certificates, but if you need to support code signing certificates you may run into issues with missing CAs as Mozilla's Root program does not support that use case. Also, by overriding the roots included in the JDK, you are taking on the responsibility (which is significant, in my opinion) of ensuring that those roots are trusted and have not been compromised, revoked, have weak keys, etc.

@seanjmullan Thanks Sean, I'll pass your comment on, cheers Andrew

-------------

PR: https://git.openjdk.java.net/jdk/pull/6647

From dcubed at openjdk.java.net  Thu Dec  2 15:18:29 2021
From: dcubed at openjdk.java.net (Daniel D.Daugherty)
Date: Thu, 2 Dec 2021 15:18:29 GMT
Subject: RFR: 8278099: two sun/security/pkcs11/Signature tests failed with
 AssertionError
In-Reply-To: <t58WVaHoe9r9Dv-OIqTZi9TX0FsLSVCCIDkvZlsx5Fg=.d164f1ac-b097-4ac5-bcd2-2ef00938ae93@github.com>
References: <t58WVaHoe9r9Dv-OIqTZi9TX0FsLSVCCIDkvZlsx5Fg=.d164f1ac-b097-4ac5-bcd2-2ef00938ae93@github.com>
Message-ID: <ZRRU_-b6dW3_H_UrnFC47PJXiSQ4KgU7kL6KOwTgyY8=.7cb7e7e2-19d1-4240-b626-21c8f545da84@github.com>

On Thu, 2 Dec 2021 01:20:30 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

> Can someone help reviewing this trivial one-line fix? The assert check in CK_MECHANISM.java is too strict and fail unexpectedly when digest-specific PSS signature mechanisms are supported by the underlying PKCS#11 library. The fix is to remove this assert check. No new regression test added with this fix as this is already covered by existing regression tests.
> 
> Thanks,
> Valerie

Have you verified that this fix works on an Oracle_Linux_8.4 test machine?

And I agree that this is a trivial fix.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6656

From aleonard at openjdk.java.net  Thu Dec  2 15:40:33 2021
From: aleonard at openjdk.java.net (Andrew Leonard)
Date: Thu, 2 Dec 2021 15:40:33 GMT
Subject: Integrated: 8278080: Add --with-cacerts-src='user cacerts folder' to
 enable deterministic cacerts generation
In-Reply-To: <G8-efNnV-rm9nZB7VvAtbkxjooqAtg39xD6_FB7PPos=.f6e00f71-38d7-41bf-91c6-d5d7e8e19012@github.com>
References: <G8-efNnV-rm9nZB7VvAtbkxjooqAtg39xD6_FB7PPos=.f6e00f71-38d7-41bf-91c6-d5d7e8e19012@github.com>
Message-ID: <l7LO2kncQsFnt_jPv7RuAuX1S3nrEp1CDatQaXZCNgg=.e8c94ccf-6fd8-497a-9167-2ac38e48c68d@github.com>

On Wed, 1 Dec 2021 18:30:06 GMT, Andrew Leonard <aleonard at openjdk.org> wrote:

> Addition of a configure option --with-cacerts-src='user cacerts folder' to allow developers to specify their own cacerts PEM folder for generation of the cacerts store using the deterministic openjdk GenerateCacerts tool.
> 
> Signed-off-by: Andrew Leonard <anleonar at redhat.com>

This pull request has now been integrated.

Changeset: dc2abc9f
Author:    Andrew Leonard <aleonard at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/dc2abc9f05c2b7c52aeb242082359c48963f9854
Stats:     22 lines in 3 files changed: 22 ins; 0 del; 0 mod

8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation

Reviewed-by: erikj

-------------

PR: https://git.openjdk.java.net/jdk/pull/6647

From ihse at openjdk.java.net  Thu Dec  2 17:39:29 2021
From: ihse at openjdk.java.net (Magnus Ihse Bursie)
Date: Thu, 2 Dec 2021 17:39:29 GMT
Subject: RFR: 8278080: Add --with-cacerts-src='user cacerts folder' to
 enable deterministic cacerts generation [v2]
In-Reply-To: <kZvtcRb0PLPUh--qpazvcQVm9IyDfp_zK4uBoXB67PI=.d4775b56-3db6-4c97-acd3-6b54b7dab83f@github.com>
References: <G8-efNnV-rm9nZB7VvAtbkxjooqAtg39xD6_FB7PPos=.f6e00f71-38d7-41bf-91c6-d5d7e8e19012@github.com>
 <kZvtcRb0PLPUh--qpazvcQVm9IyDfp_zK4uBoXB67PI=.d4775b56-3db6-4c97-acd3-6b54b7dab83f@github.com>
Message-ID: <eG7yZvI4mfso0wtx04mfr6spLrr0yrB17bBmIZUwl-w=.618ac88d-4ee7-4eb2-b8c3-7adae8b1e4e6@github.com>

On Thu, 2 Dec 2021 12:13:03 GMT, Andrew Leonard <aleonard at openjdk.org> wrote:

>> Addition of a configure option --with-cacerts-src='user cacerts folder' to allow developers to specify their own cacerts PEM folder for generation of the cacerts store using the deterministic openjdk GenerateCacerts tool.
>> 
>> Signed-off-by: Andrew Leonard <anleonar at redhat.com>
>
> Andrew Leonard has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains four additional commits since the last revision:
> 
>  - 8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation
>    
>    Signed-off-by: Andrew Leonard <anleonar at redhat.com>
>  - Merge branch 'master' of https://github.com/openjdk/jdk into cacertssrc
>  - 8278080: Add --with-cacerts-src='user cacerts folder' to enable determinsitic cacerts generation
>    
>    Signed-off-by: Andrew Leonard <anleonar at redhat.com>
>  - 8278080: Add --with-cacerts-src='user cacerts folder' to enable determinsitic cacerts generation
>    
>    Signed-off-by: Andrew Leonard <anleonar at redhat.com>

make/modules/java.base/Gendata.gmk line 76:

> 74: ifneq ($(CACERTS_SRC), )
> 75:   GENDATA_CACERTS_SRC := $(CACERTS_SRC)
> 76: endif

Does this even work?! You are reassigning the variable after it has been used. The := assignment means that it not a macro.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6647

From ihse at openjdk.java.net  Thu Dec  2 17:39:31 2021
From: ihse at openjdk.java.net (Magnus Ihse Bursie)
Date: Thu, 2 Dec 2021 17:39:31 GMT
Subject: RFR: 8278080: Add --with-cacerts-src='user cacerts folder' to
 enable deterministic cacerts generation [v2]
In-Reply-To: <eG7yZvI4mfso0wtx04mfr6spLrr0yrB17bBmIZUwl-w=.618ac88d-4ee7-4eb2-b8c3-7adae8b1e4e6@github.com>
References: <G8-efNnV-rm9nZB7VvAtbkxjooqAtg39xD6_FB7PPos=.f6e00f71-38d7-41bf-91c6-d5d7e8e19012@github.com>
 <kZvtcRb0PLPUh--qpazvcQVm9IyDfp_zK4uBoXB67PI=.d4775b56-3db6-4c97-acd3-6b54b7dab83f@github.com>
 <eG7yZvI4mfso0wtx04mfr6spLrr0yrB17bBmIZUwl-w=.618ac88d-4ee7-4eb2-b8c3-7adae8b1e4e6@github.com>
Message-ID: <RSU05-OjUEVCKg7zlHr4H9w7GjSTctawLXxXFu6zQiE=.25ca1009-b638-4854-a782-b2adec6db022@github.com>

On Thu, 2 Dec 2021 17:33:49 GMT, Magnus Ihse Bursie <ihse at openjdk.org> wrote:

>> Andrew Leonard has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains four additional commits since the last revision:
>> 
>>  - 8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation
>>    
>>    Signed-off-by: Andrew Leonard <anleonar at redhat.com>
>>  - Merge branch 'master' of https://github.com/openjdk/jdk into cacertssrc
>>  - 8278080: Add --with-cacerts-src='user cacerts folder' to enable determinsitic cacerts generation
>>    
>>    Signed-off-by: Andrew Leonard <anleonar at redhat.com>
>>  - 8278080: Add --with-cacerts-src='user cacerts folder' to enable determinsitic cacerts generation
>>    
>>    Signed-off-by: Andrew Leonard <anleonar at redhat.com>
>
> make/modules/java.base/Gendata.gmk line 76:
> 
>> 74: ifneq ($(CACERTS_SRC), )
>> 75:   GENDATA_CACERTS_SRC := $(CACERTS_SRC)
>> 76: endif
> 
> Does this even work?! You are reassigning the variable after it has been used. The := assignment means that it not a macro.

I would have expected to see something like:

ifneq ($(CACERTS_SRC), )
  GENDATA_CACERTS_SRC := $(CACERTS_SRC)
else
  GENDATA_CACERTS_SRC := $(TOPDIR)/make/data/cacerts/
endif

at line 63.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6647

From aleonard at openjdk.java.net  Thu Dec  2 17:50:15 2021
From: aleonard at openjdk.java.net (Andrew Leonard)
Date: Thu, 2 Dec 2021 17:50:15 GMT
Subject: RFR: 8278080: Add --with-cacerts-src='user cacerts folder' to
 enable deterministic cacerts generation [v2]
In-Reply-To: <RSU05-OjUEVCKg7zlHr4H9w7GjSTctawLXxXFu6zQiE=.25ca1009-b638-4854-a782-b2adec6db022@github.com>
References: <G8-efNnV-rm9nZB7VvAtbkxjooqAtg39xD6_FB7PPos=.f6e00f71-38d7-41bf-91c6-d5d7e8e19012@github.com>
 <kZvtcRb0PLPUh--qpazvcQVm9IyDfp_zK4uBoXB67PI=.d4775b56-3db6-4c97-acd3-6b54b7dab83f@github.com>
 <eG7yZvI4mfso0wtx04mfr6spLrr0yrB17bBmIZUwl-w=.618ac88d-4ee7-4eb2-b8c3-7adae8b1e4e6@github.com>
 <RSU05-OjUEVCKg7zlHr4H9w7GjSTctawLXxXFu6zQiE=.25ca1009-b638-4854-a782-b2adec6db022@github.com>
Message-ID: <k5N_2k_3YNKtDtJGIDE3eCsPlOV88NUTzt8Tkkf2cFw=.189808c2-04a3-45fe-8221-790a10aa7696@github.com>

On Thu, 2 Dec 2021 17:35:36 GMT, Magnus Ihse Bursie <ihse at openjdk.org> wrote:

>> make/modules/java.base/Gendata.gmk line 76:
>> 
>>> 74: ifneq ($(CACERTS_SRC), )
>>> 75:   GENDATA_CACERTS_SRC := $(CACERTS_SRC)
>>> 76: endif
>> 
>> Does this even work?! You are reassigning the variable after it has been used. The := assignment means that it not a macro.
>
> I would have expected to see something like:
> 
> ifneq ($(CACERTS_SRC), )
>   GENDATA_CACERTS_SRC := $(CACERTS_SRC)
> else
>   GENDATA_CACERTS_SRC := $(TOPDIR)/make/data/cacerts/
> endif
> 
> at line 63.

you make a valid point, but i've tested this numerous times, but let me check again

-------------

PR: https://git.openjdk.java.net/jdk/pull/6647

From aleonard at openjdk.java.net  Thu Dec  2 17:50:15 2021
From: aleonard at openjdk.java.net (Andrew Leonard)
Date: Thu, 2 Dec 2021 17:50:15 GMT
Subject: RFR: 8278080: Add --with-cacerts-src='user cacerts folder' to
 enable deterministic cacerts generation [v2]
In-Reply-To: <k5N_2k_3YNKtDtJGIDE3eCsPlOV88NUTzt8Tkkf2cFw=.189808c2-04a3-45fe-8221-790a10aa7696@github.com>
References: <G8-efNnV-rm9nZB7VvAtbkxjooqAtg39xD6_FB7PPos=.f6e00f71-38d7-41bf-91c6-d5d7e8e19012@github.com>
 <kZvtcRb0PLPUh--qpazvcQVm9IyDfp_zK4uBoXB67PI=.d4775b56-3db6-4c97-acd3-6b54b7dab83f@github.com>
 <eG7yZvI4mfso0wtx04mfr6spLrr0yrB17bBmIZUwl-w=.618ac88d-4ee7-4eb2-b8c3-7adae8b1e4e6@github.com>
 <RSU05-OjUEVCKg7zlHr4H9w7GjSTctawLXxXFu6zQiE=.25ca1009-b638-4854-a782-b2adec6db022@github.com>
 <k5N_2k_3YNKtDtJGIDE3eCsPlOV88NUTzt8Tkkf2cFw=.189808c2-04a3-45fe-8221-790a10aa7696@github.com>
Message-ID: <d0EXlPXv_oDqZWTqyd3jwYQ0kDXonvzsJvjaLgE2iPc=.85f6bb20-a5f1-41e4-a8e0-14df740b0f50@github.com>

On Thu, 2 Dec 2021 17:46:35 GMT, Andrew Leonard <aleonard at openjdk.org> wrote:

>> I would have expected to see something like:
>> 
>> ifneq ($(CACERTS_SRC), )
>>   GENDATA_CACERTS_SRC := $(CACERTS_SRC)
>> else
>>   GENDATA_CACERTS_SRC := $(TOPDIR)/make/data/cacerts/
>> endif
>> 
>> at line 63.
>
> you make a valid point, but i've tested this numerous times, but let me check again

my assumption was the recipe gets resolved later

-------------

PR: https://git.openjdk.java.net/jdk/pull/6647

From aleonard at openjdk.java.net  Thu Dec  2 18:07:16 2021
From: aleonard at openjdk.java.net (Andrew Leonard)
Date: Thu, 2 Dec 2021 18:07:16 GMT
Subject: RFR: 8278080: Add --with-cacerts-src='user cacerts folder' to
 enable deterministic cacerts generation [v2]
In-Reply-To: <d0EXlPXv_oDqZWTqyd3jwYQ0kDXonvzsJvjaLgE2iPc=.85f6bb20-a5f1-41e4-a8e0-14df740b0f50@github.com>
References: <G8-efNnV-rm9nZB7VvAtbkxjooqAtg39xD6_FB7PPos=.f6e00f71-38d7-41bf-91c6-d5d7e8e19012@github.com>
 <kZvtcRb0PLPUh--qpazvcQVm9IyDfp_zK4uBoXB67PI=.d4775b56-3db6-4c97-acd3-6b54b7dab83f@github.com>
 <eG7yZvI4mfso0wtx04mfr6spLrr0yrB17bBmIZUwl-w=.618ac88d-4ee7-4eb2-b8c3-7adae8b1e4e6@github.com>
 <RSU05-OjUEVCKg7zlHr4H9w7GjSTctawLXxXFu6zQiE=.25ca1009-b638-4854-a782-b2adec6db022@github.com>
 <k5N_2k_3YNKtDtJGIDE3eCsPlOV88NUTzt8Tkkf2cFw=.189808c2-04a3-45fe-8221-790a10aa7696@github.com>
 <d0EXlPXv_oDqZWTqyd3jwYQ0kDXonvzsJvjaLgE2iPc=.85f6bb20-a5f1-41e4-a8e0-14df740b0f50@github.com>
Message-ID: <mmBV0SG_q3Ko0fbrdD1FSWJWOZxVMy7OF5nw562_ZKY=.ce521db4-5cd5-453f-abaf-414d0877781f@github.com>

On Thu, 2 Dec 2021 17:48:04 GMT, Andrew Leonard <aleonard at openjdk.org> wrote:

>> you make a valid point, but i've tested this numerous times, but let me check again
>
> my assumption was the recipe gets resolved later

this was my understanding: https://www.gnu.org/software/make/manual/html_node/Variables-in-Recipes.html

This occurs after make has finished reading all the makefiles and the target is determined to be out of date; so, the recipes for targets which are not rebuilt are never expanded. 

but i'm going to double check I was checking the resultant cacerts correctly in my tests

-------------

PR: https://git.openjdk.java.net/jdk/pull/6647

From erikj at openjdk.java.net  Thu Dec  2 18:49:18 2021
From: erikj at openjdk.java.net (Erik Joelsson)
Date: Thu, 2 Dec 2021 18:49:18 GMT
Subject: RFR: 8278080: Add --with-cacerts-src='user cacerts folder' to
 enable deterministic cacerts generation [v2]
In-Reply-To: <mmBV0SG_q3Ko0fbrdD1FSWJWOZxVMy7OF5nw562_ZKY=.ce521db4-5cd5-453f-abaf-414d0877781f@github.com>
References: <G8-efNnV-rm9nZB7VvAtbkxjooqAtg39xD6_FB7PPos=.f6e00f71-38d7-41bf-91c6-d5d7e8e19012@github.com>
 <kZvtcRb0PLPUh--qpazvcQVm9IyDfp_zK4uBoXB67PI=.d4775b56-3db6-4c97-acd3-6b54b7dab83f@github.com>
 <eG7yZvI4mfso0wtx04mfr6spLrr0yrB17bBmIZUwl-w=.618ac88d-4ee7-4eb2-b8c3-7adae8b1e4e6@github.com>
 <RSU05-OjUEVCKg7zlHr4H9w7GjSTctawLXxXFu6zQiE=.25ca1009-b638-4854-a782-b2adec6db022@github.com>
 <k5N_2k_3YNKtDtJGIDE3eCsPlOV88NUTzt8Tkkf2cFw=.189808c2-04a3-45fe-8221-790a10aa7696@github.com>
 <d0EXlPXv_oDqZWTqyd3jwYQ0kDXonvzsJvjaLgE2iPc=.85f6bb20-a5f1-41e4-a8e0-14df740b0f50@github.com>
 <mmBV0SG_q3Ko0fbrdD1FSWJWOZxVMy7OF5nw562_ZKY=.ce521db4-5cd5-453f-abaf-414d0877781f@github.com>
Message-ID: <7mR_iCEJRYWqMJhIXOvexTc-Jen4AVFTge91tV1YqSg=.442238f0-c217-4541-8d2c-b1e099814019@github.com>

On Thu, 2 Dec 2021 18:03:50 GMT, Andrew Leonard <aleonard at openjdk.org> wrote:

>> my assumption was the recipe gets resolved later
>
> this was my understanding: https://www.gnu.org/software/make/manual/html_node/Variables-in-Recipes.html
> 
> This occurs after make has finished reading all the makefiles and the target is determined to be out of date; so, the recipes for targets which are not rebuilt are never expanded. 
> 
> but i'm going to double check I was checking the resultant cacerts correctly in my tests

Oh, I didn't expand the diff far enough to actually see the context correctly when I reviewed this as I would never have imagined the conditional to be placed after the rule. While this will work as so far as using the correct files, incremental builds will not be correct, because the rules are defined in the first pass.

I very much agree with Magnus that this conditional belongs around line 63.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6647

From aleonard at openjdk.java.net  Thu Dec  2 19:15:22 2021
From: aleonard at openjdk.java.net (Andrew Leonard)
Date: Thu, 2 Dec 2021 19:15:22 GMT
Subject: RFR: 8278080: Add --with-cacerts-src='user cacerts folder' to
 enable deterministic cacerts generation [v2]
In-Reply-To: <7mR_iCEJRYWqMJhIXOvexTc-Jen4AVFTge91tV1YqSg=.442238f0-c217-4541-8d2c-b1e099814019@github.com>
References: <G8-efNnV-rm9nZB7VvAtbkxjooqAtg39xD6_FB7PPos=.f6e00f71-38d7-41bf-91c6-d5d7e8e19012@github.com>
 <kZvtcRb0PLPUh--qpazvcQVm9IyDfp_zK4uBoXB67PI=.d4775b56-3db6-4c97-acd3-6b54b7dab83f@github.com>
 <eG7yZvI4mfso0wtx04mfr6spLrr0yrB17bBmIZUwl-w=.618ac88d-4ee7-4eb2-b8c3-7adae8b1e4e6@github.com>
 <RSU05-OjUEVCKg7zlHr4H9w7GjSTctawLXxXFu6zQiE=.25ca1009-b638-4854-a782-b2adec6db022@github.com>
 <k5N_2k_3YNKtDtJGIDE3eCsPlOV88NUTzt8Tkkf2cFw=.189808c2-04a3-45fe-8221-790a10aa7696@github.com>
 <d0EXlPXv_oDqZWTqyd3jwYQ0kDXonvzsJvjaLgE2iPc=.85f6bb20-a5f1-41e4-a8e0-14df740b0f50@github.com>
 <mmBV0SG_q3Ko0fbrdD1FSWJWOZxVMy7OF5nw562_ZKY=.ce521db4-5cd5-453f-abaf-414d0877781f@github.com>
 <7mR_iCEJRYWqMJhIXOvexTc-Jen4AVFTge91tV1YqSg=.442238f0-c217-4541-8d2c-b1e099814019@github.com>
Message-ID: <M8K_4WettXBRsfwxU1mMIUsk8Wi79uyLXPnnml5Kiac=.37d440fb-edd7-4e74-ae2f-790324426b30@github.com>

On Thu, 2 Dec 2021 18:46:09 GMT, Erik Joelsson <erikj at openjdk.org> wrote:

>> this was my understanding: https://www.gnu.org/software/make/manual/html_node/Variables-in-Recipes.html
>> 
>> This occurs after make has finished reading all the makefiles and the target is determined to be out of date; so, the recipes for targets which are not rebuilt are never expanded. 
>> 
>> but i'm going to double check I was checking the resultant cacerts correctly in my tests
>
> Oh, I didn't expand the diff far enough to actually see the context correctly when I reviewed this as I would never have imagined the conditional to be placed after the rule. While this will work as so far as using the correct files, incremental builds will not be correct, because the rules are defined in the first pass.
> 
> I very much agree with Magnus that this conditional belongs around line 63.

yes, thanks, feeling rather stupid here! i'll raise an issue to fix

-------------

PR: https://git.openjdk.java.net/jdk/pull/6647

From valeriep at openjdk.java.net  Thu Dec  2 19:34:20 2021
From: valeriep at openjdk.java.net (Valerie Peng)
Date: Thu, 2 Dec 2021 19:34:20 GMT
Subject: RFR: 8278099: two sun/security/pkcs11/Signature tests failed with
 AssertionError
In-Reply-To: <c2w9maRqodssTLUIOwEiRvVkfrIlBqN0SJq38BRw05M=.38b65e75-3cdf-41a1-9173-decdfc5b2630@github.com>
References: <t58WVaHoe9r9Dv-OIqTZi9TX0FsLSVCCIDkvZlsx5Fg=.d164f1ac-b097-4ac5-bcd2-2ef00938ae93@github.com>
 <c2w9maRqodssTLUIOwEiRvVkfrIlBqN0SJq38BRw05M=.38b65e75-3cdf-41a1-9173-decdfc5b2630@github.com>
Message-ID: <4CyoArEUBBNKVLG5k1V69BVqTvdwy6tax5pviFPGdIk=.d41be135-3b3b-4f4d-b95e-cac81725dc9a@github.com>

On Thu, 2 Dec 2021 01:42:58 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Not a PKCS11 expert, but does a "digest-specific PSS signature mechanism" needs `setParameter` anymore? Or, must it be the same as the existing parameters dictated by the specified digest?

Previously when PSS support is added, the NSS library that we have does not support digest-specific PSS signatures. Now that some machine starts failing due to this assert and passes without this assert, it at least confirms that these digest-specific PSS signature mechanisms still work with the setParameter() call. I will take a closer look at these new mechanisms and see if any changes are needed. Best to remove this assert ASAP for a clean tier 2 result...

-------------

PR: https://git.openjdk.java.net/jdk/pull/6656

From valeriep at openjdk.java.net  Thu Dec  2 19:34:21 2021
From: valeriep at openjdk.java.net (Valerie Peng)
Date: Thu, 2 Dec 2021 19:34:21 GMT
Subject: Integrated: 8278099: two sun/security/pkcs11/Signature tests failed
 with AssertionError
In-Reply-To: <t58WVaHoe9r9Dv-OIqTZi9TX0FsLSVCCIDkvZlsx5Fg=.d164f1ac-b097-4ac5-bcd2-2ef00938ae93@github.com>
References: <t58WVaHoe9r9Dv-OIqTZi9TX0FsLSVCCIDkvZlsx5Fg=.d164f1ac-b097-4ac5-bcd2-2ef00938ae93@github.com>
Message-ID: <FgTp4Za70iNhctIINQvaZ3iIu0SbXR7vEkniOqSF9MY=.b1262750-eef5-49c0-ae3a-ff99460e8fe7@github.com>

On Thu, 2 Dec 2021 01:20:30 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

> Can someone help reviewing this trivial one-line fix? The assert check in CK_MECHANISM.java is too strict and fail unexpectedly when digest-specific PSS signature mechanisms are supported by the underlying PKCS#11 library. The fix is to remove this assert check. No new regression test added with this fix as this is already covered by existing regression tests.
> 
> Thanks,
> Valerie

This pull request has now been integrated.

Changeset: 669c90e2
Author:    Valerie Peng <valeriep at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/669c90e23b2397fa9fb4388e8380c95c3b19eb48
Stats:     1 line in 1 file changed: 0 ins; 1 del; 0 mod

8278099: two sun/security/pkcs11/Signature tests failed with AssertionError

Reviewed-by: dcubed

-------------

PR: https://git.openjdk.java.net/jdk/pull/6656

From ihse at openjdk.java.net  Thu Dec  2 19:57:18 2021
From: ihse at openjdk.java.net (Magnus Ihse Bursie)
Date: Thu, 2 Dec 2021 19:57:18 GMT
Subject: RFR: 8278080: Add --with-cacerts-src='user cacerts folder' to
 enable deterministic cacerts generation [v2]
In-Reply-To: <M8K_4WettXBRsfwxU1mMIUsk8Wi79uyLXPnnml5Kiac=.37d440fb-edd7-4e74-ae2f-790324426b30@github.com>
References: <G8-efNnV-rm9nZB7VvAtbkxjooqAtg39xD6_FB7PPos=.f6e00f71-38d7-41bf-91c6-d5d7e8e19012@github.com>
 <kZvtcRb0PLPUh--qpazvcQVm9IyDfp_zK4uBoXB67PI=.d4775b56-3db6-4c97-acd3-6b54b7dab83f@github.com>
 <eG7yZvI4mfso0wtx04mfr6spLrr0yrB17bBmIZUwl-w=.618ac88d-4ee7-4eb2-b8c3-7adae8b1e4e6@github.com>
 <RSU05-OjUEVCKg7zlHr4H9w7GjSTctawLXxXFu6zQiE=.25ca1009-b638-4854-a782-b2adec6db022@github.com>
 <k5N_2k_3YNKtDtJGIDE3eCsPlOV88NUTzt8Tkkf2cFw=.189808c2-04a3-45fe-8221-790a10aa7696@github.com>
 <d0EXlPXv_oDqZWTqyd3jwYQ0kDXonvzsJvjaLgE2iPc=.85f6bb20-a5f1-41e4-a8e0-14df740b0f50@github.com>
 <mmBV0SG_q3Ko0fbrdD1FSWJWOZxVMy7OF5nw562_ZKY=.ce521db4-5cd5-453f-abaf-414d0877781f@github.com>
 <7mR_iCEJRYWqMJhIXOvexTc-Jen4AVFTge91tV1YqSg=.442238f0-c217-4541-8d2c-b1e099814019@github.com>
 <M8K_4WettXBRsfwxU1mMIUsk8Wi79uyLXPnnml5Kiac=.37d440fb-edd7-4e74-ae2f-790324426b30@github.com>
Message-ID: <Vf4tCn1i2Yp63w0m-RNBeYG1C6CinVTB0iHjxfvRmoM=.48f54590-6569-424a-8437-3a5059e19ceb@github.com>

On Thu, 2 Dec 2021 19:12:37 GMT, Andrew Leonard <aleonard at openjdk.org> wrote:

>> Oh, I didn't expand the diff far enough to actually see the context correctly when I reviewed this as I would never have imagined the conditional to be placed after the rule. While this will work as so far as using the correct files, incremental builds will not be correct, because the rules are defined in the first pass.
>> 
>> I very much agree with Magnus that this conditional belongs around line 63.
>
> yes, thanks, feeling rather stupid here! i'll raise an issue to fix

@andrew-m-leonard Don't be. Make is a horrible programming language, both syntactically and semantically. It's taken me years to be somewhat comfortable with it, and often I just manage to get it right only by sticking to a few, well-proven and battle-hardened patterns. :)

-------------

PR: https://git.openjdk.java.net/jdk/pull/6647

From valeriep at openjdk.java.net  Thu Dec  2 20:31:12 2021
From: valeriep at openjdk.java.net (Valerie Peng)
Date: Thu, 2 Dec 2021 20:31:12 GMT
Subject: RFR: 8275082: Update XML Security for Java to 2.3.0
In-Reply-To: <XW6h4qlQMRSzf5986jJx0VKkRMO44bHUapS_aT05y10=.55ce49cc-d54c-448b-b29a-2ed3135b7516@github.com>
References: <XW6h4qlQMRSzf5986jJx0VKkRMO44bHUapS_aT05y10=.55ce49cc-d54c-448b-b29a-2ed3135b7516@github.com>
Message-ID: <MX-RLJwCIQBRKgg5hFq5cwkRQPXNh1oMxCmyG8oAaas=.d886fc87-dccb-4208-a1a9-66f394fa0e4d@github.com>

On Wed, 1 Dec 2021 17:31:37 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Import Apache Santuario 2.3.0 without the secure validation changes since in OpenJDK we are using the `jdk.xml.dsig.secureValidationPolicy` security property for XML Signature secure validation protection.
> 
> Two commits are pushed:
> 
> - 2.3.0: Import 2.3.0 code changes
> - revert: revert the Santuario secure validation changes

The revert is done manually and covered by existing regression tests? May need to add a noreg-xxx label

-------------

PR: https://git.openjdk.java.net/jdk/pull/6644

From valeriep at openjdk.java.net  Thu Dec  2 20:40:22 2021
From: valeriep at openjdk.java.net (Valerie Peng)
Date: Thu, 2 Dec 2021 20:40:22 GMT
Subject: RFR: 8275082: Update XML Security for Java to 2.3.0
In-Reply-To: <XW6h4qlQMRSzf5986jJx0VKkRMO44bHUapS_aT05y10=.55ce49cc-d54c-448b-b29a-2ed3135b7516@github.com>
References: <XW6h4qlQMRSzf5986jJx0VKkRMO44bHUapS_aT05y10=.55ce49cc-d54c-448b-b29a-2ed3135b7516@github.com>
Message-ID: <eddHbAIknnHYACrln0lJWAFg2woMdZaGVi1ZfZCQlH0=.87f8e33c-8081-4c9c-b96a-6b2c3cb3a894@github.com>

On Wed, 1 Dec 2021 17:31:37 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Import Apache Santuario 2.3.0 without the secure validation changes since in OpenJDK we are using the `jdk.xml.dsig.secureValidationPolicy` security property for XML Signature secure validation protection.
> 
> Two commits are pushed:
> 
> - 2.3.0: Import 2.3.0 code changes
> - revert: revert the Santuario secure validation changes

src/java.xml.crypto/share/classes/org/jcp/xml/dsig/internal/dom/Policy.java line 53:

> 51:     private static Map<String, Integer> minKeyMap;
> 52:     private static boolean noDuplicateIds;
> 53:     private static boolean noRMLoops;

Does it really make any difference, moving the initialization to the initialize() method? The comment on line 46 no longer apply now that the initialization is relocated.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6644

From duke at openjdk.java.net  Thu Dec  2 21:02:40 2021
From: duke at openjdk.java.net (Tim Prinzing)
Date: Thu, 2 Dec 2021 21:02:40 GMT
Subject: RFR: JDK-8276681: Malformed Javadoc inline tags in JDK source
 jdk/internal/net/http/ResponseSubscribers.java
Message-ID: <Xq13dh7dQkT3ZLbvFfFOzCVMf-2hJt6lqJaGc6k4RK0=.cb501327-88dd-440c-95ec-c0f8d50a6ce1@github.com>

JDK-8276681: Malformed Javadoc inline tags in JDK source jdk/internal/net/http/ResponseSubscribers.java

-------------

Commit messages:
 - Merge branch 'master' into JDK-8276681
 - Fix missing '@' in javadoc for JDK-8276681

Changes: https://git.openjdk.java.net/jdk/pull/6486/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6486&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8276681
  Stats: 13 lines in 10 files changed: 0 ins; 0 del; 13 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6486.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6486/head:pull/6486

PR: https://git.openjdk.java.net/jdk/pull/6486

From lancea at openjdk.java.net  Thu Dec  2 21:08:17 2021
From: lancea at openjdk.java.net (Lance Andersen)
Date: Thu, 2 Dec 2021 21:08:17 GMT
Subject: RFR: JDK-8276681: Malformed Javadoc inline tags in JDK source
 jdk/internal/net/http/ResponseSubscribers.java
In-Reply-To: <Xq13dh7dQkT3ZLbvFfFOzCVMf-2hJt6lqJaGc6k4RK0=.cb501327-88dd-440c-95ec-c0f8d50a6ce1@github.com>
References: <Xq13dh7dQkT3ZLbvFfFOzCVMf-2hJt6lqJaGc6k4RK0=.cb501327-88dd-440c-95ec-c0f8d50a6ce1@github.com>
Message-ID: <BirNhh9Ja_VPIbBsvqXQE9qnyVxSyIi1FqufTfgDhR0=.20a63cea-3b4d-4d8f-9f23-8e060321eff0@github.com>

On Sat, 20 Nov 2021 04:09:51 GMT, Tim Prinzing <duke at openjdk.java.net> wrote:

> JDK-8276681: Malformed Javadoc inline tags in JDK source jdk/internal/net/http/ResponseSubscribers.java

Marked as reviewed by lancea (Reviewer).

-------------

PR: https://git.openjdk.java.net/jdk/pull/6486

From duke at openjdk.java.net  Thu Dec  2 21:25:54 2021
From: duke at openjdk.java.net (Tim Prinzing)
Date: Thu, 2 Dec 2021 21:25:54 GMT
Subject: Integrated: JDK-8276681: Additional malformed Javadoc inline tags in
 JDK source
In-Reply-To: <Xq13dh7dQkT3ZLbvFfFOzCVMf-2hJt6lqJaGc6k4RK0=.cb501327-88dd-440c-95ec-c0f8d50a6ce1@github.com>
References: <Xq13dh7dQkT3ZLbvFfFOzCVMf-2hJt6lqJaGc6k4RK0=.cb501327-88dd-440c-95ec-c0f8d50a6ce1@github.com>
Message-ID: <bWDNIhKSRZioOMEelJEP6XLFWIVlsL4db0dq8ci1uc8=.65ffd2fa-81ab-43c5-9b2e-f16adc02e97f@github.com>

On Sat, 20 Nov 2021 04:09:51 GMT, Tim Prinzing <duke at openjdk.java.net> wrote:

> JDK-8276681: Additional malformed Javadoc inline tags in JDK source

This pull request has now been integrated.

Changeset: b8ac0d20
Author:    Tim Prinzing <tim.prinzing at oracle.com>
Committer: Lance Andersen <lancea at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/b8ac0d20ceec26b3a1dd0b9577817fa6320ea9ef
Stats:     11 lines in 9 files changed: 0 ins; 0 del; 11 mod

8276681: Additional malformed Javadoc inline tags in JDK source

Reviewed-by: lancea

-------------

PR: https://git.openjdk.java.net/jdk/pull/6486

From duke at openjdk.java.net  Thu Dec  2 21:25:53 2021
From: duke at openjdk.java.net (Tim Prinzing)
Date: Thu, 2 Dec 2021 21:25:53 GMT
Subject: RFR: JDK-8276681: Additional malformed Javadoc inline tags in JDK
 source [v2]
In-Reply-To: <Xq13dh7dQkT3ZLbvFfFOzCVMf-2hJt6lqJaGc6k4RK0=.cb501327-88dd-440c-95ec-c0f8d50a6ce1@github.com>
References: <Xq13dh7dQkT3ZLbvFfFOzCVMf-2hJt6lqJaGc6k4RK0=.cb501327-88dd-440c-95ec-c0f8d50a6ce1@github.com>
Message-ID: <GbmF-XM7XVPim_elGvQ6JdprN0moW9rcXDFloSFV32g=.5df294e6-a3f0-4043-bd7b-aebef585ba87@github.com>

> JDK-8276681: Additional malformed Javadoc inline tags in JDK source

Tim Prinzing has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains three additional commits since the last revision:

 - Merge branch 'master' into JDK-8276681
 - Merge branch 'master' into JDK-8276681
 - Fix missing '@' in javadoc for JDK-8276681

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/6486/files
  - new: https://git.openjdk.java.net/jdk/pull/6486/files/e8071197..8eaf05bc

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6486&range=01
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6486&range=00-01

  Stats: 29529 lines in 653 files changed: 17761 ins; 7341 del; 4427 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6486.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6486/head:pull/6486

PR: https://git.openjdk.java.net/jdk/pull/6486

From mbalao at openjdk.java.net  Thu Dec  2 21:31:52 2021
From: mbalao at openjdk.java.net (Martin Balao)
Date: Thu, 2 Dec 2021 21:31:52 GMT
Subject: RFR: 8271566: DSA signature length value is not accurate in
 P11Signature [v3]
In-Reply-To: <1TPW26SEl6BcKnQobVmN2SVGnU4RBrhaeLtx28AJzt0=.162e98c1-94e9-47ee-8070-b4dde6dbf66f@github.com>
References: <1TPW26SEl6BcKnQobVmN2SVGnU4RBrhaeLtx28AJzt0=.162e98c1-94e9-47ee-8070-b4dde6dbf66f@github.com>
Message-ID: <OQeZiEr0bJo3HK29SH9LrWWJK5-nz4k-EkvdMpuHJwA=.98fa1d10-3189-4026-8948-fbc584aa32c1@github.com>

> As described in JDK-8271566 [1], this patch proposal is intended to fix a problem that arises when using DSA keys that have a 256-bits (or larger) G parameter for signatures (either signing or verifying). There were some incorrect assumptions and hard-coded length values in the code before. Please note that, for example, the tuple (2048, 256) for DSA is valid according to FIPS PUB 186-4.
> 
> Beyond the specific issues in signatures, I decided to provide a broader solution and enable key parameter retrieval for other key types (EC, DH) when possible. This is, when the key is not sensitive. One thing that I should note here is that token keys (those that have the CKA_TOKEN attribute equal to 'true') are considered sensitive in this regard, at least by the NSS Software Token implementation. I don't have access to other vendor implementations but if there is any concern, we can adjust the constraint to NSS-only. However, I'm not sure which use-case would require to get private keys out of a real token, weakening its security. I'd be more conservative here and not query the values if not sure that it will succeed.
> 
> No regressions found in jdk/sun/security/pkcs11. A new test added: LargerDSAKey.
> 
> --
> [1] - https://bugs.openjdk.java.net/browse/JDK-8271566

Martin Balao has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains six commits:

 - 8271566: DSA signature length value is not accurate in P11Signature (Webrev.02 based)
 - Merge branch 'master' into JDK-8271566
 - Revert 8271566: DSA signature length value is not accurate in P11Signature
 - Revert P11Key static inner classes refactorings.
 - P11Key static inner classes refactorings.
 - 8271566: DSA signature length value is not accurate in P11Signature

-------------

Changes: https://git.openjdk.java.net/jdk/pull/4961/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=4961&range=02
  Stats: 682 lines in 4 files changed: 380 ins; 121 del; 181 mod
  Patch: https://git.openjdk.java.net/jdk/pull/4961.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/4961/head:pull/4961

PR: https://git.openjdk.java.net/jdk/pull/4961

From mbalao at openjdk.java.net  Thu Dec  2 21:53:23 2021
From: mbalao at openjdk.java.net (Martin Balao)
Date: Thu, 2 Dec 2021 21:53:23 GMT
Subject: RFR: 8271566: DSA signature length value is not accurate in
 P11Signature [v2]
In-Reply-To: <GK3nB9gsdNpbrhj1n25tpVXbQ285Zf1QccI3O2u3oGA=.404e8136-bf62-414c-b13d-d7db71f05ea6@github.com>
References: <1TPW26SEl6BcKnQobVmN2SVGnU4RBrhaeLtx28AJzt0=.162e98c1-94e9-47ee-8070-b4dde6dbf66f@github.com>
 <FPCFus5ti9nNPUazUdnxrQZODxjRkwSWMhdD1eIuIig=.91b2df83-247b-48a0-84ff-0a78542661c4@github.com>
 <8vTXZjaSwUZ3IoHJcfC2cllpmm75dey2vtvVenwo1I4=.8e9ed87b-36de-42c6-b70b-554ba2db23ab@github.com>
 <GK3nB9gsdNpbrhj1n25tpVXbQ285Zf1QccI3O2u3oGA=.404e8136-bf62-414c-b13d-d7db71f05ea6@github.com>
Message-ID: <3QULgzggAtGLP5n2mZd7SzVtcdxLhRMJzhfIrNxvgyw=.dda06c44-e5fe-4814-89eb-b59dcb6fa867@github.com>

On Tue, 30 Nov 2021 19:48:19 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> Hmm, thinking more about "internal"/"opaque", given this is naming for the parent, maybe "internal" is more correct. The non-sensitive keys are encapsulated by the children classes and is still an instance of the parent. If you name the parent class w/ "opaque" suffix, it looks misleading/confusing. The opaqueness is implied by the implementation instead of the properties of the objects.
>
>> Hi @valeriepeng ,
>> 
>> Yes, I just verified how serialization works for P11Keys and your 'transient' change makes sense to me now.
>> 
>> I see your point about Internal/Opaque. Keep 'Internal' then if you prefer. The whole inheritance relationship between these classes sounds a bit weird to me, beyond the names we call them. I wouldn't suggest any additional changes there now, though.
>> 
>> It looks to me that the only 2 changes expected for Webrev.02 are: 1) P11RSAPrivateNonCRTKey to use the parent's protected 'n'; and 2) removal of 'long errorCode = e.getErrorCode();'.
>> 
>> Now that we almost have the changeset ready, I'm not sure of how to proceed with the push. Do you want me to commit Webrev.02 in my own branch and use the 'Co-authored-by:' header? If we do that, do we still need an additional Reviewer? Do you prefer to have your own branch? Please let me know of how to move forward.
>> 
>> Martin.-
> 
> You can just incorporate the changes on your branch and proceeds with me being the reviewer. The webrev that I sent u is just an easier way to express the comments/feedbacks.
> 
> Thanks,
> Valerie

Hi @valeriepeng 

I've reverted the initial 2 changesets on this branch, rebased to the latest commit on 'master' (git merge), applied Webrev.02 as discussed and added the test case from the initial commit (with the change from the 2nd commit applied on top).

I've noticed no regressions in jdk/sun/security/pkcs11.

Does it look good to you?

Thanks,
Martin.-

-------------

PR: https://git.openjdk.java.net/jdk/pull/4961

From ssahoo at openjdk.java.net  Fri Dec  3 06:14:49 2021
From: ssahoo at openjdk.java.net (Sibabrata Sahoo)
Date: Fri, 3 Dec 2021 06:14:49 GMT
Subject: RFR: 8277353: java/security/MessageDigest/ThreadSafetyTest.java
 test times out [v2]
In-Reply-To: <8GdNQIf2UfVcwE94T18PpgcgQNOYlRt03WllAYdR4JE=.3987d453-4669-40ff-b3da-828b4c17d602@github.com>
References: <8GdNQIf2UfVcwE94T18PpgcgQNOYlRt03WllAYdR4JE=.3987d453-4669-40ff-b3da-828b4c17d602@github.com>
Message-ID: <4b_-Dz3yRbOwJziNmKdlAsCBuEXLn37aewRH3pVdDG0=.462e6f8d-63f3-4f2b-8100-e6d731fcf379@github.com>

> This Test gets timeout during low cpu availability. It is modified to support extended timeout period during JTREG execution.

Sibabrata Sahoo has updated the pull request incrementally with one additional commit since the last revision:

  8277353: java/security/MessageDigest/ThreadSafetyTest.java test times out

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/6626/files
  - new: https://git.openjdk.java.net/jdk/pull/6626/files/325e351d..9a197651

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6626&range=01
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6626&range=00-01

  Stats: 2 lines in 1 file changed: 0 ins; 0 del; 2 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6626.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6626/head:pull/6626

PR: https://git.openjdk.java.net/jdk/pull/6626

From ssahoo at openjdk.java.net  Fri Dec  3 06:22:15 2021
From: ssahoo at openjdk.java.net (Sibabrata Sahoo)
Date: Fri, 3 Dec 2021 06:22:15 GMT
Subject: RFR: 8277353: java/security/MessageDigest/ThreadSafetyTest.java
 test times out [v2]
In-Reply-To: <4b_-Dz3yRbOwJziNmKdlAsCBuEXLn37aewRH3pVdDG0=.462e6f8d-63f3-4f2b-8100-e6d731fcf379@github.com>
References: <8GdNQIf2UfVcwE94T18PpgcgQNOYlRt03WllAYdR4JE=.3987d453-4669-40ff-b3da-828b4c17d602@github.com>
 <4b_-Dz3yRbOwJziNmKdlAsCBuEXLn37aewRH3pVdDG0=.462e6f8d-63f3-4f2b-8100-e6d731fcf379@github.com>
Message-ID: <QlmKIBvLF1OoYwqAVRkzgM1-Ywo_MHP7-z8keCrboNQ=.b4d22b26-fd11-4b8e-9c36-9048ffa3c4bb@github.com>

On Fri, 3 Dec 2021 06:14:49 GMT, Sibabrata Sahoo <ssahoo at openjdk.org> wrote:

>> This Test gets timeout during low cpu availability. It is modified to support extended timeout period during JTREG execution.
>
> Sibabrata Sahoo has updated the pull request incrementally with one additional commit since the last revision:
> 
>   8277353: java/security/MessageDigest/ThreadSafetyTest.java test times out

Thanks Alexey, I have updated the threadsFactor=4 and duration=2. With this change the Test is completing ~50 seconds in my laptop which is 50% improvement over original.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6626

From weijun at openjdk.java.net  Fri Dec  3 15:24:54 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Fri, 3 Dec 2021 15:24:54 GMT
Subject: RFR: 8275082: Update XML Security for Java to 2.3.0 [v2]
In-Reply-To: <XW6h4qlQMRSzf5986jJx0VKkRMO44bHUapS_aT05y10=.55ce49cc-d54c-448b-b29a-2ed3135b7516@github.com>
References: <XW6h4qlQMRSzf5986jJx0VKkRMO44bHUapS_aT05y10=.55ce49cc-d54c-448b-b29a-2ed3135b7516@github.com>
Message-ID: <1rndJ3etjd4wF0wf6EKNDM4bAjItCEc0nApENWdwyp4=.3ad0ea6f-3aa8-4532-a385-4fefc89b30b0@github.com>

> Import Apache Santuario 2.3.0 without the secure validation changes since in OpenJDK we are using the `jdk.xml.dsig.secureValidationPolicy` security property for XML Signature secure validation protection.
> 
> Two commits are pushed:
> 
> - 2.3.0: Import 2.3.0 code changes
> - revert: revert the Santuario secure validation changes

Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:

  update comment

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/6644/files
  - new: https://git.openjdk.java.net/jdk/pull/6644/files/26a8a428..318a7c89

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6644&range=01
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6644&range=00-01

  Stats: 3 lines in 1 file changed: 2 ins; 1 del; 0 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6644.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6644/head:pull/6644

PR: https://git.openjdk.java.net/jdk/pull/6644

From mullan at openjdk.java.net  Fri Dec  3 17:46:18 2021
From: mullan at openjdk.java.net (Sean Mullan)
Date: Fri, 3 Dec 2021 17:46:18 GMT
Subject: RFR: 8225181: KeyStore should have a getAttributes method [v5]
In-Reply-To: <rxiKvHZyBMJBnrb8a6_wIp2e9tkT8E_tvf52PyFlc-8=.8945f263-67b5-4b6d-8210-08e76bb55519@github.com>
References: <XTW5eese0JOA1h_vEs4l6_qaza3MLxdcryK_TFs5vFA=.3eb2796e-f3e1-4b0d-898e-c6918ce2de57@github.com>
 <rxiKvHZyBMJBnrb8a6_wIp2e9tkT8E_tvf52PyFlc-8=.8945f263-67b5-4b6d-8210-08e76bb55519@github.com>
Message-ID: <x229uAAormh8atsp2Lu9Pui5JB5xFA9VNis3KigvTxk=.ce2d89df-5584-4a5f-956d-803a097625f3@github.com>

On Wed, 1 Dec 2021 01:15:27 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Add `KeyStore::getAttributes` so that one can get the attributes of an entry without retrieving the entry first. This is especially useful for a private key entry which can only be retrieved with a password.
>
> Weijun Wang has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains seven additional commits since the last revision:
> 
>  - final spec change
>  - Merge branch 'master' into 8225181
>  - Merge branch 'master' into 8225181
>  - redine spec
>  - more clear and precise spec
>  - clarification on protected attributes
>  - 8225181: KeyStore should have a getAttributes method
>    
>    8225181: KeyStore should have a getAttributes method

Marked as reviewed by mullan (Reviewer).

-------------

PR: https://git.openjdk.java.net/jdk/pull/6026

From weijun at openjdk.java.net  Fri Dec  3 18:56:22 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Fri, 3 Dec 2021 18:56:22 GMT
Subject: Integrated: 8225181: KeyStore should have a getAttributes method
In-Reply-To: <XTW5eese0JOA1h_vEs4l6_qaza3MLxdcryK_TFs5vFA=.3eb2796e-f3e1-4b0d-898e-c6918ce2de57@github.com>
References: <XTW5eese0JOA1h_vEs4l6_qaza3MLxdcryK_TFs5vFA=.3eb2796e-f3e1-4b0d-898e-c6918ce2de57@github.com>
Message-ID: <ANic_pli5l1HOX6gbTT6Jv0Hss_Qxbs4SEDH3zq1E7A=.7cb6af0c-c226-429d-8059-9e8c02809e31@github.com>

On Wed, 20 Oct 2021 02:08:24 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Add `KeyStore::getAttributes` so that one can get the attributes of an entry without retrieving the entry first. This is especially useful for a private key entry which can only be retrieved with a password.

This pull request has now been integrated.

Changeset: a729a70c
Author:    Weijun Wang <weijun at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/a729a70c0119ed071ff490b0dfd4e3e2cb1a5ae4
Stats:     169 lines in 6 files changed: 167 ins; 0 del; 2 mod

8225181: KeyStore should have a getAttributes method

Reviewed-by: mullan

-------------

PR: https://git.openjdk.java.net/jdk/pull/6026

From serb at openjdk.java.net  Fri Dec  3 18:58:16 2021
From: serb at openjdk.java.net (Sergey Bylokhov)
Date: Fri, 3 Dec 2021 18:58:16 GMT
Subject: RFR: 8278080: Add --with-cacerts-src='user cacerts folder' to
 enable deterministic cacerts generation
In-Reply-To: <YUGA1y62YYO6pW3TmVVA6u2FVCGBeSI0fm68BKcFhxs=.4ff07036-f6eb-4c88-8b77-2c16da437308@github.com>
References: <G8-efNnV-rm9nZB7VvAtbkxjooqAtg39xD6_FB7PPos=.f6e00f71-38d7-41bf-91c6-d5d7e8e19012@github.com>
 <OYXY3EfnLesP0j3ctkTaMLftQoKHmzeCYBxO3J8Z6Iw=.0414edba-4953-4d77-901b-de1cccb696d1@github.com>
 <YUGA1y62YYO6pW3TmVVA6u2FVCGBeSI0fm68BKcFhxs=.4ff07036-f6eb-4c88-8b77-2c16da437308@github.com>
Message-ID: <oHHnesKTjVCKyV3HfD2iTkfDbQhUWWgl3xNyO7g6A9M=.78d853a7-3b6d-4e61-bb4d-8ddc5fcb4c83@github.com>

On Thu, 2 Dec 2021 10:55:57 GMT, Andrew Leonard <aleonard at openjdk.org> wrote:

> This is the case at Adoptium for example, which uses the Mozilla trusted CA certs.

But they didn't think skipping this test was too strong a step? For example validation of the certs expiration is quite useful. I tried to update the test to take into account additional certs, but it caused a merge conflict each time the certs in OpenJDK are updated. Probably we can add a config file that can inject/override some info in the test(at least skip the checksum validation)? By default this config file will be empty and will not be modified in the OpenJDK, but the vendors will be able to modify it. @wangweij @rhalade what do you think?

-------------

PR: https://git.openjdk.java.net/jdk/pull/6647

From rhalade at openjdk.java.net  Fri Dec  3 19:09:23 2021
From: rhalade at openjdk.java.net (Rajan Halade)
Date: Fri, 3 Dec 2021 19:09:23 GMT
Subject: RFR: 8278080: Add --with-cacerts-src='user cacerts folder' to
 enable deterministic cacerts generation [v2]
In-Reply-To: <kZvtcRb0PLPUh--qpazvcQVm9IyDfp_zK4uBoXB67PI=.d4775b56-3db6-4c97-acd3-6b54b7dab83f@github.com>
References: <G8-efNnV-rm9nZB7VvAtbkxjooqAtg39xD6_FB7PPos=.f6e00f71-38d7-41bf-91c6-d5d7e8e19012@github.com>
 <kZvtcRb0PLPUh--qpazvcQVm9IyDfp_zK4uBoXB67PI=.d4775b56-3db6-4c97-acd3-6b54b7dab83f@github.com>
Message-ID: <D4HFIhEOharaQH0yIUShMNuLSm5C1d1o6UFG1b6L8K4=.2138739c-5d93-4045-859e-58d86447931b@github.com>

On Thu, 2 Dec 2021 12:13:03 GMT, Andrew Leonard <aleonard at openjdk.org> wrote:

>> Addition of a configure option --with-cacerts-src='user cacerts folder' to allow developers to specify their own cacerts PEM folder for generation of the cacerts store using the deterministic openjdk GenerateCacerts tool.
>> 
>> Signed-off-by: Andrew Leonard <anleonar at redhat.com>
>
> Andrew Leonard has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains four additional commits since the last revision:
> 
>  - 8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation
>    
>    Signed-off-by: Andrew Leonard <anleonar at redhat.com>
>  - Merge branch 'master' of https://github.com/openjdk/jdk into cacertssrc
>  - 8278080: Add --with-cacerts-src='user cacerts folder' to enable determinsitic cacerts generation
>    
>    Signed-off-by: Andrew Leonard <anleonar at redhat.com>
>  - 8278080: Add --with-cacerts-src='user cacerts folder' to enable determinsitic cacerts generation
>    
>    Signed-off-by: Andrew Leonard <anleonar at redhat.com>

The purpose of this test is to ensure integrity of the cacerts file along with basic validation of included roots. Having a config file with this information sounds like a good idea for now to be able to handle multiple files.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6647

From weijun at openjdk.java.net  Fri Dec  3 19:45:32 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Fri, 3 Dec 2021 19:45:32 GMT
Subject: RFR: 8278247: KeyStoreSpi::engineGetAttributes does not throws
 KeyStoreException
Message-ID: <1yRV1NBDy3k4gVPG6beVIbT5imhPijk8n0HzfD5_3KU=.1b3beb06-d476-41a2-80ec-fcb02d722dcf@github.com>

The specification wrongly claims there could be an exception thrown, but it's not true.

-------------

Commit messages:
 - 8278247: KeyStoreSpi::engineGetAttributes does not throws KeyStoreException

Changes: https://git.openjdk.java.net/jdk/pull/6706/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6706&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8278247
  Stats: 3 lines in 1 file changed: 0 ins; 3 del; 0 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6706.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6706/head:pull/6706

PR: https://git.openjdk.java.net/jdk/pull/6706

From mullan at openjdk.java.net  Fri Dec  3 19:52:15 2021
From: mullan at openjdk.java.net (Sean Mullan)
Date: Fri, 3 Dec 2021 19:52:15 GMT
Subject: RFR: 8278247: KeyStoreSpi::engineGetAttributes does not throws
 KeyStoreException
In-Reply-To: <1yRV1NBDy3k4gVPG6beVIbT5imhPijk8n0HzfD5_3KU=.1b3beb06-d476-41a2-80ec-fcb02d722dcf@github.com>
References: <1yRV1NBDy3k4gVPG6beVIbT5imhPijk8n0HzfD5_3KU=.1b3beb06-d476-41a2-80ec-fcb02d722dcf@github.com>
Message-ID: <ClddMzRBYyaMnwCtprOSMaoCY9PmHUqgmlIIA056B4A=.8b901bca-49c9-4d1b-9e2e-017276164632@github.com>

On Fri, 3 Dec 2021 19:36:51 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> The specification wrongly claims there could be an exception thrown, but it's not true.

Looks good. Add a noreg-doc or something similar to the bug.

-------------

Marked as reviewed by mullan (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/6706

From valeriep at openjdk.java.net  Fri Dec  3 19:52:26 2021
From: valeriep at openjdk.java.net (Valerie Peng)
Date: Fri, 3 Dec 2021 19:52:26 GMT
Subject: RFR: 8271566: DSA signature length value is not accurate in
 P11Signature [v3]
In-Reply-To: <OQeZiEr0bJo3HK29SH9LrWWJK5-nz4k-EkvdMpuHJwA=.98fa1d10-3189-4026-8948-fbc584aa32c1@github.com>
References: <1TPW26SEl6BcKnQobVmN2SVGnU4RBrhaeLtx28AJzt0=.162e98c1-94e9-47ee-8070-b4dde6dbf66f@github.com>
 <OQeZiEr0bJo3HK29SH9LrWWJK5-nz4k-EkvdMpuHJwA=.98fa1d10-3189-4026-8948-fbc584aa32c1@github.com>
Message-ID: <pjpRtFw1IfqEDMD-vqj2hTJRYCesfjFYWWDisEiB-cs=.64129fe4-e57d-40d4-b26e-d2ae2d5c3822@github.com>

On Thu, 2 Dec 2021 21:31:52 GMT, Martin Balao <mbalao at openjdk.org> wrote:

>> As described in JDK-8271566 [1], this patch proposal is intended to fix a problem that arises when using DSA keys that have a 256-bits (or larger) G parameter for signatures (either signing or verifying). There were some incorrect assumptions and hard-coded length values in the code before. Please note that, for example, the tuple (2048, 256) for DSA is valid according to FIPS PUB 186-4.
>> 
>> Beyond the specific issues in signatures, I decided to provide a broader solution and enable key parameter retrieval for other key types (EC, DH) when possible. This is, when the key is not sensitive. One thing that I should note here is that token keys (those that have the CKA_TOKEN attribute equal to 'true') are considered sensitive in this regard, at least by the NSS Software Token implementation. I don't have access to other vendor implementations but if there is any concern, we can adjust the constraint to NSS-only. However, I'm not sure which use-case would require to get private keys out of a real token, weakening its security. I'd be more conservative here and not query the values if not sure that it will succeed.
>> 
>> No regressions found in jdk/sun/security/pkcs11. A new test added: LargerDSAKey.
>> 
>> --
>> [1] - https://bugs.openjdk.java.net/browse/JDK-8271566
>
> Martin Balao has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains six commits:
> 
>  - 8271566: DSA signature length value is not accurate in P11Signature (Webrev.02 based)
>  - Merge branch 'master' into JDK-8271566
>  - Revert 8271566: DSA signature length value is not accurate in P11Signature
>  - Revert P11Key static inner classes refactorings.
>  - P11Key static inner classes refactorings.
>  - 8271566: DSA signature length value is not accurate in P11Signature

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java line 126:

> 124:         boolean sensitive = false;
> 125:         boolean extractable = true;
> 126:         for (CK_ATTRIBUTE attr : attrs) {

Just noticed this: add a check for non-null attrs? If null, skip the for-loop.

-------------

PR: https://git.openjdk.java.net/jdk/pull/4961

From weijun at openjdk.java.net  Fri Dec  3 19:56:19 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Fri, 3 Dec 2021 19:56:19 GMT
Subject: Integrated: 8278247: KeyStoreSpi::engineGetAttributes does not throws
 KeyStoreException
In-Reply-To: <1yRV1NBDy3k4gVPG6beVIbT5imhPijk8n0HzfD5_3KU=.1b3beb06-d476-41a2-80ec-fcb02d722dcf@github.com>
References: <1yRV1NBDy3k4gVPG6beVIbT5imhPijk8n0HzfD5_3KU=.1b3beb06-d476-41a2-80ec-fcb02d722dcf@github.com>
Message-ID: <GMIAagKPKoo-eJacw1v_2fO5OAZhEIW8c8CEfcS523M=.dacbad44-814b-4a2d-aa65-01383e03b327@github.com>

On Fri, 3 Dec 2021 19:36:51 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> The specification wrongly claims there could be an exception thrown, but it's not true.

This pull request has now been integrated.

Changeset: e1cde19d
Author:    Weijun Wang <weijun at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/e1cde19dbdbbca365ecfea6d1e2e85a42ed8bde0
Stats:     3 lines in 1 file changed: 0 ins; 3 del; 0 mod

8278247: KeyStoreSpi::engineGetAttributes does not throws KeyStoreException

Reviewed-by: mullan

-------------

PR: https://git.openjdk.java.net/jdk/pull/6706

From valeriep at openjdk.java.net  Fri Dec  3 21:26:25 2021
From: valeriep at openjdk.java.net (Valerie Peng)
Date: Fri, 3 Dec 2021 21:26:25 GMT
Subject: RFR: 8271566: DSA signature length value is not accurate in
 P11Signature [v3]
In-Reply-To: <OQeZiEr0bJo3HK29SH9LrWWJK5-nz4k-EkvdMpuHJwA=.98fa1d10-3189-4026-8948-fbc584aa32c1@github.com>
References: <1TPW26SEl6BcKnQobVmN2SVGnU4RBrhaeLtx28AJzt0=.162e98c1-94e9-47ee-8070-b4dde6dbf66f@github.com>
 <OQeZiEr0bJo3HK29SH9LrWWJK5-nz4k-EkvdMpuHJwA=.98fa1d10-3189-4026-8948-fbc584aa32c1@github.com>
Message-ID: <-yIPPPmtHHi1gZhXmeLa-6dr_5XbAfQWWC2Wz7PY3t4=.6e2c7ccb-4881-4073-9a7d-1553ee5e139c@github.com>

On Thu, 2 Dec 2021 21:31:52 GMT, Martin Balao <mbalao at openjdk.org> wrote:

>> As described in JDK-8271566 [1], this patch proposal is intended to fix a problem that arises when using DSA keys that have a 256-bits (or larger) G parameter for signatures (either signing or verifying). There were some incorrect assumptions and hard-coded length values in the code before. Please note that, for example, the tuple (2048, 256) for DSA is valid according to FIPS PUB 186-4.
>> 
>> Beyond the specific issues in signatures, I decided to provide a broader solution and enable key parameter retrieval for other key types (EC, DH) when possible. This is, when the key is not sensitive. One thing that I should note here is that token keys (those that have the CKA_TOKEN attribute equal to 'true') are considered sensitive in this regard, at least by the NSS Software Token implementation. I don't have access to other vendor implementations but if there is any concern, we can adjust the constraint to NSS-only. However, I'm not sure which use-case would require to get private keys out of a real token, weakening its security. I'd be more conservative here and not query the values if not sure that it will succeed.
>> 
>> No regressions found in jdk/sun/security/pkcs11. A new test added: LargerDSAKey.
>> 
>> --
>> [1] - https://bugs.openjdk.java.net/browse/JDK-8271566
>
> Martin Balao has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains six commits:
> 
>  - 8271566: DSA signature length value is not accurate in P11Signature (Webrev.02 based)
>  - Merge branch 'master' into JDK-8271566
>  - Revert 8271566: DSA signature length value is not accurate in P11Signature
>  - Revert P11Key static inner classes refactorings.
>  - P11Key static inner classes refactorings.
>  - 8271566: DSA signature length value is not accurate in P11Signature

test/jdk/TEST.groups line 202:

> 200: 
> 201: jdk_security1 = \
> 202:     sun/security/pkcs11

Please discard this, this is just for quick testing, it's not meant to be part of this change...

-------------

PR: https://git.openjdk.java.net/jdk/pull/4961

From mbalao at openjdk.java.net  Sat Dec  4 21:59:21 2021
From: mbalao at openjdk.java.net (Martin Balao)
Date: Sat, 4 Dec 2021 21:59:21 GMT
Subject: RFR: 8271566: DSA signature length value is not accurate in
 P11Signature [v3]
In-Reply-To: <pjpRtFw1IfqEDMD-vqj2hTJRYCesfjFYWWDisEiB-cs=.64129fe4-e57d-40d4-b26e-d2ae2d5c3822@github.com>
References: <1TPW26SEl6BcKnQobVmN2SVGnU4RBrhaeLtx28AJzt0=.162e98c1-94e9-47ee-8070-b4dde6dbf66f@github.com>
 <OQeZiEr0bJo3HK29SH9LrWWJK5-nz4k-EkvdMpuHJwA=.98fa1d10-3189-4026-8948-fbc584aa32c1@github.com>
 <pjpRtFw1IfqEDMD-vqj2hTJRYCesfjFYWWDisEiB-cs=.64129fe4-e57d-40d4-b26e-d2ae2d5c3822@github.com>
Message-ID: <lzWbE9vjSmRN1t2HfwFeG-NqJUVI0fOleCJHReAmcwQ=.9736f4cc-f65a-44de-a517-f26c06af7c83@github.com>

On Fri, 3 Dec 2021 19:48:53 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> Martin Balao has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains six commits:
>> 
>>  - 8271566: DSA signature length value is not accurate in P11Signature (Webrev.02 based)
>>  - Merge branch 'master' into JDK-8271566
>>  - Revert 8271566: DSA signature length value is not accurate in P11Signature
>>  - Revert P11Key static inner classes refactorings.
>>  - P11Key static inner classes refactorings.
>>  - 8271566: DSA signature length value is not accurate in P11Signature
>
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java line 126:
> 
>> 124:         boolean sensitive = false;
>> 125:         boolean extractable = true;
>> 126:         for (CK_ATTRIBUTE attr : attrs) {
> 
> Just noticed this: add a check for non-null attrs? If null, skip the for-loop.

I've noticed that when reviewing your Webrev.01 but thought that the change was on purpose because of the P11Key constructor callers, which do not currently pass null. Anyways, I'll add the null check again just in case.

> test/jdk/TEST.groups line 202:
> 
>> 200: 
>> 201: jdk_security1 = \
>> 202:     sun/security/pkcs11
> 
> Please discard this, this is just for quick testing, it's not meant to be part of this change...

Well spotted.

-------------

PR: https://git.openjdk.java.net/jdk/pull/4961

From mbalao at openjdk.java.net  Sat Dec  4 22:03:53 2021
From: mbalao at openjdk.java.net (Martin Balao)
Date: Sat, 4 Dec 2021 22:03:53 GMT
Subject: RFR: 8271566: DSA signature length value is not accurate in
 P11Signature [v4]
In-Reply-To: <1TPW26SEl6BcKnQobVmN2SVGnU4RBrhaeLtx28AJzt0=.162e98c1-94e9-47ee-8070-b4dde6dbf66f@github.com>
References: <1TPW26SEl6BcKnQobVmN2SVGnU4RBrhaeLtx28AJzt0=.162e98c1-94e9-47ee-8070-b4dde6dbf66f@github.com>
Message-ID: <JFPzv7eGs7Cv6aphKJ_Sei-DTla6gcyJc0xWhnUtgBM=.4987bb3a-2773-445b-8d25-31c2d946733f@github.com>

> As described in JDK-8271566 [1], this patch proposal is intended to fix a problem that arises when using DSA keys that have a 256-bits (or larger) G parameter for signatures (either signing or verifying). There were some incorrect assumptions and hard-coded length values in the code before. Please note that, for example, the tuple (2048, 256) for DSA is valid according to FIPS PUB 186-4.
> 
> Beyond the specific issues in signatures, I decided to provide a broader solution and enable key parameter retrieval for other key types (EC, DH) when possible. This is, when the key is not sensitive. One thing that I should note here is that token keys (those that have the CKA_TOKEN attribute equal to 'true') are considered sensitive in this regard, at least by the NSS Software Token implementation. I don't have access to other vendor implementations but if there is any concern, we can adjust the constraint to NSS-only. However, I'm not sure which use-case would require to get private keys out of a real token, weakening its security. I'd be more conservative here and not query the values if not sure that it will succeed.
> 
> No regressions found in jdk/sun/security/pkcs11. A new test added: LargerDSAKey.
> 
> --
> [1] - https://bugs.openjdk.java.net/browse/JDK-8271566

Martin Balao has updated the pull request incrementally with one additional commit since the last revision:

  Null check added and a fix in the security test group

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/4961/files
  - new: https://git.openjdk.java.net/jdk/pull/4961/files/00564198..1e53b6d0

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=4961&range=03
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=4961&range=02-03

  Stats: 10 lines in 2 files changed: 2 ins; 0 del; 8 mod
  Patch: https://git.openjdk.java.net/jdk/pull/4961.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/4961/head:pull/4961

PR: https://git.openjdk.java.net/jdk/pull/4961

From mbalao at openjdk.java.net  Sat Dec  4 22:14:22 2021
From: mbalao at openjdk.java.net (Martin Balao)
Date: Sat, 4 Dec 2021 22:14:22 GMT
Subject: RFR: 8271566: DSA signature length value is not accurate in
 P11Signature [v2]
In-Reply-To: <GK3nB9gsdNpbrhj1n25tpVXbQ285Zf1QccI3O2u3oGA=.404e8136-bf62-414c-b13d-d7db71f05ea6@github.com>
References: <1TPW26SEl6BcKnQobVmN2SVGnU4RBrhaeLtx28AJzt0=.162e98c1-94e9-47ee-8070-b4dde6dbf66f@github.com>
 <FPCFus5ti9nNPUazUdnxrQZODxjRkwSWMhdD1eIuIig=.91b2df83-247b-48a0-84ff-0a78542661c4@github.com>
 <8vTXZjaSwUZ3IoHJcfC2cllpmm75dey2vtvVenwo1I4=.8e9ed87b-36de-42c6-b70b-554ba2db23ab@github.com>
 <GK3nB9gsdNpbrhj1n25tpVXbQ285Zf1QccI3O2u3oGA=.404e8136-bf62-414c-b13d-d7db71f05ea6@github.com>
Message-ID: <QevFkLBSoaDVQjOdBEqjE-ctADkHe0df4vXATp341BI=.48e9f552-b075-4659-ae4e-af8eb33884b1@github.com>

On Tue, 30 Nov 2021 19:48:19 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> Hmm, thinking more about "internal"/"opaque", given this is naming for the parent, maybe "internal" is more correct. The non-sensitive keys are encapsulated by the children classes and is still an instance of the parent. If you name the parent class w/ "opaque" suffix, it looks misleading/confusing. The opaqueness is implied by the implementation instead of the properties of the objects.
>
>> Hi @valeriepeng ,
>> 
>> Yes, I just verified how serialization works for P11Keys and your 'transient' change makes sense to me now.
>> 
>> I see your point about Internal/Opaque. Keep 'Internal' then if you prefer. The whole inheritance relationship between these classes sounds a bit weird to me, beyond the names we call them. I wouldn't suggest any additional changes there now, though.
>> 
>> It looks to me that the only 2 changes expected for Webrev.02 are: 1) P11RSAPrivateNonCRTKey to use the parent's protected 'n'; and 2) removal of 'long errorCode = e.getErrorCode();'.
>> 
>> Now that we almost have the changeset ready, I'm not sure of how to proceed with the push. Do you want me to commit Webrev.02 in my own branch and use the 'Co-authored-by:' header? If we do that, do we still need an additional Reviewer? Do you prefer to have your own branch? Please let me know of how to move forward.
>> 
>> Martin.-
> 
> You can just incorporate the changes on your branch and proceeds with me being the reviewer. The webrev that I sent u is just an easier way to express the comments/feedbacks.
> 
> Thanks,
> Valerie

Hi @valeriepeng ,

Please take a look at the latest change based on your comments.

No regressions found in 'jdk/sun/security/pkcs11'.

Thanks,
Martin.-

-------------

PR: https://git.openjdk.java.net/jdk/pull/4961

From weijun at openjdk.java.net  Sun Dec  5 05:15:11 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Sun, 5 Dec 2021 05:15:11 GMT
Subject: RFR: 8255409: Support the new APIs in PKCS#11 v3.0
In-Reply-To: <PzZDScnryU9SfmhLZCkY364Kb641sEhAZh_j0G05DCs=.afd7444b-f208-4fd7-a336-187318a658d4@github.com>
References: <PzZDScnryU9SfmhLZCkY364Kb641sEhAZh_j0G05DCs=.afd7444b-f208-4fd7-a336-187318a658d4@github.com>
Message-ID: <M8MuB6fYvLQfEscMlxdUTvJOhqNPVHYuDtaj_UpBeGM=.70567cfe-e6b1-4a2d-9eca-d4d3e9c56af0@github.com>

On Wed, 1 Dec 2021 21:42:51 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

> PKCS#11 v3.0 adds the support for several new APIs. For this particular RFE, it enhances SunPKCS11 provider to load PKCS#11 provider by first trying the C_GetInterface (new in 3.0) before the C_GetFunctionList assuming not explicitly specified in config. In addition, PKCS#11 v3.0 defines a new API for cancelling session operations, so I've also updated various classes to call this new API if the PKCS#11 library version is 3.0. Otherwise, these classes will try to cancel by finishing off current operations as before. The support for the new C_LoginUser() has not been tested, so I commented it out for now. Given the current release schedule, support for other new PKCS#11 APIs (such as message-based ones and parameters structure) and options for C_GetInterface (if needed) will be handled later. 
> 
> I validated the current changes against different NSS releases (supports PKCS#11 v2.40 and v3..0 respectively) with existing regression tests.
> 
> Thanks,
> Valerie

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Config.java line 418:

> 416:             }
> 417:             String word = st.sval;
> 418:             switch (word) {

Since every case has a break it's probably better to use the enhanced switch (`case "x" -> ...;`). It's safer and also saves quite some lines. An IDE can help you with the conversion.

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java line 405:

> 403:     private void cancelOperation() {
> 404:         // cancel operation by finishing it; avoid killSession as some
> 405:         // hardware vendors may require re-login

The new `cancelOperation()` methods seems identical everywhere. Is it possible to consolidate it to a helper method like `trySessionCancel(token, session, flags)`? It can return true if canceled successfully, false if needs a fallback, and can still throw a `ProviderException`.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6655

From abakhtin at openjdk.java.net  Mon Dec  6 09:24:10 2021
From: abakhtin at openjdk.java.net (Alexey Bakhtin)
Date: Mon, 6 Dec 2021 09:24:10 GMT
Subject: RFR: 8277353: java/security/MessageDigest/ThreadSafetyTest.java
 test times out [v2]
In-Reply-To: <4b_-Dz3yRbOwJziNmKdlAsCBuEXLn37aewRH3pVdDG0=.462e6f8d-63f3-4f2b-8100-e6d731fcf379@github.com>
References: <8GdNQIf2UfVcwE94T18PpgcgQNOYlRt03WllAYdR4JE=.3987d453-4669-40ff-b3da-828b4c17d602@github.com>
 <4b_-Dz3yRbOwJziNmKdlAsCBuEXLn37aewRH3pVdDG0=.462e6f8d-63f3-4f2b-8100-e6d731fcf379@github.com>
Message-ID: <Wh5Nk1dkeq-Xum5CjgOb3X3Of85Zf2X0hVrVavilses=.24100644-5b95-41cb-ad68-4dceed0d3f77@github.com>

On Fri, 3 Dec 2021 06:14:49 GMT, Sibabrata Sahoo <ssahoo at openjdk.org> wrote:

>> This Test gets timeout during low cpu availability. It is modified to support extended timeout period during JTREG execution.
>
> Sibabrata Sahoo has updated the pull request incrementally with one additional commit since the last revision:
> 
>   8277353: java/security/MessageDigest/ThreadSafetyTest.java test times out

Thank you. Looks good to me, but I'm not a reviewer

-------------

PR: https://git.openjdk.java.net/jdk/pull/6626

From weijun at openjdk.java.net  Mon Dec  6 13:58:17 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Mon, 6 Dec 2021 13:58:17 GMT
Subject: RFR: 8277353: java/security/MessageDigest/ThreadSafetyTest.java
 test times out [v2]
In-Reply-To: <4b_-Dz3yRbOwJziNmKdlAsCBuEXLn37aewRH3pVdDG0=.462e6f8d-63f3-4f2b-8100-e6d731fcf379@github.com>
References: <8GdNQIf2UfVcwE94T18PpgcgQNOYlRt03WllAYdR4JE=.3987d453-4669-40ff-b3da-828b4c17d602@github.com>
 <4b_-Dz3yRbOwJziNmKdlAsCBuEXLn37aewRH3pVdDG0=.462e6f8d-63f3-4f2b-8100-e6d731fcf379@github.com>
Message-ID: <tw2Yb54zbRQhDxZLEw3p2bMdrhFTSuUOULjbJbOactc=.04058fbf-6d46-46ab-97f1-d5fe27bc1f2b@github.com>

On Fri, 3 Dec 2021 06:14:49 GMT, Sibabrata Sahoo <ssahoo at openjdk.org> wrote:

>> This Test gets timeout during low cpu availability. It is modified to support extended timeout period during JTREG execution.
>
> Sibabrata Sahoo has updated the pull request incrementally with one additional commit since the last revision:
> 
>   8277353: java/security/MessageDigest/ThreadSafetyTest.java test times out

Looks good. Thanks.

-------------

Marked as reviewed by weijun (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/6626

From mullan at openjdk.java.net  Mon Dec  6 17:12:11 2021
From: mullan at openjdk.java.net (Sean Mullan)
Date: Mon, 6 Dec 2021 17:12:11 GMT
Subject: RFR: 8275082: Update XML Security for Java to 2.3.0 [v2]
In-Reply-To: <1rndJ3etjd4wF0wf6EKNDM4bAjItCEc0nApENWdwyp4=.3ad0ea6f-3aa8-4532-a385-4fefc89b30b0@github.com>
References: <XW6h4qlQMRSzf5986jJx0VKkRMO44bHUapS_aT05y10=.55ce49cc-d54c-448b-b29a-2ed3135b7516@github.com>
 <1rndJ3etjd4wF0wf6EKNDM4bAjItCEc0nApENWdwyp4=.3ad0ea6f-3aa8-4532-a385-4fefc89b30b0@github.com>
Message-ID: <ushlrMvnLEckv_nEUTsuNoT61dtIHwdeoIj0s6yHlmY=.d1628ebf-2fc9-4055-97c5-052fdac6796d@github.com>

On Fri, 3 Dec 2021 15:24:54 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Import Apache Santuario 2.3.0 without the secure validation changes since in OpenJDK we are using the `jdk.xml.dsig.secureValidationPolicy` security property for XML Signature secure validation protection.
>> 
>> Two commits are pushed:
>> 
>> - 2.3.0: Import 2.3.0 code changes
>> - revert: revert the Santuario secure validation changes
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
> 
>   update comment

Marked as reviewed by mullan (Reviewer).

-------------

PR: https://git.openjdk.java.net/jdk/pull/6644

From prr at openjdk.java.net  Mon Dec  6 17:57:14 2021
From: prr at openjdk.java.net (Phil Race)
Date: Mon, 6 Dec 2021 17:57:14 GMT
Subject: RFR: JDK-8276447 Deprecate finalization-related methods for
 removal [v3]
In-Reply-To: <zORovjOCVMm-8yG6qtNfIrH5ICFkC5WJzL1LKMVyOJ8=.6e92825a-9fc5-4878-9659-aa70da4ed0cc@github.com>
References: <rkKRczPheXDb7UDIQvhCRkjavYqGgUxAjlLC1-nrS_A=.03889200-fe97-4668-b622-f92bcfdb943c@github.com>
 <zORovjOCVMm-8yG6qtNfIrH5ICFkC5WJzL1LKMVyOJ8=.6e92825a-9fc5-4878-9659-aa70da4ed0cc@github.com>
Message-ID: <nSZ4HW0XPapNwI8DZeL4VLDLuQGT-Nl9z48R8lHsfHY=.d25aabd8-99e9-48d5-a5e0-eed809c72074@github.com>

On Wed, 1 Dec 2021 19:23:59 GMT, Brent Christian <bchristi at openjdk.org> wrote:

>> Here are the code changes for the "Deprecate finalizers in the standard Java API" portion of JEP 421 ("Deprecate Finalization for Removal") for code review.
>> 
>> This change makes the indicated deprecations, and updates the API spec for JEP 421. It also updates the relevant @SuppressWarning annotations.
>> 
>> The CSR has been approved.
>> An automated test build+test run passes cleanly (FWIW :D ).
>
> Brent Christian has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains 33 commits:
> 
>  - Merge branch 'master' into 8276447
>  - Merge branch 'master' into 8276447
>  - merge
>  - @SuppressWarnings(removal) in Windows CKey.java
>  - Add jls tag to runFinalization methods
>  - Update wording of Object.finalize, new paragraph is now bold
>  - update Object.finalize javadoc
>  - update Object.finalize JavaDoc and @deprecated tag
>  - Update Object.finalize deprecation message
>  - Indicate that runFinalizers does nothing if finalization is disabled or removed
>  - ... and 23 more: https://git.openjdk.java.net/jdk/compare/0dfb3a70...8cde0674

Marked as reviewed by prr (Reviewer).

-------------

PR: https://git.openjdk.java.net/jdk/pull/6465

From weijun at openjdk.java.net  Mon Dec  6 18:04:21 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Mon, 6 Dec 2021 18:04:21 GMT
Subject: Integrated: 8275082: Update XML Security for Java to 2.3.0
In-Reply-To: <XW6h4qlQMRSzf5986jJx0VKkRMO44bHUapS_aT05y10=.55ce49cc-d54c-448b-b29a-2ed3135b7516@github.com>
References: <XW6h4qlQMRSzf5986jJx0VKkRMO44bHUapS_aT05y10=.55ce49cc-d54c-448b-b29a-2ed3135b7516@github.com>
Message-ID: <yfM1gKHpNDtKUvH_7SguVa5QDB-Ty-yFVfO6UqE8Qaw=.446ec535-5417-4781-b5e8-7cc54924ec14@github.com>

On Wed, 1 Dec 2021 17:31:37 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Import Apache Santuario 2.3.0 without the secure validation changes since in OpenJDK we are using the `jdk.xml.dsig.secureValidationPolicy` security property for XML Signature secure validation protection.
> 
> Two commits are pushed:
> 
> - 2.3.0: Import 2.3.0 code changes
> - revert: revert the Santuario secure validation changes

This pull request has now been integrated.

Changeset: 2c31a173
Author:    Weijun Wang <weijun at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/2c31a1735d5b8646ed8984a5475d5c8c9c91c19d
Stats:     409 lines in 32 files changed: 56 ins; 268 del; 85 mod

8275082: Update XML Security for Java to 2.3.0

Reviewed-by: mullan

-------------

PR: https://git.openjdk.java.net/jdk/pull/6644

From ascarpino at openjdk.java.net  Mon Dec  6 18:53:13 2021
From: ascarpino at openjdk.java.net (Anthony Scarpino)
Date: Mon, 6 Dec 2021 18:53:13 GMT
Subject: RFR: 8255409: Support the new APIs in PKCS#11 v3.0
In-Reply-To: <PzZDScnryU9SfmhLZCkY364Kb641sEhAZh_j0G05DCs=.afd7444b-f208-4fd7-a336-187318a658d4@github.com>
References: <PzZDScnryU9SfmhLZCkY364Kb641sEhAZh_j0G05DCs=.afd7444b-f208-4fd7-a336-187318a658d4@github.com>
Message-ID: <KdAqDciTC2VmubKK9MHMGi4b3qvGJKwbTC9660MNHIE=.5aeb680f-a3ac-4b23-b648-975e62f81ef6@github.com>

On Wed, 1 Dec 2021 21:42:51 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

> PKCS#11 v3.0 adds the support for several new APIs. For this particular RFE, it enhances SunPKCS11 provider to load PKCS#11 provider by first trying the C_GetInterface (new in 3.0) before the C_GetFunctionList assuming not explicitly specified in config. In addition, PKCS#11 v3.0 defines a new API for cancelling session operations, so I've also updated various classes to call this new API if the PKCS#11 library version is 3.0. Otherwise, these classes will try to cancel by finishing off current operations as before. The support for the new C_LoginUser() has not been tested, so I commented it out for now. Given the current release schedule, support for other new PKCS#11 APIs (such as message-based ones and parameters structure) and options for C_GetInterface (if needed) will be handled later. 
> 
> I validated the current changes against different NSS releases (supports PKCS#11 v2.40 and v3..0 respectively) with existing regression tests.
> 
> Thanks,
> Valerie

Are there no tests because there is no support for 3.0 in nss?

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java line 406:

> 404:         token.ensureValid();
> 405:         if (token.p11.getVersion().major == 3) {
> 406:             long flags = (encrypt? CKF_ENCRYPT : CKF_DECRYPT);

I think this is a syntax nit with no space between "encrypt" and '?'

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java line 449:

> 447:         token.ensureValid();
> 448:         if (token.p11.getVersion().major == 3) {
> 449:             long flags = (encrypt? CKF_ENCRYPT : CKF_DECRYPT);

I think this is a syntax nit with no space between "encrypt" and '?'

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyWrapCipher.java line 291:

> 289: 
> 290:         if (token.p11.getVersion().major == 3) {
> 291:             long flags = (opmode == Cipher.ENCRYPT_MODE? CKF_ENCRYPT :

I think this is a syntax nit with no space between MODE and '?'

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java line 275:

> 273: 
> 274:         if (token.p11.getVersion().major == 3) {
> 275:             long flags = (mode == M_SIGN? CKF_SIGN : CKF_VERIFY);

I think this is a syntax nit with no space between M_SIGN and '?'

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java line 285:

> 283: 
> 284:         if (token.p11.getVersion().major == 3) {
> 285:             long flags = (mode == M_SIGN? CKF_SIGN : CKF_VERIFY);

M_SIGN ? ...

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java line 558:

> 556:             throws PKCS11Exception;
> 557: 
> 558:     ///**

Was it intentional to have the below commented out?

src/jdk.crypto.cryptoki/windows/native/libj2pkcs11/p11_md.c line 128:

> 126:     }
> 127: 
> 128: #ifdef DEBUG

Is C_GetInterfaceList in DEBUG only because it's a new 3.0 function we are not supporting yet?

-------------

PR: https://git.openjdk.java.net/jdk/pull/6655

From ascarpino at openjdk.java.net  Mon Dec  6 19:03:17 2021
From: ascarpino at openjdk.java.net (Anthony Scarpino)
Date: Mon, 6 Dec 2021 19:03:17 GMT
Subject: RFR: 8255409: Support the new APIs in PKCS#11 v3.0
In-Reply-To: <PzZDScnryU9SfmhLZCkY364Kb641sEhAZh_j0G05DCs=.afd7444b-f208-4fd7-a336-187318a658d4@github.com>
References: <PzZDScnryU9SfmhLZCkY364Kb641sEhAZh_j0G05DCs=.afd7444b-f208-4fd7-a336-187318a658d4@github.com>
Message-ID: <2QWSpMna1XYVuQXlt7hss4vuZ7-zz2-tUf56KuL0a-w=.97f834d3-ab28-4344-aed6-371af911a506@github.com>

On Wed, 1 Dec 2021 21:42:51 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

> PKCS#11 v3.0 adds the support for several new APIs. For this particular RFE, it enhances SunPKCS11 provider to load PKCS#11 provider by first trying the C_GetInterface (new in 3.0) before the C_GetFunctionList assuming not explicitly specified in config. In addition, PKCS#11 v3.0 defines a new API for cancelling session operations, so I've also updated various classes to call this new API if the PKCS#11 library version is 3.0. Otherwise, these classes will try to cancel by finishing off current operations as before. The support for the new C_LoginUser() has not been tested, so I commented it out for now. Given the current release schedule, support for other new PKCS#11 APIs (such as message-based ones and parameters structure) and options for C_GetInterface (if needed) will be handled later. 
> 
> I validated the current changes against different NSS releases (supports PKCS#11 v2.40 and v3..0 respectively) with existing regression tests.
> 
> Thanks,
> Valerie

I updated my comments because I neglected to read your initial message and went straight to the code review

-------------

PR: https://git.openjdk.java.net/jdk/pull/6655

From valeriep at openjdk.java.net  Mon Dec  6 20:10:16 2021
From: valeriep at openjdk.java.net (Valerie Peng)
Date: Mon, 6 Dec 2021 20:10:16 GMT
Subject: RFR: 8271566: DSA signature length value is not accurate in
 P11Signature [v4]
In-Reply-To: <JFPzv7eGs7Cv6aphKJ_Sei-DTla6gcyJc0xWhnUtgBM=.4987bb3a-2773-445b-8d25-31c2d946733f@github.com>
References: <1TPW26SEl6BcKnQobVmN2SVGnU4RBrhaeLtx28AJzt0=.162e98c1-94e9-47ee-8070-b4dde6dbf66f@github.com>
 <JFPzv7eGs7Cv6aphKJ_Sei-DTla6gcyJc0xWhnUtgBM=.4987bb3a-2773-445b-8d25-31c2d946733f@github.com>
Message-ID: <a3L0ss8t3hZwOfQ7i2k_9CPhPkLrAd6nDg52vnDTOWo=.40d2ae61-bf7b-4670-b32e-19b3fb28d1aa@github.com>

On Sat, 4 Dec 2021 22:03:53 GMT, Martin Balao <mbalao at openjdk.org> wrote:

>> As described in JDK-8271566 [1], this patch proposal is intended to fix a problem that arises when using DSA keys that have a 256-bits (or larger) G parameter for signatures (either signing or verifying). There were some incorrect assumptions and hard-coded length values in the code before. Please note that, for example, the tuple (2048, 256) for DSA is valid according to FIPS PUB 186-4.
>> 
>> Beyond the specific issues in signatures, I decided to provide a broader solution and enable key parameter retrieval for other key types (EC, DH) when possible. This is, when the key is not sensitive. One thing that I should note here is that token keys (those that have the CKA_TOKEN attribute equal to 'true') are considered sensitive in this regard, at least by the NSS Software Token implementation. I don't have access to other vendor implementations but if there is any concern, we can adjust the constraint to NSS-only. However, I'm not sure which use-case would require to get private keys out of a real token, weakening its security. I'd be more conservative here and not query the values if not sure that it will succeed.
>> 
>> No regressions found in jdk/sun/security/pkcs11. A new test added: LargerDSAKey.
>> 
>> --
>> [1] - https://bugs.openjdk.java.net/browse/JDK-8271566
>
> Martin Balao has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Null check added and a fix in the security test group

Looks good. Thanks! Valerie

-------------

Marked as reviewed by valeriep (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/4961

From mbalao at openjdk.java.net  Mon Dec  6 20:35:23 2021
From: mbalao at openjdk.java.net (Martin Balao)
Date: Mon, 6 Dec 2021 20:35:23 GMT
Subject: Integrated: 8271566: DSA signature length value is not accurate in
 P11Signature
In-Reply-To: <1TPW26SEl6BcKnQobVmN2SVGnU4RBrhaeLtx28AJzt0=.162e98c1-94e9-47ee-8070-b4dde6dbf66f@github.com>
References: <1TPW26SEl6BcKnQobVmN2SVGnU4RBrhaeLtx28AJzt0=.162e98c1-94e9-47ee-8070-b4dde6dbf66f@github.com>
Message-ID: <fLNTZy2cg_O__g7AkXdJiwvUeSPuuzrPNpWGOcLFswA=.988e4577-4b3e-4a1f-a52f-2212fb24752f@github.com>

On Mon, 2 Aug 2021 19:31:54 GMT, Martin Balao <mbalao at openjdk.org> wrote:

> As described in JDK-8271566 [1], this patch proposal is intended to fix a problem that arises when using DSA keys that have a 256-bits (or larger) G parameter for signatures (either signing or verifying). There were some incorrect assumptions and hard-coded length values in the code before. Please note that, for example, the tuple (2048, 256) for DSA is valid according to FIPS PUB 186-4.
> 
> Beyond the specific issues in signatures, I decided to provide a broader solution and enable key parameter retrieval for other key types (EC, DH) when possible. This is, when the key is not sensitive. One thing that I should note here is that token keys (those that have the CKA_TOKEN attribute equal to 'true') are considered sensitive in this regard, at least by the NSS Software Token implementation. I don't have access to other vendor implementations but if there is any concern, we can adjust the constraint to NSS-only. However, I'm not sure which use-case would require to get private keys out of a real token, weakening its security. I'd be more conservative here and not query the values if not sure that it will succeed.
> 
> No regressions found in jdk/sun/security/pkcs11. A new test added: LargerDSAKey.
> 
> --
> [1] - https://bugs.openjdk.java.net/browse/JDK-8271566

This pull request has now been integrated.

Changeset: ea8d3c92
Author:    Martin Balao <mbalao at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/ea8d3c92c69c393cdbc6c62398f1e9c6adc708d3
Stats:     686 lines in 3 files changed: 379 ins; 118 del; 189 mod

8271566: DSA signature length value is not accurate in P11Signature

Reviewed-by: valeriep

-------------

PR: https://git.openjdk.java.net/jdk/pull/4961

From bchristi at openjdk.java.net  Mon Dec  6 20:41:43 2021
From: bchristi at openjdk.java.net (Brent Christian)
Date: Mon, 6 Dec 2021 20:41:43 GMT
Subject: RFR: JDK-8276447 Deprecate finalization-related methods for
 removal [v4]
In-Reply-To: <rkKRczPheXDb7UDIQvhCRkjavYqGgUxAjlLC1-nrS_A=.03889200-fe97-4668-b622-f92bcfdb943c@github.com>
References: <rkKRczPheXDb7UDIQvhCRkjavYqGgUxAjlLC1-nrS_A=.03889200-fe97-4668-b622-f92bcfdb943c@github.com>
Message-ID: <yjAb3SVdTAs6VQz9haonP9y-ZnXker4ZyskjKghmwH0=.c6841727-32de-4840-94d8-4ae568a157fe@github.com>

> Here are the code changes for the "Deprecate finalizers in the standard Java API" portion of JEP 421 ("Deprecate Finalization for Removal") for code review.
> 
> This change makes the indicated deprecations, and updates the API spec for JEP 421. It also updates the relevant @SuppressWarning annotations.
> 
> The CSR has been approved.
> An automated test build+test run passes cleanly (FWIW :D ).

Brent Christian has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains 34 commits:

 - Merge branch 'master' into 8276447
 - Merge branch 'master' into 8276447
 - Merge branch 'master' into 8276447
 - merge
 - @SuppressWarnings(removal) in Windows CKey.java
 - Add jls tag to runFinalization methods
 - Update wording of Object.finalize, new paragraph is now bold
 - update Object.finalize javadoc
 - update Object.finalize JavaDoc and @deprecated tag
 - Update Object.finalize deprecation message
 - ... and 24 more: https://git.openjdk.java.net/jdk/compare/ea8d3c92...0a983d51

-------------

Changes: https://git.openjdk.java.net/jdk/pull/6465/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6465&range=03
  Stats: 194 lines in 62 files changed: 54 ins; 38 del; 102 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6465.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6465/head:pull/6465

PR: https://git.openjdk.java.net/jdk/pull/6465

From valeriep at openjdk.java.net  Mon Dec  6 21:39:16 2021
From: valeriep at openjdk.java.net (Valerie Peng)
Date: Mon, 6 Dec 2021 21:39:16 GMT
Subject: RFR: 8255409: Support the new APIs in PKCS#11 v3.0
In-Reply-To: <M8MuB6fYvLQfEscMlxdUTvJOhqNPVHYuDtaj_UpBeGM=.70567cfe-e6b1-4a2d-9eca-d4d3e9c56af0@github.com>
References: <PzZDScnryU9SfmhLZCkY364Kb641sEhAZh_j0G05DCs=.afd7444b-f208-4fd7-a336-187318a658d4@github.com>
 <M8MuB6fYvLQfEscMlxdUTvJOhqNPVHYuDtaj_UpBeGM=.70567cfe-e6b1-4a2d-9eca-d4d3e9c56af0@github.com>
Message-ID: <eFv2deGKFHqacTFMg7CodpIkMAc45IW1lQxQQTxq0Fg=.3763b6ec-686a-46d1-bee2-c2052245f16b@github.com>

On Sun, 5 Dec 2021 04:51:51 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> PKCS#11 v3.0 adds the support for several new APIs. For this particular RFE, it enhances SunPKCS11 provider to load PKCS#11 provider by first trying the C_GetInterface (new in 3.0) before the C_GetFunctionList assuming not explicitly specified in config. In addition, PKCS#11 v3.0 defines a new API for cancelling session operations, so I've also updated various classes to call this new API if the PKCS#11 library version is 3.0. Otherwise, these classes will try to cancel by finishing off current operations as before. The support for the new C_LoginUser() has not been tested, so I commented it out for now. Given the current release schedule, support for other new PKCS#11 APIs (such as message-based ones and parameters structure) and options for C_GetInterface (if needed) will be handled later. 
>> 
>> I validated the current changes against different NSS releases (supports PKCS#11 v2.40 and v3..0 respectively) with existing regression tests.
>> 
>> Thanks,
>> Valerie
>
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Config.java line 418:
> 
>> 416:             }
>> 417:             String word = st.sval;
>> 418:             switch (word) {
> 
> Since every case has a break it's probably better to use the enhanced switch (`case "x" -> ...;`). It's safer and also saves quite some lines. An IDE can help you with the conversion.

Sure, I can do that. I tend to use the "->" for switch with less items.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6655

From weijun at openjdk.java.net  Mon Dec  6 22:30:24 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Mon, 6 Dec 2021 22:30:24 GMT
Subject: RFR: 8277932: Subject:callAs() not throwing NPE when action is null
Message-ID: <Gky27djn9v8Yaaz51Z0GOgCi93ZZf89Z6ubDYzrBxv8=.b5f3c559-e4f2-4dcd-b613-562802814fa1@github.com>

Add null check. I must have thought the NPE will be thrown anyway but the `catch Exception` block swallows it.

I added a noreg-trivial label. If you think differently can add one.

-------------

Commit messages:
 - 8277932: Subject:callAs() not throwing NPE when action is null

Changes: https://git.openjdk.java.net/jdk/pull/6728/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6728&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8277932
  Stats: 1 line in 1 file changed: 1 ins; 0 del; 0 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6728.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6728/head:pull/6728

PR: https://git.openjdk.java.net/jdk/pull/6728

From rriggs at openjdk.java.net  Mon Dec  6 23:37:14 2021
From: rriggs at openjdk.java.net (Roger Riggs)
Date: Mon, 6 Dec 2021 23:37:14 GMT
Subject: RFR: 8277932: Subject:callAs() not throwing NPE when action is
 null
In-Reply-To: <Gky27djn9v8Yaaz51Z0GOgCi93ZZf89Z6ubDYzrBxv8=.b5f3c559-e4f2-4dcd-b613-562802814fa1@github.com>
References: <Gky27djn9v8Yaaz51Z0GOgCi93ZZf89Z6ubDYzrBxv8=.b5f3c559-e4f2-4dcd-b613-562802814fa1@github.com>
Message-ID: <W1a4QMwO2A92s1nn4_TVepFErnGLWgWuGPVyKHIncnQ=.6a46513e-dace-495d-8b10-c7d9b02bf50a@github.com>

On Mon, 6 Dec 2021 22:22:14 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Add null check. I must have thought the NPE will be thrown anyway but the `catch Exception` block swallows it.
> 
> I added a noreg-trivial label. If you think differently can add one.

Yes, the stack trace will be more useful with the explicit check, otherwise it would be buried inside other calls and it won't be so obvious that the argument passed to callAs is null.

-------------

Marked as reviewed by rriggs (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/6728

From valeriep at openjdk.java.net  Tue Dec  7 00:11:17 2021
From: valeriep at openjdk.java.net (Valerie Peng)
Date: Tue, 7 Dec 2021 00:11:17 GMT
Subject: RFR: 8255409: Support the new APIs in PKCS#11 v3.0
In-Reply-To: <M8MuB6fYvLQfEscMlxdUTvJOhqNPVHYuDtaj_UpBeGM=.70567cfe-e6b1-4a2d-9eca-d4d3e9c56af0@github.com>
References: <PzZDScnryU9SfmhLZCkY364Kb641sEhAZh_j0G05DCs=.afd7444b-f208-4fd7-a336-187318a658d4@github.com>
 <M8MuB6fYvLQfEscMlxdUTvJOhqNPVHYuDtaj_UpBeGM=.70567cfe-e6b1-4a2d-9eca-d4d3e9c56af0@github.com>
Message-ID: <rLuufmes_Fq0hBj6DHNM_CPPV12_PVzDL7VbPUNTB8M=.35eaed5c-8061-48f2-8b06-7b4de8f60a36@github.com>

On Sun, 5 Dec 2021 05:00:51 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> PKCS#11 v3.0 adds the support for several new APIs. For this particular RFE, it enhances SunPKCS11 provider to load PKCS#11 provider by first trying the C_GetInterface (new in 3.0) before the C_GetFunctionList assuming not explicitly specified in config. In addition, PKCS#11 v3.0 defines a new API for cancelling session operations, so I've also updated various classes to call this new API if the PKCS#11 library version is 3.0. Otherwise, these classes will try to cancel by finishing off current operations as before. The support for the new C_LoginUser() has not been tested, so I commented it out for now. Given the current release schedule, support for other new PKCS#11 APIs (such as message-based ones and parameters structure) and options for C_GetInterface (if needed) will be handled later. 
>> 
>> I validated the current changes against different NSS releases (supports PKCS#11 v2.40 and v3..0 respectively) with existing regression tests.
>> 
>> Thanks,
>> Valerie
>
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java line 405:
> 
>> 403:     private void cancelOperation() {
>> 404:         // cancel operation by finishing it; avoid killSession as some
>> 405:         // hardware vendors may require re-login
> 
> The new `cancelOperation()` methods seems identical everywhere. Is it possible to consolidate it to a helper method like `trySessionCancel(token, session, flags)`? It can return true if canceled successfully, false if needs a fallback, and can still throw a `ProviderException`.

I assume you mean the if-() block of code? I can move the code into a helper method inside the P11Util class.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6655

From weijun at openjdk.java.net  Tue Dec  7 01:41:18 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Tue, 7 Dec 2021 01:41:18 GMT
Subject: Integrated: 8277932: Subject:callAs() not throwing NPE when action is
 null
In-Reply-To: <Gky27djn9v8Yaaz51Z0GOgCi93ZZf89Z6ubDYzrBxv8=.b5f3c559-e4f2-4dcd-b613-562802814fa1@github.com>
References: <Gky27djn9v8Yaaz51Z0GOgCi93ZZf89Z6ubDYzrBxv8=.b5f3c559-e4f2-4dcd-b613-562802814fa1@github.com>
Message-ID: <lwR3PP8Cke6EdMJsGjv0GjvTS0NLt0zahiYS4XEY3_k=.e2057a88-325f-47ae-a8f9-c7a9938d7971@github.com>

On Mon, 6 Dec 2021 22:22:14 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Add null check. I must have thought the NPE will be thrown anyway but the `catch Exception` block swallows it.
> 
> I added a noreg-trivial label. If you think differently can add one.

This pull request has now been integrated.

Changeset: 10db0e41
Author:    Weijun Wang <weijun at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/10db0e41634b62be5c1a931bd54ac4260108670d
Stats:     1 line in 1 file changed: 1 ins; 0 del; 0 mod

8277932: Subject:callAs() not throwing NPE when action is null

Reviewed-by: rriggs

-------------

PR: https://git.openjdk.java.net/jdk/pull/6728

From weijun at openjdk.java.net  Tue Dec  7 01:49:10 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Tue, 7 Dec 2021 01:49:10 GMT
Subject: RFR: 8255409: Support the new APIs in PKCS#11 v3.0
In-Reply-To: <rLuufmes_Fq0hBj6DHNM_CPPV12_PVzDL7VbPUNTB8M=.35eaed5c-8061-48f2-8b06-7b4de8f60a36@github.com>
References: <PzZDScnryU9SfmhLZCkY364Kb641sEhAZh_j0G05DCs=.afd7444b-f208-4fd7-a336-187318a658d4@github.com>
 <M8MuB6fYvLQfEscMlxdUTvJOhqNPVHYuDtaj_UpBeGM=.70567cfe-e6b1-4a2d-9eca-d4d3e9c56af0@github.com>
 <rLuufmes_Fq0hBj6DHNM_CPPV12_PVzDL7VbPUNTB8M=.35eaed5c-8061-48f2-8b06-7b4de8f60a36@github.com>
Message-ID: <kKdT8ytV-YjIyTQVePs3RnVjpy7h0Hf5vgXVRKDZrhM=.ef70ecb6-68fe-4f51-9e32-a2639b8269e6@github.com>

On Tue, 7 Dec 2021 00:08:03 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java line 405:
>> 
>>> 403:     private void cancelOperation() {
>>> 404:         // cancel operation by finishing it; avoid killSession as some
>>> 405:         // hardware vendors may require re-login
>> 
>> The new `cancelOperation()` methods seems identical everywhere. Is it possible to consolidate it to a helper method like `trySessionCancel(token, session, flags)`? It can return true if canceled successfully, false if needs a fallback, and can still throw a `ProviderException`.
>
> I assume you mean the if-() block of code? I can move the code into a helper method inside the P11Util class.

Yes, just keep duplicated lines as few as possible.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6655

From valeriep at openjdk.java.net  Tue Dec  7 04:06:13 2021
From: valeriep at openjdk.java.net (Valerie Peng)
Date: Tue, 7 Dec 2021 04:06:13 GMT
Subject: RFR: 8255409: Support the new APIs in PKCS#11 v3.0
In-Reply-To: <KdAqDciTC2VmubKK9MHMGi4b3qvGJKwbTC9660MNHIE=.5aeb680f-a3ac-4b23-b648-975e62f81ef6@github.com>
References: <PzZDScnryU9SfmhLZCkY364Kb641sEhAZh_j0G05DCs=.afd7444b-f208-4fd7-a336-187318a658d4@github.com>
 <KdAqDciTC2VmubKK9MHMGi4b3qvGJKwbTC9660MNHIE=.5aeb680f-a3ac-4b23-b648-975e62f81ef6@github.com>
Message-ID: <47dMbCbzP87LE18e86vXKrnwgcw48UMLIOiHpJNm55s=.ad561798-7ba5-4f01-baf5-6cd00fb6b9ef@github.com>

On Mon, 6 Dec 2021 17:24:44 GMT, Anthony Scarpino <ascarpino at openjdk.org> wrote:

>> PKCS#11 v3.0 adds the support for several new APIs. For this particular RFE, it enhances SunPKCS11 provider to load PKCS#11 provider by first trying the C_GetInterface (new in 3.0) before the C_GetFunctionList assuming not explicitly specified in config. In addition, PKCS#11 v3.0 defines a new API for cancelling session operations, so I've also updated various classes to call this new API if the PKCS#11 library version is 3.0. Otherwise, these classes will try to cancel by finishing off current operations as before. The support for the new C_LoginUser() has not been tested, so I commented it out for now. Given the current release schedule, support for other new PKCS#11 APIs (such as message-based ones and parameters structure) and options for C_GetInterface (if needed) will be handled later. 
>> 
>> I validated the current changes against different NSS releases (supports PKCS#11 v2.40 and v3..0 respectively) with existing regression tests.
>> 
>> Thanks,
>> Valerie
>
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java line 275:
> 
>> 273: 
>> 274:         if (token.p11.getVersion().major == 3) {
>> 275:             long flags = (mode == M_SIGN? CKF_SIGN : CKF_VERIFY);
> 
> I think this is a syntax nit with no space between M_SIGN and '?'

Ok, will add the space.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6655

From valeriep at openjdk.java.net  Tue Dec  7 04:14:15 2021
From: valeriep at openjdk.java.net (Valerie Peng)
Date: Tue, 7 Dec 2021 04:14:15 GMT
Subject: RFR: 8255409: Support the new APIs in PKCS#11 v3.0
In-Reply-To: <KdAqDciTC2VmubKK9MHMGi4b3qvGJKwbTC9660MNHIE=.5aeb680f-a3ac-4b23-b648-975e62f81ef6@github.com>
References: <PzZDScnryU9SfmhLZCkY364Kb641sEhAZh_j0G05DCs=.afd7444b-f208-4fd7-a336-187318a658d4@github.com>
 <KdAqDciTC2VmubKK9MHMGi4b3qvGJKwbTC9660MNHIE=.5aeb680f-a3ac-4b23-b648-975e62f81ef6@github.com>
Message-ID: <rfgRTy9IovRtb18YKj6jSpyu733SDRxB6Lpx7ICEJEs=.e2c9eed6-f96c-4ce9-9080-abec347c655a@github.com>

On Mon, 6 Dec 2021 18:50:08 GMT, Anthony Scarpino <ascarpino at openjdk.org> wrote:

> Should the NSS supporting 3.0 get added to the changeset for testing?

Recall there was a bug filed for updating the artifactory NSS version. There was some window build issue, will follow up with the SQE RE again.

> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java line 406:
> 
>> 404:         token.ensureValid();
>> 405:         if (token.p11.getVersion().major == 3) {
>> 406:             long flags = (encrypt? CKF_ENCRYPT : CKF_DECRYPT);
> 
> I think this is a syntax nit with no space between "encrypt" and '?'

Ok.

> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java line 449:
> 
>> 447:         token.ensureValid();
>> 448:         if (token.p11.getVersion().major == 3) {
>> 449:             long flags = (encrypt? CKF_ENCRYPT : CKF_DECRYPT);
> 
> I think this is a syntax nit with no space between "encrypt" and '?'

Ok.

> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyWrapCipher.java line 291:
> 
>> 289: 
>> 290:         if (token.p11.getVersion().major == 3) {
>> 291:             long flags = (opmode == Cipher.ENCRYPT_MODE? CKF_ENCRYPT :
> 
> I think this is a syntax nit with no space between MODE and '?'

Ok.

> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java line 285:
> 
>> 283: 
>> 284:         if (token.p11.getVersion().major == 3) {
>> 285:             long flags = (mode == M_SIGN? CKF_SIGN : CKF_VERIFY);
> 
> M_SIGN ? ...

Ok. BTW, is there a central place for these syntax? I usually just pick up the convention used in the same file.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6655

From ssahoo at openjdk.java.net  Tue Dec  7 05:14:17 2021
From: ssahoo at openjdk.java.net (Sibabrata Sahoo)
Date: Tue, 7 Dec 2021 05:14:17 GMT
Subject: Integrated: 8277353: java/security/MessageDigest/ThreadSafetyTest.java
 test times out
In-Reply-To: <8GdNQIf2UfVcwE94T18PpgcgQNOYlRt03WllAYdR4JE=.3987d453-4669-40ff-b3da-828b4c17d602@github.com>
References: <8GdNQIf2UfVcwE94T18PpgcgQNOYlRt03WllAYdR4JE=.3987d453-4669-40ff-b3da-828b4c17d602@github.com>
Message-ID: <pOI1nJKrAK5ObHjfV4rLooSy-1bgdyCn66KRdpb6BlY=.0f8a7870-4408-4471-9535-f563563f1597@github.com>

On Wed, 1 Dec 2021 06:26:58 GMT, Sibabrata Sahoo <ssahoo at openjdk.org> wrote:

> This Test gets timeout during low cpu availability. It is modified to support extended timeout period during JTREG execution.

This pull request has now been integrated.

Changeset: f22d157e
Author:    Sibabrata Sahoo <ssahoo at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/f22d157e551fb28991e7713a45e63a0a8d9d2c4c
Stats:     4 lines in 1 file changed: 0 ins; 0 del; 4 mod

8277353: java/security/MessageDigest/ThreadSafetyTest.java test times out

Reviewed-by: weijun

-------------

PR: https://git.openjdk.java.net/jdk/pull/6626

From alanb at openjdk.java.net  Tue Dec  7 07:18:16 2021
From: alanb at openjdk.java.net (Alan Bateman)
Date: Tue, 7 Dec 2021 07:18:16 GMT
Subject: RFR: 8277932: Subject:callAs() not throwing NPE when action is
 null
In-Reply-To: <Gky27djn9v8Yaaz51Z0GOgCi93ZZf89Z6ubDYzrBxv8=.b5f3c559-e4f2-4dcd-b613-562802814fa1@github.com>
References: <Gky27djn9v8Yaaz51Z0GOgCi93ZZf89Z6ubDYzrBxv8=.b5f3c559-e4f2-4dcd-b613-562802814fa1@github.com>
Message-ID: <rmFpsqvg92GDQq7UFslUho42YIMoiaOJBDG0_Yh1OjQ=.ca7139f9-b159-4b16-9583-d565ea34f742@github.com>

On Mon, 6 Dec 2021 22:22:14 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Add null check. I must have thought the NPE will be thrown anyway but the `catch Exception` block swallows it.
> 
> I added a noreg-trivial label. If you think differently can add one.

Is there a test for this? (I see noreg-trivial is added but a test should be easy to add).

-------------

PR: https://git.openjdk.java.net/jdk/pull/6728

From alanb at openjdk.java.net  Tue Dec  7 08:03:21 2021
From: alanb at openjdk.java.net (Alan Bateman)
Date: Tue, 7 Dec 2021 08:03:21 GMT
Subject: RFR: 8274809: Update java.base classes to use try-with-resources
 [v4]
In-Reply-To: <FZuIidy72Sp0Bj9To9eH5dUGHDyF_kd20Dyqw-fPPAA=.61a14a85-d5ab-4268-97f3-3d6e511e5988@github.com>
References: <NIhcEALtWMfPW2z9M3VQHhpg1OXK1nHocQ-mWpiuXdw=.ae6caa99-1bfd-44ff-9e94-6dbc1b4947e8@github.com>
 <FZuIidy72Sp0Bj9To9eH5dUGHDyF_kd20Dyqw-fPPAA=.61a14a85-d5ab-4268-97f3-3d6e511e5988@github.com>
Message-ID: <mYfx4V8vGa_GAE18To-LMcLSi_Wqejj0EivZStBNhnk=.e4cbaf08-2530-4a20-8c63-e9aa37c26348@github.com>

On Wed, 6 Oct 2021 20:37:29 GMT, Andrey Turbanov <duke at openjdk.java.net> wrote:

>> 8274809: Update java.base classes to use try-with-resources
>
> Andrey Turbanov has updated the pull request incrementally with one additional commit since the last revision:
> 
>   8274809: Update java.base classes to use try-with-resources
>   fix review comments

Marked as reviewed by alanb (Reviewer).

src/java.base/share/classes/sun/net/NetProperties.java line 73:

> 71:             try (FileInputStream in = new FileInputStream(fname);
> 72:                  BufferedInputStream bin = new BufferedInputStream(in))
> 73:             {

Style-wide I'd probably put the "{" at the end of L72.

-------------

PR: https://git.openjdk.java.net/jdk/pull/5818

From dfuchs at openjdk.java.net  Tue Dec  7 11:48:17 2021
From: dfuchs at openjdk.java.net (Daniel Fuchs)
Date: Tue, 7 Dec 2021 11:48:17 GMT
Subject: RFR: 8274809: Update java.base classes to use try-with-resources
 [v4]
In-Reply-To: <FZuIidy72Sp0Bj9To9eH5dUGHDyF_kd20Dyqw-fPPAA=.61a14a85-d5ab-4268-97f3-3d6e511e5988@github.com>
References: <NIhcEALtWMfPW2z9M3VQHhpg1OXK1nHocQ-mWpiuXdw=.ae6caa99-1bfd-44ff-9e94-6dbc1b4947e8@github.com>
 <FZuIidy72Sp0Bj9To9eH5dUGHDyF_kd20Dyqw-fPPAA=.61a14a85-d5ab-4268-97f3-3d6e511e5988@github.com>
Message-ID: <L9Zz_IBZIJtBFKlbVip42MuYHUSBGp4qYyJbvPSRBH8=.02d0af5e-783c-4090-8af0-25fcc6cc3029@github.com>

On Wed, 6 Oct 2021 20:37:29 GMT, Andrey Turbanov <duke at openjdk.java.net> wrote:

>> 8274809: Update java.base classes to use try-with-resources
>
> Andrey Turbanov has updated the pull request incrementally with one additional commit since the last revision:
> 
>   8274809: Update java.base classes to use try-with-resources
>   fix review comments

The rest looks OK.

src/java.base/share/classes/sun/net/www/MimeTable.java line 385:

> 383: 
> 384:     protected boolean saveAsProperties(File file) {
> 385:         try (FileOutputStream os = new FileOutputStream(file)) {

This is not strictly equivalent as now an exception thrown during `close()` will be printed instead of being ignored. I have no idea whether it's a good thing or a bad thing, but that's a _different_ thing...
So unless someone with more historical knowledge of this area can comment, maybe this change should be reverted.

-------------

PR: https://git.openjdk.java.net/jdk/pull/5818

From weijun at openjdk.java.net  Tue Dec  7 14:09:18 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Tue, 7 Dec 2021 14:09:18 GMT
Subject: RFR: 8277932: Subject:callAs() not throwing NPE when action is
 null
In-Reply-To: <rmFpsqvg92GDQq7UFslUho42YIMoiaOJBDG0_Yh1OjQ=.ca7139f9-b159-4b16-9583-d565ea34f742@github.com>
References: <Gky27djn9v8Yaaz51Z0GOgCi93ZZf89Z6ubDYzrBxv8=.b5f3c559-e4f2-4dcd-b613-562802814fa1@github.com>
 <rmFpsqvg92GDQq7UFslUho42YIMoiaOJBDG0_Yh1OjQ=.ca7139f9-b159-4b16-9583-d565ea34f742@github.com>
Message-ID: <dbR0bgx8puZuWRdQ5foqAjPE9WByFKdhVeMA9Lgbd_U=.404b4e63-7d1b-47b3-8df6-92505c950a4b@github.com>

On Tue, 7 Dec 2021 07:14:53 GMT, Alan Bateman <alanb at openjdk.org> wrote:

> Is there a test for this? (I see noreg-trivial is added but a test should be easy to add).

I can add one, just thought it's not necessary. I didn't say noreg-hard. :-)

-------------

PR: https://git.openjdk.java.net/jdk/pull/6728

From duke at openjdk.java.net  Tue Dec  7 14:28:18 2021
From: duke at openjdk.java.net (Andrey Turbanov)
Date: Tue, 7 Dec 2021 14:28:18 GMT
Subject: RFR: 8274809: Update java.base classes to use try-with-resources
 [v4]
In-Reply-To: <L9Zz_IBZIJtBFKlbVip42MuYHUSBGp4qYyJbvPSRBH8=.02d0af5e-783c-4090-8af0-25fcc6cc3029@github.com>
References: <NIhcEALtWMfPW2z9M3VQHhpg1OXK1nHocQ-mWpiuXdw=.ae6caa99-1bfd-44ff-9e94-6dbc1b4947e8@github.com>
 <FZuIidy72Sp0Bj9To9eH5dUGHDyF_kd20Dyqw-fPPAA=.61a14a85-d5ab-4268-97f3-3d6e511e5988@github.com>
 <L9Zz_IBZIJtBFKlbVip42MuYHUSBGp4qYyJbvPSRBH8=.02d0af5e-783c-4090-8af0-25fcc6cc3029@github.com>
Message-ID: <6HwkNRRJdJHU0_LhA4KHZ0egZ3zd7mDMwARP1EnCdFk=.3f2e8083-6a74-4284-8f74-aae7cc0093ff@github.com>

On Tue, 7 Dec 2021 11:41:12 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:

>> Andrey Turbanov has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   8274809: Update java.base classes to use try-with-resources
>>   fix review comments
>
> src/java.base/share/classes/sun/net/www/MimeTable.java line 385:
> 
>> 383: 
>> 384:     protected boolean saveAsProperties(File file) {
>> 385:         try (FileOutputStream os = new FileOutputStream(file)) {
> 
> This is not strictly equivalent as now an exception thrown during `close()` will be printed instead of being ignored. I have no idea whether it's a good thing or a bad thing, but that's a _different_ thing...
> So unless someone with more historical knowledge of this area can comment, maybe this change should be reverted.

I believe it's always good to have at least _some_ trace if we got Exception. If closing FileOutputStream failed - there is no guarantee, that all written content is actually stored to filesystem.
BTW, this method `saveAsProperties` seems unused...

-------------

PR: https://git.openjdk.java.net/jdk/pull/5818

From dfuchs at openjdk.java.net  Tue Dec  7 14:51:24 2021
From: dfuchs at openjdk.java.net (Daniel Fuchs)
Date: Tue, 7 Dec 2021 14:51:24 GMT
Subject: RFR: 8274809: Update java.base classes to use try-with-resources
 [v4]
In-Reply-To: <FZuIidy72Sp0Bj9To9eH5dUGHDyF_kd20Dyqw-fPPAA=.61a14a85-d5ab-4268-97f3-3d6e511e5988@github.com>
References: <NIhcEALtWMfPW2z9M3VQHhpg1OXK1nHocQ-mWpiuXdw=.ae6caa99-1bfd-44ff-9e94-6dbc1b4947e8@github.com>
 <FZuIidy72Sp0Bj9To9eH5dUGHDyF_kd20Dyqw-fPPAA=.61a14a85-d5ab-4268-97f3-3d6e511e5988@github.com>
Message-ID: <ug8jlwngynqu2wzVGfbmx6CCtpqMJ3c88uq2fCEwC2w=.9ffc3a79-2ed2-42ae-a667-6ce7db6f8d66@github.com>

On Wed, 6 Oct 2021 20:37:29 GMT, Andrey Turbanov <duke at openjdk.java.net> wrote:

>> 8274809: Update java.base classes to use try-with-resources
>
> Andrey Turbanov has updated the pull request incrementally with one additional commit since the last revision:
> 
>   8274809: Update java.base classes to use try-with-resources
>   fix review comments

Marked as reviewed by dfuchs (Reviewer).

-------------

PR: https://git.openjdk.java.net/jdk/pull/5818

From dfuchs at openjdk.java.net  Tue Dec  7 14:51:25 2021
From: dfuchs at openjdk.java.net (Daniel Fuchs)
Date: Tue, 7 Dec 2021 14:51:25 GMT
Subject: RFR: 8274809: Update java.base classes to use try-with-resources
 [v4]
In-Reply-To: <6HwkNRRJdJHU0_LhA4KHZ0egZ3zd7mDMwARP1EnCdFk=.3f2e8083-6a74-4284-8f74-aae7cc0093ff@github.com>
References: <NIhcEALtWMfPW2z9M3VQHhpg1OXK1nHocQ-mWpiuXdw=.ae6caa99-1bfd-44ff-9e94-6dbc1b4947e8@github.com>
 <FZuIidy72Sp0Bj9To9eH5dUGHDyF_kd20Dyqw-fPPAA=.61a14a85-d5ab-4268-97f3-3d6e511e5988@github.com>
 <L9Zz_IBZIJtBFKlbVip42MuYHUSBGp4qYyJbvPSRBH8=.02d0af5e-783c-4090-8af0-25fcc6cc3029@github.com>
 <6HwkNRRJdJHU0_LhA4KHZ0egZ3zd7mDMwARP1EnCdFk=.3f2e8083-6a74-4284-8f74-aae7cc0093ff@github.com>
Message-ID: <ClH8-9AbObS-iQPzN019S9vCW01-ngDKxSVej6XlTWY=.91a65b9b-85b4-4872-ab6d-92f1a2ca5029@github.com>

On Tue, 7 Dec 2021 14:24:41 GMT, Andrey Turbanov <duke at openjdk.java.net> wrote:

>> src/java.base/share/classes/sun/net/www/MimeTable.java line 385:
>> 
>>> 383: 
>>> 384:     protected boolean saveAsProperties(File file) {
>>> 385:         try (FileOutputStream os = new FileOutputStream(file)) {
>> 
>> This is not strictly equivalent as now an exception thrown during `close()` will be printed instead of being ignored. I have no idea whether it's a good thing or a bad thing, but that's a _different_ thing...
>> So unless someone with more historical knowledge of this area can comment, maybe this change should be reverted.
>
> I believe it's always good to have at least _some_ trace if we got Exception. If closing FileOutputStream failed - there is no guarantee, that all written content is actually stored to filesystem.
> BTW, this method `saveAsProperties` seems unused...

This is legacy code with probably poor testing coverage. Usually we don't print anything on the console directly and unconditionally - except in some well identified cases. Ignoring exceptions thrown by `close` is a common idiom. That said - it does seem that this method is indeed never called - so for the sake of simplification I'd agree to keep this change as proposed.
Remind me to sponsor this after the fork.

-------------

PR: https://git.openjdk.java.net/jdk/pull/5818

From michaelm at openjdk.java.net  Thu Dec  9 17:00:40 2021
From: michaelm at openjdk.java.net (Michael McMahon)
Date: Thu, 9 Dec 2021 17:00:40 GMT
Subject: RFR: 8278312: Update SimpleSSLContext keystore to use SANs for
 localhost IP addresses
Message-ID: <8KPOPEEXnJLYe2ff9vyTGfQSiMw8Oly_5nCsVg073KQ=.8158ccc1-abfe-43ad-b32c-aa8cf417e368@github.com>

This updates the testkeys keystore file used by SimpleSSLContext in the test tree, in order to add subject alt names for the literal IP addresses "127.0.0.1" and "::1". This should allow the self signed certificate in the keystore to be accepted even when the local OS doesn't have a localhost to loopback address name service mapping.

Apart from the test, there's nothing to see in the webrev as it's a binary file. Here is the relevant diff between the list output from the old and new keystores

24c24,31
< #1: ObjectId: 2.5.29.14 Criticality=false
---
> #1: ObjectId: 2.5.29.17 Criticality=true
> SubjectAlternativeName [
>   DNSName: localhost
>   IPAddress: 127.0.0.1
>   IPAddress: 0:0:0:0:0:0:0:1
> ]
>

-------------

Commit messages:
 - updated to check for IPv4/IPv6 support
 - updated to use HttpServerAdapters and h2 tests
 - Merge branch 'master' into simplesslcontext
 - initial fix

Changes: https://git.openjdk.java.net/jdk/pull/6727/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6727&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8278312
  Stats: 222 lines in 3 files changed: 218 ins; 0 del; 4 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6727.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6727/head:pull/6727

PR: https://git.openjdk.java.net/jdk/pull/6727

From dfuchs at openjdk.java.net  Thu Dec  9 17:00:41 2021
From: dfuchs at openjdk.java.net (Daniel Fuchs)
Date: Thu, 9 Dec 2021 17:00:41 GMT
Subject: RFR: 8278312: Update SimpleSSLContext keystore to use SANs for
 localhost IP addresses
In-Reply-To: <8KPOPEEXnJLYe2ff9vyTGfQSiMw8Oly_5nCsVg073KQ=.8158ccc1-abfe-43ad-b32c-aa8cf417e368@github.com>
References: <8KPOPEEXnJLYe2ff9vyTGfQSiMw8Oly_5nCsVg073KQ=.8158ccc1-abfe-43ad-b32c-aa8cf417e368@github.com>
Message-ID: <JJmm_2Rdtlupd41ditpndRdkDuxifbb8DGFb_ZlLhCU=.9a121c85-e276-4d70-b1a7-21b77bdd5188@github.com>

On Mon, 6 Dec 2021 21:27:48 GMT, Michael McMahon <michaelm at openjdk.org> wrote:

> This updates the testkeys keystore file used by SimpleSSLContext in the test tree, in order to add subject alt names for the literal IP addresses "127.0.0.1" and "::1". This should allow the self signed certificate in the keystore to be accepted even when the local OS doesn't have a localhost to loopback address name service mapping.
> 
> Apart from the test, there's nothing to see in the webrev as it's a binary file. Here is the relevant diff between the list output from the old and new keystores
> 
> 24c24,31
> < #1: ObjectId: 2.5.29.14 Criticality=false
> ---
>> #1: ObjectId: 2.5.29.17 Criticality=true
>> SubjectAlternativeName [
>>   DNSName: localhost
>>   IPAddress: 127.0.0.1
>>   IPAddress: 0:0:0:0:0:0:0:1
>> ]
>>

test/jdk/com/sun/net/httpserver/SANTest.java line 77:

> 75:             int port1 = s1.getAddress().getPort();
> 76:             int port2 = s2.getAddress().getPort();
> 77:             test ("127.0.0.1", root+"/test1", port2, "smallfile.txt", 23);

Maybe this test should use `IPSupport::hasIPv4` and `IPSupport::hasIPv6` to figure out which addresses can be tested on a particular machine.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6727

From dfuchs at openjdk.java.net  Thu Dec  9 17:00:44 2021
From: dfuchs at openjdk.java.net (Daniel Fuchs)
Date: Thu, 9 Dec 2021 17:00:44 GMT
Subject: RFR: 8278312: Update SimpleSSLContext keystore to use SANs for
 localhost IP addresses
In-Reply-To: <JJmm_2Rdtlupd41ditpndRdkDuxifbb8DGFb_ZlLhCU=.9a121c85-e276-4d70-b1a7-21b77bdd5188@github.com>
References: <8KPOPEEXnJLYe2ff9vyTGfQSiMw8Oly_5nCsVg073KQ=.8158ccc1-abfe-43ad-b32c-aa8cf417e368@github.com>
 <JJmm_2Rdtlupd41ditpndRdkDuxifbb8DGFb_ZlLhCU=.9a121c85-e276-4d70-b1a7-21b77bdd5188@github.com>
Message-ID: <pZiM6w4fXw6KA_qVqpX8cfJNL0GjtpxEmdwdhwUhs3k=.ebacd639-1bf0-4704-9568-512b2008c8cd@github.com>

On Tue, 7 Dec 2021 15:00:33 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:

>> This updates the testkeys keystore file used by SimpleSSLContext in the test tree, in order to add subject alt names for the literal IP addresses "127.0.0.1" and "::1". This should allow the self signed certificate in the keystore to be accepted even when the local OS doesn't have a localhost to loopback address name service mapping.
>> 
>> Apart from the test, there's nothing to see in the webrev as it's a binary file. Here is the relevant diff between the list output from the old and new keystores
>> 
>> 24c24,31
>> < #1: ObjectId: 2.5.29.14 Criticality=false
>> ---
>>> #1: ObjectId: 2.5.29.17 Criticality=true
>>> SubjectAlternativeName [
>>>   DNSName: localhost
>>>   IPAddress: 127.0.0.1
>>>   IPAddress: 0:0:0:0:0:0:0:1
>>> ]
>>>
>
> test/jdk/com/sun/net/httpserver/SANTest.java line 77:
> 
>> 75:             int port1 = s1.getAddress().getPort();
>> 76:             int port2 = s2.getAddress().getPort();
>> 77:             test ("127.0.0.1", root+"/test1", port2, "smallfile.txt", 23);
> 
> Maybe this test should use `IPSupport::hasIPv4` and `IPSupport::hasIPv6` to figure out which addresses can be tested on a particular machine.

Also it might be good to test with HTTP/2 over SSL - maybe the test class could implement `HttpServerAdapters` to that purpose.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6727

From michaelm at openjdk.java.net  Thu Dec  9 17:00:45 2021
From: michaelm at openjdk.java.net (Michael McMahon)
Date: Thu, 9 Dec 2021 17:00:45 GMT
Subject: RFR: 8278312: Update SimpleSSLContext keystore to use SANs for
 localhost IP addresses
In-Reply-To: <pZiM6w4fXw6KA_qVqpX8cfJNL0GjtpxEmdwdhwUhs3k=.ebacd639-1bf0-4704-9568-512b2008c8cd@github.com>
References: <8KPOPEEXnJLYe2ff9vyTGfQSiMw8Oly_5nCsVg073KQ=.8158ccc1-abfe-43ad-b32c-aa8cf417e368@github.com>
 <JJmm_2Rdtlupd41ditpndRdkDuxifbb8DGFb_ZlLhCU=.9a121c85-e276-4d70-b1a7-21b77bdd5188@github.com>
 <pZiM6w4fXw6KA_qVqpX8cfJNL0GjtpxEmdwdhwUhs3k=.ebacd639-1bf0-4704-9568-512b2008c8cd@github.com>
Message-ID: <AiDPn7YJ5KAPPDMs9Og9-aj40sUJr0Hrnjjkm145q9E=.9b60f824-62f5-4553-bfe1-eb0491ef4972@github.com>

On Tue, 7 Dec 2021 15:03:31 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:

>> test/jdk/com/sun/net/httpserver/SANTest.java line 77:
>> 
>>> 75:             int port1 = s1.getAddress().getPort();
>>> 76:             int port2 = s2.getAddress().getPort();
>>> 77:             test ("127.0.0.1", root+"/test1", port2, "smallfile.txt", 23);
>> 
>> Maybe this test should use `IPSupport::hasIPv4` and `IPSupport::hasIPv6` to figure out which addresses can be tested on a particular machine.
>
> Also it might be good to test with HTTP/2 over SSL - maybe the test class could implement `HttpServerAdapters` to that purpose.

Okay, will do.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6727

From dfuchs at openjdk.java.net  Thu Dec  9 17:16:15 2021
From: dfuchs at openjdk.java.net (Daniel Fuchs)
Date: Thu, 9 Dec 2021 17:16:15 GMT
Subject: RFR: 8278312: Update SimpleSSLContext keystore to use SANs for
 localhost IP addresses
In-Reply-To: <8KPOPEEXnJLYe2ff9vyTGfQSiMw8Oly_5nCsVg073KQ=.8158ccc1-abfe-43ad-b32c-aa8cf417e368@github.com>
References: <8KPOPEEXnJLYe2ff9vyTGfQSiMw8Oly_5nCsVg073KQ=.8158ccc1-abfe-43ad-b32c-aa8cf417e368@github.com>
Message-ID: <h5H-DQhOjKTfzEvsECUYvcr0LLLy64qK4-V-_vMG0YI=.438cc7fe-1c79-42df-a332-c132ebff4aab@github.com>

On Mon, 6 Dec 2021 21:27:48 GMT, Michael McMahon <michaelm at openjdk.org> wrote:

> This updates the testkeys keystore file used by SimpleSSLContext in the test tree, in order to add subject alt names for the literal IP addresses "127.0.0.1" and "::1". This should allow the self signed certificate in the keystore to be accepted even when the local OS doesn't have a localhost to loopback address name service mapping.
> 
> Apart from the test, there's nothing to see in the webrev as it's a binary file. Here is the relevant diff between the list output from the old and new keystores
> 
> 24c24,31
> < #1: ObjectId: 2.5.29.14 Criticality=false
> ---
>> #1: ObjectId: 2.5.29.17 Criticality=true
>> SubjectAlternativeName [
>>   DNSName: localhost
>>   IPAddress: 127.0.0.1
>>   IPAddress: 0:0:0:0:0:0:0:1
>> ]
>>

LGTM

-------------

Marked as reviewed by dfuchs (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/6727

From michaelm at openjdk.java.net  Thu Dec  9 17:42:17 2021
From: michaelm at openjdk.java.net (Michael McMahon)
Date: Thu, 9 Dec 2021 17:42:17 GMT
Subject: Integrated: 8278312: Update SimpleSSLContext keystore to use SANs for
 localhost IP addresses
In-Reply-To: <8KPOPEEXnJLYe2ff9vyTGfQSiMw8Oly_5nCsVg073KQ=.8158ccc1-abfe-43ad-b32c-aa8cf417e368@github.com>
References: <8KPOPEEXnJLYe2ff9vyTGfQSiMw8Oly_5nCsVg073KQ=.8158ccc1-abfe-43ad-b32c-aa8cf417e368@github.com>
Message-ID: <hM2ZzaQ6qYto6MiR7qDWaFKxXD-3RcUXYxNxmvHudag=.3a565d49-ce8a-4816-80fa-fc2cb849f4cf@github.com>

On Mon, 6 Dec 2021 21:27:48 GMT, Michael McMahon <michaelm at openjdk.org> wrote:

> This updates the testkeys keystore file used by SimpleSSLContext in the test tree, in order to add subject alt names for the literal IP addresses "127.0.0.1" and "::1". This should allow the self signed certificate in the keystore to be accepted even when the local OS doesn't have a localhost to loopback address name service mapping.
> 
> Apart from the test, there's nothing to see in the webrev as it's a binary file. Here is the relevant diff between the list output from the old and new keystores
> 
> 24c24,31
> < #1: ObjectId: 2.5.29.14 Criticality=false
> ---
>> #1: ObjectId: 2.5.29.17 Criticality=true
>> SubjectAlternativeName [
>>   DNSName: localhost
>>   IPAddress: 127.0.0.1
>>   IPAddress: 0:0:0:0:0:0:0:1
>> ]
>>

This pull request has now been integrated.

Changeset: bc31ccc9
Author:    Michael McMahon <michaelm at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/bc31ccc95be9523cc6c64932f6d39f81c2e82bdd
Stats:     222 lines in 3 files changed: 218 ins; 0 del; 4 mod

8278312: Update SimpleSSLContext keystore to use SANs for localhost IP addresses

Reviewed-by: dfuchs

-------------

PR: https://git.openjdk.java.net/jdk/pull/6727

From weijun at openjdk.java.net  Thu Dec  9 19:42:28 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Thu, 9 Dec 2021 19:42:28 GMT
Subject: [jdk18] RFR: 8278186: throw StringIndexOutOfBoundsException when
 calling substring method
Message-ID: <ThPnZAF6cI72OubmCKZGqW4y9kzrZVmUuZVzGDOAjlQ=.cbdbd970-43ef-4f65-829c-cda49e71366b@github.com>

Add check on `xpointer(id('name'))` format.

-------------

Commit messages:
 - 8278186: throw StringIndexOutOfBoundsException when calling substring method

Changes: https://git.openjdk.java.net/jdk18/pull/1/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk18&pr=1&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8278186
  Stats: 75 lines in 4 files changed: 66 ins; 0 del; 9 mod
  Patch: https://git.openjdk.java.net/jdk18/pull/1.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk18 pull/1/head:pull/1

PR: https://git.openjdk.java.net/jdk18/pull/1

From weijun at openjdk.java.net  Thu Dec  9 19:43:19 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Thu, 9 Dec 2021 19:43:19 GMT
Subject: Withdrawn: 8278186: throw StringIndexOutOfBoundsException when calling
 substring method
In-Reply-To: <xfmnKWDciWYGayy95zZDJD6mUw8WSwBugm3xNYB7JMA=.a8587fbb-c002-483b-bf5c-b0b42df1cd02@github.com>
References: <xfmnKWDciWYGayy95zZDJD6mUw8WSwBugm3xNYB7JMA=.a8587fbb-c002-483b-bf5c-b0b42df1cd02@github.com>
Message-ID: <6fZf9RHHOwPomFfI21LmYBxM5nxgpEQQ8shxXUVMwOg=.ae0226dd-4e13-4bf7-94db-6f0aa93401a5@github.com>

On Wed, 8 Dec 2021 15:36:36 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Add check on `xpointer(id('name'))` format.

This pull request has been closed without being integrated.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6769

From weijun at openjdk.java.net  Thu Dec  9 20:09:35 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Thu, 9 Dec 2021 20:09:35 GMT
Subject: [jdk18] Withdrawn: 8278186: throw StringIndexOutOfBoundsException when
 calling substring method
In-Reply-To: <ThPnZAF6cI72OubmCKZGqW4y9kzrZVmUuZVzGDOAjlQ=.cbdbd970-43ef-4f65-829c-cda49e71366b@github.com>
References: <ThPnZAF6cI72OubmCKZGqW4y9kzrZVmUuZVzGDOAjlQ=.cbdbd970-43ef-4f65-829c-cda49e71366b@github.com>
Message-ID: <goZSXexrimTqvFzgxMNvH4NlOmwJt69xneWHhRzH5Yk=.1268937f-b136-4406-9bf8-0af695705ce7@github.com>

On Thu, 9 Dec 2021 19:34:12 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Add check on `xpointer(id('name'))` format.

This pull request has been closed without being integrated.

-------------

PR: https://git.openjdk.java.net/jdk18/pull/1

From serb at openjdk.java.net  Fri Dec 10 03:18:37 2021
From: serb at openjdk.java.net (Sergey Bylokhov)
Date: Fri, 10 Dec 2021 03:18:37 GMT
Subject: RFR: 8273101: Eliminate the usage of threadgroup sandboxing in the
 java.util.logging [v2]
In-Reply-To: <qgr9AoAEl2VhjQIefvu0fn8Q2_9I32-VRd_bg3u6IZE=.35e2776a-74ad-48ea-a11e-0546d9b2f1c6@github.com>
References: <qgr9AoAEl2VhjQIefvu0fn8Q2_9I32-VRd_bg3u6IZE=.35e2776a-74ad-48ea-a11e-0546d9b2f1c6@github.com>
Message-ID: <oMxSMgfs2sbqnG2_YD9cgbzxAqLrq9qC0QFF6ZlYZBc=.88298f7c-52c3-40ed-8b35-51b5f60f10c1@github.com>

> At the time Java supported applets and webstart, a special mechanism for launching various applications in one JVM was used to reduce memory usage and each application was isolated from each other.
> 
> This isolation was implemented via ThreadGroups where each application created its own thread group and all data for the application was stored in the context of its own group.
> 
> Some parts of the JDK used ThreadGroups directly, others used special classes like sun.awt.AppContext.
> 
> Such sandboxing became useless since the plugin and webstart are no longer supported and were removed in jdk11.
> 
> Note that this is just a first step for the overall cleanup, here is my plan:
> 1. Cleanup the usage of AppContext in the ?java.util.logging.LogManager" class in the java.base module.
> 2. Cleanup the usage of TheadGroup in the JavaSound
> 3. Cleanup the usage of TheadGroup in the JavaBeans
> 4. Cleanup the usage of AppContext in the Swing
> 5. Cleanup the usage of AppContext in the AWT
> 6. Delete the AppContext class.
> 
> The current PR is for the first step. So this is the request to delete the usage of AppContext in the LogManager and related tests.
> 
> Tested by tier1/tier2/tier3 and jdk_desktop tests.

Sergey Bylokhov has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains four commits:

 - Merge branch 'master' into JDK-8273101
 - Some tests deleted
 - Update the RootLevelInConfigFile test
 - Initial version of JDK-8273101

-------------

Changes: https://git.openjdk.java.net/jdk/pull/5326/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=5326&range=01
  Stats: 1423 lines in 10 files changed: 0 ins; 1418 del; 5 mod
  Patch: https://git.openjdk.java.net/jdk/pull/5326.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/5326/head:pull/5326

PR: https://git.openjdk.java.net/jdk/pull/5326

From mdoerr at openjdk.java.net  Fri Dec 10 12:04:13 2021
From: mdoerr at openjdk.java.net (Martin Doerr)
Date: Fri, 10 Dec 2021 12:04:13 GMT
Subject: RFR: JDK-8278344:
 sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of
 different openssl output
In-Reply-To: <TCwCmcJp5-RWLecL1xx_zguz7q43_RC_93h4Ostea2Y=.91f94884-339c-4f01-b6b0-8b38df872829@github.com>
References: <TCwCmcJp5-RWLecL1xx_zguz7q43_RC_93h4Ostea2Y=.91f94884-339c-4f01-b6b0-8b38df872829@github.com>
Message-ID: <aBqrJLrG4Yobya3BHpsm07y1XfmlSQ_QSrSB6WiejdQ=.ef45702e-ff3c-4056-92e8-25090969a34e@github.com>

On Thu, 9 Dec 2021 08:25:17 GMT, Matthias Baesken <mbaesken at openjdk.org> wrote:

> Please review this small test fix.
> KeytoolOpensslInteropTest.java fails with the output below.
> Seems on our SUSE Linux 15 (openssl is
> ~> openssl version
> OpenSSL 1.1.0i-fips 14 Aug 2018
> ) we get a slightly different output with a blank missing after "MAC:" :
> 
> :stdErr:
> Mon Dec 06 21:54:48 CET 2021
> stdout: [];
> stderr: [MAC:sha256 Iteration 10000
>  . . .
> java.lang.RuntimeException: 'MAC: sha256, Iteration 10000' missing from stdout/stderr
> 
> So it is necessary to adjust the test to the other openssl version.

LGTM.

-------------

Marked as reviewed by mdoerr (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/6779

From mbaesken at openjdk.java.net  Fri Dec 10 12:18:14 2021
From: mbaesken at openjdk.java.net (Matthias Baesken)
Date: Fri, 10 Dec 2021 12:18:14 GMT
Subject: RFR: JDK-8278344:
 sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of
 different openssl output
In-Reply-To: <aBqrJLrG4Yobya3BHpsm07y1XfmlSQ_QSrSB6WiejdQ=.ef45702e-ff3c-4056-92e8-25090969a34e@github.com>
References: <TCwCmcJp5-RWLecL1xx_zguz7q43_RC_93h4Ostea2Y=.91f94884-339c-4f01-b6b0-8b38df872829@github.com>
 <aBqrJLrG4Yobya3BHpsm07y1XfmlSQ_QSrSB6WiejdQ=.ef45702e-ff3c-4056-92e8-25090969a34e@github.com>
Message-ID: <QYh9NZ5XSMbWBd_wOw0IrPoyTGzKBNf8CzVCHrF3mO8=.9dbbdbd1-194d-4f8d-be53-0e828b5fd79c@github.com>

On Fri, 10 Dec 2021 12:01:11 GMT, Martin Doerr <mdoerr at openjdk.org> wrote:

> LGTM.

Hi Martin, thanks for the review.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6779

From goetz at openjdk.java.net  Fri Dec 10 16:27:16 2021
From: goetz at openjdk.java.net (Goetz Lindenmaier)
Date: Fri, 10 Dec 2021 16:27:16 GMT
Subject: RFR: JDK-8278344:
 sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of
 different openssl output
In-Reply-To: <TCwCmcJp5-RWLecL1xx_zguz7q43_RC_93h4Ostea2Y=.91f94884-339c-4f01-b6b0-8b38df872829@github.com>
References: <TCwCmcJp5-RWLecL1xx_zguz7q43_RC_93h4Ostea2Y=.91f94884-339c-4f01-b6b0-8b38df872829@github.com>
Message-ID: <j4TZmNsmpuUn7D9vRLtajKyaxVeg5NBEf2zdhF9meHk=.f53169dd-6716-431b-9666-071d95f713dd@github.com>

On Thu, 9 Dec 2021 08:25:17 GMT, Matthias Baesken <mbaesken at openjdk.org> wrote:

> Please review this small test fix.
> KeytoolOpensslInteropTest.java fails with the output below.
> Seems on our SUSE Linux 15 (openssl is
> ~> openssl version
> OpenSSL 1.1.0i-fips 14 Aug 2018
> ) we get a slightly different output with a blank missing after "MAC:" :
> 
> :stdErr:
> Mon Dec 06 21:54:48 CET 2021
> stdout: [];
> stderr: [MAC:sha256 Iteration 10000
>  . . .
> java.lang.RuntimeException: 'MAC: sha256, Iteration 10000' missing from stdout/stderr
> 
> So it is necessary to adjust the test to the other openssl version.

All good, simple fix.

-------------

Marked as reviewed by goetz (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/6779

From duke at openjdk.java.net  Fri Dec 10 18:21:47 2021
From: duke at openjdk.java.net (Andrey Turbanov)
Date: Fri, 10 Dec 2021 18:21:47 GMT
Subject: RFR: 8274809: Update java.base classes to use try-with-resources
 [v5]
In-Reply-To: <NIhcEALtWMfPW2z9M3VQHhpg1OXK1nHocQ-mWpiuXdw=.ae6caa99-1bfd-44ff-9e94-6dbc1b4947e8@github.com>
References: <NIhcEALtWMfPW2z9M3VQHhpg1OXK1nHocQ-mWpiuXdw=.ae6caa99-1bfd-44ff-9e94-6dbc1b4947e8@github.com>
Message-ID: <VuZU6zfzzOpupKp3Yv35d12cwWQ4ULLGxwAfyaoR474=.0a7ce4e1-bdbc-44ab-a8de-0ac5cbff5312@github.com>

> 8274809: Update java.base classes to use try-with-resources

Andrey Turbanov has updated the pull request incrementally with one additional commit since the last revision:

  8274809: Update java.base classes to use try-with-resources
  move { to previous line

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/5818/files
  - new: https://git.openjdk.java.net/jdk/pull/5818/files/3b05ec49..033ee3c2

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5818&range=04
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5818&range=03-04

  Stats: 2 lines in 1 file changed: 0 ins; 1 del; 1 mod
  Patch: https://git.openjdk.java.net/jdk/pull/5818.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/5818/head:pull/5818

PR: https://git.openjdk.java.net/jdk/pull/5818

From duke at openjdk.java.net  Fri Dec 10 18:21:50 2021
From: duke at openjdk.java.net (Andrey Turbanov)
Date: Fri, 10 Dec 2021 18:21:50 GMT
Subject: RFR: 8274809: Update java.base classes to use try-with-resources
 [v4]
In-Reply-To: <mYfx4V8vGa_GAE18To-LMcLSi_Wqejj0EivZStBNhnk=.e4cbaf08-2530-4a20-8c63-e9aa37c26348@github.com>
References: <NIhcEALtWMfPW2z9M3VQHhpg1OXK1nHocQ-mWpiuXdw=.ae6caa99-1bfd-44ff-9e94-6dbc1b4947e8@github.com>
 <FZuIidy72Sp0Bj9To9eH5dUGHDyF_kd20Dyqw-fPPAA=.61a14a85-d5ab-4268-97f3-3d6e511e5988@github.com>
 <mYfx4V8vGa_GAE18To-LMcLSi_Wqejj0EivZStBNhnk=.e4cbaf08-2530-4a20-8c63-e9aa37c26348@github.com>
Message-ID: <N47WE88LCapkyIi0aZPio4-dvEsRMWpjqjD-33lMVGI=.57ca4d90-51b8-4d88-b6e8-02ce4c44af9c@github.com>

On Tue, 7 Dec 2021 07:59:54 GMT, Alan Bateman <alanb at openjdk.org> wrote:

>> Andrey Turbanov has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   8274809: Update java.base classes to use try-with-resources
>>   fix review comments
>
> src/java.base/share/classes/sun/net/NetProperties.java line 73:
> 
>> 71:             try (FileInputStream in = new FileInputStream(fname);
>> 72:                  BufferedInputStream bin = new BufferedInputStream(in))
>> 73:             {
> 
> Style-wisee I'd probably put the "{" at the end of L72.

As you wish.
But I personally like to have `{` on separate line, in case of multi-line `try`. It makes clear when `try` header is actually finished and body starts.

-------------

PR: https://git.openjdk.java.net/jdk/pull/5818

From duke at openjdk.java.net  Fri Dec 10 18:21:51 2021
From: duke at openjdk.java.net (Andrey Turbanov)
Date: Fri, 10 Dec 2021 18:21:51 GMT
Subject: RFR: 8274809: Update java.base classes to use try-with-resources
 [v4]
In-Reply-To: <ClH8-9AbObS-iQPzN019S9vCW01-ngDKxSVej6XlTWY=.91a65b9b-85b4-4872-ab6d-92f1a2ca5029@github.com>
References: <NIhcEALtWMfPW2z9M3VQHhpg1OXK1nHocQ-mWpiuXdw=.ae6caa99-1bfd-44ff-9e94-6dbc1b4947e8@github.com>
 <FZuIidy72Sp0Bj9To9eH5dUGHDyF_kd20Dyqw-fPPAA=.61a14a85-d5ab-4268-97f3-3d6e511e5988@github.com>
 <L9Zz_IBZIJtBFKlbVip42MuYHUSBGp4qYyJbvPSRBH8=.02d0af5e-783c-4090-8af0-25fcc6cc3029@github.com>
 <6HwkNRRJdJHU0_LhA4KHZ0egZ3zd7mDMwARP1EnCdFk=.3f2e8083-6a74-4284-8f74-aae7cc0093ff@github.com>
 <ClH8-9AbObS-iQPzN019S9vCW01-ngDKxSVej6XlTWY=.91a65b9b-85b4-4872-ab6d-92f1a2ca5029@github.com>
Message-ID: <utLSSDhXdbWhBZRhL5Ti1a_GiJaaLQ3H3_0D7hrIVhg=.642bdd9e-ed2a-4a96-a485-20ffad9c6e2b@github.com>

On Tue, 7 Dec 2021 14:48:17 GMT, Daniel Fuchs <dfuchs at openjdk.org> wrote:

>Remind me to sponsor this after the fork.

fork is done :)

-------------

PR: https://git.openjdk.java.net/jdk/pull/5818

From stuefe at openjdk.java.net  Fri Dec 10 18:22:20 2021
From: stuefe at openjdk.java.net (Thomas Stuefe)
Date: Fri, 10 Dec 2021 18:22:20 GMT
Subject: RFR: JDK-8278344:
 sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of
 different openssl output
In-Reply-To: <TCwCmcJp5-RWLecL1xx_zguz7q43_RC_93h4Ostea2Y=.91f94884-339c-4f01-b6b0-8b38df872829@github.com>
References: <TCwCmcJp5-RWLecL1xx_zguz7q43_RC_93h4Ostea2Y=.91f94884-339c-4f01-b6b0-8b38df872829@github.com>
Message-ID: <fK4W1OFSaOrA0ZJ1ySKTgXIbrwUlBAoOS8bitpS7M0E=.38f1ea3a-13a0-4971-bb02-1807bbf3a2a0@github.com>

On Thu, 9 Dec 2021 08:25:17 GMT, Matthias Baesken <mbaesken at openjdk.org> wrote:

> Please review this small test fix.
> KeytoolOpensslInteropTest.java fails with the output below.
> Seems on our SUSE Linux 15 (openssl is
> ~> openssl version
> OpenSSL 1.1.0i-fips 14 Aug 2018
> ) we get a slightly different output with a blank missing after "MAC:" :
> 
> :stdErr:
> Mon Dec 06 21:54:48 CET 2021
> stdout: [];
> stderr: [MAC:sha256 Iteration 10000
>  . . .
> java.lang.RuntimeException: 'MAC: sha256, Iteration 10000' missing from stdout/stderr
> 
> So it is necessary to adjust the test to the other openssl version.

All good.

-------------

Marked as reviewed by stuefe (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/6779

From duke at openjdk.java.net  Fri Dec 10 18:25:16 2021
From: duke at openjdk.java.net (Andrey Turbanov)
Date: Fri, 10 Dec 2021 18:25:16 GMT
Subject: RFR: 8274809: Update java.base classes to use try-with-resources
 [v4]
In-Reply-To: <jo3rGZRr13r1FE4-ITCLaSdf0so3aW3CvhPvIuCz4vw=.de4864ab-1f3d-4dbd-9f40-c40223e5ade5@github.com>
References: <NIhcEALtWMfPW2z9M3VQHhpg1OXK1nHocQ-mWpiuXdw=.ae6caa99-1bfd-44ff-9e94-6dbc1b4947e8@github.com>
 <FZuIidy72Sp0Bj9To9eH5dUGHDyF_kd20Dyqw-fPPAA=.61a14a85-d5ab-4268-97f3-3d6e511e5988@github.com>
 <ap2Zchppv4BCYi-69qP3aRu0OAF4alyt8FYmZvvqgn4=.8e34e2b5-7cc0-4bb7-8bde-74c42f060642@github.com>
 <3zvnrVEIrgEjiuG3f74jlc_PvvkfTnImTs9uHUiJxJE=.a5375473-bd4a-40d1-9e78-22e380b790d5@github.com>
 <jo3rGZRr13r1FE4-ITCLaSdf0so3aW3CvhPvIuCz4vw=.de4864ab-1f3d-4dbd-9f40-c40223e5ade5@github.com>
Message-ID: <8dYARma8CbANmuuxRQuUMOJuGCLO54s7M_80lIFJBmI=.58aee0dc-0607-4fe6-a8c1-077ad879886c@github.com>

On Thu, 9 Dec 2021 01:25:20 GMT, Bradford Wetmore <wetmore at openjdk.org> wrote:

>> That's one of the places where I personally would always use the var keyword too: it makes the line shorter and the type is already clearly visible in the RHS of the assignment, so repeating it on the left hand side does not bring much value...
>
> Just interesting that the style wasn't consistent.  Both ways are fine by me.

I used `var` only in places, where it allows to reduce line length to be less than 80.

-------------

PR: https://git.openjdk.java.net/jdk/pull/5818

From weijun at openjdk.java.net  Fri Dec 10 23:17:39 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Fri, 10 Dec 2021 23:17:39 GMT
Subject: RFR: 8278560: X509KeyManagerImpl::getAliases might return a good key
 with others
Message-ID: <sDL4158kuJjPthn0fbhJZjZVv9zlb-peR383jBky6B0=.8def0eec-e44e-4d26-89f3-3c3de060b484@github.com>

Perfect match does not always appear at the beginning if there are multiple KeyTypes.

-------------

Commit messages:
 - 8278560: X509KeyManagerImpl::getAliases might return a good key with others

Changes: https://git.openjdk.java.net/jdk/pull/6804/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6804&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8278560
  Stats: 103 lines in 2 files changed: 95 ins; 2 del; 6 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6804.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6804/head:pull/6804

PR: https://git.openjdk.java.net/jdk/pull/6804

From ecki at zusammenkunft.net  Mon Dec 13 06:28:53 2021
From: ecki at zusammenkunft.net (Bernd Eckenfels)
Date: Mon, 13 Dec 2021 06:28:53 +0000
Subject: Why no JNDI de-ser killswitch
Message-ID: <PAXPR08MB7107FA5AD4CE2B67EABDF065BA749@PAXPR08MB7107.eurprd08.prod.outlook.com>

Hello,

I can understand that ldapcontext.lookup() still has to use unsafe deserialisation for legacy reasons (JMS factories etc). But it would be really good if there would be a bit more infra like a killswitch or url-prefix filter JNDI for those who don?t need that.

It was a rather damaging move to claim that there is a fix when the actual rce with JNDI is still present.

I tink the new ObjectInputStream filters (jep290) are a good thing, but they are not easy to set globally on a bigger app server,especially not with 8 and 11 without jep415. So I think that?s not sufficient

Gruss
Bernd


--
http://bernd.eckenfels.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.java.net/pipermail/security-dev/attachments/20211213/3509d0f3/attachment.htm>

From mbaesken at openjdk.java.net  Mon Dec 13 07:51:14 2021
From: mbaesken at openjdk.java.net (Matthias Baesken)
Date: Mon, 13 Dec 2021 07:51:14 GMT
Subject: Integrated: JDK-8278344:
 sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of
 different openssl output
In-Reply-To: <TCwCmcJp5-RWLecL1xx_zguz7q43_RC_93h4Ostea2Y=.91f94884-339c-4f01-b6b0-8b38df872829@github.com>
References: <TCwCmcJp5-RWLecL1xx_zguz7q43_RC_93h4Ostea2Y=.91f94884-339c-4f01-b6b0-8b38df872829@github.com>
Message-ID: <5TOwZqH6GbIrdPyi4d_87J0PYVrsoR70rmLlGol3EQc=.1d3b474e-25ee-4300-9e77-6af8f24bca92@github.com>

On Thu, 9 Dec 2021 08:25:17 GMT, Matthias Baesken <mbaesken at openjdk.org> wrote:

> Please review this small test fix.
> KeytoolOpensslInteropTest.java fails with the output below.
> Seems on our SUSE Linux 15 (openssl is
> ~> openssl version
> OpenSSL 1.1.0i-fips 14 Aug 2018
> ) we get a slightly different output with a blank missing after "MAC:" :
> 
> :stdErr:
> Mon Dec 06 21:54:48 CET 2021
> stdout: [];
> stderr: [MAC:sha256 Iteration 10000
>  . . .
> java.lang.RuntimeException: 'MAC: sha256, Iteration 10000' missing from stdout/stderr
> 
> So it is necessary to adjust the test to the other openssl version.

This pull request has now been integrated.

Changeset: 8b5ff4bd
Author:    Matthias Baesken <mbaesken at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/8b5ff4bdffc8f32317d67b00c085071d6c772b30
Stats:     2 lines in 1 file changed: 0 ins; 0 del; 2 mod

8278344: sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of different openssl output

Reviewed-by: mdoerr, goetz, stuefe

-------------

PR: https://git.openjdk.java.net/jdk/pull/6779

From weijun at openjdk.java.net  Mon Dec 13 14:25:14 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Mon, 13 Dec 2021 14:25:14 GMT
Subject: RFR: JDK-8278344:
 sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of
 different openssl output
In-Reply-To: <TCwCmcJp5-RWLecL1xx_zguz7q43_RC_93h4Ostea2Y=.91f94884-339c-4f01-b6b0-8b38df872829@github.com>
References: <TCwCmcJp5-RWLecL1xx_zguz7q43_RC_93h4Ostea2Y=.91f94884-339c-4f01-b6b0-8b38df872829@github.com>
Message-ID: <9JtynJxjR3NdlN22eChCUEuSKzJbp2Wf1SUQsG7W6uw=.67ac2467-ac78-46d4-afb1-0016df65f775@github.com>

On Thu, 9 Dec 2021 08:25:17 GMT, Matthias Baesken <mbaesken at openjdk.org> wrote:

> Please review this small test fix.
> KeytoolOpensslInteropTest.java fails with the output below.
> Seems on our SUSE Linux 15 (openssl is
> ~> openssl version
> OpenSSL 1.1.0i-fips 14 Aug 2018
> ) we get a slightly different output with a blank missing after "MAC:" :
> 
> :stdErr:
> Mon Dec 06 21:54:48 CET 2021
> stdout: [];
> stderr: [MAC:sha256 Iteration 10000
>  . . .
> java.lang.RuntimeException: 'MAC: sha256, Iteration 10000' missing from stdout/stderr
> 
> So it is necessary to adjust the test to the other openssl version.

Sorry about the late comment, but the updated code would allow those 3 strings appearing on different lines. Maybe a `shouldMatch` can be more precise.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6779

From ecki at zusammenkunft.net  Tue Dec 14 11:57:21 2021
From: ecki at zusammenkunft.net (Bernd Eckenfels)
Date: Tue, 14 Dec 2021 11:57:21 +0000
Subject: Why no JNDI de-ser killswitch
In-Reply-To: <PAXPR08MB7107FA5AD4CE2B67EABDF065BA749@PAXPR08MB7107.eurprd08.prod.outlook.com>
References: <PAXPR08MB7107FA5AD4CE2B67EABDF065BA749@PAXPR08MB7107.eurprd08.prod.outlook.com>
Message-ID: <AM9P193MB1142F80FE09E71AE8311A036FF759@AM9P193MB1142.EURP193.PROD.OUTLOOK.COM>

That policy to not comment on security issues is really frustrating. Or even worse are there other reasons I get ignored?

Anyway, i got a note on Twitter that 17 and 8(April) backport has a specific system property already:

?<https://www.oracle.com/java/technologies/javase/8u291-relnotes.html#JDK-8244473> New System and Security Properties to Control Reconstruction of Remote Objects by JDK's Built-in JNDI RMI and LDAP Implementations

jdk.jndi.object.factoriesFilter

com.sun.jndi.ldap.object.trustSerialData

Those seem to be an important fix, not sure how I could miss them and why nobody mentioned them in the log4shell discussions yet.

Gruss
Bernd


--
http://bernd.eckenfels.net
________________________________
Von: security-dev <security-dev-retn at openjdk.java.net> im Auftrag von Bernd Eckenfels <ecki at zusammenkunft.net>
Gesendet: Monday, December 13, 2021 7:28:53 AM
An: security-dev at openjdk.java.net <security-dev at openjdk.java.net>
Betreff: Why no JNDI de-ser killswitch

Hello,

I can understand that ldapcontext.lookup() still has to use unsafe deserialisation for legacy reasons (JMS factories etc). But it would be really good if there would be a bit more infra like a killswitch or url-prefix filter JNDI for those who don?t need that.

It was a rather damaging move to claim that there is a fix when the actual rce with JNDI is still present.

I tink the new ObjectInputStream filters (jep290) are a good thing, but they are not easy to set globally on a bigger app server,especially not with 8 and 11 without jep415. So I think that?s not sufficient

Gruss
Bernd


--
http://bernd.eckenfels.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.java.net/pipermail/security-dev/attachments/20211214/8b45e2ce/attachment.htm>

From weijun at openjdk.java.net  Tue Dec 14 15:36:37 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Tue, 14 Dec 2021 15:36:37 GMT
Subject: [jdk18] RFR: 8278744: KeyStore:getAttributes() not returning
 unmodifiable Set
Message-ID: <EVch5Z95TfFOf__-JUPnbofw81YDhVFfiWmesLXtiVQ=.2128de25-be4b-46d5-bd34-ac75fef7dd05@github.com>

Make the return value of `PKCS12KeyStore::engineGetAttributes` immutable. Gather the `getAttributes()` value into a new `HashSet` and then make it immutable. This ensures the final result itself is not mutable and it also will not change even if the internal `entry.attributes` is modified.

-------------

Commit messages:
 - 8278744: KeyStore:getAttributes() not returning unmodifiable Set

Changes: https://git.openjdk.java.net/jdk18/pull/23/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk18&pr=23&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8278744
  Stats: 65 lines in 2 files changed: 64 ins; 0 del; 1 mod
  Patch: https://git.openjdk.java.net/jdk18/pull/23.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk18 pull/23/head:pull/23

PR: https://git.openjdk.java.net/jdk18/pull/23

From weijun at openjdk.java.net  Tue Dec 14 16:45:10 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Tue, 14 Dec 2021 16:45:10 GMT
Subject: Withdrawn: 8255266: 2021-11-27 public suffix list update v 3c213aa
In-Reply-To: <GbvST0PI0Rj6lpXJ_mq9r4egd9bIaCMWsNHkiNIgRLM=.938936fb-6030-454a-a9a6-0cc0cba37120@github.com>
References: <GbvST0PI0Rj6lpXJ_mq9r4egd9bIaCMWsNHkiNIgRLM=.938936fb-6030-454a-a9a6-0cc0cba37120@github.com>
Message-ID: <EF5shXWT4KAkyxw4JOnrlRK8ntLU4588sc4rP9g9zfI=.66a548e2-60ea-43e6-9704-0a162c05da25@github.com>

On Wed, 1 Dec 2021 17:03:24 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Update Public Suffix List data to the latest version at https://github.com/publicsuffix/list.

This pull request has been closed without being integrated.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6643

From mullan at openjdk.java.net  Tue Dec 14 18:08:34 2021
From: mullan at openjdk.java.net (Sean Mullan)
Date: Tue, 14 Dec 2021 18:08:34 GMT
Subject: [jdk18] RFR: 8278744: KeyStore:getAttributes() not returning
 unmodifiable Set
In-Reply-To: <EVch5Z95TfFOf__-JUPnbofw81YDhVFfiWmesLXtiVQ=.2128de25-be4b-46d5-bd34-ac75fef7dd05@github.com>
References: <EVch5Z95TfFOf__-JUPnbofw81YDhVFfiWmesLXtiVQ=.2128de25-be4b-46d5-bd34-ac75fef7dd05@github.com>
Message-ID: <z8sNFWnf7BTI76P2Z_Ro2m8nqIL7QNsQtK4sf5Qeu2g=.06058cc2-7c50-4311-9e6f-b81984019b16@github.com>

On Tue, 14 Dec 2021 15:24:58 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Make the return value of `PKCS12KeyStore::engineGetAttributes` immutable. Gather the `getAttributes()` value into a new `HashSet` and then make it immutable. This ensures the final result itself is not mutable and it also will not change even if the internal `entry.attributes` is modified.

Marked as reviewed by mullan (Reviewer).

-------------

PR: https://git.openjdk.java.net/jdk18/pull/23

From weijun at openjdk.java.net  Tue Dec 14 18:42:42 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Tue, 14 Dec 2021 18:42:42 GMT
Subject: [jdk18] Integrated: 8278744: KeyStore:getAttributes() not returning
 unmodifiable Set
In-Reply-To: <EVch5Z95TfFOf__-JUPnbofw81YDhVFfiWmesLXtiVQ=.2128de25-be4b-46d5-bd34-ac75fef7dd05@github.com>
References: <EVch5Z95TfFOf__-JUPnbofw81YDhVFfiWmesLXtiVQ=.2128de25-be4b-46d5-bd34-ac75fef7dd05@github.com>
Message-ID: <drv1AI34-v_Izk2nLvsVSMmUQAEzZYiddpGxh0YammU=.a432ca01-ada7-44a1-828f-b85390663f26@github.com>

On Tue, 14 Dec 2021 15:24:58 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Make the return value of `PKCS12KeyStore::engineGetAttributes` immutable. Gather the `getAttributes()` value into a new `HashSet` and then make it immutable. This ensures the final result itself is not mutable and it also will not change even if the internal `entry.attributes` is modified.

This pull request has now been integrated.

Changeset: 0cc989b7
Author:    Weijun Wang <weijun at openjdk.org>
URL:       https://git.openjdk.java.net/jdk18/commit/0cc989b7d2fa3b903d71b7baab53b853455005ba
Stats:     65 lines in 2 files changed: 64 ins; 0 del; 1 mod

8278744: KeyStore:getAttributes() not returning unmodifiable Set

Reviewed-by: mullan

-------------

PR: https://git.openjdk.java.net/jdk18/pull/23

From valeriep at openjdk.java.net  Tue Dec 14 18:44:04 2021
From: valeriep at openjdk.java.net (Valerie Peng)
Date: Tue, 14 Dec 2021 18:44:04 GMT
Subject: RFR: 8209398: sun/security/pkcs11/KeyStore/SecretKeysBasic.sh failed
 with "PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE"
Message-ID: <WvEPUh_cR894VmyOsxKlgXWYTT3xBMRV9tj7cjVWcvY=.5d051301-5155-4c2a-9a34-b7c0ec024085@github.com>

Can someone help review this small fix? NSS returns PKCS11 CKR_ATTRIBUTE_SENSITIVE error when trying to retrieve CKA_VALUE out of its token keys. So this fix is to add special handling for NSS token secret keys. There is already an existing regression test which detects this and disabled in ProblemList.txt. Removing that test from ProblemList.txt to verify this fix.

Thanks,
Valerie

-------------

Commit messages:
 - 8209398: sun/security/pkcs11/KeyStore/SecretKeysBasic.sh failed with "PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE"

Changes: https://git.openjdk.java.net/jdk/pull/6837/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6837&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8209398
  Stats: 9 lines in 2 files changed: 4 ins; 2 del; 3 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6837.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6837/head:pull/6837

PR: https://git.openjdk.java.net/jdk/pull/6837

From bulasevich at openjdk.java.net  Wed Dec 15 09:29:22 2021
From: bulasevich at openjdk.java.net (Boris Ulasevich)
Date: Wed, 15 Dec 2021 09:29:22 GMT
Subject: RFR: 8275914: SHA3: changing java implementation to help C2 create
 high-performance code
Message-ID: <-GdKYnL17OXkOLuGXufGFWJWhGqaVJVrVmebnSvihbc=.e1520a9a-a4f4-4c11-ba11-1ca07f50aa64@github.com>

Background

The goal is to improve SHA3 implementation performance as it runs up to two times slower than native (OpenSSL, measured on AMD64 and AArch6464) implementation. Some hardware provides SHA3 accelerators, but most (AMD64 and most ARM64) do not.

For ARM64 hardware that does support SHA3 accelerators, an intrinsic was implemented for ARMv8.2 with SHA3 instructions support:
- [JDK-8252204](https://bugs.openjdk.java.net/browse/JDK-8252204): AArch64: Implement SHA3 accelerator/intrinsic

SHA3 java implementation have already been reworked to eliminate memory consumption and make it work faster:
- [JDK-8157495](https://bugs.openjdk.java.net/browse/JDK-8157495): SHA-3 Hash algorithm performance improvements (~12x speedup)
The latter issue addressed this previously, but there is still some room to improve SHA3 performance with current C2 implementation, which is proposed in this PR.

Option 1 (this PR)

With this change I unroll the internal cycles manually, inline it manually, and use local variables (not array) for data processing. Such an approach gives the best performance (see benchmark results). Without this change (with current array data processing) we observe a lot of load/store operations in comparison to processing in local variables, both on AMD64 and on AArch64.  
Native implementations shows that on AArch64 (32 GPU registers) SHA-3 algorithm can hold all 25 data and all temporary variables in registers. C2 can't optimize it as well because many regisers are allocated for internal usage: rscratch1, rscratch2, rmethod, rthread, etc.  With data in local variables the number of excessive load/stores is much smaller and performance result is much better.

Option 2 (alternative)

LINK: [the change](https://github.com/bulasevich/jdk/commit/095fc9db)

This is a more conservative change which minimizes code changes, but it has lower performance improvement. Please let me know if you think this change is better then main one: in this case I will replace it within this Pull Request.

With this change I unroll the internal cycles manually and use @Forceinline annotation. Manual unrolling is necessary because C2 does not recognize there is a counted cycle that can be completely unrolled. Instead of replacing the loop with five loop bodies C2 splits the loop to pre- main- and post- loop which is not good for this case. C2 works better when the array is created locally, but in our case the array is created on object instantiation, so C2 can't prove the array length is constant. The second issue affecting performance is that methods with unrolled loops get larger and C2 does not inline them. It's addressed here by using @Forceinline annotation.

Benchmark results

We measured the change on four platforms: ARM32, PPC, ARM64 (with no advanced SHA-3 instructions) and AMD on
  [MessageDigests](https://github.com/openjdk/jdk/blob/master/test/micro/org/openjdk/bench/java/security/MessageDigests.java) benchmark. Here is the result: http://cr.openjdk.java.net/~bulasevich/8275914/sha3_bench.html
- fix1 (red) is the Option 1 (this PR) change: gains 50/38/83/38% on ARM32/PPC/AArch64/AMD64
- fix2 (green) is the Option 2 (alternative) change: gains 23/33/40/17% on ARM32/PPC/AArch64/AMD64

Testing

Tested with JTREG and SHA-3 Project (NIST) test vectors: run SHA3 implementation over the same vectors before and after the change, and checking the results are the same.
The test tool: http://cr.openjdk.java.net/~bulasevich/8275914/RunKat.java
The test vectors compiled from the [Final Algorithm Package](https://csrc.nist.gov/Projects/Hash-Functions/SHA-3-Project):
http://cr.openjdk.java.net/~bulasevich/8275914/MsgKAT_224.txt
http://cr.openjdk.java.net/~bulasevich/8275914/MsgKAT_256.txt
http://cr.openjdk.java.net/~bulasevich/8275914/MsgKAT_384.txt
http://cr.openjdk.java.net/~bulasevich/8275914/MsgKAT_512.txt

-------------

Commit messages:
 - Apply manual inline and unroll, plus moving data into local variables to help C2 with SHA3 impl

Changes: https://git.openjdk.java.net/jdk/pull/6847/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6847&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8275914
  Stats: 208 lines in 1 file changed: 114 ins; 93 del; 1 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6847.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6847/head:pull/6847

PR: https://git.openjdk.java.net/jdk/pull/6847

From mullan at openjdk.java.net  Wed Dec 15 13:11:58 2021
From: mullan at openjdk.java.net (Sean Mullan)
Date: Wed, 15 Dec 2021 13:11:58 GMT
Subject: RFR: 8278186: throw StringIndexOutOfBoundsException when calling
 substring method
In-Reply-To: <xfmnKWDciWYGayy95zZDJD6mUw8WSwBugm3xNYB7JMA=.a8587fbb-c002-483b-bf5c-b0b42df1cd02@github.com>
References: <xfmnKWDciWYGayy95zZDJD6mUw8WSwBugm3xNYB7JMA=.a8587fbb-c002-483b-bf5c-b0b42df1cd02@github.com>
Message-ID: <WvD3iOF4cWDGSy8KZPOtAasyZ3_bD2mACMrcIg8OOzA=.73fb04ce-19d1-4eb8-bd3c-0ee3f8c6643c@github.com>

On Wed, 8 Dec 2021 15:36:36 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Add check on `xpointer(id('name'))` format.

Can you change the title of the bug to "org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method"

-------------

PR: https://git.openjdk.java.net/jdk/pull/6769

From dchuyko at openjdk.java.net  Wed Dec 15 14:25:56 2021
From: dchuyko at openjdk.java.net (Dmitry Chuyko)
Date: Wed, 15 Dec 2021 14:25:56 GMT
Subject: RFR: 8275914: SHA3: changing java implementation to help C2 create
 high-performance code
In-Reply-To: <-GdKYnL17OXkOLuGXufGFWJWhGqaVJVrVmebnSvihbc=.e1520a9a-a4f4-4c11-ba11-1ca07f50aa64@github.com>
References: <-GdKYnL17OXkOLuGXufGFWJWhGqaVJVrVmebnSvihbc=.e1520a9a-a4f4-4c11-ba11-1ca07f50aa64@github.com>
Message-ID: <fUBRaZmSV35VW2Z9DBOij6c28Heid-erBpSnnLJQIIA=.5bd31ee0-f5e9-4657-84c0-884879610577@github.com>

On Wed, 15 Dec 2021 09:20:38 GMT, Boris Ulasevich <bulasevich at openjdk.org> wrote:

> Background
> 
> The goal is to improve SHA3 implementation performance as it runs up to two times slower than native (OpenSSL, measured on AMD64 and AArch6464) implementation. Some hardware provides SHA3 accelerators, but most (AMD64 and most AArch64) do not.
> 
> For AArch64 hardware that does support SHA3 accelerators, an intrinsic was implemented for ARMv8.2 with SHA3 instructions support:
> - [JDK-8252204](https://bugs.openjdk.java.net/browse/JDK-8252204): AArch64: Implement SHA3 accelerator/intrinsic
> 
> SHA3 java implementation have already been reworked to eliminate memory consumption and make it work faster:
> - [JDK-8157495](https://bugs.openjdk.java.net/browse/JDK-8157495): SHA-3 Hash algorithm performance improvements (~12x speedup)
> The latter issue addressed this previously, but there is still some room to improve SHA3 performance with current C2 implementation, which is proposed in this PR.
> 
> Option 1 (this PR)
> 
> With this change I unroll the internal cycles manually, inline it manually, and use local variables (not array) for data processing. Such an approach gives the best performance (see benchmark results). Without this change (with current array data processing) we observe a lot of load/store operations in comparison to processing in local variables, both on AMD64 and on AArch64.  
> Native implementations shows that on AArch64 (32 GPU registers) SHA-3 algorithm can hold all 25 data and all temporary variables in registers. C2 can't optimize it as well because many regisers are allocated for internal usage: rscratch1, rscratch2, rmethod, rthread, etc.  With data in local variables the number of excessive load/stores is much smaller and performance result is much better.
> 
> Option 2 (alternative)
> 
> LINK: [the change](https://github.com/bulasevich/jdk/commit/095fc9db)
> 
> This is a more conservative change which minimizes code changes, but it has lower performance improvement. Please let me know if you think this change is better then main one: in this case I will replace it within this Pull Request.
> 
> With this change I unroll the internal cycles manually and use @Forceinline annotation. Manual unrolling is necessary because C2 does not recognize there is a counted cycle that can be completely unrolled. Instead of replacing the loop with five loop bodies C2 splits the loop to pre- main- and post- loop which is not good for this case. C2 works better when the array is created locally, but in our case the array is created on object instantiation, so C2 can't prove the array length is constant. The second issue affecting performance is that methods with unrolled loops get larger and C2 does not inline them. It's addressed here by using @Forceinline annotation.
> 
> Benchmark results
> 
> We measured the change on four platforms: ARM32, PPC, AArch64 (with no advanced SHA-3 instructions) and AMD on
>   [MessageDigests](https://github.com/openjdk/jdk/blob/master/test/micro/org/openjdk/bench/java/security/MessageDigests.java) benchmark. Here is the result: http://cr.openjdk.java.net/~bulasevich/8275914/sha3_bench.html
> - fix1 (red) is the Option 1 (this PR) change: gains 50/38/83/38% on ARM32/PPC/AArch64/AMD64
> - fix2 (green) is the Option 2 (alternative) change: gains 23/33/40/17% on ARM32/PPC/AArch64/AMD64
> 
> Testing
> 
> Tested with JTREG and SHA-3 Project (NIST) test vectors: run SHA3 implementation over the same vectors before and after the change, and checking the results are the same.
> The test tool: http://cr.openjdk.java.net/~bulasevich/8275914/RunKat.java
> The test vectors compiled from the [Final Algorithm Package](https://csrc.nist.gov/Projects/Hash-Functions/SHA-3-Project):
> http://cr.openjdk.java.net/~bulasevich/8275914/MsgKAT_224.txt
> http://cr.openjdk.java.net/~bulasevich/8275914/MsgKAT_256.txt
> http://cr.openjdk.java.net/~bulasevich/8275914/MsgKAT_384.txt
> http://cr.openjdk.java.net/~bulasevich/8275914/MsgKAT_512.txt

@kuksenko You used to improve this code before, could you share your opinion?

-------------

PR: https://git.openjdk.java.net/jdk/pull/6847

From mullan at openjdk.java.net  Wed Dec 15 14:30:05 2021
From: mullan at openjdk.java.net (Sean Mullan)
Date: Wed, 15 Dec 2021 14:30:05 GMT
Subject: RFR: 8278186: throw StringIndexOutOfBoundsException when calling
 substring method
In-Reply-To: <xfmnKWDciWYGayy95zZDJD6mUw8WSwBugm3xNYB7JMA=.a8587fbb-c002-483b-bf5c-b0b42df1cd02@github.com>
References: <xfmnKWDciWYGayy95zZDJD6mUw8WSwBugm3xNYB7JMA=.a8587fbb-c002-483b-bf5c-b0b42df1cd02@github.com>
Message-ID: <byAfCKeBKBfUss8QVFh4Q2DDPMdNfeoyk2Fw38nsNCU=.f858f80e-be43-4e37-8148-16a8bd278add@github.com>

On Wed, 8 Dec 2021 15:36:36 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Add check on `xpointer(id('name'))` format.

Marked as reviewed by mullan (Reviewer).

-------------

PR: https://git.openjdk.java.net/jdk/pull/6769

From skuksenko at openjdk.java.net  Wed Dec 15 15:37:58 2021
From: skuksenko at openjdk.java.net (Sergey Kuksenko)
Date: Wed, 15 Dec 2021 15:37:58 GMT
Subject: RFR: 8275914: SHA3: changing java implementation to help C2 create
 high-performance code
In-Reply-To: <fUBRaZmSV35VW2Z9DBOij6c28Heid-erBpSnnLJQIIA=.5bd31ee0-f5e9-4657-84c0-884879610577@github.com>
References: <-GdKYnL17OXkOLuGXufGFWJWhGqaVJVrVmebnSvihbc=.e1520a9a-a4f4-4c11-ba11-1ca07f50aa64@github.com>
 <fUBRaZmSV35VW2Z9DBOij6c28Heid-erBpSnnLJQIIA=.5bd31ee0-f5e9-4657-84c0-884879610577@github.com>
Message-ID: <RKkWJF8xLvI1jRrUxL9OtWgJAlBZPru_pHPPBBLY04g=.d343141a-bf76-48f9-9a3f-fd5c85d8c219@github.com>

On Wed, 15 Dec 2021 14:22:34 GMT, Dmitry Chuyko <dchuyko at openjdk.org> wrote:

> @kuksenko You used to improve this code before, could you share your opinion?

I think benchmark results table tells more. :)

-------------

PR: https://git.openjdk.java.net/jdk/pull/6847

From weijun at openjdk.java.net  Wed Dec 15 17:04:07 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Wed, 15 Dec 2021 17:04:07 GMT
Subject: Integrated: 8278186:
 org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws
 StringIndexOutOfBoundsException when calling substring method
In-Reply-To: <xfmnKWDciWYGayy95zZDJD6mUw8WSwBugm3xNYB7JMA=.a8587fbb-c002-483b-bf5c-b0b42df1cd02@github.com>
References: <xfmnKWDciWYGayy95zZDJD6mUw8WSwBugm3xNYB7JMA=.a8587fbb-c002-483b-bf5c-b0b42df1cd02@github.com>
Message-ID: <A5IdU6cM3SABnUtHk6C9vTJwgkYD4xX3Rcr0ULsliEg=.97dd68c2-12ee-499a-a68b-bd5e5f176bd2@github.com>

On Wed, 8 Dec 2021 15:36:36 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Add check on `xpointer(id('name'))` format.

This pull request has now been integrated.

Changeset: 1f1db838
Author:    Weijun Wang <weijun at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/1f1db838ab7d427170d59a8b55fdb45c4d80c359
Stats:     75 lines in 4 files changed: 66 ins; 0 del; 9 mod

8278186: org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method

Reviewed-by: mullan

-------------

PR: https://git.openjdk.java.net/jdk/pull/6769

From jwilhelm at openjdk.java.net  Wed Dec 15 23:29:07 2021
From: jwilhelm at openjdk.java.net (Jesper Wilhelmsson)
Date: Wed, 15 Dec 2021 23:29:07 GMT
Subject: RFR: Merge jdk18
Message-ID: <qKJ_aLS34-nMhp9K8Tf3CzC2mNzRkqPK-S7-4F7TXR0=.fb4ea675-ae5c-4697-8dbb-1f91b1d4631d@github.com>

Forwardport JDK 18 -> JDK 19

-------------

Commit messages:
 - Merge
 - 8277964: ClassCastException with no stack trace is thrown with -Xcomp in method handle invocation
 - 8272064: test/jdk/jdk/jfr/api/consumer/TestHiddenMethod.java needs update for JEP 416
 - 8278607: Misc issues in foreign API javadoc
 - 8278233: [macos] tools/jpackage tests timeout due to /usr/bin/osascript
 - 8278758: runtime/BootstrapMethod/BSMCalledTwice.java fails with release VMs after JDK-8262134
 - 8278744: KeyStore:getAttributes() not returning unmodifiable Set
 - 8277919: OldObjectSample event causing bloat in the class constant pool in JFR recording
 - 8262134: compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt"

The merge commit only contains trivial merges, so no merge-specific webrevs have been generated.

Changes: https://git.openjdk.java.net/jdk/pull/6856/files
  Stats: 341 lines in 27 files changed: 269 ins; 12 del; 60 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6856.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6856/head:pull/6856

PR: https://git.openjdk.java.net/jdk/pull/6856

From jwilhelm at openjdk.java.net  Thu Dec 16 00:31:05 2021
From: jwilhelm at openjdk.java.net (Jesper Wilhelmsson)
Date: Thu, 16 Dec 2021 00:31:05 GMT
Subject: RFR: Merge jdk18 [v2]
In-Reply-To: <qKJ_aLS34-nMhp9K8Tf3CzC2mNzRkqPK-S7-4F7TXR0=.fb4ea675-ae5c-4697-8dbb-1f91b1d4631d@github.com>
References: <qKJ_aLS34-nMhp9K8Tf3CzC2mNzRkqPK-S7-4F7TXR0=.fb4ea675-ae5c-4697-8dbb-1f91b1d4631d@github.com>
Message-ID: <y7WKIhY7achDv7Sv5kNbRhrTVdbcRbhoTSaTP8k5pWI=.e6150fe3-5235-4ce3-add7-214f43744230@github.com>

> Forwardport JDK 18 -> JDK 19

Jesper Wilhelmsson has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 53 additional commits since the last revision:

 - Merge
 - 8278020: ~13% variation in Renaissance-Scrabble
   
   Reviewed-by: dholmes, stuefe, kvn
 - 8274898: Cleanup usages of StringBuffer in jdk tools modules
   
   Reviewed-by: sspitsyn, lmesnik
 - 8269838: BasicTypeDataBase.findDynamicTypeForAddress(addr, basetype) can be simplified
   
   Reviewed-by: kevinw, sspitsyn
 - 8278186: org.jcp.xml.dsig.internal.dom.Utils.parseIdFromSameDocumentURI throws StringIndexOutOfBoundsException when calling substring method
   
   Reviewed-by: mullan
 - 8278241: Implement JVM SpinPause on linux-aarch64
   
   Reviewed-by: aph, phh
 - 8278842: Parallel: Remove unused VerifyObjectStartArrayClosure::_old_gen
   
   Reviewed-by: tschatzl
 - 8278548: G1: Remove unnecessary check in forward_to_block_containing_addr
   
   Reviewed-by: tschatzl, mli, sjohanss
 - 8202579: Revisit VM_Version and VM_Version_ext for overlap and consolidation
   
   Reviewed-by: dholmes, hseigel
 - 8278351: Add function to retrieve worker_id from any context
   
   Reviewed-by: eosterlund, kbarrett, ayang
 - ... and 43 more: https://git.openjdk.java.net/jdk/compare/6d63c6dd...fa3d80e6

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/6856/files
  - new: https://git.openjdk.java.net/jdk/pull/6856/files/fa3d80e6..fa3d80e6

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6856&range=01
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6856&range=00-01

  Stats: 0 lines in 0 files changed: 0 ins; 0 del; 0 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6856.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6856/head:pull/6856

PR: https://git.openjdk.java.net/jdk/pull/6856

From jwilhelm at openjdk.java.net  Thu Dec 16 00:31:08 2021
From: jwilhelm at openjdk.java.net (Jesper Wilhelmsson)
Date: Thu, 16 Dec 2021 00:31:08 GMT
Subject: Integrated: Merge jdk18
In-Reply-To: <qKJ_aLS34-nMhp9K8Tf3CzC2mNzRkqPK-S7-4F7TXR0=.fb4ea675-ae5c-4697-8dbb-1f91b1d4631d@github.com>
References: <qKJ_aLS34-nMhp9K8Tf3CzC2mNzRkqPK-S7-4F7TXR0=.fb4ea675-ae5c-4697-8dbb-1f91b1d4631d@github.com>
Message-ID: <NW6w84HCdZDaJgGYmNne-G48bXyhaS9J1DTcRSYO3Hs=.ae992a0d-6391-408e-9abe-ed37d2e7374e@github.com>

On Wed, 15 Dec 2021 23:18:45 GMT, Jesper Wilhelmsson <jwilhelm at openjdk.org> wrote:

> Forwardport JDK 18 -> JDK 19

This pull request has now been integrated.

Changeset: e6b28e05
Author:    Jesper Wilhelmsson <jwilhelm at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/e6b28e05c6f7698f230b04199932d4fc81f41a89
Stats:     341 lines in 27 files changed: 269 ins; 12 del; 60 mod

Merge

-------------

PR: https://git.openjdk.java.net/jdk/pull/6856

From mcimadamore at openjdk.java.net  Thu Dec 16 12:39:24 2021
From: mcimadamore at openjdk.java.net (Maurizio Cimadamore)
Date: Thu, 16 Dec 2021 12:39:24 GMT
Subject: [jdk18] RFR: 8278897: Alignment of heap segments is not enforced
 correctly
Message-ID: <w1NvVtFnNkz2Bnj0FYsM9Ik7ESaRR6t6c-RzF9LPBAY=.789bd653-1d6b-4a85-86db-1fb35b3bf6b2@github.com>

This PR fixes an issue with alignment constraints not being enforced correctly on on-heap segments dereference/copy operations. Alignment of on-heap segments cannot be computed exactly, as alignment of elements in arrays is, ultimately a VM implementation detail. Because of this, alignment checks on heap segments can fail or pass depending on the platform being used.

For more details about the problem and the solution please refer to:
https://mail.openjdk.java.net/pipermail/panama-dev/2021-November/015852.html

-------------

Commit messages:
 - Initial push

Changes: https://git.openjdk.java.net/jdk18/pull/37/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk18&pr=37&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8278897
  Stats: 600 lines in 20 files changed: 566 ins; 0 del; 34 mod
  Patch: https://git.openjdk.java.net/jdk18/pull/37.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk18 pull/37/head:pull/37

PR: https://git.openjdk.java.net/jdk18/pull/37

From mcimadamore at openjdk.java.net  Thu Dec 16 12:39:24 2021
From: mcimadamore at openjdk.java.net (Maurizio Cimadamore)
Date: Thu, 16 Dec 2021 12:39:24 GMT
Subject: [jdk18] RFR: 8278897: Alignment of heap segments is not enforced
 correctly
In-Reply-To: <w1NvVtFnNkz2Bnj0FYsM9Ik7ESaRR6t6c-RzF9LPBAY=.789bd653-1d6b-4a85-86db-1fb35b3bf6b2@github.com>
References: <w1NvVtFnNkz2Bnj0FYsM9Ik7ESaRR6t6c-RzF9LPBAY=.789bd653-1d6b-4a85-86db-1fb35b3bf6b2@github.com>
Message-ID: <M761pO98FZkyV6ENtCe7ylk1sDnnwsOU8Ifi58-Dx_o=.3fe7d9c1-cf28-4381-bd66-cc859e808ad4@github.com>

On Thu, 16 Dec 2021 12:31:01 GMT, Maurizio Cimadamore <mcimadamore at openjdk.org> wrote:

> This PR fixes an issue with alignment constraints not being enforced correctly on on-heap segments dereference/copy operations. Alignment of on-heap segments cannot be computed exactly, as alignment of elements in arrays is, ultimately a VM implementation detail. Because of this, alignment checks on heap segments can fail or pass depending on the platform being used.
> 
> For more details about the problem and the solution please refer to:
> https://mail.openjdk.java.net/pipermail/panama-dev/2021-November/015852.html

Javadoc: http://cr.openjdk.java.net/~mcimadamore/8278897/v1/javadoc/jdk/incubator/foreign/package-summary.html
Specdiff: http://cr.openjdk.java.net/~mcimadamore/8278897/v1/specdiff_out/overview-summary.html

-------------

PR: https://git.openjdk.java.net/jdk18/pull/37

From xuelei at openjdk.java.net  Fri Dec 17 03:56:26 2021
From: xuelei at openjdk.java.net (Xue-Lei Andrew Fan)
Date: Fri, 17 Dec 2021 03:56:26 GMT
Subject: RFR: 8278560: X509KeyManagerImpl::getAliases might return a good
 key with others
In-Reply-To: <sDL4158kuJjPthn0fbhJZjZVv9zlb-peR383jBky6B0=.8def0eec-e44e-4d26-89f3-3c3de060b484@github.com>
References: <sDL4158kuJjPthn0fbhJZjZVv9zlb-peR383jBky6B0=.8def0eec-e44e-4d26-89f3-3c3de060b484@github.com>
Message-ID: <cqiuapsGirDy19zwyVxGCYMb9yWioLVuChiiXUxIuyM=.c1b39155-839f-469d-8873-c001f3303be3@github.com>

On Fri, 10 Dec 2021 23:09:46 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Perfect match does not always appear at the beginning if there are multiple KeyTypes.

Looks good to me.  Thank you!

-------------

Marked as reviewed by xuelei (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/6804

From weijun at openjdk.java.net  Fri Dec 17 12:17:31 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Fri, 17 Dec 2021 12:17:31 GMT
Subject: Integrated: 8278560: X509KeyManagerImpl::getAliases might return a
 good key with others
In-Reply-To: <sDL4158kuJjPthn0fbhJZjZVv9zlb-peR383jBky6B0=.8def0eec-e44e-4d26-89f3-3c3de060b484@github.com>
References: <sDL4158kuJjPthn0fbhJZjZVv9zlb-peR383jBky6B0=.8def0eec-e44e-4d26-89f3-3c3de060b484@github.com>
Message-ID: <xg2kJsi57-6TRWvyHxeW5KqFM4QGQoscKvYb5B3rcd8=.a89f78cc-8cb8-4a17-add8-92c5f815d9ef@github.com>

On Fri, 10 Dec 2021 23:09:46 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Perfect match does not always appear at the beginning if there are multiple KeyTypes.

This pull request has now been integrated.

Changeset: 6412d57a
Author:    Weijun Wang <weijun at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/6412d57a0a92ba08cc3db085b371ae1f7ba35ad5
Stats:     103 lines in 2 files changed: 95 ins; 2 del; 6 mod

8278560: X509KeyManagerImpl::getAliases might return a good key with others

Reviewed-by: xuelei

-------------

PR: https://git.openjdk.java.net/jdk/pull/6804

From alanb at openjdk.java.net  Sun Dec 19 07:40:29 2021
From: alanb at openjdk.java.net (Alan Bateman)
Date: Sun, 19 Dec 2021 07:40:29 GMT
Subject: [jdk18] RFR: JDK-8278967 rmiregistry fails to start because
 SecurityManager is disabled
In-Reply-To: <SziE17Iv5XvNQ3fXtIPMLyhyevlw5BMZrqsC2HDhy2o=.39c1f9fd-22a2-40d0-ac98-8da95f34f52f@github.com>
References: <SziE17Iv5XvNQ3fXtIPMLyhyevlw5BMZrqsC2HDhy2o=.39c1f9fd-22a2-40d0-ac98-8da95f34f52f@github.com>
Message-ID: <XCbGplub5NvbUblllEMQxytUHkXupGhgFKHw5yW8jmQ=.e33a3f0a-94cb-45ac-b2ef-b023da85a175@github.com>

On Fri, 17 Dec 2021 20:01:27 GMT, Stuart Marks <smarks at openjdk.org> wrote:

> Enable the security manager in rmiregistry's launcher arguments.

As things stand, `rmiregsitry -J-Djava.security.manager` and `rmiregistry -J-Djava.security.manager=allow` are equivalent because rmiregistry sets the default SM. Some difference may be observed if someone is running rmiregistry with a custom system class loader set, or custom file system provider, or running it with a JVM TI agent that is looking at events between VMStart and VMInit but these seem somewhat obscure scenarios for a command line program If rmiregstry worked with ToolProvider then I think there would be more to discuss. If the final patch is to have the launcher set the default security manager then we may want to change RegistryImpl.createRegistry to fail if not set.

The warning that is emitted for both cases is expected. JEP 411 is very clear that it there is no mechanism to suppress it. We may need to add a release note to document that rmiregistry will emit a warning a startup, that will at least be something to point at in the event that anyone asks or reports an issue.

-------------

PR: https://git.openjdk.java.net/jdk18/pull/45

From djelinski1 at gmail.com  Mon Dec 20 18:47:17 2021
From: djelinski1 at gmail.com (=?UTF-8?Q?Daniel_Jeli=C5=84ski?=)
Date: Mon, 20 Dec 2021 19:47:17 +0100
Subject: TLS 1.3 compatibility mode issue
Message-ID: <CAMrH03+=DLVo+KcAEnPc-PVQGjguwfZAQ3CyOqkXT8MKAPW5gw@mail.gmail.com>

Hello,
Some time ago I filed an issue on bugreport
(https://bugs.openjdk.java.net/browse/JDK-8277881) about the issue
where Java does not fill SessionID field in ClientHello message when
resuming a TLS 1.3 session.

The SessionID field is not required by TLS1.3; its resumption
mechanism relies on PSKs. The field was only added in "middlebox
compatibility mode" to fool network devices that are not aware of
TLS1.3 and expect a 2RTT handshake unless SessionID is present.

Java runs in compatibility mode by default, and sends a non-empty
SessionID on the initial handshake. However, if a TLS 1.3 session is
established during the initial connection, subsequent handshakes send
an empty SessionID.

Our customer reported an issue where our Java application was unable
to reliably establish a connection to a customer-provided server. When
we examined a tcpdump of a successful and a failed connection, the
only difference was in the SessionID field. Indeed, when we run the
application with jdk.tls.client.useCompatibilityMode set to false, all
connection attempts fail.

In https://github.com/openjdk/jdk/pull/6583 I propose a patch to set a
non-empty SessionID in TLS 1.3 ClientHello when running in
compatibility mode, even when resuming a TLS 1.3 session.

Let me know if there's anything else I can do to get the issue fixed.
Regards,
Daniel

From djelinski1 at gmail.com  Mon Dec 20 19:04:26 2021
From: djelinski1 at gmail.com (=?UTF-8?Q?Daniel_Jeli=C5=84ski?=)
Date: Mon, 20 Dec 2021 20:04:26 +0100
Subject: Incorrect exception strings
Message-ID: <CAMrH03L0fNYXHKypnY4uVMB7+9mgn1PMpmADfYWR4G_AQ70SQA@mail.gmail.com>

Hello,
I fixed a few exception strings that had missing spaces between words;
the PR can be found here https://github.com/openjdk/jdk/pull/6894.

I could use some assistance with a JBS ticket and reviews here.

On a side note, how can I get a JBS account?
Regards,
Daniel

From valerie.peng at oracle.com  Mon Dec 20 21:36:40 2021
From: valerie.peng at oracle.com (Valerie Peng)
Date: Mon, 20 Dec 2021 13:36:40 -0800
Subject: Incorrect exception strings
In-Reply-To: <CAMrH03L0fNYXHKypnY4uVMB7+9mgn1PMpmADfYWR4G_AQ70SQA@mail.gmail.com>
References: <CAMrH03L0fNYXHKypnY4uVMB7+9mgn1PMpmADfYWR4G_AQ70SQA@mail.gmail.com>
Message-ID: <78b8aac7-69bf-70f2-0316-ab6340d55700@oracle.com>

I filed https://bugs.openjdk.java.net/browse/JDK-8279043 for this and 
added a noreg-trivial label.

The usual process is to submit the PR with the associated bug id AFAIK.

Thanks,

Valerie

On 12/20/2021 11:04 AM, Daniel Jeli?ski wrote:
> Hello,
> I fixed a few exception strings that had missing spaces between words;
> the PR can be found here https://github.com/openjdk/jdk/pull/6894.
>
> I could use some assistance with a JBS ticket and reviews here.
>
> On a side note, how can I get a JBS account?
> Regards,
> Daniel

From smarks at openjdk.java.net  Mon Dec 20 22:35:34 2021
From: smarks at openjdk.java.net (Stuart Marks)
Date: Mon, 20 Dec 2021 22:35:34 GMT
Subject: [jdk18] RFR: JDK-8278967 rmiregistry fails to start because
 SecurityManager is disabled
In-Reply-To: <SziE17Iv5XvNQ3fXtIPMLyhyevlw5BMZrqsC2HDhy2o=.39c1f9fd-22a2-40d0-ac98-8da95f34f52f@github.com>
References: <SziE17Iv5XvNQ3fXtIPMLyhyevlw5BMZrqsC2HDhy2o=.39c1f9fd-22a2-40d0-ac98-8da95f34f52f@github.com>
Message-ID: <oE3n-Qm346QGuezStReumP2mNEKVFlbLEussXV_C6kc=.5bc857bc-fd94-40e3-8513-1db06f320f6d@github.com>

On Fri, 17 Dec 2021 20:01:27 GMT, Stuart Marks <smarks at openjdk.org> wrote:

> Enable the security manager in rmiregistry's launcher arguments.

I think there's little to worry about with custom configurations of the `rmiregistry` tool. What somebody might do is to enable a customized security manager using properties... of course they'd also have to ensure that the customized SM is somewhere in the classpath as well, by adding more command line options. That seems fairly unlikely to me. Anyone who wants to run an RMI registry service in some specialized configuration would probably just set things up themselves and then use the `LocateRegistry.createRegistry` API instead of trying to tinker with the `rmiregistry` command.

If `rmiregistry` enables the SM using properties, then yes we can probably change the code to assert that the SM is running instead of conditionally enabling it like it does now.

Next headache is that `tools/launcher/VersionCheck.jtr` fails because it sees the warning messages instead of the version string. (Argh!) Interestingly this test passes even though `rmiregistry` currently fails to operate normally, because it runs well enough to print its version string, but not well enough to start up a registry service. (Double argh!)

The warnings policy is a separate issue being discussed elsewhere.

-------------

PR: https://git.openjdk.java.net/jdk18/pull/45

From weijun.wang at oracle.com  Tue Dec 21 00:20:20 2021
From: weijun.wang at oracle.com (Wei-Jun Wang)
Date: Tue, 21 Dec 2021 00:20:20 +0000
Subject: Incorrect exception strings
In-Reply-To: <CAMrH03L0fNYXHKypnY4uVMB7+9mgn1PMpmADfYWR4G_AQ70SQA@mail.gmail.com>
References: <CAMrH03L0fNYXHKypnY4uVMB7+9mgn1PMpmADfYWR4G_AQ70SQA@mail.gmail.com>
Message-ID: <86DF058B-4E6B-404D-B4D4-627D80CA1853@oracle.com>



> On Dec 20, 2021, at 2:04 PM, Daniel Jeli?ski <djelinski1 at gmail.com> wrote:
> 
> Hello,
> I fixed a few exception strings that had missing spaces between words;
> the PR can be found here https://github.com/openjdk/jdk/pull/6894.
> 
> I could use some assistance with a JBS ticket and reviews here.
> 
> On a side note, how can I get a JBS account?

The "Account Help" link on https://id.openjdk.java.net/console/login leads to https://wiki.openjdk.java.net/display/general/FAQ. It seems you need to become an OpenJDK author first to get an account.

--Weijun

> Regards,
> Daniel


From duke at openjdk.java.net  Tue Dec 21 09:48:40 2021
From: duke at openjdk.java.net (Daniel =?UTF-8?B?SmVsacWEc2tp?=)
Date: Tue, 21 Dec 2021 09:48:40 GMT
Subject: RFR: 8279043 Some Security Exception Messages Miss Spaces
Message-ID: <I2kt_38U6Xe8-efVvqeiYCr9XhtMHcRbVVAaA_gjlQU=.69e1a1c0-a543-4bdb-8a7b-c00553072f1f@github.com>

Trivial change. Issue reported by [lgtm.com](https://lgtm.com/projects/g/openjdk/jdk/alerts/?mode=tree&lang=java&ruleFocus=1952840153).

-------------

Commit messages:
 - Add missing spaces

Changes: https://git.openjdk.java.net/jdk/pull/6894/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6894&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8279043
  Stats: 21 lines in 16 files changed: 0 ins; 0 del; 21 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6894.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6894/head:pull/6894

PR: https://git.openjdk.java.net/jdk/pull/6894

From djelinski1 at gmail.com  Tue Dec 21 09:53:38 2021
From: djelinski1 at gmail.com (=?UTF-8?Q?Daniel_Jeli=C5=84ski?=)
Date: Tue, 21 Dec 2021 10:53:38 +0100
Subject: Incorrect exception strings
In-Reply-To: <78b8aac7-69bf-70f2-0316-ab6340d55700@oracle.com>
References: <CAMrH03L0fNYXHKypnY4uVMB7+9mgn1PMpmADfYWR4G_AQ70SQA@mail.gmail.com>
 <78b8aac7-69bf-70f2-0316-ab6340d55700@oracle.com>
Message-ID: <CAMrH03JEALWhegdosuqecQJ-Jk=FTxiy7MY_QCwjn5Gzeu1unA@mail.gmail.com>

Thank you Valerie.

Without a JBS account I'd have to get a review on the bug report
first, and given that this is a trivial fix I wanted to avoid going
through that.
Thanks again,
Daniel

pon., 20 gru 2021 o 22:36 Valerie Peng <valerie.peng at oracle.com> napisa?(a):
>
> I filed https://bugs.openjdk.java.net/browse/JDK-8279043 for this and
> added a noreg-trivial label.
>
> The usual process is to submit the PR with the associated bug id AFAIK.
>
> Thanks,
>
> Valerie
>
> On 12/20/2021 11:04 AM, Daniel Jeli?ski wrote:
> > Hello,
> > I fixed a few exception strings that had missing spaces between words;
> > the PR can be found here https://github.com/openjdk/jdk/pull/6894.
> >
> > I could use some assistance with a JBS ticket and reviews here.
> >
> > On a side note, how can I get a JBS account?
> > Regards,
> > Daniel

From djelinski1 at gmail.com  Tue Dec 21 10:29:41 2021
From: djelinski1 at gmail.com (=?UTF-8?Q?Daniel_Jeli=C5=84ski?=)
Date: Tue, 21 Dec 2021 11:29:41 +0100
Subject: Incorrect exception strings
In-Reply-To: <86DF058B-4E6B-404D-B4D4-627D80CA1853@oracle.com>
References: <CAMrH03L0fNYXHKypnY4uVMB7+9mgn1PMpmADfYWR4G_AQ70SQA@mail.gmail.com>
 <86DF058B-4E6B-404D-B4D4-627D80CA1853@oracle.com>
Message-ID: <CAMrH03KmhY3_GFYB888_Arhx4VKcumkcQEajKo-q8gLx12t5wA@mail.gmail.com>

Hi Weijun,

> The "Account Help" link on https://id.openjdk.java.net/console/login leads to https://wiki.openjdk.java.net/display/general/FAQ. It seems you need to become an OpenJDK author first to get an account.

Right. This page then leads to
http://openjdk.java.net/projects/#project-author, which leads to
http://openjdk.java.net/census, which suggests that I should PM Mark
Reinhold at an address that I need to find somewhere else. Is that
about right?
Thanks,
Daniel

From weijun.wang at oracle.com  Tue Dec 21 16:22:46 2021
From: weijun.wang at oracle.com (Wei-Jun Wang)
Date: Tue, 21 Dec 2021 16:22:46 +0000
Subject: Incorrect exception strings
In-Reply-To: <CAMrH03KmhY3_GFYB888_Arhx4VKcumkcQEajKo-q8gLx12t5wA@mail.gmail.com>
References: <CAMrH03L0fNYXHKypnY4uVMB7+9mgn1PMpmADfYWR4G_AQ70SQA@mail.gmail.com>
 <86DF058B-4E6B-404D-B4D4-627D80CA1853@oracle.com>
 <CAMrH03KmhY3_GFYB888_Arhx4VKcumkcQEajKo-q8gLx12t5wA@mail.gmail.com>
Message-ID: <153A178B-2BEA-4638-91C8-52D832B4A1C9@oracle.com>

Hi Daniel,

Yes, http://openjdk.java.net/projects/#project-author page contains a template. You mainly need to talk about your previous contributions to OpenJDK.

And yes, the Project Lead is Mark Reinhold, mark dot reinhold at oracle dot com.

Good luck!

--Weijun

> On Dec 21, 2021, at 5:29 AM, Daniel Jeli?ski <djelinski1 at gmail.com> wrote:
> 
> Hi Weijun,
> 
>> The "Account Help" link on https://id.openjdk.java.net/console/login leads to https://wiki.openjdk.java.net/display/general/FAQ. It seems you need to become an OpenJDK author first to get an account.
> 
> Right. This page then leads to
> http://openjdk.java.net/projects/#project-author, which leads to
> http://openjdk.java.net/census, which suggests that I should PM Mark
> Reinhold at an address that I need to find somewhere else. Is that
> about right?
> Thanks,
> Daniel


From weijun at openjdk.java.net  Tue Dec 21 16:40:55 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Tue, 21 Dec 2021 16:40:55 GMT
Subject: RFR: 8279066: Still see private key entries without certificates in a
 PKCS12 keystore
Message-ID: <RhDhoSitoaT-bgKKVvHuecHHyJHL8JNYWwZT9BVwmZk=.0d9ec0e0-7ef3-4168-81e5-bc1d77fd86de@github.com>

Before password-less PKCS12 keystores are supported, certificates in a PKCS12 file are always encrypted. Therefore if one loads the keystore with a null pass, it contains `PrivateKeyEntry`s without certificates. This has always been awkward (and most likely useless) so when JDK-8076190 introduced the password-less feature I also added a line to remove such an entry. 

https://github.com/openjdk/jdk/blob/a729a70c0119ed071ff490b0dfd4e3e2cb1a5ae4/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java#L2272 

Unfortunately, the line is not coded correctly, it should have been `remove(key)` but here it's `remove(value)`.

This code change correctly removes the entry.

That said, this behavior, although weird, has been there from the beginning since PKCS12 keystore was introduced. If you can find out a usage of a private key entry without any certificate and think it's worth kept that way, I can simply remove the `remove` call and leave the entry there.

-------------

Commit messages:
 - 8279066: Still see private key entries without certificates in a PKCS12 keystore

Changes: https://git.openjdk.java.net/jdk/pull/6910/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6910&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8279066
  Stats: 94 lines in 3 files changed: 87 ins; 0 del; 7 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6910.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6910/head:pull/6910

PR: https://git.openjdk.java.net/jdk/pull/6910

From djelinski1 at gmail.com  Tue Dec 21 17:09:20 2021
From: djelinski1 at gmail.com (=?UTF-8?Q?Daniel_Jeli=C5=84ski?=)
Date: Tue, 21 Dec 2021 18:09:20 +0100
Subject: Incorrect exception strings
In-Reply-To: <153A178B-2BEA-4638-91C8-52D832B4A1C9@oracle.com>
References: <CAMrH03L0fNYXHKypnY4uVMB7+9mgn1PMpmADfYWR4G_AQ70SQA@mail.gmail.com>
 <86DF058B-4E6B-404D-B4D4-627D80CA1853@oracle.com>
 <CAMrH03KmhY3_GFYB888_Arhx4VKcumkcQEajKo-q8gLx12t5wA@mail.gmail.com>
 <153A178B-2BEA-4638-91C8-52D832B4A1C9@oracle.com>
Message-ID: <CAMrH03JQgOKmbY3eBvf-Stu04jjZHu+aCVXLpPq1tiW4aXoXDw@mail.gmail.com>

Great, thanks for confirming!
Daniel

wt., 21 gru 2021 o 17:22 Wei-Jun Wang <weijun.wang at oracle.com> napisa?(a):
>
> Hi Daniel,
>
> Yes, http://openjdk.java.net/projects/#project-author page contains a template. You mainly need to talk about your previous contributions to OpenJDK.
>
> And yes, the Project Lead is Mark Reinhold, mark dot reinhold at oracle dot com.
>
> Good luck!
>
> --Weijun
>
> > On Dec 21, 2021, at 5:29 AM, Daniel Jeli?ski <djelinski1 at gmail.com> wrote:
> >
> > Hi Weijun,
> >
> >> The "Account Help" link on https://id.openjdk.java.net/console/login leads to https://wiki.openjdk.java.net/display/general/FAQ. It seems you need to become an OpenJDK author first to get an account.
> >
> > Right. This page then leads to
> > http://openjdk.java.net/projects/#project-author, which leads to
> > http://openjdk.java.net/census, which suggests that I should PM Mark
> > Reinhold at an address that I need to find somewhere else. Is that
> > about right?
> > Thanks,
> > Daniel
>

From weijun at openjdk.java.net  Tue Dec 21 17:21:09 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Tue, 21 Dec 2021 17:21:09 GMT
Subject: RFR: 8279043 Some Security Exception Messages Miss Spaces
In-Reply-To: <I2kt_38U6Xe8-efVvqeiYCr9XhtMHcRbVVAaA_gjlQU=.69e1a1c0-a543-4bdb-8a7b-c00553072f1f@github.com>
References: <I2kt_38U6Xe8-efVvqeiYCr9XhtMHcRbVVAaA_gjlQU=.69e1a1c0-a543-4bdb-8a7b-c00553072f1f@github.com>
Message-ID: <GSQJIlaeEqmy5TIBVN5NNH2dQfbRmMjDSIknb80fchU=.722d073c-4e4c-4a84-aa0c-f84600880dfd@github.com>

On Mon, 20 Dec 2021 14:50:08 GMT, Daniel Jeli?ski <duke at openjdk.java.net> wrote:

> Trivial change. Issue reported by [lgtm.com](https://lgtm.com/projects/g/openjdk/jdk/alerts/?mode=tree&lang=java&ruleFocus=1952840153).

Change looks good. Please add a colon after the bug ID in the title. Otherwise Skara might not integrate it.

-------------

Marked as reviewed by weijun (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/6894

From duke at openjdk.java.net  Tue Dec 21 17:29:16 2021
From: duke at openjdk.java.net (Daniel =?UTF-8?B?SmVsacWEc2tp?=)
Date: Tue, 21 Dec 2021 17:29:16 GMT
Subject: RFR: 8279043: Some Security Exception Messages Miss Spaces
In-Reply-To: <I2kt_38U6Xe8-efVvqeiYCr9XhtMHcRbVVAaA_gjlQU=.69e1a1c0-a543-4bdb-8a7b-c00553072f1f@github.com>
References: <I2kt_38U6Xe8-efVvqeiYCr9XhtMHcRbVVAaA_gjlQU=.69e1a1c0-a543-4bdb-8a7b-c00553072f1f@github.com>
Message-ID: <S-yQvGDL6n9r8aoP1NzL6uhKjFLyp4n-PbQt-JKUDPE=.b4b5de04-9230-48bc-9b9a-39f1085b8567@github.com>

On Mon, 20 Dec 2021 14:50:08 GMT, Daniel Jeli?ski <duke at openjdk.java.net> wrote:

> Trivial change. Issue reported by [lgtm.com](https://lgtm.com/projects/g/openjdk/jdk/alerts/?mode=tree&lang=java&ruleFocus=1952840153).

Thanks! bug title fixed.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6894

From weijun at openjdk.java.net  Tue Dec 21 17:32:17 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Tue, 21 Dec 2021 17:32:17 GMT
Subject: RFR: 8279043: Some Security Exception Messages Miss Spaces
In-Reply-To: <I2kt_38U6Xe8-efVvqeiYCr9XhtMHcRbVVAaA_gjlQU=.69e1a1c0-a543-4bdb-8a7b-c00553072f1f@github.com>
References: <I2kt_38U6Xe8-efVvqeiYCr9XhtMHcRbVVAaA_gjlQU=.69e1a1c0-a543-4bdb-8a7b-c00553072f1f@github.com>
Message-ID: <bBLf7-qrbCQ8n4YXiJ_Zcax206Ad9FhL3proiohJPZo=.df88bcdd-1064-45cd-8996-72d3101b547a@github.com>

On Mon, 20 Dec 2021 14:50:08 GMT, Daniel Jeli?ski <duke at openjdk.java.net> wrote:

> Trivial change. Issue reported by [lgtm.com](https://lgtm.com/projects/g/openjdk/jdk/alerts/?mode=tree&lang=java&ruleFocus=1952840153).

Thanks. I'll run some tests before sponsoring it. Hopefully no one uses the exact exception message as a golden copy.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6894

From mullan at openjdk.java.net  Tue Dec 21 18:26:13 2021
From: mullan at openjdk.java.net (Sean Mullan)
Date: Tue, 21 Dec 2021 18:26:13 GMT
Subject: RFR: 8279066: Still see private key entries without certificates
 in a PKCS12 keystore
In-Reply-To: <RhDhoSitoaT-bgKKVvHuecHHyJHL8JNYWwZT9BVwmZk=.0d9ec0e0-7ef3-4168-81e5-bc1d77fd86de@github.com>
References: <RhDhoSitoaT-bgKKVvHuecHHyJHL8JNYWwZT9BVwmZk=.0d9ec0e0-7ef3-4168-81e5-bc1d77fd86de@github.com>
Message-ID: <JrwZAXYXwMe4krpm3OsSLKmdpKdnOhJ-KGjR_hHWLD4=.d51da4cf-e639-42cd-8924-439085066154@github.com>

On Tue, 21 Dec 2021 16:31:57 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Before password-less PKCS12 keystores are supported, certificates in a PKCS12 file are always encrypted. Therefore if one loads the keystore with a null pass, it contains `PrivateKeyEntry`s without certificates. This has always been awkward (and most likely useless) so when JDK-8076190 introduced the password-less feature I also added a line to remove such an entry. 
> 
> https://github.com/openjdk/jdk/blob/a729a70c0119ed071ff490b0dfd4e3e2cb1a5ae4/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java#L2272 
> 
> Unfortunately, the line is not coded correctly, it should have been `remove(key)` but here it's `remove(value)`.
> 
> This code change correctly removes the entry.
> 
> That said, this behavior, although weird, has been there from the beginning since PKCS12 keystore was introduced. If you can find out a usage of a private key entry without any certificate and think it's worth kept that way, I can simply remove the `remove` call and leave the entry there.

I still think it's useful even if I can't see the certificate chain. I'd rather see the entry if it actually exists in the keystore and I think removing it is odd because it still exists in the keystore. Also, sometimes I use keytool without a storepass just to see what is in it, and then if I see the certificates are not showing up, I can try again with the password.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6910

From duke at openjdk.java.net  Tue Dec 21 18:28:17 2021
From: duke at openjdk.java.net (Daniel =?UTF-8?B?SmVsacWEc2tp?=)
Date: Tue, 21 Dec 2021 18:28:17 GMT
Subject: Integrated: 8279043: Some Security Exception Messages Miss Spaces
In-Reply-To: <I2kt_38U6Xe8-efVvqeiYCr9XhtMHcRbVVAaA_gjlQU=.69e1a1c0-a543-4bdb-8a7b-c00553072f1f@github.com>
References: <I2kt_38U6Xe8-efVvqeiYCr9XhtMHcRbVVAaA_gjlQU=.69e1a1c0-a543-4bdb-8a7b-c00553072f1f@github.com>
Message-ID: <zJsUeDUNj8M4VPlFgDJO-UNCfwM4eqEKITaysH5YRB8=.84868da9-3c9f-4ada-b1e2-c43660e07b91@github.com>

On Mon, 20 Dec 2021 14:50:08 GMT, Daniel Jeli?ski <duke at openjdk.java.net> wrote:

> Trivial change. Issue reported by [lgtm.com](https://lgtm.com/projects/g/openjdk/jdk/alerts/?mode=tree&lang=java&ruleFocus=1952840153).

This pull request has now been integrated.

Changeset: f31dead6
Author:    Daniel Jelinski <djelinski1 at gmail.com>
Committer: Weijun Wang <weijun at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/f31dead6c550444a836655ffdf97df8816e2d546
Stats:     21 lines in 16 files changed: 0 ins; 0 del; 21 mod

8279043: Some Security Exception Messages Miss Spaces

Reviewed-by: weijun

-------------

PR: https://git.openjdk.java.net/jdk/pull/6894

From ascarpino at openjdk.java.net  Tue Dec 21 21:29:17 2021
From: ascarpino at openjdk.java.net (Anthony Scarpino)
Date: Tue, 21 Dec 2021 21:29:17 GMT
Subject: RFR: 8277881 Missing SessionID in TLS1.3 resumption in
 compatibility mode
In-Reply-To: <OSdmLyXOjDALwV-MtAJCo6-yErvMQwLbjblvbOxCTa4=.29adf113-d39d-4f45-8c08-6310049e7757@github.com>
References: <OSdmLyXOjDALwV-MtAJCo6-yErvMQwLbjblvbOxCTa4=.29adf113-d39d-4f45-8c08-6310049e7757@github.com>
Message-ID: <v5OlJWcrhq-y_0BDB9512q45-Mid_lMKrJ9wal6p5bs=.805e9264-286d-4ec4-a146-4edbb97cff48@github.com>

On Mon, 29 Nov 2021 08:42:22 GMT, Daniel Jeli?ski <duke at openjdk.java.net> wrote:

> All TLS 1.3 handshakes in compatibility mode must send a non-empty SessionID field. Currently TLS1.3 session resumptions are sending empty session ID. This patch fixes that problem.
> 
> All jdk_core tests passed. The newly added check passes with the patch, fails without it.

Please add " 2021," to the copyright of ResumeTLS13withSNI.java.
I have run all the tests and they pass.

Have you run this fix on your customer's setup or similar setup to confirm this fixed their problem?

-------------

Changes requested by ascarpino (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/6583

From weijun at openjdk.java.net  Tue Dec 21 21:42:56 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Tue, 21 Dec 2021 21:42:56 GMT
Subject: RFR: 8279066: entries.remove(entry) is useless in PKCS12KeyStore
 [v2]
In-Reply-To: <RhDhoSitoaT-bgKKVvHuecHHyJHL8JNYWwZT9BVwmZk=.0d9ec0e0-7ef3-4168-81e5-bc1d77fd86de@github.com>
References: <RhDhoSitoaT-bgKKVvHuecHHyJHL8JNYWwZT9BVwmZk=.0d9ec0e0-7ef3-4168-81e5-bc1d77fd86de@github.com>
Message-ID: <5vb6NpVfzi-2-tcXIC2FLq-DJd8RPm6NU5dlzFUCPFM=.9c3f157a-95ce-4b7d-b08c-22ce851bc109@github.com>

> Before password-less PKCS12 keystores are supported, certificates in a PKCS12 file are always encrypted. Therefore if one loads the keystore with a null pass, it contains `PrivateKeyEntry`s without certificates. This has always been awkward (and most likely useless) so when JDK-8076190 introduced the password-less feature I also added a line to remove such an entry. 
> 
> https://github.com/openjdk/jdk/blob/a729a70c0119ed071ff490b0dfd4e3e2cb1a5ae4/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java#L2272 
> 
> Unfortunately, the line is not coded correctly, it should have been `remove(key)` but here it's `remove(value)`.
> 
> This code change correctly removes the entry.
> 
> That said, this behavior, although weird, has been there from the beginning since PKCS12 keystore was introduced. If you can find out a usage of a private key entry without any certificate and think it's worth kept that way, I can simply remove the `remove` call and leave the entry there.

Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:

  just ignore it

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/6910/files
  - new: https://git.openjdk.java.net/jdk/pull/6910/files/ed6ee075..844bf487

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6910&range=01
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6910&range=00-01

  Stats: 98 lines in 3 files changed: 0 ins; 92 del; 6 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6910.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6910/head:pull/6910

PR: https://git.openjdk.java.net/jdk/pull/6910

From mullan at openjdk.java.net  Tue Dec 21 21:42:58 2021
From: mullan at openjdk.java.net (Sean Mullan)
Date: Tue, 21 Dec 2021 21:42:58 GMT
Subject: RFR: 8279066: entries.remove(entry) is useless in PKCS12KeyStore
 [v2]
In-Reply-To: <5vb6NpVfzi-2-tcXIC2FLq-DJd8RPm6NU5dlzFUCPFM=.9c3f157a-95ce-4b7d-b08c-22ce851bc109@github.com>
References: <RhDhoSitoaT-bgKKVvHuecHHyJHL8JNYWwZT9BVwmZk=.0d9ec0e0-7ef3-4168-81e5-bc1d77fd86de@github.com>
 <5vb6NpVfzi-2-tcXIC2FLq-DJd8RPm6NU5dlzFUCPFM=.9c3f157a-95ce-4b7d-b08c-22ce851bc109@github.com>
Message-ID: <TKR-HIH6-1gf3i8jr22Kd_vuGpo8w_faGM3z7A-65-Q=.cf6c0dee-7df6-4081-b2d0-37b09c778cef@github.com>

On Tue, 21 Dec 2021 21:39:23 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Before password-less PKCS12 keystores are supported, certificates in a PKCS12 file are always encrypted. Therefore if one loads the keystore with a null pass, it contains `PrivateKeyEntry`s without certificates. This has always been awkward (and most likely useless) so when JDK-8076190 introduced the password-less feature I also added a line to remove such an entry. 
>> 
>> https://github.com/openjdk/jdk/blob/a729a70c0119ed071ff490b0dfd4e3e2cb1a5ae4/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java#L2272 
>> 
>> Unfortunately, the line is not coded correctly, it should have been `remove(key)` but here it's `remove(value)`.
>> 
>> This code change correctly removes the entry.
>> 
>> That said, this behavior, although weird, has been there from the beginning since PKCS12 keystore was introduced. If you can find out a usage of a private key entry without any certificate and think it's worth kept that way, I can simply remove the `remove` call and leave the entry there.
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
> 
>   just ignore it

Marked as reviewed by mullan (Reviewer).

-------------

PR: https://git.openjdk.java.net/jdk/pull/6910

From weijun at openjdk.java.net  Tue Dec 21 21:42:59 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Tue, 21 Dec 2021 21:42:59 GMT
Subject: RFR: 8279066: entries.remove(entry) is useless in PKCS12KeyStore
In-Reply-To: <RhDhoSitoaT-bgKKVvHuecHHyJHL8JNYWwZT9BVwmZk=.0d9ec0e0-7ef3-4168-81e5-bc1d77fd86de@github.com>
References: <RhDhoSitoaT-bgKKVvHuecHHyJHL8JNYWwZT9BVwmZk=.0d9ec0e0-7ef3-4168-81e5-bc1d77fd86de@github.com>
Message-ID: <hZn9fHl_vuBG-aZqwo9WEjCn_BR8Q801k1O8nMSUFxo=.337ba240-ad8d-4b35-a7b5-7b497dd61412@github.com>

On Tue, 21 Dec 2021 16:31:57 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Before password-less PKCS12 keystores are supported, certificates in a PKCS12 file are always encrypted. Therefore if one loads the keystore with a null pass, it contains `PrivateKeyEntry`s without certificates. This has always been awkward (and most likely useless) so when JDK-8076190 introduced the password-less feature I also added a line to remove such an entry. 
> 
> https://github.com/openjdk/jdk/blob/a729a70c0119ed071ff490b0dfd4e3e2cb1a5ae4/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java#L2272 
> 
> Unfortunately, the line is not coded correctly, it should have been `remove(key)` but here it's `remove(value)`.
> 
> This code change correctly removes the entry.
> 
> That said, this behavior, although weird, has been there from the beginning since PKCS12 keystore was introduced. If you can find out a usage of a private key entry without any certificate and think it's worth kept that way, I can simply remove the `remove` call and leave the entry there.

OK, I've updated the change to simply removing that `remove` all.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6910

From dholmes at openjdk.java.net  Tue Dec 21 21:45:14 2021
From: dholmes at openjdk.java.net (David Holmes)
Date: Tue, 21 Dec 2021 21:45:14 GMT
Subject: [jdk18] RFR: JDK-8278967 rmiregistry fails to start because
 SecurityManager is disabled
In-Reply-To: <XCbGplub5NvbUblllEMQxytUHkXupGhgFKHw5yW8jmQ=.e33a3f0a-94cb-45ac-b2ef-b023da85a175@github.com>
References: <SziE17Iv5XvNQ3fXtIPMLyhyevlw5BMZrqsC2HDhy2o=.39c1f9fd-22a2-40d0-ac98-8da95f34f52f@github.com>
 <XCbGplub5NvbUblllEMQxytUHkXupGhgFKHw5yW8jmQ=.e33a3f0a-94cb-45ac-b2ef-b023da85a175@github.com>
Message-ID: <lOWbt6DA6Y3Po8N2D8gFQm1BRhbeEC9N6Wnql2u4c_k=.44a8986c-38db-489e-bd78-02c4c2f0a7dd@github.com>

On Sun, 19 Dec 2021 07:37:19 GMT, Alan Bateman <alanb at openjdk.org> wrote:

>> Enable the security manager in rmiregistry's launcher arguments.
>
> As things stand, `rmiregsitry -J-Djava.security.manager` and `rmiregistry -J-Djava.security.manager=allow` are equivalent because rmiregistry sets the default SM. Some difference may be observed if someone is running rmiregistry with a custom system class loader set, or custom file system provider, or running it with a JVM TI agent that is looking at events between VMStart and VMInit but these seem somewhat obscure scenarios for a command line program If rmiregstry worked with ToolProvider then I think there would be more to discuss. If the final patch is to have the launcher set the default security manager then we may want to change RegistryImpl.createRegistry to fail if not set.
> 
> The warning that is emitted for both cases is expected. JEP 411 is very clear that it there is no mechanism to suppress it. We may need to add a release note to document that rmiregistry will emit a warning a startup, that will at least be something to point at in the event that anyone asks or reports an issue.

In the same kind of PR (https://github.com/openjdk/jdk18/pull/53) for `jstatd` @AlanBateman writes:
> This looks okay in that it is now worked exactly as it did in JDK 17.

And that PR uses `allow` as I have suggested here (to preserve existing behaviour). All the affected launchers should be fixed in the same consistent way.

-------------

PR: https://git.openjdk.java.net/jdk18/pull/45

From weijun at openjdk.java.net  Tue Dec 21 22:16:25 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Tue, 21 Dec 2021 22:16:25 GMT
Subject: Integrated: 8279066: entries.remove(entry) is useless in
 PKCS12KeyStore
In-Reply-To: <RhDhoSitoaT-bgKKVvHuecHHyJHL8JNYWwZT9BVwmZk=.0d9ec0e0-7ef3-4168-81e5-bc1d77fd86de@github.com>
References: <RhDhoSitoaT-bgKKVvHuecHHyJHL8JNYWwZT9BVwmZk=.0d9ec0e0-7ef3-4168-81e5-bc1d77fd86de@github.com>
Message-ID: <itVGJ3Ty7_IqacGU5nngPLbBMZgF5eAgjqseOAMeYbA=.1e8f9094-c193-4a45-a15d-0163adfe006b@github.com>

On Tue, 21 Dec 2021 16:31:57 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Before password-less PKCS12 keystores are supported, certificates in a PKCS12 file are always encrypted. Therefore if one loads the keystore with a null pass, it contains `PrivateKeyEntry`s without certificates. This has always been awkward (and most likely useless) so when JDK-8076190 introduced the password-less feature I also added a line to remove such an entry. 
> 
> https://github.com/openjdk/jdk/blob/a729a70c0119ed071ff490b0dfd4e3e2cb1a5ae4/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java#L2272 
> 
> Unfortunately, the line is not coded correctly, it should have been `remove(key)` but here it's `remove(value)`.
> 
> This code change correctly removes the entry.
> 
> That said, this behavior, although weird, has been there from the beginning since PKCS12 keystore was introduced. If you can find out a usage of a private key entry without any certificate and think it's worth kept that way, I can simply remove the `remove` call and leave the entry there.

This pull request has now been integrated.

Changeset: fb623f1d
Author:    Weijun Wang <weijun at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/fb623f1d2ee858fbc6edfeaaa702b5fcd832a0aa
Stats:     5 lines in 1 file changed: 0 ins; 5 del; 0 mod

8279066: entries.remove(entry) is useless in PKCS12KeyStore

Reviewed-by: mullan

-------------

PR: https://git.openjdk.java.net/jdk/pull/6910

From mstjohns at comcast.net  Tue Dec 21 23:11:21 2021
From: mstjohns at comcast.net (Michael StJohns)
Date: Tue, 21 Dec 2021 18:11:21 -0500
Subject: RFR: 8279066: Still see private key entries without certificates
 in a PKCS12 keystore
In-Reply-To: <JrwZAXYXwMe4krpm3OsSLKmdpKdnOhJ-KGjR_hHWLD4=.d51da4cf-e639-42cd-8924-439085066154@github.com>
References: <RhDhoSitoaT-bgKKVvHuecHHyJHL8JNYWwZT9BVwmZk=.0d9ec0e0-7ef3-4168-81e5-bc1d77fd86de@github.com>
 <JrwZAXYXwMe4krpm3OsSLKmdpKdnOhJ-KGjR_hHWLD4=.d51da4cf-e639-42cd-8924-439085066154@github.com>
Message-ID: <ca35d77c-0be3-71ae-670e-3e8008f74e9d@comcast.net>

On 12/21/2021 1:26 PM, Sean Mullan wrote:
> On Tue, 21 Dec 2021 16:31:57 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>
>> Before password-less PKCS12 keystores are supported, certificates in a PKCS12 file are always encrypted. Therefore if one loads the keystore with a null pass, it contains `PrivateKeyEntry`s without certificates. This has always been awkward (and most likely useless) so when JDK-8076190 introduced the password-less feature I also added a line to remove such an entry.
>>
>> https://github.com/openjdk/jdk/blob/a729a70c0119ed071ff490b0dfd4e3e2cb1a5ae4/src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java#L2272
>>
>> Unfortunately, the line is not coded correctly, it should have been `remove(key)` but here it's `remove(value)`.
>>
>> This code change correctly removes the entry.
>>
>> That said, this behavior, although weird, has been there from the beginning since PKCS12 keystore was introduced. If you can find out a usage of a private key entry without any certificate and think it's worth kept that way, I can simply remove the `remove` call and leave the entry there.
> I still think it's useful even if I can't see the certificate chain. I'd rather see the entry if it actually exists in the keystore and I think removing it is odd because it still exists in the keystore. Also, sometimes I use keytool without a storepass just to see what is in it, and then if I see the certificates are not showing up, I can try again with the password.
>
> -------------
>
> PR: https://git.openjdk.java.net/jdk/pull/6910

I got curious and took a look at P11KeyStore.java - 
https://github.com/openjdk/jdk/blob/master/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyStore.java 
- and it appears to do exactly the opposite of what you've got here.? 
E.g. if there's no certificate that matches up with the private key, 
then it returns a null - that's in engineGetEntry() around line 963.

Speaking personally, I've always found it a bit annoying that a 
KeyStore.PrivateKeyEntry required a certificate(chain).? It actually 
made dealing with PKCS11 painful as the Java conventions didn't always 
conform to the actual structure of the PKCS11 contents.

Not suggesting that a change necessarily needs to be made, but perhaps 
you might want to have a consistent behavior between the two?


Mike




From hchao at openjdk.java.net  Wed Dec 22 00:30:13 2021
From: hchao at openjdk.java.net (Hai-May Chao)
Date: Wed, 22 Dec 2021 00:30:13 GMT
Subject: RFR: 8209398: sun/security/pkcs11/KeyStore/SecretKeysBasic.sh
 failed with "PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE"
In-Reply-To: <WvEPUh_cR894VmyOsxKlgXWYTT3xBMRV9tj7cjVWcvY=.5d051301-5155-4c2a-9a34-b7c0ec024085@github.com>
References: <WvEPUh_cR894VmyOsxKlgXWYTT3xBMRV9tj7cjVWcvY=.5d051301-5155-4c2a-9a34-b7c0ec024085@github.com>
Message-ID: <2-fPnAW-bWx4FbuaGa-zM_BOY_RAAHo12NWeMoLlbaQ=.89457109-3164-4f74-85be-208217534bc3@github.com>

On Tue, 14 Dec 2021 18:33:47 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

> Can someone help review this small fix? NSS returns PKCS11 CKR_ATTRIBUTE_SENSITIVE error when trying to retrieve CKA_VALUE out of its token keys. So this fix is to add special handling for NSS token secret keys. There is already an existing regression test which detects this and disabled in ProblemList.txt. Removing that test from ProblemList.txt to verify this fix.
> 
> Thanks,
> Valerie

Marked as reviewed by hchao (Committer).

Looks good.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6837

From weijun at openjdk.java.net  Wed Dec 22 00:43:12 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Wed, 22 Dec 2021 00:43:12 GMT
Subject: RFR: 8209398: sun/security/pkcs11/KeyStore/SecretKeysBasic.sh
 failed with "PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE"
In-Reply-To: <WvEPUh_cR894VmyOsxKlgXWYTT3xBMRV9tj7cjVWcvY=.5d051301-5155-4c2a-9a34-b7c0ec024085@github.com>
References: <WvEPUh_cR894VmyOsxKlgXWYTT3xBMRV9tj7cjVWcvY=.5d051301-5155-4c2a-9a34-b7c0ec024085@github.com>
Message-ID: <dt5h49veziXUzwFEpXg4Xq6ea7SKR3eSOgB3qhwBA7s=.0cc4a075-d859-4c16-8fa5-f30376c2aea3@github.com>

On Tue, 14 Dec 2021 18:33:47 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

> Can someone help review this small fix? NSS returns PKCS11 CKR_ATTRIBUTE_SENSITIVE error when trying to retrieve CKA_VALUE out of its token keys. So this fix is to add special handling for NSS token secret keys. There is already an existing regression test which detects this and disabled in ProblemList.txt. Removing that test from ProblemList.txt to verify this fix.
> 
> Thanks,
> Valerie

What about here?
https://github.com/openjdk/jdk/blob/a5d7de235101696463dba22792703c6809ff7fc4/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSAKeyFactory.java#L280

-------------

PR: https://git.openjdk.java.net/jdk/pull/6837

From weijun at openjdk.java.net  Wed Dec 22 00:49:20 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Wed, 22 Dec 2021 00:49:20 GMT
Subject: RFR: 8209398: sun/security/pkcs11/KeyStore/SecretKeysBasic.sh
 failed with "PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE"
In-Reply-To: <WvEPUh_cR894VmyOsxKlgXWYTT3xBMRV9tj7cjVWcvY=.5d051301-5155-4c2a-9a34-b7c0ec024085@github.com>
References: <WvEPUh_cR894VmyOsxKlgXWYTT3xBMRV9tj7cjVWcvY=.5d051301-5155-4c2a-9a34-b7c0ec024085@github.com>
Message-ID: <Kz4P23Ke21RT7GuEEdY5tkEqG-ptUfQbhYpa6dBhh4E=.b9c9ab8a-975d-4e29-9280-564416946c2b@github.com>

On Tue, 14 Dec 2021 18:33:47 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

> Can someone help review this small fix? NSS returns PKCS11 CKR_ATTRIBUTE_SENSITIVE error when trying to retrieve CKA_VALUE out of its token keys. So this fix is to add special handling for NSS token secret keys. There is already an existing regression test which detects this and disabled in ProblemList.txt. Removing that test from ProblemList.txt to verify this fix.
> 
> Thanks,
> Valerie

Since the return error code is PKCS11 CKR_ATTRIBUTE_SENSITIVE, does it make sense to assign `sensitive = true` right at the beginning? I'm not a PKCS11 expert and not sure if this has any negative effect on https://github.com/openjdk/jdk/blob/ea8d3c92c69c393cdbc6c62398f1e9c6adc708d3/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java#L1394 (where the `sensitive` flag is used).

-------------

PR: https://git.openjdk.java.net/jdk/pull/6837

From smarks at openjdk.java.net  Wed Dec 22 01:18:58 2021
From: smarks at openjdk.java.net (Stuart Marks)
Date: Wed, 22 Dec 2021 01:18:58 GMT
Subject: [jdk18] RFR: JDK-8278967 rmiregistry fails to start because
 SecurityManager is disabled [v2]
In-Reply-To: <SziE17Iv5XvNQ3fXtIPMLyhyevlw5BMZrqsC2HDhy2o=.39c1f9fd-22a2-40d0-ac98-8da95f34f52f@github.com>
References: <SziE17Iv5XvNQ3fXtIPMLyhyevlw5BMZrqsC2HDhy2o=.39c1f9fd-22a2-40d0-ac98-8da95f34f52f@github.com>
Message-ID: <dq9vvL2gRPYKbKvfrU-hjqXFbgueqNRYW5KEcr9Liho=.74d63971-ce7e-4440-b161-3b8c259fd41a@github.com>

> Enable the security manager in rmiregistry's launcher arguments.

Stuart Marks has updated the pull request incrementally with one additional commit since the last revision:

  Change java.security.manager to "allow"; filter warning lines from VersionCheck

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk18/pull/45/files
  - new: https://git.openjdk.java.net/jdk18/pull/45/files/e899bd2d..f713e731

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk18&pr=45&range=01
 - incr: https://webrevs.openjdk.java.net/?repo=jdk18&pr=45&range=00-01

  Stats: 7 lines in 2 files changed: 3 ins; 0 del; 4 mod
  Patch: https://git.openjdk.java.net/jdk18/pull/45.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk18 pull/45/head:pull/45

PR: https://git.openjdk.java.net/jdk18/pull/45

From smarks at openjdk.java.net  Wed Dec 22 01:30:15 2021
From: smarks at openjdk.java.net (Stuart Marks)
Date: Wed, 22 Dec 2021 01:30:15 GMT
Subject: [jdk18] RFR: JDK-8278967 rmiregistry fails to start because
 SecurityManager is disabled [v2]
In-Reply-To: <dq9vvL2gRPYKbKvfrU-hjqXFbgueqNRYW5KEcr9Liho=.74d63971-ce7e-4440-b161-3b8c259fd41a@github.com>
References: <SziE17Iv5XvNQ3fXtIPMLyhyevlw5BMZrqsC2HDhy2o=.39c1f9fd-22a2-40d0-ac98-8da95f34f52f@github.com>
 <dq9vvL2gRPYKbKvfrU-hjqXFbgueqNRYW5KEcr9Liho=.74d63971-ce7e-4440-b161-3b8c259fd41a@github.com>
Message-ID: <j9NA-OXmsxCzk4qdqOD2zt8y8hTAQS35ShajqVh0t0I=.39eee2a3-eccd-4f61-a938-18d71d9560c0@github.com>

On Wed, 22 Dec 2021 01:18:58 GMT, Stuart Marks <smarks at openjdk.org> wrote:

>> Enable the security manager in rmiregistry's launcher arguments.
>
> Stuart Marks has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Change java.security.manager to "allow"; filter warning lines from VersionCheck

Enabling the security manager using a property, versus setting the property to `allow` and enabling it in code, is mostly a distinction without a difference. I don't think there is really a need to have the different tools be consistent. Local tool considerations probably swamp the need for any cross-tool consistency.

In this case some of the RMI registry tests set the property to `allow` on the command line and then rely on the code to enable the security manager using the API, so it's much easier to switch the `rmiregistry` launcher to use the `allow` technique instead. This is sort-of the tail (the tests) wagging the doc (the tool) but there doesn't seem to any benefit to be gained from fiddling around with the tests and the RMI test library.

I've also updated VersionCheck.java to filter out the security manager warning messages.

-------------

PR: https://git.openjdk.java.net/jdk18/pull/45

From alanb at openjdk.java.net  Wed Dec 22 10:38:27 2021
From: alanb at openjdk.java.net (Alan Bateman)
Date: Wed, 22 Dec 2021 10:38:27 GMT
Subject: [jdk18] RFR: JDK-8278967 rmiregistry fails to start because
 SecurityManager is disabled [v2]
In-Reply-To: <dq9vvL2gRPYKbKvfrU-hjqXFbgueqNRYW5KEcr9Liho=.74d63971-ce7e-4440-b161-3b8c259fd41a@github.com>
References: <SziE17Iv5XvNQ3fXtIPMLyhyevlw5BMZrqsC2HDhy2o=.39c1f9fd-22a2-40d0-ac98-8da95f34f52f@github.com>
 <dq9vvL2gRPYKbKvfrU-hjqXFbgueqNRYW5KEcr9Liho=.74d63971-ce7e-4440-b161-3b8c259fd41a@github.com>
Message-ID: <e0AhmU1AsthfpxKX-ewDJSp-UfO6V7z-8WA_NxnF6mk=.e3ceb171-14e6-4bcd-b4d5-4476fc6bb4ad@github.com>

On Wed, 22 Dec 2021 01:18:58 GMT, Stuart Marks <smarks at openjdk.org> wrote:

>> Enable the security manager in rmiregistry's launcher arguments.
>
> Stuart Marks has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Change java.security.manager to "allow"; filter warning lines from VersionCheck

This version looks okay, avoids having an attempt to set the SM in createRegistry always be skipped.

-------------

Marked as reviewed by alanb (Reviewer).

PR: https://git.openjdk.java.net/jdk18/pull/45

From serb at openjdk.java.net  Wed Dec 22 10:57:37 2021
From: serb at openjdk.java.net (Sergey Bylokhov)
Date: Wed, 22 Dec 2021 10:57:37 GMT
Subject: RFR: 8279134: Fix Amazon copyright in various files
Message-ID: <JcaV2Md2ympuLnRHpecLgQWMYT0JipOgDHapxBMctvA=.c84bd6a1-5bf7-4b35-b668-a2890499bb09@github.com>

This bug is similar to https://bugs.openjdk.java.net/browse/JDK-8244094

Currently, some of the files in the OpenJDK repo have Amazon copyright notices which are all slightly different and do not conform to Amazons preferred copyright notice which is simply (intentionally without copyright year):

"Copyright Amazon.com Inc. or its affiliates. All Rights Reserved." 

@simonis @phohensee

-------------

Commit messages:
 - Initial fix JDK-8279134

Changes: https://git.openjdk.java.net/jdk/pull/6915/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6915&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8279134
  Stats: 15 lines in 14 files changed: 0 ins; 1 del; 14 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6915.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6915/head:pull/6915

PR: https://git.openjdk.java.net/jdk/pull/6915

From erikj at openjdk.java.net  Wed Dec 22 13:40:12 2021
From: erikj at openjdk.java.net (Erik Joelsson)
Date: Wed, 22 Dec 2021 13:40:12 GMT
Subject: [jdk18] RFR: JDK-8278967 rmiregistry fails to start because
 SecurityManager is disabled [v2]
In-Reply-To: <dq9vvL2gRPYKbKvfrU-hjqXFbgueqNRYW5KEcr9Liho=.74d63971-ce7e-4440-b161-3b8c259fd41a@github.com>
References: <SziE17Iv5XvNQ3fXtIPMLyhyevlw5BMZrqsC2HDhy2o=.39c1f9fd-22a2-40d0-ac98-8da95f34f52f@github.com>
 <dq9vvL2gRPYKbKvfrU-hjqXFbgueqNRYW5KEcr9Liho=.74d63971-ce7e-4440-b161-3b8c259fd41a@github.com>
Message-ID: <kdpb7afCAOo48qmkWEhACRErDBfXKhyq_kjt7exSgZE=.f01d9fab-4fbd-49ea-8610-97fd7f7e9d49@github.com>

On Wed, 22 Dec 2021 01:18:58 GMT, Stuart Marks <smarks at openjdk.org> wrote:

>> Enable the security manager in rmiregistry's launcher arguments.
>
> Stuart Marks has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Change java.security.manager to "allow"; filter warning lines from VersionCheck

Build change looks good.

-------------

Marked as reviewed by erikj (Reviewer).

PR: https://git.openjdk.java.net/jdk18/pull/45

From smarks at openjdk.java.net  Wed Dec 22 19:00:22 2021
From: smarks at openjdk.java.net (Stuart Marks)
Date: Wed, 22 Dec 2021 19:00:22 GMT
Subject: [jdk18] Integrated: JDK-8278967 rmiregistry fails to start because
 SecurityManager is disabled
In-Reply-To: <SziE17Iv5XvNQ3fXtIPMLyhyevlw5BMZrqsC2HDhy2o=.39c1f9fd-22a2-40d0-ac98-8da95f34f52f@github.com>
References: <SziE17Iv5XvNQ3fXtIPMLyhyevlw5BMZrqsC2HDhy2o=.39c1f9fd-22a2-40d0-ac98-8da95f34f52f@github.com>
Message-ID: <gysG0Nmb72FD1H__mYsvemMT2k220M3Pd2qvQpPZ_0k=.46182bd6-4427-424a-bdbc-566c50808b8f@github.com>

On Fri, 17 Dec 2021 20:01:27 GMT, Stuart Marks <smarks at openjdk.org> wrote:

> Enable the security manager in rmiregistry's launcher arguments.

This pull request has now been integrated.

Changeset: 04ee9211
Author:    Stuart Marks <smarks at openjdk.org>
URL:       https://git.openjdk.java.net/jdk18/commit/04ee9211fcc59178b3bfdfdda5e0def9b0f29ada
Stats:     7 lines in 2 files changed: 4 ins; 0 del; 3 mod

8278967: rmiregistry fails to start because SecurityManager is disabled

Reviewed-by: alanb, erikj

-------------

PR: https://git.openjdk.java.net/jdk18/pull/45

From valeriep at openjdk.java.net  Wed Dec 22 19:02:13 2021
From: valeriep at openjdk.java.net (Valerie Peng)
Date: Wed, 22 Dec 2021 19:02:13 GMT
Subject: RFR: 8209398: sun/security/pkcs11/KeyStore/SecretKeysBasic.sh
 failed with "PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE"
In-Reply-To: <dt5h49veziXUzwFEpXg4Xq6ea7SKR3eSOgB3qhwBA7s=.0cc4a075-d859-4c16-8fa5-f30376c2aea3@github.com>
References: <WvEPUh_cR894VmyOsxKlgXWYTT3xBMRV9tj7cjVWcvY=.5d051301-5155-4c2a-9a34-b7c0ec024085@github.com>
 <dt5h49veziXUzwFEpXg4Xq6ea7SKR3eSOgB3qhwBA7s=.0cc4a075-d859-4c16-8fa5-f30376c2aea3@github.com>
Message-ID: <zIYO1TY9o7OlPXoP-KTPKcH2fPh_P59Powi6rfBaP18=.6523e5e9-3333-4cca-9b8c-34f1d1f99a26@github.com>

On Wed, 22 Dec 2021 00:40:35 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> What about here?
> 
> https://github.com/openjdk/jdk/blob/a5d7de235101696463dba22792703c6809ff7fc4/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSAKeyFactory.java#L280

Well, this bug is about PKCS11 SecretKey. Maybe this line in P11RSAKeyFactory.java needs to be updated as well, but best to do it separately after trying the NSS behavior out first.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6837

From valeriep at openjdk.java.net  Wed Dec 22 19:13:12 2021
From: valeriep at openjdk.java.net (Valerie Peng)
Date: Wed, 22 Dec 2021 19:13:12 GMT
Subject: RFR: 8209398: sun/security/pkcs11/KeyStore/SecretKeysBasic.sh
 failed with "PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE"
In-Reply-To: <Kz4P23Ke21RT7GuEEdY5tkEqG-ptUfQbhYpa6dBhh4E=.b9c9ab8a-975d-4e29-9280-564416946c2b@github.com>
References: <WvEPUh_cR894VmyOsxKlgXWYTT3xBMRV9tj7cjVWcvY=.5d051301-5155-4c2a-9a34-b7c0ec024085@github.com>
 <Kz4P23Ke21RT7GuEEdY5tkEqG-ptUfQbhYpa6dBhh4E=.b9c9ab8a-975d-4e29-9280-564416946c2b@github.com>
Message-ID: <vHm-UvhyTBY7802mken7cH8SSpNeV3Ti4is5yDcQRlU=.228888f4-122b-41f6-bf4f-2b5cbdf4fbf6@github.com>

On Wed, 22 Dec 2021 00:46:32 GMT, Weijun Wang <weijun at openjdk.org> wrote:

> Since the return error code is PKCS11 CKR_ATTRIBUTE_SENSITIVE, does it make sense to assign `sensitive = true` right at the beginning? I'm not a PKCS11 expert and not sure if this has any negative effect on
> 
> https://github.com/openjdk/jdk/blob/ea8d3c92c69c393cdbc6c62398f1e9c6adc708d3/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java#L1394
> (where the `sensitive` flag is used).

I debated about it, my current thought is to reflect the same value returned by underlying PKCS11 library. Otherwise, it may look confusing to users - why C returns false but Java shows it to be true. This consistency comes with a cost of extra maintenance/code to check and special handle vendor-specific behavior like this NSS token key, i.e. queried to be non-sensitive and extractable , but yet errors out if trying to retrieve the key values.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6837

From weijun at openjdk.java.net  Wed Dec 22 19:34:12 2021
From: weijun at openjdk.java.net (Weijun Wang)
Date: Wed, 22 Dec 2021 19:34:12 GMT
Subject: RFR: 8209398: sun/security/pkcs11/KeyStore/SecretKeysBasic.sh
 failed with "PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE"
In-Reply-To: <WvEPUh_cR894VmyOsxKlgXWYTT3xBMRV9tj7cjVWcvY=.5d051301-5155-4c2a-9a34-b7c0ec024085@github.com>
References: <WvEPUh_cR894VmyOsxKlgXWYTT3xBMRV9tj7cjVWcvY=.5d051301-5155-4c2a-9a34-b7c0ec024085@github.com>
Message-ID: <U2AAC0yM6Kd7BPcvQY6yAau0yMSvh_OmNrjIEzBp9pw=.30ad7e61-1014-460f-b57e-e419cc8aee62@github.com>

On Tue, 14 Dec 2021 18:33:47 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

> Can someone help review this small fix? NSS returns PKCS11 CKR_ATTRIBUTE_SENSITIVE error when trying to retrieve CKA_VALUE out of its token keys. So this fix is to add special handling for NSS token secret keys. There is already an existing regression test which detects this and disabled in ProblemList.txt. Removing that test from ProblemList.txt to verify this fix.
> 
> Thanks,
> Valerie

Marked as reviewed by weijun (Reviewer).

-------------

PR: https://git.openjdk.java.net/jdk/pull/6837

From valeriep at openjdk.java.net  Wed Dec 22 19:54:13 2021
From: valeriep at openjdk.java.net (Valerie Peng)
Date: Wed, 22 Dec 2021 19:54:13 GMT
Subject: RFR: 8209398: sun/security/pkcs11/KeyStore/SecretKeysBasic.sh
 failed with "PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE"
In-Reply-To: <WvEPUh_cR894VmyOsxKlgXWYTT3xBMRV9tj7cjVWcvY=.5d051301-5155-4c2a-9a34-b7c0ec024085@github.com>
References: <WvEPUh_cR894VmyOsxKlgXWYTT3xBMRV9tj7cjVWcvY=.5d051301-5155-4c2a-9a34-b7c0ec024085@github.com>
Message-ID: <VW0nzfo0hCMpWT0jay-mtJrQ4RS95mseGKm6wq6QhFY=.177f374e-cc79-4fba-87da-f065a67b0626@github.com>

On Tue, 14 Dec 2021 18:33:47 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

> Can someone help review this small fix? NSS returns PKCS11 CKR_ATTRIBUTE_SENSITIVE error when trying to retrieve CKA_VALUE out of its token keys. So this fix is to add special handling for NSS token secret keys. There is already an existing regression test which detects this and disabled in ProblemList.txt. Removing that test from ProblemList.txt to verify this fix.
> 
> Thanks,
> Valerie

Thanks HaiMay and Weijun for review~~

-------------

PR: https://git.openjdk.java.net/jdk/pull/6837

From valeriep at openjdk.java.net  Wed Dec 22 19:54:13 2021
From: valeriep at openjdk.java.net (Valerie Peng)
Date: Wed, 22 Dec 2021 19:54:13 GMT
Subject: Integrated: 8209398: sun/security/pkcs11/KeyStore/SecretKeysBasic.sh
 failed with "PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE"
In-Reply-To: <WvEPUh_cR894VmyOsxKlgXWYTT3xBMRV9tj7cjVWcvY=.5d051301-5155-4c2a-9a34-b7c0ec024085@github.com>
References: <WvEPUh_cR894VmyOsxKlgXWYTT3xBMRV9tj7cjVWcvY=.5d051301-5155-4c2a-9a34-b7c0ec024085@github.com>
Message-ID: <gsnzlwqAJhvLXfYXBihHtT5x0yEcGBl-C_zv0y_zZ9o=.e56ad729-8d89-4786-86c0-f504d4bef20b@github.com>

On Tue, 14 Dec 2021 18:33:47 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

> Can someone help review this small fix? NSS returns PKCS11 CKR_ATTRIBUTE_SENSITIVE error when trying to retrieve CKA_VALUE out of its token keys. So this fix is to add special handling for NSS token secret keys. There is already an existing regression test which detects this and disabled in ProblemList.txt. Removing that test from ProblemList.txt to verify this fix.
> 
> Thanks,
> Valerie

This pull request has now been integrated.

Changeset: d64820df
Author:    Valerie Peng <valeriep at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/d64820dfefc0bac578df43fe58d2bce8577ec94e
Stats:     9 lines in 2 files changed: 4 ins; 2 del; 3 mod

8209398: sun/security/pkcs11/KeyStore/SecretKeysBasic.sh failed with "PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE"

Reviewed-by: hchao, weijun

-------------

PR: https://git.openjdk.java.net/jdk/pull/6837

From myano at openjdk.java.net  Thu Dec 23 12:07:48 2021
From: myano at openjdk.java.net (Masanori Yano)
Date: Thu, 23 Dec 2021 12:07:48 GMT
Subject: RFR: 8255739: x509Certificate returns =?UTF-8?B?77+9?= for invalid
 subjectAlternativeNames
Message-ID: <asBcdBBAhog87FzLP0wFU1UAxY6MOGVFHPXTpXnq4Jg=.7bd62829-36db-422f-8b3a-a0f53595238d@github.com>

Could you please review the JDK-8255739 bug fix?

I think sun.security.x509.SubjectAlternativeNameExtension() should throw an exception for incorrect SubjectAlternativeNames instead of returning the substituted characters, which is explained in the description of BugDB.

I modified DerValue.readStringInternal() not to read incorrect SubjectAlternativeNames and throw an IOException. sun.security.x509.X509CertInfo.parse() catch the IOExcepton and ignore it if SAN is a non-ciritical extension like the behavior of the IOException in readStringInternal(). So I added a test with -Djava.security.debug=x509 to confirm that.

-------------

Commit messages:
 - 8255739: x509Certificate returns ? for invalid subjectAlternativeNames

Changes: https://git.openjdk.java.net/jdk/pull/6928/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6928&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8255739
  Stats: 159 lines in 2 files changed: 158 ins; 0 del; 1 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6928.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6928/head:pull/6928

PR: https://git.openjdk.java.net/jdk/pull/6928

From shade at openjdk.java.net  Thu Dec 23 13:42:44 2021
From: shade at openjdk.java.net (Aleksey Shipilev)
Date: Thu, 23 Dec 2021 13:42:44 GMT
Subject: [jdk18] RFR: 8279222: Incorrect legacyMap.get in
 java.security.Provider after JDK-8276660
Message-ID: <HoDZ8OeleHhfHFnljC9Y3ZkF3LGE6PcBuAcrDVM2tTc=.1c9d39b0-b6c1-4484-ad9f-d41f3b740ab8@github.com>

SonarCloud reports:
 A "Map<ServiceKey, Service>" cannot contain a "String" in a "ServiceKey" type.


     // clean up old alias if present
     Service prevAliasService = legacyMap.get(aliasAlg);


Should be `aliasKey`, like other accesses to `legacyMap`. This code is introduced by [JDK-8276660](https://bugs.openjdk.java.net/browse/JDK-8276660), so it affects JDK 18.

Additional testing:
 - [x] Linux x86_64 fastdebug `jdk_security`

-------------

Commit messages:
 - Fix

Changes: https://git.openjdk.java.net/jdk18/pull/70/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk18&pr=70&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8279222
  Stats: 1 line in 1 file changed: 0 ins; 0 del; 1 mod
  Patch: https://git.openjdk.java.net/jdk18/pull/70.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk18 pull/70/head:pull/70

PR: https://git.openjdk.java.net/jdk18/pull/70

From alanb at openjdk.java.net  Thu Dec 23 13:46:12 2021
From: alanb at openjdk.java.net (Alan Bateman)
Date: Thu, 23 Dec 2021 13:46:12 GMT
Subject: [jdk18] RFR: 8279222: Incorrect legacyMap.get in
 java.security.Provider after JDK-8276660
In-Reply-To: <HoDZ8OeleHhfHFnljC9Y3ZkF3LGE6PcBuAcrDVM2tTc=.1c9d39b0-b6c1-4484-ad9f-d41f3b740ab8@github.com>
References: <HoDZ8OeleHhfHFnljC9Y3ZkF3LGE6PcBuAcrDVM2tTc=.1c9d39b0-b6c1-4484-ad9f-d41f3b740ab8@github.com>
Message-ID: <DO57qsClAqxzZfO9Jr23kwnxx-LUGw3PqZo266cFbpQ=.2e9d51f3-6d35-4dd0-848c-dd937e37f9f7@github.com>

On Thu, 23 Dec 2021 13:33:26 GMT, Aleksey Shipilev <shade at openjdk.org> wrote:

> SonarCloud reports:
>  A "Map<ServiceKey, Service>" cannot contain a "String" in a "ServiceKey" type.
> 
> 
>      // clean up old alias if present
>      Service prevAliasService = legacyMap.get(aliasAlg);
> 
> 
> Should be `aliasKey`, like other accesses to `legacyMap`. This code is introduced by [JDK-8276660](https://bugs.openjdk.java.net/browse/JDK-8276660), so it affects JDK 18.
> 
> Additional testing:
>  - [x] Linux x86_64 fastdebug `jdk_security`

src/java.base/share/classes/java/security/Provider.java line 1152:

> 1150:                 case ADD:
> 1151:                     // clean up old alias if present
> 1152:                     Service prevAliasService = legacyMap.get(aliasKey);

The change looks okay but I'm surprised this wasn't caught by tests. 
@valeriepeng - would it be feasible to have a test that removes an old alias so that this code is exercised by tests?

-------------

PR: https://git.openjdk.java.net/jdk18/pull/70

From shade at openjdk.java.net  Thu Dec 23 16:31:03 2021
From: shade at openjdk.java.net (Aleksey Shipilev)
Date: Thu, 23 Dec 2021 16:31:03 GMT
Subject: [jdk18] RFR: 8279222: Incorrect legacyMap.get in
 java.security.Provider after JDK-8276660 [v2]
In-Reply-To: <HoDZ8OeleHhfHFnljC9Y3ZkF3LGE6PcBuAcrDVM2tTc=.1c9d39b0-b6c1-4484-ad9f-d41f3b740ab8@github.com>
References: <HoDZ8OeleHhfHFnljC9Y3ZkF3LGE6PcBuAcrDVM2tTc=.1c9d39b0-b6c1-4484-ad9f-d41f3b740ab8@github.com>
Message-ID: <MWFrzL4iR2GIw24fDMJhHrbCu9koCnWrmskTwdrm5pI=.b4bce5d4-f83d-46a3-801b-05936a666c3d@github.com>

> SonarCloud reports:
>  A "Map<ServiceKey, Service>" cannot contain a "String" in a "ServiceKey" type.
> 
> 
>      // clean up old alias if present
>      Service prevAliasService = legacyMap.get(aliasAlg);
> 
> 
> Should be `aliasKey`, like other accesses to `legacyMap`. This code is introduced by [JDK-8276660](https://bugs.openjdk.java.net/browse/JDK-8276660), so it affects JDK 18.
> 
> Additional testing:
>  - [x] Linux x86_64 fastdebug `jdk_security`

Aleksey Shipilev has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains two additional commits since the last revision:

 - Merge branch 'master' into JDK-8279222-jsp-get
 - Fix

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk18/pull/70/files
  - new: https://git.openjdk.java.net/jdk18/pull/70/files/4fccd981..9c6af4bb

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk18&pr=70&range=01
 - incr: https://webrevs.openjdk.java.net/?repo=jdk18&pr=70&range=00-01

  Stats: 625 lines in 42 files changed: 341 ins; 186 del; 98 mod
  Patch: https://git.openjdk.java.net/jdk18/pull/70.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk18 pull/70/head:pull/70

PR: https://git.openjdk.java.net/jdk18/pull/70

From valeriep at openjdk.java.net  Thu Dec 23 18:54:29 2021
From: valeriep at openjdk.java.net (Valerie Peng)
Date: Thu, 23 Dec 2021 18:54:29 GMT
Subject: [jdk18] RFR: 8279222: Incorrect legacyMap.get in
 java.security.Provider after JDK-8276660 [v2]
In-Reply-To: <DO57qsClAqxzZfO9Jr23kwnxx-LUGw3PqZo266cFbpQ=.2e9d51f3-6d35-4dd0-848c-dd937e37f9f7@github.com>
References: <HoDZ8OeleHhfHFnljC9Y3ZkF3LGE6PcBuAcrDVM2tTc=.1c9d39b0-b6c1-4484-ad9f-d41f3b740ab8@github.com>
 <DO57qsClAqxzZfO9Jr23kwnxx-LUGw3PqZo266cFbpQ=.2e9d51f3-6d35-4dd0-848c-dd937e37f9f7@github.com>
Message-ID: <Ioz_Dx-_aELhbjHdqPqhlk8ofkXPiWk1zfy-zkeG57s=.1592014b-7f73-49a6-9b52-72132f0b0cd0@github.com>

On Thu, 23 Dec 2021 13:42:41 GMT, Alan Bateman <alanb at openjdk.org> wrote:

>> Aleksey Shipilev has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains two additional commits since the last revision:
>> 
>>  - Merge branch 'master' into JDK-8279222-jsp-get
>>  - Fix
>
> src/java.base/share/classes/java/security/Provider.java line 1152:
> 
>> 1150:                 case ADD:
>> 1151:                     // clean up old alias if present
>> 1152:                     Service prevAliasService = legacyMap.get(aliasKey);
> 
> The change looks okay but I'm surprised this wasn't caught by tests. 
> @valeriepeng - would it be feasible to have a test that removes an old alias so that this code is exercised by tests?

Hmm, this "ADD" case should be covered by existing regression tests. I will take a look. Thanks.

-------------

PR: https://git.openjdk.java.net/jdk18/pull/70

From valeriep at openjdk.java.net  Thu Dec 23 21:11:12 2021
From: valeriep at openjdk.java.net (Valerie Peng)
Date: Thu, 23 Dec 2021 21:11:12 GMT
Subject: [jdk18] RFR: 8279222: Incorrect legacyMap.get in
 java.security.Provider after JDK-8276660 [v2]
In-Reply-To: <Ioz_Dx-_aELhbjHdqPqhlk8ofkXPiWk1zfy-zkeG57s=.1592014b-7f73-49a6-9b52-72132f0b0cd0@github.com>
References: <HoDZ8OeleHhfHFnljC9Y3ZkF3LGE6PcBuAcrDVM2tTc=.1c9d39b0-b6c1-4484-ad9f-d41f3b740ab8@github.com>
 <DO57qsClAqxzZfO9Jr23kwnxx-LUGw3PqZo266cFbpQ=.2e9d51f3-6d35-4dd0-848c-dd937e37f9f7@github.com>
 <Ioz_Dx-_aELhbjHdqPqhlk8ofkXPiWk1zfy-zkeG57s=.1592014b-7f73-49a6-9b52-72132f0b0cd0@github.com>
Message-ID: <n0aDv18E-vXk34SqgW3rf7HOhpbG81pi5ERLoRcOaWc=.a6f3d68e-152d-4e84-aa88-d5d619a388e5@github.com>

On Thu, 23 Dec 2021 18:51:22 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> src/java.base/share/classes/java/security/Provider.java line 1152:
>> 
>>> 1150:                 case ADD:
>>> 1151:                     // clean up old alias if present
>>> 1152:                     Service prevAliasService = legacyMap.get(aliasKey);
>> 
>> The change looks okay but I'm surprised this wasn't caught by tests. 
>> @valeriepeng - would it be feasible to have a test that removes an old alias so that this code is exercised by tests?
>
> Hmm, this "ADD" case should be covered by existing regression tests. I will take a look. Thanks.

Hmm, existing test does add an alias, the legacyMap.get() would returns null upon 'aliasAlg' (type: String). To test this particular scenario, I enhanced existing regression to re-assign an alias and then check if the returned impl is as expected. Here is the proposed test patch:

> diff --git a/test/jdk/java/security/Provider/CaseSensitiveServices.java b/test/jdk/java/security/Provider/CaseSensitiveServices.java
index 2a6676b4f58..5b0e0f1fb0c 100644
--- a/test/jdk/java/security/Provider/CaseSensitiveServices.java
+++ b/test/jdk/java/security/Provider/CaseSensitiveServices.java
@@ -36,9 +36,12 @@ public class CaseSensitiveServices extends Provider {
         super("Foo", "1.0", null);
         put("MessageDigest.Foo", "com.Foo");
         put("mESSAGEdIGEST.fOO xYz", "aBc");
-        put("ALg.aliaS.MESSAGEdigest.Fu", "FoO");
+        // first assign the DEF alias to algorithm Foo
+        put("ALg.aliaS.MESSAGEdigest.DEF", "FoO");
         put("messageDigest.Bar", "com.Bar");
         put("MESSAGEDIGEST.BAZ", "com.Baz");
+        // reassign the DEF alias to algorithm Bar
+        put("ALg.aliaS.MESSAGEdigest.DEF", "Bar");
     }

     public static void main(String[] args) throws Exception {
@@ -47,12 +50,18 @@ public class CaseSensitiveServices extends Provider {
         if (p.getServices().size() != 3) {
             throw new Exception("services.size() should be 3");
         }
+
         Service s = testService(p, "MessageDigest", "fOO");
         String val = s.getAttribute("Xyz");
         if ("aBc".equals(val) == false) {
             throw new Exception("Wrong value: " + val);
         }
-        testService(p, "MessageDigest", "fU");
+
+        // test Service alias DEF and its associated impl is Bar
+        s = testService(p, "MessageDigest", "DeF");
+        if (s.getAttribute("Xyz") != null) {
+            throw new Exception("DEF mapped to the wrong impl");
+        }
         testService(p, "MessageDigest", "BAR");
         testService(p, "MessageDigest", "baz");
         System.out.println("OK");
@@ -67,5 +76,4 @@ public class CaseSensitiveServices extends Provider {
         }
         return s;
     }
-
 }

-------------

PR: https://git.openjdk.java.net/jdk18/pull/70

From duke at openjdk.java.net  Thu Dec 23 21:27:17 2021
From: duke at openjdk.java.net (Andrey Turbanov)
Date: Thu, 23 Dec 2021 21:27:17 GMT
Subject: RFR: 8274809: Update java.base classes to use try-with-resources
 [v4]
In-Reply-To: <utLSSDhXdbWhBZRhL5Ti1a_GiJaaLQ3H3_0D7hrIVhg=.642bdd9e-ed2a-4a96-a485-20ffad9c6e2b@github.com>
References: <NIhcEALtWMfPW2z9M3VQHhpg1OXK1nHocQ-mWpiuXdw=.ae6caa99-1bfd-44ff-9e94-6dbc1b4947e8@github.com>
 <FZuIidy72Sp0Bj9To9eH5dUGHDyF_kd20Dyqw-fPPAA=.61a14a85-d5ab-4268-97f3-3d6e511e5988@github.com>
 <L9Zz_IBZIJtBFKlbVip42MuYHUSBGp4qYyJbvPSRBH8=.02d0af5e-783c-4090-8af0-25fcc6cc3029@github.com>
 <6HwkNRRJdJHU0_LhA4KHZ0egZ3zd7mDMwARP1EnCdFk=.3f2e8083-6a74-4284-8f74-aae7cc0093ff@github.com>
 <ClH8-9AbObS-iQPzN019S9vCW01-ngDKxSVej6XlTWY=.91a65b9b-85b4-4872-ab6d-92f1a2ca5029@github.com>
 <utLSSDhXdbWhBZRhL5Ti1a_GiJaaLQ3H3_0D7hrIVhg=.642bdd9e-ed2a-4a96-a485-20ffad9c6e2b@github.com>
Message-ID: <bIdj0hL03Lu08ZCS7Umccak7JofZDKcW4vpjVk5N3Fw=.b42cf20b-3691-4cd3-88a0-5f6bbc19d1e3@github.com>

On Fri, 10 Dec 2021 18:18:02 GMT, Andrey Turbanov <duke at openjdk.java.net> wrote:

>> This is legacy code with probably poor testing coverage. Usually we don't print anything on the console directly and unconditionally - except in some well identified cases. Ignoring exceptions thrown by `close` is a common idiom. That said - it does seem that this method is indeed never called - so for the sake of simplification I'd agree to keep this change as proposed.
>> Remind me to sponsor this after the fork.
>
>>Remind me to sponsor this after the fork.
> 
> fork is done :)

Looks like `/sponsor` in comment is not considered as a command by bot

-------------

PR: https://git.openjdk.java.net/jdk/pull/5818

From xliu at openjdk.java.net  Thu Dec 23 21:40:16 2021
From: xliu at openjdk.java.net (Xin Liu)
Date: Thu, 23 Dec 2021 21:40:16 GMT
Subject: RFR: 8279134: Fix Amazon copyright in various files
In-Reply-To: <JcaV2Md2ympuLnRHpecLgQWMYT0JipOgDHapxBMctvA=.c84bd6a1-5bf7-4b35-b668-a2890499bb09@github.com>
References: <JcaV2Md2ympuLnRHpecLgQWMYT0JipOgDHapxBMctvA=.c84bd6a1-5bf7-4b35-b668-a2890499bb09@github.com>
Message-ID: <VMO_WPDzUzxBDvJo0JLH1uOKZbtEpZeuAxEVFKbQezw=.3c2df08e-4e8d-4988-9926-706656e462b6@github.com>

On Wed, 22 Dec 2021 09:07:24 GMT, Sergey Bylokhov <serb at openjdk.org> wrote:

> This bug is similar to https://bugs.openjdk.java.net/browse/JDK-8244094
> 
> Currently, some of the files in the OpenJDK repo have Amazon copyright notices which are all slightly different and do not conform to Amazons preferred copyright notice which is simply (intentionally without copyright year):
> 
> "Copyright Amazon.com Inc. or its affiliates. All Rights Reserved." 
> 
> @simonis @phohensee

LGTM.  I am not a reviewer. Need other reviewers to approve it.

-------------

Marked as reviewed by xliu (Committer).

PR: https://git.openjdk.java.net/jdk/pull/6915

From duke at openjdk.java.net  Thu Dec 23 21:47:53 2021
From: duke at openjdk.java.net (Daniel =?UTF-8?B?SmVsacWEc2tp?=)
Date: Thu, 23 Dec 2021 21:47:53 GMT
Subject: RFR: 8277881 Missing SessionID in TLS1.3 resumption in
 compatibility mode [v2]
In-Reply-To: <OSdmLyXOjDALwV-MtAJCo6-yErvMQwLbjblvbOxCTa4=.29adf113-d39d-4f45-8c08-6310049e7757@github.com>
References: <OSdmLyXOjDALwV-MtAJCo6-yErvMQwLbjblvbOxCTa4=.29adf113-d39d-4f45-8c08-6310049e7757@github.com>
Message-ID: <3x7QCTG3AoZd_SDj-prJE3POK03Cb8KIn88nW93XaRc=.a99bf4e6-a3ea-4f22-80b9-8cca7d4a5721@github.com>

> All TLS 1.3 handshakes in compatibility mode must send a non-empty SessionID field. Currently TLS1.3 session resumptions are sending empty session ID. This patch fixes that problem.
> 
> All jdk_core tests passed. The newly added check passes with the patch, fails without it.

Daniel Jeli?ski has updated the pull request incrementally with one additional commit since the last revision:

  Update copyright year

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/6583/files
  - new: https://git.openjdk.java.net/jdk/pull/6583/files/a01a3070..f62fb604

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6583&range=01
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6583&range=00-01

  Stats: 1 line in 1 file changed: 0 ins; 0 del; 1 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6583.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6583/head:pull/6583

PR: https://git.openjdk.java.net/jdk/pull/6583

From duke at openjdk.java.net  Thu Dec 23 21:54:16 2021
From: duke at openjdk.java.net (Daniel =?UTF-8?B?SmVsacWEc2tp?=)
Date: Thu, 23 Dec 2021 21:54:16 GMT
Subject: RFR: 8277881 Missing SessionID in TLS1.3 resumption in
 compatibility mode [v2]
In-Reply-To: <v5OlJWcrhq-y_0BDB9512q45-Mid_lMKrJ9wal6p5bs=.805e9264-286d-4ec4-a146-4edbb97cff48@github.com>
References: <OSdmLyXOjDALwV-MtAJCo6-yErvMQwLbjblvbOxCTa4=.29adf113-d39d-4f45-8c08-6310049e7757@github.com>
 <v5OlJWcrhq-y_0BDB9512q45-Mid_lMKrJ9wal6p5bs=.805e9264-286d-4ec4-a146-4edbb97cff48@github.com>
Message-ID: <j2db0MWyGU-O9ssAcq7fdUt0VKU7WPHmNYxcVbsUm3A=.5a8d3fbb-00ab-4298-aa85-a0816f39f9ec@github.com>

On Tue, 21 Dec 2021 21:25:53 GMT, Anthony Scarpino <ascarpino at openjdk.org> wrote:

>> Daniel Jeli?ski has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   Update copyright year
>
> Please add " 2021," to the copyright of ResumeTLS13withSNI.java.
> I have run all the tests and they pass.
> 
> Have you run this fix on your customer's setup or similar setup to confirm this fixed their problem?

Thanks @ascarpino for reviewing. Copyright year updated.

Yes I confirmed that the updated version fixes the problem.

Interestingly, aside from the empty SessionID there were no other differences between the initial and resumption ClientHello messages, i.e. pre_shared_key extension was absent in both. I suppose the server didn't send any NewSessionTicket, but didn't investigate it further.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6583

From ascarpino at openjdk.java.net  Thu Dec 23 22:36:12 2021
From: ascarpino at openjdk.java.net (Anthony Scarpino)
Date: Thu, 23 Dec 2021 22:36:12 GMT
Subject: RFR: 8277881 Missing SessionID in TLS1.3 resumption in
 compatibility mode [v2]
In-Reply-To: <3x7QCTG3AoZd_SDj-prJE3POK03Cb8KIn88nW93XaRc=.a99bf4e6-a3ea-4f22-80b9-8cca7d4a5721@github.com>
References: <OSdmLyXOjDALwV-MtAJCo6-yErvMQwLbjblvbOxCTa4=.29adf113-d39d-4f45-8c08-6310049e7757@github.com>
 <3x7QCTG3AoZd_SDj-prJE3POK03Cb8KIn88nW93XaRc=.a99bf4e6-a3ea-4f22-80b9-8cca7d4a5721@github.com>
Message-ID: <IhuMwVJJssGVpDhv8d0hWNrpmXI_pjInB2-q1PzQWaY=.b2bce8c2-cee6-415e-bd56-a8892ea0ae63@github.com>

On Thu, 23 Dec 2021 21:47:53 GMT, Daniel Jeli?ski <duke at openjdk.java.net> wrote:

>> All TLS 1.3 handshakes in compatibility mode must send a non-empty SessionID field. Currently TLS1.3 session resumptions are sending empty session ID. This patch fixes that problem.
>> 
>> All jdk_core tests passed. The newly added check passes with the patch, fails without it.
>
> Daniel Jeli?ski has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Update copyright year

Approved

-------------

Marked as reviewed by ascarpino (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/6583

From phh at openjdk.java.net  Thu Dec 23 22:47:11 2021
From: phh at openjdk.java.net (Paul Hohensee)
Date: Thu, 23 Dec 2021 22:47:11 GMT
Subject: RFR: 8279134: Fix Amazon copyright in various files
In-Reply-To: <JcaV2Md2ympuLnRHpecLgQWMYT0JipOgDHapxBMctvA=.c84bd6a1-5bf7-4b35-b668-a2890499bb09@github.com>
References: <JcaV2Md2ympuLnRHpecLgQWMYT0JipOgDHapxBMctvA=.c84bd6a1-5bf7-4b35-b668-a2890499bb09@github.com>
Message-ID: <7ozNgn5YKtgY8XsZYqexriYLPTVz-yZJJcEs2cxSfuQ=.d731d200-f8ef-4999-9e14-f6be115bdf14@github.com>

On Wed, 22 Dec 2021 09:07:24 GMT, Sergey Bylokhov <serb at openjdk.org> wrote:

> This bug is similar to https://bugs.openjdk.java.net/browse/JDK-8244094
> 
> Currently, some of the files in the OpenJDK repo have Amazon copyright notices which are all slightly different and do not conform to Amazons preferred copyright notice which is simply (intentionally without copyright year):
> 
> "Copyright Amazon.com Inc. or its affiliates. All Rights Reserved." 
> 
> @simonis @phohensee

Lgtm.

-------------

Marked as reviewed by phh (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/6915

From duke at openjdk.java.net  Fri Dec 24 00:05:18 2021
From: duke at openjdk.java.net (Daniel =?UTF-8?B?SmVsacWEc2tp?=)
Date: Fri, 24 Dec 2021 00:05:18 GMT
Subject: Integrated: 8277881 Missing SessionID in TLS1.3 resumption in
 compatibility mode
In-Reply-To: <OSdmLyXOjDALwV-MtAJCo6-yErvMQwLbjblvbOxCTa4=.29adf113-d39d-4f45-8c08-6310049e7757@github.com>
References: <OSdmLyXOjDALwV-MtAJCo6-yErvMQwLbjblvbOxCTa4=.29adf113-d39d-4f45-8c08-6310049e7757@github.com>
Message-ID: <2WTPdU3DVle2MZpOBYgjFVHLRBoZSBGW2JZReV20Fyg=.540c64fc-c82a-4e0a-85ce-a41848d1cbd5@github.com>

On Mon, 29 Nov 2021 08:42:22 GMT, Daniel Jeli?ski <duke at openjdk.java.net> wrote:

> All TLS 1.3 handshakes in compatibility mode must send a non-empty SessionID field. Currently TLS1.3 session resumptions are sending empty session ID. This patch fixes that problem.
> 
> All jdk_core tests passed. The newly added check passes with the patch, fails without it.

This pull request has now been integrated.

Changeset: 9d99a377
Author:    Daniel Jelinski <djelinski1 at gmail.com>
Committer: Anthony Scarpino <ascarpino at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/9d99a377bfb6ffa890db049aee575e97914fc2a1
Stats:     15 lines in 3 files changed: 4 ins; 1 del; 10 mod

8277881: Missing SessionID in TLS1.3 resumption in compatibility mode

Reviewed-by: ascarpino

-------------

PR: https://git.openjdk.java.net/jdk/pull/6583

From serb at openjdk.java.net  Fri Dec 24 00:50:57 2021
From: serb at openjdk.java.net (Sergey Bylokhov)
Date: Fri, 24 Dec 2021 00:50:57 GMT
Subject: RFR: 8279134: Fix Amazon copyright in various files [v2]
In-Reply-To: <JcaV2Md2ympuLnRHpecLgQWMYT0JipOgDHapxBMctvA=.c84bd6a1-5bf7-4b35-b668-a2890499bb09@github.com>
References: <JcaV2Md2ympuLnRHpecLgQWMYT0JipOgDHapxBMctvA=.c84bd6a1-5bf7-4b35-b668-a2890499bb09@github.com>
Message-ID: <4TylKnNJehPUtdh9y0wh4Cgq93jq4y4mEQfHEKBJdmA=.907bb3ab-9b11-40da-8957-dfef5f3e21e4@github.com>

> This bug is similar to https://bugs.openjdk.java.net/browse/JDK-8244094
> 
> Currently, some of the files in the OpenJDK repo have Amazon copyright notices which are all slightly different and do not conform to Amazons preferred copyright notice which is simply (intentionally without copyright year):
> 
> "Copyright Amazon.com Inc. or its affiliates. All Rights Reserved." 
> 
> @simonis @phohensee

Sergey Bylokhov has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains two additional commits since the last revision:

 - Merge branch 'master' into JDK-8279134
 - Initial fix JDK-8279134

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/6915/files
  - new: https://git.openjdk.java.net/jdk/pull/6915/files/cb05f5bb..52c5d9c3

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6915&range=01
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6915&range=00-01

  Stats: 619 lines in 42 files changed: 446 ins; 100 del; 73 mod
  Patch: https://git.openjdk.java.net/jdk/pull/6915.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/6915/head:pull/6915

PR: https://git.openjdk.java.net/jdk/pull/6915

From shade at openjdk.java.net  Fri Dec 24 11:50:25 2021
From: shade at openjdk.java.net (Aleksey Shipilev)
Date: Fri, 24 Dec 2021 11:50:25 GMT
Subject: [jdk18] RFR: 8279222: Incorrect legacyMap.get in
 java.security.Provider after JDK-8276660 [v2]
In-Reply-To: <n0aDv18E-vXk34SqgW3rf7HOhpbG81pi5ERLoRcOaWc=.a6f3d68e-152d-4e84-aa88-d5d619a388e5@github.com>
References: <HoDZ8OeleHhfHFnljC9Y3ZkF3LGE6PcBuAcrDVM2tTc=.1c9d39b0-b6c1-4484-ad9f-d41f3b740ab8@github.com>
 <DO57qsClAqxzZfO9Jr23kwnxx-LUGw3PqZo266cFbpQ=.2e9d51f3-6d35-4dd0-848c-dd937e37f9f7@github.com>
 <Ioz_Dx-_aELhbjHdqPqhlk8ofkXPiWk1zfy-zkeG57s=.1592014b-7f73-49a6-9b52-72132f0b0cd0@github.com>
 <n0aDv18E-vXk34SqgW3rf7HOhpbG81pi5ERLoRcOaWc=.a6f3d68e-152d-4e84-aa88-d5d619a388e5@github.com>
Message-ID: <BZwiilgkFnaxIHp32_-IDiapzDYDeSeolnKYbJIEyjc=.9552a390-e080-49da-8f72-65bfbafbc4c5@github.com>

On Thu, 23 Dec 2021 21:06:51 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> Hmm, this "ADD" case should be covered by existing regression tests. I will take a look. Thanks.
>
> Hmm, existing test does add an alias, the legacyMap.get() would returns null upon 'aliasAlg' (type: String). To test this particular scenario, I enhanced existing regression test to re-assign an alias and then check if the returned impl is as expected. The proposed test patch is attached. If we are including this test patch into this PR, then good to add the bug id to the test too.
> [patch.txt](https://github.com/openjdk/jdk18/files/7771389/patch.txt)

Thanks, @valeriepeng! Do you see the current JDK 18 failing with that test addition? Because this still passes for me without the fix from this PR: `CONF=linux-x86_64-server-fastdebug make run-test TEST=java/security/Provider/CaseSensitiveServices.java`

-------------

PR: https://git.openjdk.java.net/jdk18/pull/70

From smarks at openjdk.java.net  Fri Dec 24 20:17:22 2021
From: smarks at openjdk.java.net (Stuart Marks)
Date: Fri, 24 Dec 2021 20:17:22 GMT
Subject: RFR: 8272317: jstatd has dependency on Security Manager which
 needs to be removed
In-Reply-To: <3cQSjb-g6SOf8drmfEzfycclauKcJgOYvYS9PM7XdnU=.dff055e4-7e61-46b1-bc20-b58eb45fe834@github.com>
References: <aA0YN4W1HA8HZu6CLMp7igVfwid4bYSVYAMPrxe5BUM=.87232d4e-2f84-4b1c-8adf-334644048f94@github.com>
 <3Z6pFX6xVhKhEjki2Hoyniz26-vYZNd4IfN7-xkzduc=.1ff636ec-749c-4ed7-8a9b-db206d4191e1@github.com>
 <3cQSjb-g6SOf8drmfEzfycclauKcJgOYvYS9PM7XdnU=.dff055e4-7e61-46b1-bc20-b58eb45fe834@github.com>
Message-ID: <rIE4uAJAWczo3mITLGaInmXg1bDl5IMC2m_RBV8PqPA=.6f20cfed-97b3-4aa4-8fac-00493143d460@github.com>

On Wed, 22 Dec 2021 22:01:00 GMT, Kevin Walls <kevinw at openjdk.org> wrote:

>> src/jdk.jstatd/share/classes/sun/tools/jstatd/Jstatd.java line 51:
>> 
>>> 49:     private static RemoteHost remoteHost;
>>> 50: 
>>> 51:     private static final String rmiFilterPattern = "sun.jvmstat.monitor.remote.RemoteVm;com.sun.proxy.jdk.proxy1.$Proxy1;com.sun.proxy.jdk.proxy1.$Proxy2;java.lang.reflect.Proxy;java.rmi.server.RemoteObjectInvocationHandler;java.rmi.server.RemoteObject;!*";
>> 
>> The class name of the dynamic proxy is generated at runtime and can be different.   As Bernd commented, the proxy classes cannot/should not be listed in the filter pattern.
>
> OK thanks - I was trying the minimal pattern to overcome rejections such as the following, captured in logs on different runs:
> 
> <message>ObjectInputFilter REJECTED: class com.sun.proxy.jdk.proxy1.$Proxy1, array length: -1, nRefs: 2, depth: 1, bytes: 84, ex: n/a</message>
> 
> <message>ObjectInputFilter REJECTED: class com.sun.proxy.jdk.proxy1.$Proxy2, array length: -1, nRefs: 2, depth: 1, bytes: 84, ex: n/a</message>

I think the proxy classes need to be there. The `RemoteHost` API has a parameter of type `RemoteVm` which is a stub to an RMI remote object, which consists of a proxy and a handler. The proxy's interface list is filtered by the serialization filter so somebody can't just pass a proxy for anything.

The name of the proxy class probably does need to be wildcarded though.

-------------

PR: https://git.openjdk.java.net/jdk/pull/6919

From duke at openjdk.java.net  Sun Dec 26 20:10:10 2021
From: duke at openjdk.java.net (=?UTF-8?B?0KHQtdGA0LPQtdC5?= =?UTF-8?B?IA==?= =?UTF-8?B?0KbRi9C/0LDQvdC+0LI=?=)
Date: Sun, 26 Dec 2021 20:10:10 GMT
Subject: RFR: 8274811: Remove superfluous use of boxing in java.base
In-Reply-To: <KzR5MeAXRP5JToOBbUvQnySh-BuzdHU8e_E3futzSrA=.bff2bc38-cecf-42a2-92b7-538fadbed808@github.com>
References: <KzR5MeAXRP5JToOBbUvQnySh-BuzdHU8e_E3futzSrA=.bff2bc38-cecf-42a2-92b7-538fadbed808@github.com>
Message-ID: <EcDyByb6rKUGoedo9lICM7Arz2xXv4ybJYlBxbfM4us=.f13f742a-2ed1-4eaf-a0ef-aa51e0157538@github.com>

On Sat, 11 Sep 2021 12:11:50 GMT, Andrey Turbanov <duke at openjdk.java.net> wrote:

> Usages of primitive types should be preferred and makes code easier to read.
> Similar cleanups:
> 1. [JDK-8273168](https://bugs.openjdk.java.net/browse/JDK-8273168) java.desktop
> 2. [JDK-8274234](https://bugs.openjdk.java.net/browse/JDK-8274234) java.sql.rowset

Marked as reviewed by stsypanov at github.com (no known OpenJDK username).

-------------

PR: https://git.openjdk.java.net/jdk/pull/5481

From serb at openjdk.java.net  Sun Dec 26 22:14:15 2021
From: serb at openjdk.java.net (Sergey Bylokhov)
Date: Sun, 26 Dec 2021 22:14:15 GMT
Subject: Integrated: 8279134: Fix Amazon copyright in various files
In-Reply-To: <JcaV2Md2ympuLnRHpecLgQWMYT0JipOgDHapxBMctvA=.c84bd6a1-5bf7-4b35-b668-a2890499bb09@github.com>
References: <JcaV2Md2ympuLnRHpecLgQWMYT0JipOgDHapxBMctvA=.c84bd6a1-5bf7-4b35-b668-a2890499bb09@github.com>
Message-ID: <Yqh6Q3To6ZJ0yiD-eoUPnKD4Vn23Gy8ivvp66wdiNdM=.17ed9926-2a4f-46e9-91a1-4d40856a10a2@github.com>

On Wed, 22 Dec 2021 09:07:24 GMT, Sergey Bylokhov <serb at openjdk.org> wrote:

> This bug is similar to https://bugs.openjdk.java.net/browse/JDK-8244094
> 
> Currently, some of the files in the OpenJDK repo have Amazon copyright notices which are all slightly different and do not conform to Amazons preferred copyright notice which is simply (intentionally without copyright year):
> 
> "Copyright Amazon.com Inc. or its affiliates. All Rights Reserved." 
> 
> @simonis @phohensee

This pull request has now been integrated.

Changeset: 7fea1032
Author:    Sergey Bylokhov <serb at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/7fea10327ed27fcf8eae474ca5b15c3b4bafff2a
Stats:     15 lines in 14 files changed: 0 ins; 1 del; 14 mod

8279134: Fix Amazon copyright in various files

Reviewed-by: xliu, phh

-------------

PR: https://git.openjdk.java.net/jdk/pull/6915

From lancea at openjdk.java.net  Mon Dec 27 18:12:12 2021
From: lancea at openjdk.java.net (Lance Andersen)
Date: Mon, 27 Dec 2021 18:12:12 GMT
Subject: RFR: 8274811: Remove superfluous use of boxing in java.base
In-Reply-To: <KzR5MeAXRP5JToOBbUvQnySh-BuzdHU8e_E3futzSrA=.bff2bc38-cecf-42a2-92b7-538fadbed808@github.com>
References: <KzR5MeAXRP5JToOBbUvQnySh-BuzdHU8e_E3futzSrA=.bff2bc38-cecf-42a2-92b7-538fadbed808@github.com>
Message-ID: <y-T2j9Cuoi5S6qUihx-FbhhIkPZ6e9HIbt8i3NnnvVs=.09771803-cd05-46a2-ac63-19f710127792@github.com>

On Sat, 11 Sep 2021 12:11:50 GMT, Andrey Turbanov <duke at openjdk.java.net> wrote:

> Usages of primitive types should be preferred and makes code easier to read.
> Similar cleanups:
> 1. [JDK-8273168](https://bugs.openjdk.java.net/browse/JDK-8273168) java.desktop
> 2. [JDK-8274234](https://bugs.openjdk.java.net/browse/JDK-8274234) java.sql.rowset

Marked as reviewed by lancea (Reviewer).

-------------

PR: https://git.openjdk.java.net/jdk/pull/5481

From duke at openjdk.java.net  Mon Dec 27 20:07:10 2021
From: duke at openjdk.java.net (=?UTF-8?B?0KHQtdGA0LPQtdC5?= =?UTF-8?B?IA==?= =?UTF-8?B?0KbRi9C/0LDQvdC+0LI=?=)
Date: Mon, 27 Dec 2021 20:07:10 GMT
Subject: RFR: 8274811: Remove superfluous use of boxing in java.base
In-Reply-To: <v9rzeOBEguCXoOFqzMfHzK7Tksg9bq0Il6f-2h6gQDk=.f42c7ec5-f09b-4d14-afdb-5f56f222208b@github.com>
References: <KzR5MeAXRP5JToOBbUvQnySh-BuzdHU8e_E3futzSrA=.bff2bc38-cecf-42a2-92b7-538fadbed808@github.com>
 <v9rzeOBEguCXoOFqzMfHzK7Tksg9bq0Il6f-2h6gQDk=.f42c7ec5-f09b-4d14-afdb-5f56f222208b@github.com>
Message-ID: <8IjGbdX2WK-ehSvj8t2tOXFwizmWpqX_iXIvErThatQ=.e201c353-ed8a-4789-9c8e-3d6b37097b42@github.com>

On Sat, 27 Nov 2021 17:41:58 GMT, Andrey Turbanov <duke at openjdk.java.net> wrote:

>> Usages of primitive types should be preferred and makes code easier to read.
>> Similar cleanups:
>> 1. [JDK-8273168](https://bugs.openjdk.java.net/browse/JDK-8273168) java.desktop
>> 2. [JDK-8274234](https://bugs.openjdk.java.net/browse/JDK-8274234) java.sql.rowset
>
> let's wait for review a bit more

@turbanoff I think now you can integrate the PR

-------------

PR: https://git.openjdk.java.net/jdk/pull/5481

From duke at openjdk.java.net  Fri Dec 31 10:42:16 2021
From: duke at openjdk.java.net (duke)
Date: Fri, 31 Dec 2021 10:42:16 GMT
Subject: Withdrawn: 8273977: Reduce unnecessary BadPaddingExceptions in
 RSAPadding
In-Reply-To: <9cF2-qWd03Rzdud6517knyJWGhxxSuv1VwZgvFY43L8=.02b4a0d2-59be-46ab-a857-13271679097e@github.com>
References: <9cF2-qWd03Rzdud6517knyJWGhxxSuv1VwZgvFY43L8=.02b4a0d2-59be-46ab-a857-13271679097e@github.com>
Message-ID: <riiJqz28DNkyNz7s0KuA7JrzlEwrBYC7U5mmRwJE0X8=.9442bdd4-3dd5-4a23-bbc0-b387727d2e1a@github.com>

On Mon, 20 Sep 2021 08:38:18 GMT, Lari Hotari <duke at openjdk.java.net> wrote:

> ### Motivation
> 
> When profiling an application that uses JWT token authentication, it was noticed that a high number of `javax.crypto.BadPaddingException`s were created. When investigating the code in RSAPadding, one can see that BadPaddingException is created in all cases, also on the success path:
> https://github.com/openjdk/jdk/blob/dc7f452acbe3afa5aa6e31d316bd5e669c86d6f6/src/java.base/share/classes/sun/security/rsa/RSAPadding.java#L369-L375
> 
> ### Modifications
> 
> Inline the unnecessary local variable to prevent creating the exception on the success path.

This pull request has been closed without being integrated.

-------------

PR: https://git.openjdk.java.net/jdk/pull/5581