Re: RFR 8250582: Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets
Looks fine to me. Thanks for the quick fix. —Max > 在 2020年7月25日,12:36,Martin Balao 写道: > > Hello Max, > > I'd like to propose a patch for "8250582: Revert Principal Name type to > NT-UNKNOWN when requesting TGS Kerberos tickets" [1]. > > Webrev.00: > > * http://cr.openjdk.java.net/~mbalao/webrevs/8250582/8250582.webrev.00/ > > This change is trivial and we are reverting to a previous (and known > state). I've run tests under sun/security/krb5 and did not find any > regression (125 passed). I've also run my internal Kerberos-referrals > test -based on a real Active Directory environment- and worked fine. > > Thanks, > Martin.- > > -- > [1] - https://bugs.openjdk.java.net/browse/JDK-8250582 >
RFR 8250582: Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets
Hello Max, I'd like to propose a patch for "8250582: Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets" [1]. Webrev.00: * http://cr.openjdk.java.net/~mbalao/webrevs/8250582/8250582.webrev.00/ This change is trivial and we are reverting to a previous (and known state). I've run tests under sun/security/krb5 and did not find any regression (125 passed). I've also run my internal Kerberos-referrals test -based on a real Active Directory environment- and worked fine. Thanks, Martin.- -- [1] - https://bugs.openjdk.java.net/browse/JDK-8250582
Re: RFR 8247960: jarsigner says "signer errors" for some normal warnings when -strict is set
> On Jul 24, 2020, at 6:54 AM, Weijun Wang wrote: > > I'd suggest changing > > +result = isSigning ? rb.getString("jar.signed.") : > rb.getString("jar.verified."); > +if ((strict) && (!errors.isEmpty())) { > +result = isSigning ? > rb.getString("jar.signed.with.signer.errors.") > + : rb.getString("jar.verified.with.signer.errors."); > +} > > to > > +if ((strict) && (!errors.isEmpty())) { > +result = isSigning ? > rb.getString("jar.signed.with.signer.errors.") > + : rb.getString("jar.verified.with.signer.errors."); > +} else { > +result = isSigning ? rb.getString("jar.signed.") : > rb.getString("jar.verified."); > +} > Webrev updated as suggested. > Everything else looks fine. > > Also, I remember you meant to fix 2 bugs with a single changeset. What should > the full commit message be? Fix in a single changeset, so use this bug as the commit message please. Thanks, Hai-May > > Thanks, > Max > >> On Jul 24, 2020, at 4:25 PM, Hai-May Chao wrote: >> >> >> >>> On Jul 15, 2020, at 12:16 AM, Weijun Wang wrote: >>> >>> The following lines are useless now: >>> >> >> Ok, this is a separate problem from the original bug to be addressed. >> Cleanup/refactoring of the checking on flags is also included in this >> changeset. >> >>> 1053 if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType >>> || >>> 1054 notYetValidCert || chainNotValidated || hasExpiredCert >>> || >>> 1055 hasUnsignedEntry || signerSelfSigned || (legacyAlg != >>> 0) || >>> 1056 (disabledAlg != 0) || aliasNotInStore || >>> notSignedByAlias || >>> 1057 tsaChainNotValidated || >>> 1058 (hasExpiredTsaCert && !signerNotExpired)) { >>> >>> 1198 } >>> >>> 1205 if (hasExpiringCert || >>> 1206 (hasExpiringTsaCert && expireDate != null) || >>> 1207 (noTimestamp && expireDate != null) || >>> 1208 (hasExpiredTsaCert && signerNotExpired)) { >>> >>> 1245 } >>> >>> I would even suggest you remove the "result" variable and move the >>> "System.out.println(result)" line into branches of the if-else block on >>> lines 1254-1272. >> >> Current change has the checking for sign and verify. Keep it as-is that you >> agreed. >> >> https://cr.openjdk.java.net/~hchao/8247960/webrev.01/ >> >> Thanks, >> Hai-May >> >> >>> >>> No other comments. >>> >>> Thanks, >>> Max >>> >>> >>> On Jul 15, 2020, at 4:09 AM, Hai-May Chao wrote: Hi, I’d like to request a review for: JBS: https://bugs.openjdk.java.net/browse/JDK-8247960 Webrev: https://cr.openjdk.java.net/~hchao/8247960/webrev.00/ Jarsigner is changed to emit “with signer errors” only when there are errors detected during sign and verify with -strict specified. Thanks, Hai-May >
Re: JDK 16 RFR of JDK-8250246: Address reliance on default constructors in security libs
On 7/24/2020 10:32 AM, Sean Mullan wrote: On 7/24/20 1:18 PM, Joe Darcy wrote: - src/jdk.security.jgss/share/classes/com/sun/security/jgss/GSSUtil.java 37 /** 38 * Do not call. 39 */ 40 @Deprecated(since="16", forRemoval=true) 41 public GSSUtil() {} Is your concern that there may be some code out there that might be erroneously using the default constructor so you want to give some warning first before making this a private ctor after it is removed? (I think I agree, but I want to make sure I understand your thinking). That is my concern here, yes. We've had a number of other cases in the JDK where the default constructor appeared in an static-only class as an attractive nuisance. Before static imports, subclassing such a class was a way to get its names in the namespace of the subclass, but that is an anti-pattern that should not be encouraged. Ok, sounds good. src/jdk.security.auth/share/classes/com/sun/security/auth/module/NTLoginModule.java 87 * Creates a {@code NTLoginModule}. s/a/an/ Hmm. If the this is pronounced as "N T Login Module", "N" would be a consonant sound so should be prefixed by the indefinite article "a", no? This might be a question for one of the grammar experts amongst us. But isn't "N" a vowel sound: "en"? I suppose looked at that way it is :-) I'll make the adjustments, copyrights, etc. and push this later today. Thanks, -Joe
Re: JDK 16 RFR of JDK-8250246: Address reliance on default constructors in security libs
On 7/24/20 1:18 PM, Joe Darcy wrote: - src/jdk.security.jgss/share/classes/com/sun/security/jgss/GSSUtil.java 37 /** 38 * Do not call. 39 */ 40 @Deprecated(since="16", forRemoval=true) 41 public GSSUtil() {} Is your concern that there may be some code out there that might be erroneously using the default constructor so you want to give some warning first before making this a private ctor after it is removed? (I think I agree, but I want to make sure I understand your thinking). That is my concern here, yes. We've had a number of other cases in the JDK where the default constructor appeared in an static-only class as an attractive nuisance. Before static imports, subclassing such a class was a way to get its names in the namespace of the subclass, but that is an anti-pattern that should not be encouraged. Ok, sounds good. src/jdk.security.auth/share/classes/com/sun/security/auth/module/NTLoginModule.java 87 * Creates a {@code NTLoginModule}. s/a/an/ Hmm. If the this is pronounced as "N T Login Module", "N" would be a consonant sound so should be prefixed by the indefinite article "a", no? This might be a question for one of the grammar experts amongst us. But isn't "N" a vowel sound: "en"? --Sean src/jdk.security.auth/share/classes/com/sun/security/auth/module/LdapLoginModule.java 359 * Creates a {@code LdapLoginModule}. s/a/an/ Okay. Thanks, -Joe
Re: JDK 16 RFR of JDK-8250246: Address reliance on default constructors in security libs
Hi Sean, On 7/24/2020 4:52 AM, Sean Mullan wrote: Hi Joe, On 7/24/20 1:17 AM, Joe Darcy wrote: Hello, Please review a set of changes to add explicit constructors to replace default (implicit) constructors in various classes in security libs across several modules: JDK-8250246: Address reliance on default constructors in security libs http://cr.openjdk.java.net/~darcy/8250246.0/ CSR: https://bugs.openjdk.java.net/browse/JDK-8250248 (This is a companion to similar changes being made across other libraries in preparation for creating a new javac lint warning.) One of the classes seems to only accidentally have a constructor, so I added that one as terminally deprecated. You have not updated the copyright dates; not sure if that is necessary for this type of change. Right; I run a script that handles the copyright updates before a push -- less clutter in a review like this where the per-file changes is small and reduces the possibility of spurious merge conflicts for the copyright line during the review period. - src/jdk.security.jgss/share/classes/com/sun/security/jgss/GSSUtil.java 37 /** 38 * Do not call. 39 */ 40 @Deprecated(since="16", forRemoval=true) 41 public GSSUtil() {} Is your concern that there may be some code out there that might be erroneously using the default constructor so you want to give some warning first before making this a private ctor after it is removed? (I think I agree, but I want to make sure I understand your thinking). That is my concern here, yes. We've had a number of other cases in the JDK where the default constructor appeared in an static-only class as an attractive nuisance. Before static imports, subclassing such a class was a way to get its names in the namespace of the subclass, but that is an anti-pattern that should not be encouraged. - src/jdk.security.auth/share/classes/com/sun/security/auth/module/NTLoginModule.java 87 * Creates a {@code NTLoginModule}. s/a/an/ Hmm. If the this is pronounced as "N T Login Module", "N" would be a consonant sound so should be prefixed by the indefinite article "a", no? - src/jdk.security.auth/share/classes/com/sun/security/auth/module/LdapLoginModule.java 359 * Creates a {@code LdapLoginModule}. s/a/an/ Okay. Thanks, -Joe
Re: RFR 8247960: jarsigner says "signer errors" for some normal warnings when -strict is set
I'd suggest changing +result = isSigning ? rb.getString("jar.signed.") : rb.getString("jar.verified."); +if ((strict) && (!errors.isEmpty())) { +result = isSigning ? rb.getString("jar.signed.with.signer.errors.") + : rb.getString("jar.verified.with.signer.errors."); +} to +if ((strict) && (!errors.isEmpty())) { +result = isSigning ? rb.getString("jar.signed.with.signer.errors.") + : rb.getString("jar.verified.with.signer.errors."); +} else { +result = isSigning ? rb.getString("jar.signed.") : rb.getString("jar.verified."); +} Everything else looks fine. Also, I remember you meant to fix 2 bugs with a single changeset. What should the full commit message be? Thanks, Max > On Jul 24, 2020, at 4:25 PM, Hai-May Chao wrote: > > > >> On Jul 15, 2020, at 12:16 AM, Weijun Wang wrote: >> >> The following lines are useless now: >> > > Ok, this is a separate problem from the original bug to be addressed. > Cleanup/refactoring of the checking on flags is also included in this > changeset. > >> 1053 if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType || >> 1054 notYetValidCert || chainNotValidated || hasExpiredCert >> || >> 1055 hasUnsignedEntry || signerSelfSigned || (legacyAlg != >> 0) || >> 1056 (disabledAlg != 0) || aliasNotInStore || >> notSignedByAlias || >> 1057 tsaChainNotValidated || >> 1058 (hasExpiredTsaCert && !signerNotExpired)) { >> >> 1198 } >> >> 1205 if (hasExpiringCert || >> 1206 (hasExpiringTsaCert && expireDate != null) || >> 1207 (noTimestamp && expireDate != null) || >> 1208 (hasExpiredTsaCert && signerNotExpired)) { >> >> 1245 } >> >> I would even suggest you remove the "result" variable and move the >> "System.out.println(result)" line into branches of the if-else block on >> lines 1254-1272. > > Current change has the checking for sign and verify. Keep it as-is that you > agreed. > > https://cr.openjdk.java.net/~hchao/8247960/webrev.01/ > > Thanks, > Hai-May > > >> >> No other comments. >> >> Thanks, >> Max >> >> >> >>> On Jul 15, 2020, at 4:09 AM, Hai-May Chao wrote: >>> >>> Hi, >>> >>> I’d like to request a review for: >>> >>> JBS: https://bugs.openjdk.java.net/browse/JDK-8247960 >>> Webrev: https://cr.openjdk.java.net/~hchao/8247960/webrev.00/ >>> >>> Jarsigner is changed to emit “with signer errors” only when there are >>> errors detected during sign and verify with -strict specified. >>> >>> Thanks, >>> Hai-May
Re: JDK 16 RFR of JDK-8250246: Address reliance on default constructors in security libs
Hi Joe, On 7/24/20 1:17 AM, Joe Darcy wrote: Hello, Please review a set of changes to add explicit constructors to replace default (implicit) constructors in various classes in security libs across several modules: JDK-8250246: Address reliance on default constructors in security libs http://cr.openjdk.java.net/~darcy/8250246.0/ CSR: https://bugs.openjdk.java.net/browse/JDK-8250248 (This is a companion to similar changes being made across other libraries in preparation for creating a new javac lint warning.) One of the classes seems to only accidentally have a constructor, so I added that one as terminally deprecated. You have not updated the copyright dates; not sure if that is necessary for this type of change. - src/jdk.security.jgss/share/classes/com/sun/security/jgss/GSSUtil.java 37 /** 38 * Do not call. 39 */ 40 @Deprecated(since="16", forRemoval=true) 41 public GSSUtil() {} Is your concern that there may be some code out there that might be erroneously using the default constructor so you want to give some warning first before making this a private ctor after it is removed? (I think I agree, but I want to make sure I understand your thinking). - src/jdk.security.auth/share/classes/com/sun/security/auth/module/NTLoginModule.java 87 * Creates a {@code NTLoginModule}. s/a/an/ - src/jdk.security.auth/share/classes/com/sun/security/auth/module/LdapLoginModule.java 359 * Creates a {@code LdapLoginModule}. s/a/an/ --Sean
Re: RFR 8247960: jarsigner says "signer errors" for some normal warnings when -strict is set
> On Jul 15, 2020, at 12:16 AM, Weijun Wang wrote: > > The following lines are useless now: > Ok, this is a separate problem from the original bug to be addressed. Cleanup/refactoring of the checking on flags is also included in this changeset. > 1053 if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType || > 1054 notYetValidCert || chainNotValidated || hasExpiredCert || > 1055 hasUnsignedEntry || signerSelfSigned || (legacyAlg != 0) > || > 1056 (disabledAlg != 0) || aliasNotInStore || > notSignedByAlias || > 1057 tsaChainNotValidated || > 1058 (hasExpiredTsaCert && !signerNotExpired)) { > > 1198 } > > 1205 if (hasExpiringCert || > 1206 (hasExpiringTsaCert && expireDate != null) || > 1207 (noTimestamp && expireDate != null) || > 1208 (hasExpiredTsaCert && signerNotExpired)) { > > 1245 } > > I would even suggest you remove the "result" variable and move the > "System.out.println(result)" line into branches of the if-else block on lines > 1254-1272. Current change has the checking for sign and verify. Keep it as-is that you agreed. https://cr.openjdk.java.net/~hchao/8247960/webrev.01/ Thanks, Hai-May > > No other comments. > > Thanks, > Max > > > >> On Jul 15, 2020, at 4:09 AM, Hai-May Chao wrote: >> >> Hi, >> >> I’d like to request a review for: >> >> JBS: https://bugs.openjdk.java.net/browse/JDK-8247960 >> Webrev: https://cr.openjdk.java.net/~hchao/8247960/webrev.00/ >> >> Jarsigner is changed to emit “with signer errors” only when there are errors >> detected during sign and verify with -strict specified. >> >> Thanks, >> Hai-May >> >