RFR: 8160655 Fix denyAfter and usage types for security properties

2017-01-23 Thread Anthony Scarpino
Hi, I need a code review of this change that brings more detail constraints checking and control to certpath and jar disabled algorithm Security properties. http://cr.openjdk.java.net/~ascarpino/8160655/webrev/ thanks Tony

RFR[9] 8062731: Cipher object can be created without calling Cipher.getInstance

2017-01-23 Thread Valerie Peng
Hi Brad, Would you have time to review this? I changed the code to base the trust decision on the immediate caller of Cipher(CipherSpi, Provider, String). In addition, the specified Provider object is only taken into account when it shares the same origin (codebase or module) with the caller.

Re: RFR 8168075: Custom system class loader + security manager + malformed policy file = recursive initialization

2017-01-23 Thread Mandy Chung
> On Jan 19, 2017, at 7:28 AM, Adam Petcher wrote:
>
> My last attempt to solve this problem didn't work because some classes needed
> for string formatting were not loaded by init level 3 in some cases. So I had
> to backtrack and try a different approach.
>
> This patch avoids localization

Re: RFR 8168075: Custom system class loader + security manager + malformed policy file = recursive initialization

2017-01-23 Thread Sean Mullan
On 1/19/17 10:28 AM, Adam Petcher wrote: My last attempt to solve this problem didn't work because some classes needed for string formatting were not loaded by init level 3 in some cases. So I had to backtrack and try a different approach. This patch avoids localization and message formatting wh

Re: Review Request: JDK-8173024 Replace direct use of AuthResources resource bundle from jdk.security.auth

2017-01-23 Thread Mandy Chung
> On Jan 23, 2017, at 6:59 AM, Adam Petcher wrote:
>
> Comments below.
>
> On 1/21/2017 11:02 PM, Mandy Chung wrote:
>>> On Jan 21, 2017, at 6:37 PM, Weijun Wang wrote:
>>>
>>> On 01/22/2017 09:18 AM, Mandy Chung wrote: AFAIK, no permission

Re: Review Request: JDK-8173024 Replace direct use of AuthResources resource bundle from jdk.security.auth

2017-01-23 Thread Adam Petcher
Comments below. On 1/21/2017 11:02 PM, Mandy Chung wrote: On Jan 21, 2017, at 6:37 PM, Weijun Wang wrote: On 01/22/2017 09:18 AM, Mandy Chung wrote: AFAIK, no permission check from RB::getBundle loading this resource bundle. The implementation should wrap all security sensitive calls wit

RFR[9] JDK-8171900: javax/net/ssl/SSLSession/SessionTimeOutTests.java failed with "SSLHandshakeException: Remote host terminated the handshake"

2017-01-23 Thread John Jiang
Hi, The patch takes some code patterns from SSLSocketTemplate.java to try to resolve the following issues: JDK-8171900: javax/net/ssl/SSLSession/SessionTimeOutTests.java failed with "SSLHandshakeException: Remote host terminated the handshake" JDK-8173142: javax/net/ssl/SSLSession/SessionTimeOut

RFR 8171319: keytool should print out warnings when reading or generating cert/cert req using weak algorithms

2017-01-23 Thread Weijun Wang
Hi All Please take a review at http://cr.openjdk.java.net/~weijun/8171319/webrev.00/ Warnings are printed to System.err when weak algorithms/keysizes are detected during the execution, this includes input, output, and any certs used. The detection applies to many keytool functions: - ge