security-dev
Cc: "Langer, Christoph"
Subject: [11u] RFR: 8153005: Upgrade the default PKCS12 encryption/MAC
algorithms
Hi,
JDK-8153005 is backported to 11.0.12-oracle. I'd like to backport it for parity.
It doesn't apply cleanly.
Bug:
https://bugs.openjdk.java.net/browse/JDK-8153005
CSR covering 11u:
https://bugs.openjdk.java.net/browse/JDK-8228481
Original change:
On 11/24/20 11:28 AM, Weijun Wang wrote:
Is “keystore.pkcs12.*” better? Or, maybe more clear?
See the security properties starting with `keystore.pkcs12` in the
`java.security` file for detailed information.
"starting with" should be sufficient, I think. No need for the asterisk.
--Sean
Is “keystore.pkcs12.*” better? Or, maybe more clear?
See the security properties starting with `keystore.pkcs12` in the
`java.security` file for detailed information.
Thanks,
Max
> On Nov 24, 2020, at 11:23 AM, Sean Mullan wrote:
>
> On 11/17/20 4:38 PM, Weijun Wang wrote:
>>> On Apr 10,
On 11/17/20 4:38 PM, Weijun Wang wrote:
On Apr 10, 2020, at 5:03 AM, Weijun Wang wrote:
Please take a review at
CSR : 8228481: Upgrade the default PKCS12 encryption/MAC algorithms
Release note : https://bugs.openjdk.java.net/browse/JDK-8242069
I forget if the release note
> On Apr 10, 2020, at 5:03 AM, Weijun Wang wrote:
>
> Please take a review at
>
> CSR : 8228481: Upgrade the default PKCS12 encryption/MAC algorithms
> Release note : https://bugs.openjdk.java.net/browse/JDK-8242069
I forget if the release note has been reviewed before. If not,
> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256.
> Please also review the CSR at
> https://bugs.openjdk.java.net/browse/JDK-8228481.
Weijun Wang has updated the pull request with a new target base due to a merge
or a rebase. The incremental webrev excludes the
On Fri, 9 Oct 2020 01:33:38 GMT, Weijun Wang wrote:
>> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256.
>> Please also review the CSR at
>> https://bugs.openjdk.java.net/browse/JDK-8228481.
>
> Weijun Wang has updated the pull request incrementally with one
On Fri, 9 Oct 2020 00:07:39 GMT, Weijun Wang wrote:
>> I tried but cannot find a way to tell if a system is Windows Server 2016 or
>> 2019. Their os.version is all 10.0. I've
>> filed an enhancement at https://bugs.openjdk.java.net/browse/JDK-8254241 for
>> it. That said, I did try running the
> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256.
> Please also review the CSR at
> https://bugs.openjdk.java.net/browse/JDK-8228481.
Weijun Wang has updated the pull request incrementally with one additional
commit since the last revision:
update README and
On Fri, 9 Oct 2020 00:04:17 GMT, Weijun Wang wrote:
>> Are you still planning, or is it possible to add a test for Windows 2019?
>> Also, have you considered adding a test that
>> checks if the JDK can read OpenSSL PKCS#12 files and vice versa? Maybe we
>> can do that later as a follow-on
On Thu, 8 Oct 2020 16:34:59 GMT, Sean Mullan wrote:
>> New commit updating ic to 1. I also created separate constants for
>> DEFAULT_CERT_PBE_ITERATION_COUNT and
>> DEFAULT_KEY_PBE_ITERATION_COUNT. I haven't made the change for
>> LEGACY_PBE_ITERATION_COUNT since they will never change.
>
On Thu, 8 Oct 2020 14:21:09 GMT, Weijun Wang wrote:
>> CSR updated. More description, and iteration counts lowered to 1. Will
>> update code soon.
>
> New commit updating ic to 1. I also created separate constants for
> DEFAULT_CERT_PBE_ITERATION_COUNT and
>
On Wed, 7 Oct 2020 22:49:09 GMT, Weijun Wang wrote:
>> CSR looks good. In "Specification" section: a typo in 'Thr iteration counts
>> used by'. At the end, it describes the new
>> system property will override the security properties and use the older and
>> weaker algorithms, so suggest we
> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256.
> Please also review the CSR at
> https://bugs.openjdk.java.net/browse/JDK-8228481.
Weijun Wang has updated the pull request incrementally with one additional
commit since the last revision:
change ic to 1
On Wed, 7 Oct 2020 22:08:19 GMT, Hai-May Chao wrote:
>> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256.
>> Please also review the CSR at
>> https://bugs.openjdk.java.net/browse/JDK-8228481.
>
> Looks good. Only minor comments.
CSR looks good. In "Specification"
On Wed, 7 Oct 2020 22:20:07 GMT, Hai-May Chao wrote:
>> Looks good. Only minor comments.
>
> CSR looks good. In "Specification" section: a typo in 'Thr iteration counts
> used by'. At the end, it describes the new
> system property will override the security properties and use the older and
>
On Thu, 1 Oct 2020 20:02:34 GMT, Weijun Wang wrote:
> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256.
> Please also review the CSR at
> https://bugs.openjdk.java.net/browse/JDK-8228481.
Looks good. Only minor comments.
On Wed, 7 Oct 2020 22:06:28 GMT, Hai-May Chao wrote:
>> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256.
>> Please also review the CSR at
>> https://bugs.openjdk.java.net/browse/JDK-8228481.
>
> test/jdk/sun/security/mscapi/VeryLongAlias.java line 48:
>
>> 46:
>>
On Tue, 6 Oct 2020 18:34:34 GMT, Sean Mullan wrote:
>> I only know Windows Server 2019 can accept the new algorithms.
>
> Ok, but maybe we can split this test in two and use the jtreg @requires tag
> to run the newer algorithms on Windows
> Server 2019? It would be a useful test if this is the
On Fri, 2 Oct 2020 19:07:20 GMT, Weijun Wang wrote:
>> test/jdk/sun/security/mscapi/VeryLongAlias.java line 51:
>>
>>> 49: public static void main(String[] args) throws Throwable {
>>> 50:
>>> 51: // Using the old algorithms to make sure the file is recognized
>>
>> Do we also want
On Fri, 2 Oct 2020 18:44:48 GMT, Sean Mullan wrote:
>> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256.
>> Please also review the CSR at
>> https://bugs.openjdk.java.net/browse/JDK-8228481.
>
> test/jdk/sun/security/mscapi/VeryLongAlias.java line 51:
>
>> 49:
On Thu, 1 Oct 2020 20:02:34 GMT, Weijun Wang wrote:
> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256.
> Please also review the CSR at
> https://bugs.openjdk.java.net/browse/JDK-8228481.
test/lib/jdk/test/lib/security/DerUtils.java line 1:
> 1: /*
Is this test
On Thu, 1 Oct 2020 20:02:34 GMT, Weijun Wang wrote:
> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256.
> Please also review the CSR at
> https://bugs.openjdk.java.net/browse/JDK-8228481.
test/jdk/sun/security/mscapi/VeryLongAlias.java line 51:
> 49: public
On Thu, 1 Oct 2020 20:02:34 GMT, Weijun Wang wrote:
> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256.
> Please also review the CSR at
> https://bugs.openjdk.java.net/browse/JDK-8228481.
TBD: We bumped iteration counts for PBE and HMAC to 5 and 10 when we
Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256.
Please also review the CSR at
https://bugs.openjdk.java.net/browse/JDK-8228481.
-
Commit messages:
- 8153005: Upgrade the default PKCS12 encryption/MAC algorithms
Changes:
Please take a review at
CSR : 8228481: Upgrade the default PKCS12 encryption/MAC algorithms
Release note : https://bugs.openjdk.java.net/browse/JDK-8242069
webrev : http://cr.openjdk.java.net/~weijun/8153005/webrev.00/
The default pkcs12 algorithms are bumped into PBE and