Re: RFR JDK-8164639: Configure PKCS11 tests to use user-supplied NSS libraries

Hi Max, Please review the new webrev: http://cr.openjdk.java.net/~jjiang/8164639/webrev.01/ The new system property has been renamed to test.nss.lib.paths, and it supports multiple paths. Currently, it cannot download the artifacts outside Oracle network. This affects the test executions on W

Re: Code Review Request, JDK-8207009 SSLEngine#closeInbound mentions SSLException when no close_notify is received

Hi Brad, Good points! Here is the updated webrev: http://cr.openjdk.java.net/~xuelei/8207009/webrev.06/ Please let me know if you have more comments by 11:30AM today. Thanks, Xuelei On 8/13/2018 4:43 PM, Bradford Wetmore wrote: Hi Xuelei, > Let's use two to emphasize the behaviors: > 1

Re: RFR 8209416: Refactoring GetPropertyAction calls in JGSS

Thanks for the update! On 8/13/2018 11:39 PM, Weijun Wang wrote: Updated webrev at http://cr.openjdk.java.net/~weijun/8209416/webrev.01/ You can look at [1] to see what has changed. Mostly it's a case in other security libs. I also change the calling style to put property name in the same

Re: [12] RFR 8193859: Allow user provided ObjectInputFilter in SealedObject and SignedObject

Hi Max, On 8/14/2018 12:29 AM, Weijun Wang wrote: On Aug 7, 2018, at 10:57 PM, Roger Riggs wrote: Hi Max, It may be useful to include in the descriptions a reminder that if no ObjectInputFilter is supplied the global filter is used. Details in ObjectInputStream. The new getObject() methods

Re: [12] RFR 8193859: Allow user provided ObjectInputFilter in SealedObject and SignedObject

Hi Max, On 8/14/2018 1:33 AM, Weijun Wang wrote: Here is the change for both classes. I use "original object" so a caller would know what the filter should expect. ok diff --git a/src/java.base/share/classes/java/security/SignedObject.java b/src/java.base/share/classes/java/security/SignedO

Re: RFR 8209416: Refactoring GetPropertyAction calls in JGSS

On 8/14/18 1:04 AM, Weijun Wang wrote: On Aug 14, 2018, at 3:11 AM, Sean Mullan wrote: I think this should be an enhancement, and not a bug. Is this mainly for a performance improvement? Yes it's an enhancement. Performance can be gained. Also, the privilegedGetProperty() method is alrea

Re: RFR JDK-8029661: JDK-Support TLS v1.2 algorithm in SunPKCS11 provider

Hi Valerie, Here it is Webrev.07: * http://cr.openjdk.java.net/~mbalao/webrevs/8029661/8029661.webrev.07/ * http://cr.openjdk.java.net/~mbalao/webrevs/8029661/8029661.webrev.07.zip * p11_convert.c: * L530 and 834: masterKeyDeriveParamToCKMasterKeyDeriveParam and keyMatParamToCKKeyMatParam

Re: [12] RFR 8193859: Allow user provided ObjectInputFilter in SealedObject and SignedObject

> On Aug 14, 2018, at 10:18 PM, Roger Riggs wrote: >> >> * >> + * In this example, the {@link ObjectInputFilter} object is used during >> + * deserialization to check the contents of the stream. If {@link >> #getObject()} >> + * is called, the {@link ObjectInputFilter.Config#getSerialFilter(

Re: [12] RFR 8193859: Allow user provided ObjectInputFilter in SealedObject and SignedObject

Hi, On 8/14/2018 10:59 AM, Weijun Wang wrote: s/initial process-wide filter/system filter/? yes Roger --Max [1] 8202675   Replace process-wide terminology in serial filtering to be consistent Regards, Roger

Re: RFR JDK-8164639: Configure PKCS11 tests to use user-supplied NSS libraries

Few minor comments on README: - Please leave an empty line after each numbered section - I would suggest to update #2 to have general instruction on use of artifactory. Something like 2. Pre-built NSS libraries from artifactory server If the value of system property test.nss.lib.paths is nu

RFR: 8209452: VerifyCACerts.java failed with "At least one cacert test failed"

Please review this fix to allow test to pass if expired certificate is allowed by exception list. Webrev: http://cr.openjdk.java.net/~rhalade/8209452/webrev.00/ Thanks, Rajan

Re: RFR: 8209452: VerifyCACerts.java failed with "At least one cacert test failed"

Looks good. When you push the changeset, can you add a Summary line with more details of the fix, ex: Summary: allow expired certificates on exception list to pass after they expire Thanks, Sean On 8/14/18 12:22 PM, Rajan Halade wrote: Please review this fix to allow test to pass if expired

Re: CSR Review: 8208641: SSLSocket should throw an exception when configuring DTLS

On 08/13/2018 12:42 PM, Sean Mullan wrote: On 8/10/18 3:49 PM, Anthony Scarpino wrote: On 8/9/2018 4:25 AM, Sean Mullan wrote: On 8/8/18 5:29 PM, Xuelei Fan wrote: The "Default" algorithm defined in the SunJSSE provider is for TLS protocols. What if I set DTLS to be the default, though? Ex:

Re: CSR Review: 8208641: SSLSocket should throw an exception when configuring DTLS

On 8/14/18 1:56 PM, Anthony Scarpino wrote: On 08/13/2018 12:42 PM, Sean Mullan wrote: On 8/10/18 3:49 PM, Anthony Scarpino wrote: On 8/9/2018 4:25 AM, Sean Mullan wrote: On 8/8/18 5:29 PM, Xuelei Fan wrote: The "Default" algorithm defined in the SunJSSE provider is for TLS protocols. What

Re: CSR Review: 8208641: SSLSocket should throw an exception when configuring DTLS

On 08/14/2018 11:27 AM, Sean Mullan wrote: On 8/14/18 1:56 PM, Anthony Scarpino wrote: On 08/13/2018 12:42 PM, Sean Mullan wrote: On 8/10/18 3:49 PM, Anthony Scarpino wrote: On 8/9/2018 4:25 AM, Sean Mullan wrote: On 8/8/18 5:29 PM, Xuelei Fan wrote: The "Default" algorithm defined in the Sun

RFR: 8209506: Add Google Trust Services GlobalSign root certificates

Please review this fix to add Google issued root certificates to cacerts file. I have started jdk11 late enhancement request and will wait for approval to push this fix. Also, release note is available at JDK-8209512. After this fix is pushed, we will need to update release note 8207255 to remo

Re: RFR: 8209506: Add Google Trust Services GlobalSign root certificates

Looks good. --Sean On 8/14/18 5:06 PM, Rajan Halade wrote: Please review this fix to add Google issued root certificates to cacerts file. I have started jdk11 late enhancement request and will wait for approval to push this fix. Also, release note is available at JDK-8209512. After this fix i

RFR: 8206176: Remove the temporary tls13VN

Please review this fix to remove "jdk.tsl13.version" system property we had as interim solution for testing TLSv1.3 implementation. Webrev: http://cr.openjdk.java.net/~rhalade/8206176/webrev.00/ Thanks, Rajan

Re: RFR: 8206176: Remove the temporary tls13VN

Looks fine to me. Thanks! Xuelei On 8/14/2018 4:10 PM, Rajan Halade wrote: Please review this fix to remove "jdk.tsl13.version" system property we had as interim solution for testing TLSv1.3 implementation. Webrev: http://cr.openjdk.java.net/~rhalade/8206176/webrev.00/ Thanks, Rajan

Re: RFR: 8206176: Remove the temporary tls13VN

Looks good. Brad On 8/14/2018 4:14 PM, Xue-Lei Fan wrote: Looks fine to me.  Thanks! Xuelei On 8/14/2018 4:10 PM, Rajan Halade wrote: Please review this fix to remove "jdk.tsl13.version" system property we had as interim solution for testing TLSv1.3 implementation. Webrev: http://cr.openj

Re: RFR JDK-8164639: Configure PKCS11 tests to use user-supplied NSS libraries

Thanks for the comments! Please take a look the updated webrev: http://cr.openjdk.java.net/~jjiang/8164639/webrev.02/ Only README was adjusted. Best regards, John Jiang On 2018/8/14 23:48, Rajan Halade wrote: Few minor comments on README: - Please leave an empty line after each numbered sect

Re: RFR JDK-8164639: Configure PKCS11 tests to use user-supplied NSS libraries

Looks good to me! Thanks, Rajan On 8/14/18 7:13 PM, sha.ji...@oracle.com wrote: Thanks for the comments! Please take a look the updated webrev: http://cr.openjdk.java.net/~jjiang/8164639/webrev.02/ Only README was adjusted. Best regards, John Jiang On 2018/8/14 23:48, Rajan Halade wrote:

Re: RFR JDK-8164639: Configure PKCS11 tests to use user-supplied NSS libraries

Two comments on PKCS11Test.java: First, 865 private static String fetchNssLib(Class clazz) { 866 try { 867 String path = ArtifactResolver.resolve(clazz).entrySet().stream() 868 .findAny().get().getValue() + File.separator + "nsslib" 869

Re: RFR JDK-8164639: Configure PKCS11 tests to use user-supplied NSS libraries

Hi Max, Thanks for your comments very much! Please review this version: http://cr.openjdk.java.net/~jjiang/8164639/werbrev.03/ All of your comments are addressed. Assume external developers have no JIB jar, the artifact resolving fails quickly. The tests will be skipped for this case. Best

Re: RFR JDK-8164639: Configure PKCS11 tests to use user-supplied NSS libraries

I notice one behavior change in PKCS11Test.java. 693 private static String[] getNssLibPaths(String osId) { 694 String[] preferablePaths = getPreferableNssLibPaths(osId); 695 if (preferablePaths.length != 0) { 696 return preferablePaths; 697 } else { 69