RFR: 8285785: CheckCleanerBound test fails with PasswordCallback object is not released

2022-04-28 Thread Xue-Lei Andrew Fan
Hi, May I have this test update reviewed? The javax/security/auth/callback/PasswordCallback/CheckCleanerBound.java test case failed on one of the test setups. The test runs gc in a loop and expects the GC to have garbage collected contents of a WeakHashMap. The loop runs for 10 iterations.

Re: A possible JEP to replace SecurityManager after JEP 411

2022-04-28 Thread Peter Firmstone
Brief comment on ECC attack below, the code download can be prevented by granting DownloadPermission only to code signers and not user principals. In this case the imposter service would only be able to cause a signed code source to class-load. Since Java serialization is disabled, the

Re: RFR: JDK-8285676: Add missing @param tags for type parameters on classes and interfaces [v3]

2022-04-28 Thread Daniel Fuchs
On Thu, 28 Apr 2022 01:34:19 GMT, Joe Darcy wrote: >> To enable more complete doclint checking (courtesy @jonathan-gibbons), >> please review this PR to add type-level @param tags where they are missing. >> >> To the maintainers of java.util.concurrent, those changes could be separated >> out

Re: RFR: 8284910: Buffer clean in PasswordCallback [v9]

2022-04-28 Thread Jaikiran Pai
On Wed, 27 Apr 2022 16:22:38 GMT, Xue-Lei Andrew Fan wrote: >> Please review this password cleanup enhancement in the PasswordCallback >> implementation. This is one of the efforts to clean up the buffered >> passwords. >> >> The PasswordCallback.setPassword() clones the password, but is not

Re: RFR: 8284910: Buffer clean in PasswordCallback [v9]

2022-04-28 Thread Xue-Lei Andrew Fan
On Thu, 28 Apr 2022 06:31:30 GMT, Jaikiran Pai wrote: > More of a FYI - the CheckCleanerBound test failed on one of the test setups. > So I've created https://bugs.openjdk.java.net/browse/JDK-8285785 to track > that failure. Thank you! I will add the sleep back. - PR:

Integrated: 8285696: AlgorithmConstraints:permits not throwing IllegalArgumentException when 'alg' is null

2022-04-28 Thread Daniel Jeliński
On Wed, 27 Apr 2022 14:03:15 GMT, Daniel Jeliński wrote: > Please review this follow up to #8349. > > As JCK pointed out, `permits` is supposed to throw IAE on null input. > However, now that we're looking up the result in a `ConcurrentHashMap`, a > `NullPointerException` is thrown. This

Re: RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms [v2]

2022-04-28 Thread Hai-May Chao
On Wed, 27 Apr 2022 21:04:59 GMT, Weijun Wang wrote: >> Changes requested by mullan (Reviewer). > > @seanjmullan Since we use symmetric keys to encrypt entries and add integrity > check, should this enhancement cover them as well? For example, if a PKCS12 > keystore is created with

Re: RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms [v2]

2022-04-28 Thread Hai-May Chao
On Wed, 27 Apr 2022 19:35:04 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> SecretKeyConstraintsParameters subclass created and property description >> updated > > Changes requested by mullan

Re: RFR: JDK-8285676: Add missing @param tags for type parameters on classes and interfaces [v3]

2022-04-28 Thread Alan Bateman
On Thu, 28 Apr 2022 01:34:19 GMT, Joe Darcy wrote: >> To enable more complete doclint checking (courtesy @jonathan-gibbons), >> please review this PR to add type-level @param tags where they are missing. >> >> To the maintainers of java.util.concurrent, those changes could be separated >> out

Re: RFR: 8285785: CheckCleanerBound test fails with PasswordCallback object is not released

2022-04-28 Thread Daniel Fuchs
On Thu, 28 Apr 2022 07:01:25 GMT, Xue-Lei Andrew Fan wrote: > Hi, > > May I have this test update reviewed? > > The javax/security/auth/callback/PasswordCallback/CheckCleanerBound.java test > case failed on one of the test setups. The test runs gc in a loop and > expects the GC to have

Re: RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms [v2]

2022-04-28 Thread Hai-May Chao
> Please review these changes to add DES/3DES/MD5 to > `jdk.security.legacyAlgorithms` security property, and to add the legacy > algorithm constraint checking to `keytool` commands that are associated with > secret key entries stored in the keystore. These `keytool` commands are > -genseckey,

Re: RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms [v2]

2022-04-28 Thread Hai-May Chao
On Wed, 27 Apr 2022 19:34:04 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> SecretKeyConstraintsParameters subclass created and property description >> updated > >

Re: RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms [v2]

2022-04-28 Thread Sean Mullan
On Thu, 28 Apr 2022 06:46:35 GMT, Hai-May Chao wrote: >> Please review these changes to add DES/3DES/MD5 to >> `jdk.security.legacyAlgorithms` security property, and to add the legacy >> algorithm constraint checking to `keytool` commands that are associated with >> secret key entries stored

Re: RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms [v2]

2022-04-28 Thread Sean Mullan
On Wed, 27 Apr 2022 19:35:04 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> SecretKeyConstraintsParameters subclass created and property description >> updated > > Changes requested by mullan

Re: RFR: 8285785: CheckCleanerBound test fails with PasswordCallback object is not released

2022-04-28 Thread Sean Mullan
On Thu, 28 Apr 2022 07:01:25 GMT, Xue-Lei Andrew Fan wrote: > Hi, > > May I have this test update reviewed? > > The javax/security/auth/callback/PasswordCallback/CheckCleanerBound.java test > case failed on one of the test setups. The test runs gc in a loop and > expects the GC to have

Re: RFR: 8285785: CheckCleanerBound test fails with PasswordCallback object is not released

2022-04-28 Thread Roger Riggs
On Thu, 28 Apr 2022 07:01:25 GMT, Xue-Lei Andrew Fan wrote: > Hi, > > May I have this test update reviewed? > > The javax/security/auth/callback/PasswordCallback/CheckCleanerBound.java test > case failed on one of the test setups. The test runs gc in a loop and > expects the GC to have

Re: RFR: 8285785: CheckCleanerBound test fails with PasswordCallback object is not released

2022-04-28 Thread Roger Riggs
On Thu, 28 Apr 2022 12:19:35 GMT, Sean Mullan wrote: >> Hi, >> >> May I have this test update reviewed? >> >> The javax/security/auth/callback/PasswordCallback/CheckCleanerBound.java >> test case failed on one of the test setups. The test runs gc in a loop and >> expects the GC to have

Re: RFR: JDK-8285504 Minor cleanup could be done in javax.net [v2]

2022-04-28 Thread Mark Powers
On Wed, 27 Apr 2022 20:22:42 GMT, Mark Powers wrote: >> JDK-6725221 is about obtaining boolean properties, so not an exact match. >> The suggested change is so easy, I'm going to do it. > > sun.security.action.GetPropertyAction::privilegedGetProperty doesn't trim the > return value. Could this

Re: RFR: JDK-8285504 Minor cleanup could be done in javax.net [v4]

2022-04-28 Thread Weijun Wang
On Thu, 28 Apr 2022 02:33:49 GMT, Mark Powers wrote: >> https://bugs.openjdk.java.net/browse/JDK-8285504 >> >> JDK-8273046 is the umbrella bug for this bug. The changes were too large for >> a single code review, so it was decided to split into smaller chunks. This >> is one such chunk: >>

Re: RFR: JDK-8285504 Minor cleanup could be done in javax.net [v4]

2022-04-28 Thread Bradford Wetmore
On Thu, 28 Apr 2022 02:33:49 GMT, Mark Powers wrote: >> https://bugs.openjdk.java.net/browse/JDK-8285504 >> >> JDK-8273046 is the umbrella bug for this bug. The changes were too large for >> a single code review, so it was decided to split into smaller chunks. This >> is one such chunk: >>

Re: RFR: JDK-8285504 Minor cleanup could be done in javax.net [v4]

2022-04-28 Thread Mark Powers
On Thu, 28 Apr 2022 16:14:01 GMT, Bradford Wetmore wrote: >> src/java.base/share/classes/javax/net/ssl/KeyManagerFactory.java line 70: >> >>> 68: String type; >>> 69: type = GetPropertyAction.privilegedGetProperty( >>> 70: "ssl.KeyManagerFactory.algorithm"); >> >>

Re: RFR: JDK-8285504 Minor cleanup could be done in javax.net [v4]

2022-04-28 Thread Bradford Wetmore
On Thu, 28 Apr 2022 15:45:58 GMT, Weijun Wang wrote: >> Mark Powers has updated the pull request with a new target base due to a >> merge or a rebase. The incremental webrev excludes the unrelated changes >> brought in by the merge/rebase. The pull request contains eight additional >> commits

Re: RFR: JDK-8285504 Minor cleanup could be done in javax.net [v4]

2022-04-28 Thread Mark Powers
On Thu, 28 Apr 2022 17:29:53 GMT, Bradford Wetmore wrote: >> My mistake. It's only the trim that you wanted removed, line 94. > > No, the API for Security.getProperty doesn't specify trimming, so suggest > leaving the trim() part also. Okay. Line 94 is back. - PR:

Re: RFR: JDK-8285504 Minor cleanup could be done in javax.net [v4]

2022-04-28 Thread Bradford Wetmore
On Thu, 28 Apr 2022 15:47:44 GMT, Weijun Wang wrote: >> Mark Powers has updated the pull request with a new target base due to a >> merge or a rebase. The incremental webrev excludes the unrelated changes >> brought in by the merge/rebase. The pull request contains eight additional >> commits

Re: RFR: JDK-8285504 Minor cleanup could be done in javax.net [v4]

2022-04-28 Thread Bradford Wetmore
On Thu, 28 Apr 2022 16:22:43 GMT, Bradford Wetmore wrote: >> src/java.base/share/classes/javax/net/ssl/SSLSocketFactory.java line 92: >> >>> 90: static String getSecurityProperty(final String name) { >>> 91: return AccessController.doPrivileged((PrivilegedAction) >>> () -> { >>>

Re: RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms [v2]

2022-04-28 Thread Weijun Wang
On Thu, 28 Apr 2022 06:46:35 GMT, Hai-May Chao wrote: >> Please review these changes to add DES/3DES/MD5 to >> `jdk.security.legacyAlgorithms` security property, and to add the legacy >> algorithm constraint checking to `keytool` commands that are associated with >> secret key entries stored

Re: RFR: 8209038: Clarify the javadoc of Cipher.getParameters() [v2]

2022-04-28 Thread Sean Mullan
On Wed, 27 Apr 2022 20:01:26 GMT, Sean Mullan wrote: >> I don't see the ProviderException being mentioned? >> Per the description under JDK-8209038, the requests are: >> 1) describe the returned parameters following what's in Signature class, >> i.e. if this object has been initialized with

Re: RFR: JDK-8285676: Add missing @param tags for type parameters on classes and interfaces [v5]

2022-04-28 Thread Joe Darcy
> To enable more complete doclint checking (courtesy @jonathan-gibbons), please > review this PR to add type-level @param tags where they are missing. > > To the maintainers of java.util.concurrent, those changes could be separated > out in another bug if that would ease maintenance of that

Re: RFR: 8285785: CheckCleanerBound test fails with PasswordCallback object is not released

2022-04-28 Thread Xue-Lei Andrew Fan
On Thu, 28 Apr 2022 13:34:04 GMT, Roger Riggs wrote: >> Hi, >> >> May I have this test update reviewed? >> >> The javax/security/auth/callback/PasswordCallback/CheckCleanerBound.java >> test case failed on one of the test setups. The test runs gc in a loop and >> expects the GC to have

Integrated: 8285785: CheckCleanerBound test fails with PasswordCallback object is not released

2022-04-28 Thread Xue-Lei Andrew Fan
On Thu, 28 Apr 2022 07:01:25 GMT, Xue-Lei Andrew Fan wrote: > Hi, > > May I have this test update reviewed? > > The javax/security/auth/callback/PasswordCallback/CheckCleanerBound.java test > case failed on one of the test setups. The test runs gc in a loop and > expects the GC to have

Re: RFR: JDK-8285676: Add missing @param tags for type parameters on classes and interfaces [v3]

2022-04-28 Thread Joe Darcy
On Thu, 28 Apr 2022 08:08:37 GMT, Alan Bateman wrote: >> Joe Darcy has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Respond to more review feedback. > > src/java.base/share/classes/java/nio/file/SecureDirectoryStream.java line 55: > >>

RFR: 8285827: Describe the keystore.pkcs12.legacy system property in the java.security file

2022-04-28 Thread Weijun Wang
We added a new system property back in https://bugs.openjdk.java.net/browse/JDK-8153005 but it's better to describe it in the `java.security` file as well. Please review the text. I especially added the last sentence so that people won't set `-Dkeystore.pkcs12.legacy=false`. -

Re: RFR: JDK-8285676: Add missing @param tags for type parameters on classes and interfaces [v4]

2022-04-28 Thread Joe Darcy
> To enable more complete doclint checking (courtesy @jonathan-gibbons), please > review this PR to add type-level @param tags where they are missing. > > To the maintainers of java.util.concurrent, those changes could be separated > out in another bug if that would ease maintenance of that

Re: RFR: 8284490: Remove finalizer method in java.security.jgss [v12]

2022-04-28 Thread Weijun Wang
On Thu, 28 Apr 2022 04:34:36 GMT, Xue-Lei Andrew Fan wrote: >> Please review the update to remove finalizer method in the >> java.security.jgss module. It is one of the efforts to clean up the use of >> finalizer method in JDK. > > Xue-Lei Andrew Fan has updated the pull request incrementally

Re: RFR: JDK-8285504 Minor cleanup could be done in javax.net [v4]

2022-04-28 Thread Mark Powers
On Thu, 28 Apr 2022 16:27:08 GMT, Bradford Wetmore wrote: >> Just found the same. This needs to be reverted. You can set a Security >> Property to an "empty" string which won't work here. Suggest you revert to >> previous code, possibly using a lambda if that was the original intent. > >

Re: RFR: JDK-8285676: Add missing @param tags for type parameters on classes and interfaces [v3]

2022-04-28 Thread Joe Darcy
On Thu, 28 Apr 2022 08:10:38 GMT, Alan Bateman wrote: >> Joe Darcy has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Respond to more review feedback. > > src/java.base/share/classes/java/nio/file/WatchEvent.java line 51: > >> 49: /**

Re: RFR: JDK-8285676: Add missing @param tags for type parameters on classes and interfaces [v4]

2022-04-28 Thread Alan Bateman
On Thu, 28 Apr 2022 16:58:40 GMT, Joe Darcy wrote: >> To enable more complete doclint checking (courtesy @jonathan-gibbons), >> please review this PR to add type-level @param tags where they are missing. >> >> To the maintainers of java.util.concurrent, those changes could be separated >> out

Re: RFR: JDK-8285504 Minor cleanup could be done in javax.net [v4]

2022-04-28 Thread Bradford Wetmore
On Thu, 28 Apr 2022 16:37:35 GMT, Mark Powers wrote: >> `Security.getProperty()` does not specify the value will be `trim()`. > > My mistake. It's only the trim that you wanted removed, line 94. No, the API for Security.getProperty doesn't specify trimming, so suggest leaving the trim() part

Re: RFR: JDK-8285676: Add missing @param tags for type parameters on classes and interfaces [v4]

2022-04-28 Thread Mandy Chung
On Thu, 28 Apr 2022 16:58:40 GMT, Joe Darcy wrote: >> To enable more complete doclint checking (courtesy @jonathan-gibbons), >> please review this PR to add type-level @param tags where they are missing. >> >> To the maintainers of java.util.concurrent, those changes could be separated >> out

Integrated: JDK-8285676: Add missing @param tags for type parameters on classes and interfaces

2022-04-28 Thread Joe Darcy
On Tue, 26 Apr 2022 22:24:26 GMT, Joe Darcy wrote: > To enable more complete doclint checking (courtesy @jonathan-gibbons), please > review this PR to add type-level @param tags where they are missing. > > To the maintainers of java.util.concurrent, those changes could be separated > out in

Re: RFR: 8284490: Remove finalizer method in java.security.jgss [v12]

2022-04-28 Thread Xue-Lei Andrew Fan
On Thu, 28 Apr 2022 04:34:36 GMT, Xue-Lei Andrew Fan wrote: >> Please review the update to remove finalizer method in the >> java.security.jgss module. It is one of the efforts to clean up the use of >> finalizer method in JDK. > > Xue-Lei Andrew Fan has updated the pull request incrementally

Re: RFR: 8284490: Remove finalizer method in java.security.jgss [v12]

2022-04-28 Thread Weijun Wang
On Thu, 28 Apr 2022 04:34:36 GMT, Xue-Lei Andrew Fan wrote: >> Please review the update to remove finalizer method in the >> java.security.jgss module. It is one of the efforts to clean up the use of >> finalizer method in JDK. > > Xue-Lei Andrew Fan has updated the pull request incrementally

Re: RFR: 8284490: Remove finalizer method in java.security.jgss [v13]

2022-04-28 Thread Xue-Lei Andrew Fan
> Please review the update to remove finalizer method in the java.security.jgss > module. It is one of the efforts to clean up the use of finalizer method in > JDK. Xue-Lei Andrew Fan has updated the pull request incrementally with one additional commit since the last revision: add sleep

Re: RFR: 8209038: Clarify the javadoc of Cipher.getParameters() [v3]

2022-04-28 Thread Valerie Peng
> Anyone can help review this javadoc update? The main change is the wording > for the method javadoc of > Cipher.getParameters()/CipherSpi.engineGetParameters(). The original wording > is somewhat restrictive and request is to broaden this to accommodate more > scenarios such as when null can

Re: RFR: 8285827: Describe the keystore.pkcs12.legacy system property in the java.security file

2022-04-28 Thread Sean Mullan
On Thu, 28 Apr 2022 19:54:36 GMT, Weijun Wang wrote: >> src/java.base/share/conf/security/java.security line 1174: >> >>> 1172: # If the property is not set or empty, a default value will be used. >>> 1173: # >>> 1174: # For compatibility, the system property "keystore.pkcs12.legacy" can >>>

Re: RFR: JDK-8285504 Minor cleanup could be done in javax.net [v4]

2022-04-28 Thread Mark Powers
On Thu, 28 Apr 2022 16:23:25 GMT, Bradford Wetmore wrote: >> src/java.base/share/classes/javax/net/ssl/TrustManagerFactory.java line 82: >> >>> 80: String type; >>> 81: type = GetPropertyAction.privilegedGetProperty( >>> 82: "ssl.TrustManagerFactory.algorithm"); >>

Re: RFR: 8284490: Remove finalizer method in java.security.jgss [v12]

2022-04-28 Thread Weijun Wang
On Thu, 28 Apr 2022 04:34:36 GMT, Xue-Lei Andrew Fan wrote: >> Please review the update to remove finalizer method in the >> java.security.jgss module. It is one of the efforts to clean up the use of >> finalizer method in JDK. > > Xue-Lei Andrew Fan has updated the pull request incrementally

Re: RFR: JDK-8285504 Minor cleanup could be done in javax.net [v5]

2022-04-28 Thread Bradford Wetmore
On Thu, 28 Apr 2022 18:29:35 GMT, Mark Powers wrote: >> https://bugs.openjdk.java.net/browse/JDK-8285504 >> >> JDK-8273046 is the umbrella bug for this bug. The changes were too large for >> a single code review, so it was decided to split into smaller chunks. This >> is one such chunk: >>

Re: RFR: JDK-8285676: Add missing @param tags for type parameters on classes and interfaces [v5]

2022-04-28 Thread Mandy Chung
On Thu, 28 Apr 2022 18:24:33 GMT, Andrey Turbanov wrote: >> Joe Darcy has updated the pull request with a new target base due to a merge >> or a rebase. The incremental webrev excludes the unrelated changes brought >> in by the merge/rebase. The pull request contains seven additional commits

Re: RFR: 8285785: CheckCleanerBound test fails with PasswordCallback object is not released

2022-04-28 Thread Xue-Lei Andrew Fan
On Thu, 28 Apr 2022 07:01:25 GMT, Xue-Lei Andrew Fan wrote: > Hi, > > May I have this test update reviewed? > > The javax/security/auth/callback/PasswordCallback/CheckCleanerBound.java test > case failed on one of the test setups. The test runs gc in a loop and > expects the GC to have

Re: RFR: 8209038: Clarify the javadoc of Cipher.getParameters() [v3]

2022-04-28 Thread Weijun Wang
On Thu, 28 Apr 2022 19:11:23 GMT, Valerie Peng wrote: >> Anyone can help review this javadoc update? The main change is the wording >> for the method javadoc of >> Cipher.getParameters()/CipherSpi.engineGetParameters(). The original wording >> is somewhat restrictive and request is to broaden

Re: RFR: JDK-8285504 Minor cleanup could be done in javax.net [v5]

2022-04-28 Thread Bradford Wetmore
On Thu, 28 Apr 2022 18:29:35 GMT, Mark Powers wrote: >> https://bugs.openjdk.java.net/browse/JDK-8285504 >> >> JDK-8273046 is the umbrella bug for this bug. The changes were too large for >> a single code review, so it was decided to split into smaller chunks. This >> is one such chunk: >>

Re: RFR: 8284490: Remove finalizer method in java.security.jgss [v12]

2022-04-28 Thread Xue-Lei Andrew Fan
On Thu, 28 Apr 2022 17:48:20 GMT, Weijun Wang wrote: > I see you removed the `Thread.sleep(100)` calls. Given the failure of another > similar test, maybe it's safer to add them back? Yes. I'm evaluating if other proposal works or not. Otherwise, I will add the sleep back. -

Re: RFR: JDK-8285504 Minor cleanup could be done in javax.net [v5]

2022-04-28 Thread Mark Powers
> https://bugs.openjdk.java.net/browse/JDK-8285504 > > JDK-8273046 is the umbrella bug for this bug. The changes were too large for > a single code review, so it was decided to split into smaller chunks. This is > one such chunk: > > open/src/java.base/share/classes/java/net Mark Powers has

Re: RFR: 8285827: Describe the keystore.pkcs12.legacy system property in the java.security file

2022-04-28 Thread Weijun Wang
On Thu, 28 Apr 2022 19:48:38 GMT, Sean Mullan wrote: >> We added a new system property back in >> https://bugs.openjdk.java.net/browse/JDK-8153005 but it's better to describe >> it in the `java.security` file as well. >> >> Please review the text. I especially added the last sentence so that

Integrated: JDK-8285504 Minor cleanup could be done in javax.net

2022-04-28 Thread Mark Powers
On Mon, 25 Apr 2022 17:40:13 GMT, Mark Powers wrote: > https://bugs.openjdk.java.net/browse/JDK-8285504 > > JDK-8273046 is the umbrella bug for this bug. The changes were too large for > a single code review, so it was decided to split into smaller chunks. This is > one such chunk: > >

Re: RFR: JDK-8285676: Add missing @param tags for type parameters on classes and interfaces [v5]

2022-04-28 Thread Andrey Turbanov
On Thu, 28 Apr 2022 18:05:39 GMT, Joe Darcy wrote: >> To enable more complete doclint checking (courtesy @jonathan-gibbons), >> please review this PR to add type-level @param tags where they are missing. >> >> To the maintainers of java.util.concurrent, those changes could be separated >> out

Re: RFR: 8285827: Describe the keystore.pkcs12.legacy system property in the java.security file

2022-04-28 Thread Sean Mullan
On Thu, 28 Apr 2022 14:35:54 GMT, Weijun Wang wrote: > We added a new system property back in > https://bugs.openjdk.java.net/browse/JDK-8153005 but it's better to describe > it in the `java.security` file as well. > > Please review the text. I especially added the last sentence so that

Re: RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms [v2]

2022-04-28 Thread Hai-May Chao
On Thu, 28 Apr 2022 13:25:13 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> SecretKeyConstraintsParameters subclass created and property description >> updated > >

Re: RFR: 8285827: Describe the keystore.pkcs12.legacy system property in the java.security file

2022-04-28 Thread Weijun Wang
On Thu, 28 Apr 2022 19:59:07 GMT, Sean Mullan wrote: >> OpenSSL's help page shows >> >> -legacy Use legacy encryption: 3DES_CBC for keys, RC2_CBC for >> certs >> >> Can we also say "To work with legacy PKCS #12 files"? > > But isn't it mostly an issue when creating new keystores

Re: RFR: 8253176: Signature.getParameters should specify that it can throw UnsupportedOperationException [v2]

2022-04-28 Thread Valerie Peng
On Thu, 28 Apr 2022 04:56:47 GMT, Xue-Lei Andrew Fan wrote: >>> Can you clarify what is the A and B that you are referring to? >> >> The sentence is, “If the required parameters were not supplied and the >> underlying signature implementation can generate the parameter values, it >> will be

Re: RFR: 8253176: Signature.getParameters should specify that it can throw UnsupportedOperationException [v2]

2022-04-28 Thread Valerie Peng
On Wed, 27 Apr 2022 23:02:28 GMT, Weijun Wang wrote: >> Right, the user-supplied values take precedence and provider-specific >> default/random values should just be supplemental. >> >> As for EdDSA, looks like the prehash and context are only in RFC 8032 and >> NOT RFC 8410. caller has to

Re: RFR: 8253176: Signature.getParameters should specify that it can throw UnsupportedOperationException [v2]

2022-04-28 Thread Valerie Peng
On Thu, 28 Apr 2022 23:14:56 GMT, Weijun Wang wrote: >> I assume you were suggesting this? `"The returned parameters may be the same >> that were used to initialize this signature, or may contain additional >> default or random parameter values used by the underlying signature >>

Re: RFR: 8253176: Signature.getParameters should specify that it can throw UnsupportedOperationException [v2]

2022-04-28 Thread Weijun Wang
On Thu, 28 Apr 2022 23:22:30 GMT, Valerie Peng wrote: >> I suggest the last sentence to be "null is returned if the required >> parameters were not supplied **or** the underlying signature implementation >> cannot generate the parameter values." I used "or" because for EdDSA >> parameters are

Re: RFR: 8212136: Remove BaseSSLSocketImpl finalizer method [v2]

2022-04-28 Thread Bradford Wetmore
On Thu, 14 Apr 2022 15:37:05 GMT, Daniel Jeliński wrote: > IMO we should not send close_notify in the finalizer. It's the application's > responsibility to send close_notify when it's done with the socket; we should > not pretend that it was closed normally when it was not. @djelinski makes

Re: RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms [v2]

2022-04-28 Thread Hai-May Chao
On Thu, 28 Apr 2022 06:46:35 GMT, Hai-May Chao wrote: >> Please review these changes to add DES/3DES/MD5 to >> `jdk.security.legacyAlgorithms` security property, and to add the legacy >> algorithm constraint checking to `keytool` commands that are associated with >> secret key entries stored

Re: RFR: 8253176: Signature.getParameters should specify that it can throw UnsupportedOperationException [v2]

2022-04-28 Thread Weijun Wang
On Thu, 28 Apr 2022 23:08:17 GMT, Valerie Peng wrote: >> So, "the underlying signature implementation supports returning the >> parameters as {@code AlgorithmParameters}" is quite necessary. Xuelei's >> suggestion is quite good, just change the last "and" to "or". > > I assume you were

Re: RFR: 8253176: Signature.getParameters should specify that it can throw UnsupportedOperationException [v2]

2022-04-28 Thread Xue-Lei Andrew Fan
On Thu, 28 Apr 2022 23:09:00 GMT, Valerie Peng wrote: > What kind of additional sentence do you have in mind? It may be fine to put it into the state for 'null' returned value. For example: The returned parameters may be the same that were used to initialize this signature, or may contain