Re: Code Review Request 6203816 and 6720456

2010-11-17 Thread Weijun Wang
On 11/18/2010 07:31 AM, Valerie (Yu-Ching) Peng wrote: Hi, Max, Can you please help reviewing the following two regression test fixes? 6203816: Can not run test/java/security/Security/ClassLoaderDeadlock.sh from the command line Webrev: http://cr.openjdk.java.net/~valeriep/6203816/webrev.00/

Re: Code Review Request 6203816 and 6720456

2010-11-18 Thread Weijun Wang
cs11.jar, maybe their jdk/make/closed is still not updated. Thanks Max Valerie On 11/17/10 17:00, Weijun Wang wrote: On 11/18/2010 07:31 AM, Valerie (Yu-Ching) Peng wrote: Hi, Max, Can you please help reviewing the following two regression test fixes? 6203816: Can not r

Re: Code Review Request 6203816 and 6720456

2010-11-19 Thread Weijun Wang
I'm fine with all code changes. Thanks Max On 11/20/2010 08:00 AM, Valerie (Yu-Ching) Peng wrote: On 11/17/10 19:31, Weijun Wang wrote: On 11/18/2010 11:00 AM, Valerie (Yu-Ching) Peng wrote: Thanks for the lightning fast review! TBD means "to be determined at runtime". Dif

hg: jdk7/tl/jdk: 6979329: CCacheInputStream fails to read ticket cache files from Kerberos 1.8.1

2010-11-21 Thread weijun . wang
Changeset: c1734c00a8ba Author:weijun Date: 2010-11-22 09:43 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/c1734c00a8ba 6979329: CCacheInputStream fails to read ticket cache files from Kerberos 1.8.1 Reviewed-by: valeriep ! src/share/classes/sun/security/krb5/internal/ccach

hg: jdk7/tl/jdk: 7002036: ktab return code changes on a error case

2010-11-23 Thread weijun . wang
Changeset: de402590e18f Author:weijun Date: 2010-11-24 07:43 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/de402590e18f 7002036: ktab return code changes on a error case Reviewed-by: valeriep ! src/windows/classes/sun/security/krb5/internal/tools/Ktab.java + test/sun/securi

code review request: 6894072: always refresh keytab

2010-12-01 Thread Weijun Wang
Hi Valerie The webrev is at -- http://cr.openjdk.java.net/~weijun/6894072/webrev.00/ Changes: 1. New javax..KeyTab, updated sun..KeyTab. As the impl note in javax..KeyTab says: the former is a name with dynamic content, the latter is a snapshot of a file. 2. Now Subject can have private

Fwd: CR 7004035 Updated, P4 java/classes_secu signed jar with only META-INF/* inside is not verifiable

2010-12-03 Thread Weijun Wang
Hi Sean Please review my code changes: http://cr.openjdk.java.net/~weijun/7004035/webrev.00/ After this change, MANIFEST.MF's getSigners() and getCertificates() will be not null. Since every signer of the jar file has a hash of the manifest header, I regard all of them as signers of MANIFES

hg: jdk7/tl/jdk: 7004721: ktarg.sh fails when there's no default realm

2010-12-05 Thread weijun . wang
Changeset: e3dbb8cd8820 Author:weijun Date: 2010-12-06 06:49 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/e3dbb8cd8820 7004721: ktarg.sh fails when there's no default realm Reviewed-by: xuelei ! test/sun/security/krb5/tools/ktarg.sh

hg: jdk7/tl/jdk: 5 new changesets

2010-12-05 Thread weijun . wang
Changeset: b8713c88c060 Author:weijun Date: 2010-12-06 10:46 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/b8713c88c060 7004035: signed jar with only META-INF/* inside is not verifiable Reviewed-by: mullan ! src/share/classes/sun/security/tools/JarSigner.java ! src/share/cl

hg: jdk7/tl/jdk: 6986825: policytool can not save file.

2010-12-06 Thread weijun . wang
Changeset: 34f8b6669273 Author:weijun Date: 2010-12-07 09:51 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/34f8b6669273 6986825: policytool can not save file. Reviewed-by: wetmore ! src/share/classes/sun/security/tools/policytool/PolicyTool.java

hg: jdk7/tl/jdk: 6990370: FindBugs scan - Malicious code vulnerability Warnings in com.sun.jndi.ldap.*

2010-12-07 Thread weijun . wang
Changeset: beeea65e79f4 Author:weijun Date: 2010-12-07 17:30 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/beeea65e79f4 6990370: FindBugs scan - Malicious code vulnerability Warnings in com.sun.jndi.ldap.* Reviewed-by: xuelei ! src/share/classes/com/sun/jndi/ldap/BasicCont

hg: jdk7/tl/jdk: 6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102

2010-12-16 Thread weijun . wang
Changeset: 1f0f0737f04e Author:weijun Date: 2010-12-17 11:03 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/1f0f0737f04e 6975866: api/org_ietf/jgss/GSSContext/index.html#wrapUnwrapIOTest started to fail since jdk7 b102 Reviewed-by: valeriep ! src/share/classes/sun/security/

hg: jdk7/tl/jdk: 6996367: improve HandshakeHash

2010-12-21 Thread weijun . wang
Changeset: d2a0e795c1c2 Author:weijun Date: 2010-12-21 17:35 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/d2a0e795c1c2 6996367: improve HandshakeHash Reviewed-by: xuelei ! src/share/classes/sun/security/ssl/ClientHandshaker.java ! src/share/classes/sun/security/ssl/Handsha

Re: review request for 7008713: diamond conversion of kerberos5 and security tools

2010-12-22 Thread Weijun Wang
Looks fine. BTW, what are we supposed to review? Besides going through the patch and making sure each change is good, the only thing I can think of is looking for lines that need coinification but are untouched. Made some simple greps and found none yet. I can review the following files you listed fo

Re: review request for 7005608: diamond conversion of JCA and crypto providers

2010-12-22 Thread Weijun Wang
On 12/23/2010 10:17 AM, Brad Wetmore wrote: You need to update the Copyright updates on these files to include 2010. Not having a lot of experience yet with <>, the only ones I wasn't sure about were the ones in X509Factor.parseX509orPKCS7Cert. (line 415 & 425) I assume it just picks up the

Re: Code Review Request: CR 6976118, version number tolerance in the PreMasterSecret

2010-12-29 Thread Weijun Wang
Hi Xuelei Are you sure these 3 files all need to be changed? Hopefully you can change as few as possible. Also, the message name is not "PreMasterSecret message". I know it should be "ClientKeyExchange" for RSAClientKeyExchange.java. and, "tolerate" is the verb, "tolerant" is an adjective.

Re: Code Review Request: CR 6976118, version number tolerance in the PreMasterSecret

2010-12-30 Thread Weijun Wang
On 12/30/2010 06:07 PM, Xuelei Fan wrote: On 12/30/2010 9:39 AM, Weijun Wang wrote: Hi Xuelei Are you sure these 3 files all need to be changed? Hopefully you can change as few as possible. Yes, we need to change all 3 files. As we discussed before, we'd better to check the version n

Re: review request for 7008713, update 1: diamond conversion of kerberos5 and security tools

2011-01-11 Thread Weijun Wang
Hi Stuart On 01/12/2011 08:06 AM, Stuart Marks wrote: Hi Max, Here, finally, is an updated webrev for 7008713. Like the other updates, this is the automated diamond conversion but with diamonds removed from assignment statements. This is mostly diamonds used in variable initializers. I think th

Re: review request for 7008713, update 1: diamond conversion of kerberos5 and security tools

2011-01-11 Thread Weijun Wang
rs have only one letter. Thanks Max On 01/12/2011 11:04 AM, Stuart Marks wrote: Hi Max, thanks for reviewing the webrev. On 1/11/11 5:25 PM, Weijun Wang wrote: On 01/12/2011 08:06 AM, Stuart Marks wrote: I think there's one in a return statement in there too. You mean this one? pub

Re: review request for 7011998: diamond conversion for jgss and pkcs11

2011-01-13 Thread Weijun Wang
If sunpkcs11.jar includes line number info (which I think yes), then it needs to be updated. Otherwise, line numbers shown in the exception stack info will not match the source code. Max On 01/14/2011 08:15 AM, Stuart Marks wrote: Yes, the byte codes are identical. I compiled with -g:none bef

code review request: 7012160: read SF file in signed jar in streaming mode

2011-01-14 Thread Weijun Wang
Hi Sean http://cr.openjdk.java.net/~weijun/7012160/webrev.00/ I've made changes to the following classes to enable streaming mode SF file reading: - java/util/jar/JarVerifier.java: 1. New verifyBlock method. 2. Change the constructor from JarVerifier(byte[]) to JarVerifier(byte[], Manifest

Request for Comment: adding chain info to keytool -list

2011-01-17 Thread Weijun Wang
Hi All I have a keystore with a bunch of testing root CA, intermediate CA and entity certs, some PrivateKeyEntry and some TrustedCertEntry, and it's quite difficult to know who signs who. Therefore I suggest some enhancement for the simple "keytool -list". (by simple, I mean no "-v"). The en

Re: Request for Comment: adding chain info to keytool -list

2011-01-17 Thread Weijun Wang
cert 1 alias + entity cert 2 alias Andrew On 1/17/2011 4:59 PM, Weijun Wang wrote: Hi All I have a keystore with a bunch of testing root CA, intermediate CA and entity certs, some PrivateKeyEntry and some TrustedCertEntry, and it's quite difficult to know who signs who. Theref

Re: Request for Comment: adding chain info to keytool -list

2011-01-19 Thread Weijun Wang
evel of the tree. "CN=l" is not a self-signed cert, so it's listed under "Not self signed". But we still know "CN=l" signs m. 5. x is a SecretKeyEntry so not put inside chained entries. Any suggestions? Thanks Max On 01/18/2011 09:45 AM, Xuelei Fan wrote: On

Re: Request for Comment: adding chain info to keytool -list

2011-01-19 Thread Weijun Wang
sign each other to form a loop. I haven't yet figured out how to best show this in a tree. More description below inline. On 01/19/2011 10:50 PM, Xuelei Fan wrote: I'm not sure I understand the proposal completely. Please read in-lines comments. On 1/19/2011 5:34 PM, Weijun Wang wrote

Relook at 6937978: let keytool -gencert generate the chain

2011-01-20 Thread Weijun Wang
Hi Sean Some time ago we enhanced "keytool -gencert" to generate a cert chain, including certificates from the end-entity to the secondary level CA, except the root CA. I have some different opinion now, and think maybe it's better to include the root CA. 1. There is no spec saying a chain can

Re: Relook at 6937978: let keytool -gencert generate the chain

2011-01-21 Thread Weijun Wang
d different. As described in my number 2 reason below, it won't even make any changes to the "keytool -import -file certs" result. Max Andrew On 1/21/2011 12:25 PM, Weijun Wang wrote: Hi Sean Some time ago we enhanced "keytool -gencert" to generate a cert chain, includi

Re: Relook at 6937978: let keytool -gencert generate the chain

2011-01-25 Thread Weijun Wang
25 PM, Weijun Wang wrote: Hi Sean Some time ago we enhanced "keytool -gencert" to generate a cert chain, including certificates from the end-entity to the secondary level CA, except the root CA. I have some different opinion now, and think maybe it's better to include the root CA. 1. The

Re: Relook at 6937978: let keytool -gencert generate the chain

2011-01-25 Thread Weijun Wang
break; } Now if A signs B and B signs A again, there would be a loop. This should seldom happen I guess. Thanks Max On 01/26/2011 02:50 AM, Sean Mullan wrote: On 1/25/11 10:09 AM, Weijun Wang wrote: On 01/25/2011 10:44 PM, Sean Mullan wrote: Hi Max, For #3 below,

7016698: test sun/security/krb5/runNameEquals.sh failed on Ubuntu

2011-02-09 Thread Weijun Wang
Hi Valerie I just looked into this bug, the reason is that the failed Ubuntu has a libgssapi_krb5.so.2 but no libgssapi_krb5.so. Turns out that a newly installed Ubuntu only has the GSS/krb5 runtime installed, which includes the .so.2 file. On the other hand, the .so file (simply a symlink

Re: code review request: 7012160: read SF file in signed jar in streaming mode

2011-02-10 Thread Weijun Wang
is such a difference and use this static method to precisely mimic the behavior. [661-665]: replace this code with MessageDigest.isEqual. Yes. All changes are trivial except for the new SignerInfo.verify() method. I guess a webrev is not needed. Thanks Max --Sean On 1/14/11 3:31 A

code review request: 7016698: test sun/security/krb5/runNameEquals.sh failed on Ubuntu

2011-02-10 Thread Weijun Wang
prefer to keep it this way for simplicity. So, my preference would be closer to your suggestion#2. Thanks, Valerie On 02/09/11 05:47 PM, Weijun Wang wrote: Hi Valerie I just looked into this bug, the reason is that the failed Ubuntu has a libgssapi_krb5.so.2 but no libgssapi_krb5.so. Turns out t

hg: jdk7/tl/jdk: 6742654: Code insertion/replacement attacks against signed jars; ...

2011-02-11 Thread weijun . wang
Changeset: 8860e17db3bd Author:weijun Date: 2011-02-12 05:09 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/8860e17db3bd 6742654: Code insertion/replacement attacks against signed jars 6911041: JCK api/signaturetest tests fails for Mixed Code PIT builds (b91) for all trains

hg: jdk7/tl/jdk: 7016698: test sun/security/krb5/runNameEquals.sh failed on Ubuntu

2011-02-11 Thread weijun . wang
Changeset: de923c0ec3c4 Author:weijun Date: 2011-02-12 07:30 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/de923c0ec3c4 7016698: test sun/security/krb5/runNameEquals.sh failed on Ubuntu Reviewed-by: valeriep ! src/share/classes/sun/security/jgss/wrapper/SunNativeProvider.ja

code review request: 7018928: test failure: sun/security/krb5/auto/SSL.java

2011-02-13 Thread Weijun Wang
Hi Valerie http://cr.openjdk.java.net/~weijun/7018928/webrev.00/ There was a failure of krb5 test SSL.java for jdk7b130 PIT. The exception thrown is a java.net.NoRouteToHostException. The test uses an internal DNS service and starts its own KDC and HTTPS server. I cannot replay the error so

Re: code review request: 7018928: test failure: sun/security/krb5/auto/SSL.java

2011-02-14 Thread Weijun Wang
On 02/15/2011 05:51 AM, Valerie (Yu-Ching) Peng wrote: So, the test failures are intermittent? I think so. The changes look fine. Thanks Max Valerie On 02/13/11 11:49 PM, Weijun Wang wrote: Hi Valerie http://cr.openjdk.java.net/~weijun/7018928/webrev.00/ There was a failure of

hg: jdk7/tl/jdk: 7018928: test failure: sun/security/krb5/auto/SSL.java

2011-02-14 Thread weijun . wang
Changeset: 9024288330c4 Author:weijun Date: 2011-02-15 12:11 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/9024288330c4 7018928: test failure: sun/security/krb5/auto/SSL.java Reviewed-by: valeriep ! test/sun/security/krb5/auto/BadKdc1.java ! test/sun/security/krb5/auto/BadK

hg: jdk7/tl/jdk: 7021789: Remove jarsigner -crl option

2011-02-28 Thread weijun . wang
Changeset: f4613b378874 Author:weijun Date: 2011-02-28 23:02 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/f4613b378874 7021789: Remove jarsigner -crl option Reviewed-by: mullan ! src/share/classes/com/sun/jarsigner/ContentSignerParameters.java ! src/share/classes/java/secu

hg: jdk7/tl/jdk: 7020531: test: java/security/cert/CertificateFactory/openssl/OpenSSLCert.java file not closed after run

2011-03-01 Thread weijun . wang
Changeset: f8bf888edf20 Author:weijun Date: 2011-03-01 16:22 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/f8bf888edf20 7020531: test: java/security/cert/CertificateFactory/openssl/OpenSSLCert.java file not closed after run Reviewed-by: alanb, smarks ! test/ProblemList.txt

Re: code review request: 7012160: read SF file in signed jar in streaming mode

2011-03-02 Thread Weijun Wang
e"? I think that matches the description of the method better. [138]: Same comment as above. I think setSignatureFile is a better name. Also can you add a comment describing what this method does? * JarVerifier [267]: this should be printed in debug only --Sean On 2/10/11 3:08 AM, Weijun

Re: code review request: 7012160: read SF file in signed jar in streaming mode

2011-03-04 Thread Weijun Wang
Small non-functional changes: http://cr.openjdk.java.net/~weijun/7012160/webrev.02/ 1. comments 2. some new language usage, say, <> operator 3. Vector->List, Hashtable->Map Thanks Max On 03/03/2011 08:32 AM, Weijun Wang wrote: Webrev updated http://cr.openjdk.java.net/~we

Re: Krb5LoginModule verify TGT?

2011-03-10 Thread Weijun Wang
Hi Christopher I'm not familiar with that function. So it reads the user's secret key from a keytab and tries to decrypt the TGT to see if it can successfully get the session key inside? This is a part of the Krb5LoginModule login process: it receives a TGT from the KDC and uses either the pass

Re: Krb5LoginModule verify TGT?

2011-03-10 Thread Weijun Wang
re a change in the openjdk code. -Christopher On Thu, Mar 10, 2011 at 6:36 PM, Weijun Wang <weijun.w...@oracle.com> wrote: Hi Christopher I'm not familiar with that function. So it reads the user's secret key from a keytab and tries to decrypt the TGT to see if it

hg: jdk7/tl/jdk: 6990848: JGSS/windows security code native code compiler warnings

2011-03-13 Thread weijun . wang
Changeset: d901560d70a7 Author:weijun Date: 2011-03-13 17:09 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/d901560d70a7 6990848: JGSS/windows security code native code compiler warnings Reviewed-by: valeriep ! src/windows/native/sun/security/krb5/NativeCreds.c

Re: code review request: 6894072: always refresh keytab

2011-03-15 Thread Weijun Wang
or KeyTab(File) does not throw NPE when null is specified. Fixed. getInstance(file) now throws NPE when file == null. 2) why not leverage getEncryptionKeys(PrincipalName) for the code of line 148-155? They seem similar enough. Updated. I've also added @run main/othervm to all jgss/krb

Re: code review request: 6894072: always refresh keytab

2011-03-20 Thread Weijun Wang
On 03/19/2011 07:54 AM, Valerie (Yu-Ching) Peng wrote: Max, Krb5AcceptCredential.java 1) you changed it to not extending KerberosKey, potential compatibility concern? Not compatibility concern. I only think that now Krb5AcceptCredential can be something else other than simply KerberosKey. I

Re: code review request: 6894072: always refresh keytab

2011-03-23 Thread Weijun Wang
Hi Valerie Updated webrev: http://cr.openjdk.java.net/~weijun/6894072/webrev.02 Changes since last version: 1. A KerberosPrincipal inside javax..KeyTab class. New getInstance() arguments, new getPrincipal() method. It can only be non-null now, but I didn't say anything in the spec. I'm

hg: jdk7/tl/jdk: 7028490: better suggestion for jarsigner when TSA is not accessible

2011-03-23 Thread weijun . wang
Changeset: c43811a602a8 Author:weijun Date: 2011-03-23 18:26 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/c43811a602a8 7028490: better suggestion for jarsigner when TSA is not accessible Reviewed-by: mullan ! src/share/classes/sun/security/tools/JarSigner.java ! src/share/

hg: jdk7/tl/jdk: 7030174: Jarsigner should accept TSACert with an HTTPS id-ad-timeStamping SIA

2011-03-24 Thread weijun . wang
Changeset: 65e7fddf517f Author:weijun Date: 2011-03-24 16:16 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/65e7fddf517f 7030174: Jarsigner should accept TSACert with an HTTPS id-ad-timeStamping SIA Reviewed-by: xuelei ! src/share/classes/sun/security/tools/TimestampedSigner

code review request: 7023056: NPE from sun.security.util.ManifestEntryVerifier.verify during Maven build

2011-03-24 Thread Weijun Wang
Hi Sean This is a regression made by my former treat-MANIFEST.MF-as-signed code change. Webrev here: http://cr.openjdk.java.net/~weijun/7023056/webrev.00/ For the reason, see the evaluation below. === *Description* Running a Maven build of

Re: Code Review Request for translatability bugs

2011-03-24 Thread Weijun Wang
AuthResources.java: === 1. {"expected.", "expected "}, -{".read.end.of.file", ", read end of file"}, +{"expected.expect.read.end.of.file.", +"expected {0}, read end of file"}, The "expected." is now useless. At least I grep thru all jdk/s

hg: jdk7/tl/jdk: 7023056: NPE from sun.security.util.ManifestEntryVerifier.verify during Maven build

2011-03-24 Thread weijun . wang
Changeset: 4a64eefbfd7a Author:weijun Date: 2011-03-25 11:58 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/4a64eefbfd7a 7023056: NPE from sun.security.util.ManifestEntryVerifier.verify during Maven build Reviewed-by: mullan ! src/share/classes/java/util/jar/JarVerifier.jav

Re: Code Review Request for translatability bugs

2011-03-24 Thread Weijun Wang
Another thing, maybe you can also combine the JarSigner TSA-unavailable warnings like you did for KeyTool integrity-not-checked ones? I've attached a diff and you can directly apply it at jdk level. Thanks Max On 03/25/2011 09:35 AM, Weijun Wang wrote: AuthResources

code review request: 7019384: Realm.getRealmsList returns realms list in wrong (reverse) order

2011-03-27 Thread Weijun Wang
Hi Xuelei We fixed a [capaths] bug some time ago: 6789935: cross-realm capath search error http://hg.openjdk.java.net/jdk7/tl/jdk/rev/33bc32405045 Unfortunately, it's still not correct. Here is a new webrev: http://cr.openjdk.java.net/~weijun/7019384/webrev.00/ As described in the b

code review request: 7031536: test/sun/security/krb5/auto/HttpNegotiateServer.java should not use static ports

2011-03-28 Thread Weijun Wang
Hi Xuelei This webrev includes 2 kinds of code changes: http://cr.openjdk.java.net/~weijun/7031536/webrev.00/ 1. HttpNegotiateServer: now servers open on port 0. 2. Others: I add run/othervm for all tests in jgss and krb5 that call System.setProperty Thanks Max Original Messag

hg: jdk7/tl/jdk: 2 new changesets

2011-03-28 Thread weijun . wang
Changeset: 86ace035d04d Author:weijun Date: 2011-03-28 18:04 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/86ace035d04d 7019384: Realm.getRealmsList returns realms list in wrong (reverse) order Reviewed-by: xuelei ! src/share/classes/sun/security/krb5/Realm.java ! test/sun/

Re: Exception while processing 'no-addresses' flag in KrbApReq.java

2011-03-28 Thread Weijun Wang
Sorry for the late reply. I suppose your client side program is not in Java? Because in JDK a service ticket's addresses field is always null. Thanks Max On 03/25/2011 07:53 PM, Szabolcs Pota wrote: [+ adding back security-dev] Hi Henry, Thank you for your reply. My answers are below.

Re: Code Review Request for translatability bugs

2011-03-28 Thread Weijun Wang
, Weijun Wang wrote: Another thing, maybe you can also combine the JarSigner TSA-unavailable warnings like you did for KeyTool integrity-not-checked ones? I've attached a diff and you can directly apply it at jdk level. Thanks Max On 03/25/2011 09:35 AM, Weijun Wang wrote: AuthResources

Re: Exception while processing 'no-addresses' flag in KrbApReq.java

2011-03-29 Thread Weijun Wang
na] at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:761) ~[na:na] Regards, Szabolcs On Mon, Mar 28, 2011 at 2:21 PM, Weijun Wang <weijun.w...@oracle.com> wrote: Sorry for the late reply. I suppose your client side program is not in J

Re: Exception while processing 'no-addresses' flag in KrbApReq.java

2011-03-29 Thread Weijun Wang
5Context.acceptSecContext(Krb5Context.java:761) ~[na:na] Regards, Szabolcs On Mon, Mar 28, 2011 at 2:21 PM, Weijun Wang <weijun.w...@oracle.com> wrote: Sorry for the late reply. I suppose your client side program is not in Java? Because in JDK a service ticket's addresses field is

code review request: 7032354: no-addresses should not be used on acceptor side

2011-03-29 Thread Weijun Wang
Hi Valerie http://cr.openjdk.java.net/~weijun/7032354/webrev.00/ I've removed the use of this setting on the acceptor side, now host address check is only performed if caddr is inside service ticket and the acceptor has a way to get the initiator's address (currently, thru channel binding onl

Re: code review request: 6894072: always refresh keytab

2011-03-31 Thread Weijun Wang
ired by 6894072. I'll continue to review your webrev, but just want to kick this idea off w/ you and see if it may work. Valerie On 03/23/11 02:00 AM, Weijun Wang wrote: Hi Valerie Updated webrev: http://cr.openjdk.java.net/~weijun/6894072/webrev.02 Changes since last version: 1. A Kerber

code review request: 7030180: AES 128/256 decrypt exception

2011-03-31 Thread Weijun Wang
Hi Valerie http://cr.openjdk.java.net/~weijun/7030180/webrev.00/ A bug in MIT krb5 1.8 triggers this exception (read evaluation below). They will fix it in 1.8.4 and 1.9. In the meantime, we can check both the session key and the subkey on the acceptor side. I think this does not deserve a

Re: code review request: 6894072: always refresh keytab

2011-04-02 Thread Weijun Wang
st an idea. Valerie On 04/01/11 02:14 AM, Weijun Wang wrote: Hi Valerie Updated again: http://cr.openjdk.java.net/~weijun/6894072/webrev.04/ 1. KeyTab can be used by anyone 2. The two compatibility support As for adding keys (from keytab) into private credentials set, I haven't cleaned up

Re: code review request: 6894072: always refresh keytab

2011-04-02 Thread Weijun Wang
On 04/02/2011 05:18 PM, Weijun Wang wrote: Updated again: http://cr.openjdk.java.net/~weijun/6894072/webrev.05/ Changes: 1. New Krb5Util.KeysFromKeyTab as a special kind of KerberosKey we will add to and remove from private credentials set. Add and remove are only done when

Re: code review request: 6894072: always refresh keytab

2011-04-09 Thread Weijun Wang
nish > 56 *b. Builder will not wipe it for you I'll remove lines 54-56. Maybe I meant to do that some time ago. Thanks Max > > I am still looking at the rest of changes, just want to send what I have now, > so you don't wait too long. > > Thanks, >

code review request: 7036157: TCP connection does not use kdc_timeout

2011-04-12 Thread Weijun Wang
Hi Valerie http://cr.openjdk.java.net/~weijun/7036157/webrev.00/ There is no regression test because it's not easy to simulate a connection timeout in a regression test. On my home machine, I set KDC to facebook.com. Thanks to the Great Firewall of China that all connections to facebook are

Re: Code review request for 7035115

2011-04-14 Thread Weijun Wang
Changes look fine. Are you going to backport the fix to earlier JDKs? Otherwise, you can simplify cons = clazz.getConstructor(new Class[] {String.class}); Object obj = cons.newInstance(new Object[] {configFile}); to cons = clazz.getConstructor(String.class); cons.newInstance(conf

Re: code review request: 6894072: always refresh keytab

2011-04-18 Thread Weijun Wang
Thanks for the careful review. It has been a long one. Max On 04/19/2011 02:58 AM, Valerie (Yu-Ching) Peng wrote: Ok, I have no more comments. Thanks, Valerie On 04/13/11 09:36 PM, Weijun Wang wrote: webrev updated at http://cr.openjdk.java.net/~weijun/6894072/webrev.06/ changes: 1

hg: jdk7/tl/jdk: 6894072: always refresh keytab

2011-04-20 Thread weijun . wang
Changeset: f8956ba13b37 Author:weijun Date: 2011-04-20 18:41 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/f8956ba13b37 6894072: always refresh keytab Reviewed-by: valeriep ! src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java + src/share/classes/javax/secu

code review request: 6950929: Failures on Solaris sparc 64bit sun/security/krb5/auto/BadKdc4.java (and linux?)

2011-04-25 Thread Weijun Wang
Hi Valerie Code change for the BadKdc.java test: http://cr.openjdk.java.net/~weijun/6950929/webrev.00/ As described in the lines 44-69 of the new file, the test might fail due to 2 reasons: 1. KDC port opened by some other process (1%) 2. KDC cannot receive the first UDP packet (99%) Th

Re: code review request: 6894072: always refresh keytab

2011-04-26 Thread Weijun Wang
ting the set, and I cannot predict what they will do with the set. Thanks Max On 04/01/2011 10:23 AM, Weijun Wang wrote: On 04/01/2011 10:09 AM, Valerie (Yu-Ching) Peng wrote: Max, I like this new approach of yours better. As for compatibility, you mentioned only one aspect, i.e. apps wh

hg: jdk7/tl/jdk: 7032354: no-addresses should not be used on acceptor side

2011-04-26 Thread weijun . wang
Changeset: 06c7ee973e05 Author:weijun Date: 2011-04-07 08:51 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/06c7ee973e05 7032354: no-addresses should not be used on acceptor side Reviewed-by: valeriep ! src/share/classes/sun/security/krb5/KrbApReq.java ! test/sun/security/kr

Re: code review request: 6894072: always refresh keytab

2011-04-26 Thread Weijun Wang
here at the beginning and refresh them whenever a getKeys() is called. This should be harmless because we don't really use the keys if keytab objects (not keytab files) exist. I can do that. Thanks Max Valerie On 03/31/11 03:41 AM, Weijun Wang wrote: Hi Valerie Sorry for the la

hg: jdk7/tl/jdk: 2 new changesets

2011-04-26 Thread weijun . wang
Changeset: 4de90f390a48 Author:weijun Date: 2011-04-11 10:22 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/4de90f390a48 7012160: read SF file in signed jar in streaming mode Reviewed-by: mullan ! src/share/classes/java/util/jar/JarFile.java ! src/share/classes/java/util/jar

Re: code review request: 6894072: always refresh keytab

2011-04-26 Thread Weijun Wang
Handshaker and ServerHandshaker (mentioned in your other mail) Comments inline below: On 04/14/2011 09:45 AM, Valerie (Yu-Ching) Peng wrote: On 04/09/11 03:00 AM, Weijun Wang wrote: src/share/classes/sun/security/jgss/krb5/Krb5Util.java => 1) So, since when do we populate the Subjec

hg: jdk7/tl/jdk: 7036157: TCP connection does not use kdc_timeout

2011-04-26 Thread weijun . wang
Changeset: e9ae2178926a Author:weijun Date: 2011-04-14 12:40 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/e9ae2178926a 7036157: TCP connection does not use kdc_timeout Reviewed-by: valeriep ! src/share/classes/sun/security/krb5/internal/NetClient.java

hg: jdk7/tl/jdk: 6950929: Failures on Solaris sparc 64bit sun/security/krb5/auto/BadKdc4.java (and linux?)

2011-04-27 Thread weijun . wang
Changeset: 0e0db3421e8f Author:weijun Date: 2011-04-27 17:11 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/0e0db3421e8f 6950929: Failures on Solaris sparc 64bit sun/security/krb5/auto/BadKdc4.java (and linux?) Reviewed-by: xuelei ! test/sun/security/krb5/auto/BadKdc.java

hg: jdk7/tl/jdk: 7037201: regression: invalid signed jar file not detected

2011-04-28 Thread weijun . wang
Changeset: 76703c84b3a2 Author:weijun Date: 2011-04-28 20:34 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/76703c84b3a2 7037201: regression: invalid signed jar file not detected Reviewed-by: mullan ! src/share/classes/java/util/jar/JarFile.java ! src/share/classes/java/util

code review request: 7040916: DynamicKeyTab test fails on Windows

2011-04-30 Thread Weijun Wang
Hi Andrew http://cr.openjdk.java.net/~weijun/7040916/webrev.00/ The keytab file cannot be removed and the test fails. The file was opened twice and both not closed: 1. once inside the test 2. once inside KeyTab and not closed because it's not a valid keytab Also, I change File.delete() c

hg: jdk7/tl/jdk: 7040916: DynamicKeyTab test fails on Windows

2011-05-01 Thread weijun . wang
Changeset: aa7c361144bb Author:weijun Date: 2011-05-01 14:22 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/aa7c361144bb 7040916: DynamicKeyTab test fails on Windows Reviewed-by: xuelei ! src/share/classes/sun/security/krb5/internal/ktab/KeyTab.java ! test/sun/security/krb5/

hg: jdk7/tl/jdk: 7040151: SPNEGO GSS code does not parse tokens in accordance to RFC 2478

2011-05-02 Thread weijun . wang
Changeset: d08d77ad2d7b Author:weijun Date: 2011-05-03 02:48 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/d08d77ad2d7b 7040151: SPNEGO GSS code does not parse tokens in accordance to RFC 2478 Reviewed-by: valeriep ! src/share/classes/sun/security/jgss/spnego/NegTokenInit.j

hg: jdk7/tl/jdk: 7041635: GSSContextSpi.java copyright notice error

2011-05-09 Thread weijun . wang
Changeset: 9f56fbc8b6be Author:weijun Date: 2011-05-10 07:00 +0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/9f56fbc8b6be 7041635: GSSContextSpi.java copyright notice error Reviewed-by: valeriep ! src/share/classes/sun/security/jgss/spi/GSSContextSpi.java

Code review request: 7043737: klist does not detect non-existing keytab

2011-05-11 Thread Weijun Wang
Hi Valerie http://cr.openjdk.java.net/~weijun/7043737/webrev.00/ Not only a missing keytab is detected, but also an invalid one, where I use a similar error message like the native klist: $ klist -k ASSEMBLY_EXCEPTION Keytab name: WRFILE:ASSEMBLY_EXCEPTION klist: Unsupported key table format

Re: Code review request: 7043737: klist does not detect non-existing keytab

2011-05-12 Thread Weijun Wang
Thanks Max > Valerie > > On 05/11/11 00:35, Weijun Wang wrote: >> Hi Valerie >> >> http://cr.openjdk.java.net/~weijun/7043737/webrev.00/ >> >> Not only a missing keytab is detected, but also an invalid one, where I use >> a similar error

hg: jdk8/tl/jdk: 7048466: Move sun.misc.JavaxSecurityAuthKerberosAccess to sun.security.krb5 package

2011-05-26 Thread weijun . wang
Changeset: b8bcb12acea6 Author:weijun Date: 2011-05-27 09:01 +0800 URL: http://hg.openjdk.java.net/jdk8/tl/jdk/rev/b8bcb12acea6 7048466: Move sun.misc.JavaxSecurityAuthKerberosAccess to sun.security.krb5 package Reviewed-by: weijun, alanb Contributed-by: Mandy Chung ! src/share/

hg: jdk8/tl/jdk: 7043737: klist does not detect non-existing keytab

2011-06-07 Thread weijun . wang
Changeset: 9b678733fa51 Author:weijun Date: 2011-06-08 14:01 +0800 URL: http://hg.openjdk.java.net/jdk8/tl/jdk/rev/9b678733fa51 7043737: klist does not detect non-existing keytab Reviewed-by: valeriep ! src/windows/classes/sun/security/krb5/internal/tools/Klist.java + test/sun/secu

code review request: NTLM SASL mech JCK conformance bugs

2011-06-13 Thread Weijun Wang
Hi Vinnie http://cr.openjdk.java.net/~weijun/7043847/webrev.00/ There are 5 bugs, you can see them in the webrev. This fix is for JDK 8. I guess I'll need >=2 reviewers for backporting to JDK 7u2. Thanks Max

code review request: 7054428: test/java/security/SecureClassLoader/DefineClassByteBuffer.java error

2011-06-14 Thread Weijun Wang
Hi Alan The last excluded test in jdk_security1: http://cr.openjdk.java.net/~weijun/7054428/webrev.00/ I'm not an NIO expert, but the test looks too wrong. Is there any chance for it to pass in the last 8 years? Thanks Max Original Message *Change Request ID*: 7054428

Re: code review request: 7054428: test/java/security/SecureClassLoader/DefineClassByteBuffer.java error

2011-06-14 Thread Weijun Wang
ass loader get used. http://cr.openjdk.java.net/~weijun/7054428/webrev.01 JPRT also OK at -- http://jprt-web.us.oracle.com/archive/2011/06/2011-06-14-140902.ww155710.jdk//JobStatus.txt Thanks Max On 06/14/2011 08:53 PM, Alan Bateman wrote: Weijun Wang wrote: Hi Alan The last excluded test i

Re: Code review request for 7041252 Use j.u.Objects.equals in security classes

2011-06-14 Thread Weijun Wang
Code changes look fine. Thanks Max On 06/15/2011 10:28 AM, Joe Darcy wrote: Hello. Please review this change to replace use of private two-argument equals methods with the platform Objects.equals method introduced in JDK 7: 7041252 Use j.u.Objects.equals in security classes http://cr.openjdk.

test/java/security/spec/EllipticCurveMatch.java othervm?

2011-06-15 Thread Weijun Wang
Hi Vinnie Why does this test run in /othervm mode? Thanks Max

Re: test/java/security/spec/EllipticCurveMatch.java othervm?

2011-06-15 Thread Weijun Wang
Oh, is it possible to use a non-Secure Random? Thanks Max On 06/15/2011 05:00 PM, Vincent Ryan wrote: On 06/15/11 09:45, Weijun Wang wrote: Hi Vinnie Why does this test run in /othervm mode? Thanks Max It was failing due to SecureRandom problems on some platforms when run in samevm mode

Re: code review request: 7054428: test/java/security/SecureClassLoader/DefineClassByteBuffer.java error

2011-06-15 Thread Weijun Wang
's main method. The reason the original test failed in samevm is that buffers[DIRECT_BUFFER].flip() is not called and its remaining() is zero, and causes the error: java.lang.ClassFormatError: Truncated class file Thanks Max On 06/15/2011 06:56 PM, Alan Bateman wrote: Weijun Wang wrote

Re: code review request: 7054428: test/java/security/SecureClassLoader/DefineClassByteBuffer.java error

2011-06-15 Thread Weijun Wang
sable? Thanks Max On 06/15/2011 07:26 PM, Alan Bateman wrote: Weijun Wang wrote: But the current test passes without closing the stream, even on Windows. I guess it's because the file opened is not in scratch directory and needs not be cleaned up. If we have to close the stream/channel

hg: jdk8/tl/jdk: 7054428: test/java/security/SecureClassLoader/DefineClassByteBuffer.java error

2011-06-20 Thread weijun . wang
Changeset: 82706552f7a3 Author:weijun Date: 2011-06-20 17:38 +0800 URL: http://hg.openjdk.java.net/jdk8/tl/jdk/rev/82706552f7a3 7054428: test/java/security/SecureClassLoader/DefineClassByteBuffer.java error Reviewed-by: alanb ! test/ProblemList.txt ! test/java/security/SecureClassL

hg: jdk8/tl/jdk: 7054918: jdk_security1 test target cleanup

2011-06-20 Thread weijun . wang
Changeset: a015dda3bdc6 Author:weijun Date: 2011-06-20 19:17 +0800 URL: http://hg.openjdk.java.net/jdk8/tl/jdk/rev/a015dda3bdc6 7054918: jdk_security1 test target cleanup Reviewed-by: alanb, smarks, vinnie ! test/ProblemList.txt ! test/java/security/BasicPermission/PermClass.java !

Re: Fix for: 6415637: PKCS#12 key stores with empty passwords

2011-06-20 Thread Weijun Wang
Hi Florian Thanks for looking into this. The following bug is for this special purpose: 6879539: enable empty password support for pkcs12 keystore http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6879539 and it's now still in code review mode: http://cr.openjdk.java.net/~weijun/687

hg: jdk8/tl/jdk: 7055362: jdk_security2 test target cleanup

2011-06-22 Thread weijun . wang
Changeset: febb7f557135 Author:weijun Date: 2011-06-23 09:27 +0800 URL: http://hg.openjdk.java.net/jdk8/tl/jdk/rev/febb7f557135 7055362: jdk_security2 test target cleanup Reviewed-by: alanb ! test/Makefile ! test/ProblemList.txt ! test/com/sun/crypto/provider/Cipher/DES/Sealtest.ja

code review request: 6330275: Rework the PaddingTest regression test. (was Re: Fwd: jdk_security2 tests)

2011-06-23 Thread Weijun Wang
http://cr.openjdk.java.net/~weijun/6330275/webrev.00/ Thanks Max On 06/23/2011 08:03 AM, Brad Wetmore wrote: No, feel free to take it. Brad On 6/21/2011 2:24 AM, Weijun Wang wrote: Hi Brad # Timed out, Solaris 10 64bit sparcv9 com/sun/crypto/provider/Cipher/DES/PaddingTest.java generic
