Re: RFR JDK-8219989 : Retire the com.sun.net.ssl.internal.ssl.Provider name

2020-03-12 Thread Hai-May Chao
Hi Xuelei, Looks good to me. Hai-May > On Mar 12, 2020, at 10:39 AM, Xuelei Fan wrote: > > Hi, > > Could I get the following update reviewed? > > Bug#: https://bugs.openjdk.java.net/browse/JDK-8219989 > Webrev: http://cr.openjdk.java.net/~xuelei/8219989/webrev.00/ > Release note task:

Re: RFR JDK-8227024 : Remove the deprecated javax.security.cert APIs

2020-03-12 Thread Hai-May Chao
Hi Xuelei, Looks good to me. Hai-May > On Mar 12, 2020, at 10:34 AM, Xuelei Fan wrote: > > And the release note task: > https://bugs.openjdk.java.net/browse/JDK-8240968 > > Xuelei > > On 3/12/2020 9:47 AM, Xuelei Fan wrote: >> Hi, >> Could I get the following update reviewed? >> CSR:

Re: RFR 8242811: AlgorithmId::getDefaultAlgorithmParameterSpec returns incompatible PSSParameterSpec for an RSASSA-PSS key

2020-04-17 Thread Hai-May Chao
Changes good to me. Hai-May > On Apr 17, 2020, at 3:27 PM, Valerie Peng wrote: > > > Changes look good~ > > Valerie > > On 4/15/2020 3:34 AM, Weijun Wang wrote: >> Please take a review at >> >>https://cr.openjdk.java.net/~weijun/8242811/webrev.00/ >> >> The

Re: RFR 8242184: CRL generation error with RSASSA-PSS

2020-04-07 Thread Hai-May Chao
Hi Max, Changes look good to me. Hai-May > On Apr 6, 2020, at 8:11 PM, Weijun Wang wrote: > > Please review the fix at > > http://cr.openjdk.java.net/~weijun/8242184/webrev.00/ > > The major change is inside X509CRLImpl.java to allow params setting and > reading. > > I also take this

Re: RFR[15]: 8172404: Tools should warn if weak algorithms are used before restricting them

2020-04-08 Thread Hai-May Chao
ze(key)); > 1349 } > 1350 } > > You can move line 1335 before line 1334 since the size is also used in the > else block on lines 1342-1344. > > Thanks, > Max > >> On Apr 6, 2020, at 12:51 AM, Hai-May Chao wrote: >> >> Here is the webrev: >

Re: RFR 8242260: Remove customizable ContentSigner from jarsigner

2020-04-07 Thread Hai-May Chao
Hi Max, Changes look good to me. Is there a man page bug being filed for this? Thanks, Hai-May > On Apr 7, 2020, at 1:04 AM, Weijun Wang wrote: > > I am thinking about removing the `jarsigner -altsigner -altsignerpath` > options and underlying classes: > >JBS :

RFR[15]: 8186143: keytool -ext option doesn’t accept wildcards for DNS subject alternatives names

2020-03-13 Thread Hai-May Chao
Hi, I need a code review for - Bug: https://bugs.openjdk.java.net/browse/JDK-8186143 Webrev: http://cr.openjdk.java.net/~weijun/8186143/webrev.00/ The keytool -ext option doesn’t accept wildcards for DNS subject alternatives names in certificates. Certificates with wildcarded domains are

Re: RFR[15]: 8186143: keytool -ext option doesn’t accept wildcards for DNS subject alternatives names

2020-03-13 Thread Hai-May Chao
nd hyphens’. Line 95 test case will give us a different error from “a*.com”. That is, ‘DNSName with blank components is not permitted’. The existing badNames test case does not have “a*.com”, and I will add it too. Thanks, Hai-May > --Jamil > > On 3/13/2020 9:25 AM, Hai-May Chao wrote:

RFR[15]: 8172404: Tools should warn if weak algorithms are used before restricting them

2020-04-05 Thread Hai-May Chao
Hi, I'd like to request a review for: Bug: https://bugs.openjdk.java.net/browse/JDK-8172404 CSR: https://bugs.openjdk.java.net/browse/JDK-8238640 It’d be useful to start warning users that

Re: RFR[15]: 8172404: Tools should warn if weak algorithms are used before restricting them

2020-04-05 Thread Hai-May Chao
Here is the webrev: http://cr.openjdk.java.net/~weijun/8172404/webrev.00/ Thanks, Hai-May > On Apr 4, 2020, at 11:41 PM, Hai-May Chao wrote: > > Hi, > > I'd like to request a review for: > > Bug: https://bugs.openjdk.java.net/browse/JDK-8172404 > <https://bugs.

RFR[15] 8242060: Add revocation checking to jarsigner

2020-04-30 Thread Hai-May Chao
Hi, I’d like to request a review for: JBS: https://bugs.openjdk.java.net/browse/JDK-8242060 CSR: https://bugs.openjdk.java.net/browse/JDK-8244046 Webrev: https://cr.openjdk.java.net/~hchao/8242060/webrev.00/ The jarsigner command currently does certificate chain validation, but does not check

Re: RFR[15] 8242060: Add revocation checking to jarsigner

2020-05-02 Thread Hai-May Chao
he whole test is finishing very fast now. > > Looks good otherwise. Please add a release-note and open a follow-on issue to > update the man page with the new option. Done (Release note: JDK-8244285, and man page: JDK-8244274). Updated webrev: https://cr.openjdk.java.net/~hchao/8

Re: RFR[15] 8242060: Add revocation checking to jarsigner

2020-05-02 Thread Hai-May Chao
use 0.0.0.0 for both OCSP and CRLDP? I assume it will return > immediately, just hope it's not an uncaught RuntimeException. > > --Max > >> >> Looks good otherwise. Please add a release-note and open a follow-on issue >> to update the man page with the new option. >>

Re: RFR[15] 8242060: Add revocation checking to jarsigner

2020-05-04 Thread Hai-May Chao
uggested), for OCSP, by the time when OCSP.getOCSPBytes() comes in to report the OCSP event, the reporter has been cleared. And this would be same problem for CRL. So it cannot be called immediately. Thanks, Hai-May > > Thanks, > Max > >> On May 3, 2020, at 2:19 AM, Hai-May Cha

Re: RFR[15] 8242060: Add revocation checking to jarsigner

2020-05-04 Thread Hai-May Chao
> On May 4, 2020, at 6:01 PM, Weijun Wang wrote: > > > >> On May 5, 2020, at 3:48 AM, Hai-May Chao wrote: >> >> Hi Max, >> >>> On May 2, 2020, at 5:25 PM, Weijun Wang wrote: >>> >>> In jarsigner/Main, you can just ca

Re: RFR[15] 8242060: Add revocation checking to jarsigner

2020-05-05 Thread Hai-May Chao
> On May 4, 2020, at 10:23 PM, Weijun Wang wrote: > > > >> On May 5, 2020, at 12:36 PM, Hai-May Chao wrote: >> >> >> >>> On May 4, 2020, at 6:01 PM, Weijun Wang wrote: >>> >>> >>> >>>> On May 5,

Re: RFR[15] 8242060: Add revocation checking to jarsigner

2020-05-05 Thread Hai-May Chao
> On May 5, 2020, at 6:16 AM, Sean Mullan wrote: > > On 5/2/20 2:19 PM, Hai-May Chao wrote: >>> Looks good otherwise. Please add a release-note and open a follow-on issue >>> to update the man page with the new option. >> Done (Release note: JDK-8244285, a

RFR[15] 8245151: jarsigner should not raise duplicate warnings on verification

2020-05-18 Thread Hai-May Chao
Hi, I’d like to request a review for - JBS: https://bugs.openjdk.java.net/browse/JDK-8245151 Webrev: https://cr.openjdk.java.net/~hchao/8245151/webrev.00/ The change is to provide a distinct warning for jarsigner -verify command when it detects weak timestamp digest algorithms are used (by

RFR[15] 8245665: Test WeakAlg.java should only make sure no warning for weak signature algorithms by keytool on root CA

2020-05-22 Thread Hai-May Chao
Hi, I’d like to request a review for - JBS: https://bugs.openjdk.java.net/browse/JDK-8245665 Webrev: https://cr.openjdk.java.net/~hchao/8245665/webrev.00/ Keytool only emits warnings for the root CA in cacerts using the weak key, but not for using the weak algorithm. So test case WeakAlg.java

Re: RFR[15] 8245665: Test WeakAlg.java should only make sure no warning for weak signature algorithms by keytool on root CA

2020-05-23 Thread Hai-May Chao
o see how it works. > > Thanks, > Max > >> On May 23, 2020, at 11:01 AM, Hai-May Chao wrote: >> >> Hi, >> >> I’d like to request a review for - >> >> JBS: https://bugs.openjdk.java.net/browse/JDK-8245665 >> Webrev: https://cr.openjdk.java

Re: RFR[15] 8242060: Add revocation checking to jarsigner

2020-05-01 Thread Hai-May Chao
Hi, With small change added to ‘Usages.java’ test, here is the updated webrev: https://cr.openjdk.java.net/~hchao/8242060/webrev.01/ Thanks, Hai-May > On Apr 30, 2020, at 4:29 PM, Hai-May Chao wrote: > > Hi, > > I’d like to request a review for: > > JBS: https://

Re: RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

2020-10-08 Thread Hai-May Chao
On Wed, 7 Oct 2020 22:08:19 GMT, Hai-May Chao wrote: >> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256. >> Please also review the CSR at >> https://bugs.openjdk.java.net/browse/JDK-8228481. > > Looks good. Only minor comments. CSR looks

Re: RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

2020-10-08 Thread Hai-May Chao
On Thu, 1 Oct 2020 20:02:34 GMT, Weijun Wang wrote: > Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256. > Please also review the CSR at > https://bugs.openjdk.java.net/browse/JDK-8228481. Looks good. Only minor comments.

Re: RFR: 8238157: Remove intermittent key from AmazonCA.java

2020-08-26 Thread Hai-May Chao
Looks good. Thanks, Hai-May > On Aug 26, 2020, at 10:13 AM, Rajan Halade wrote: > > Please review this update to remove key intermittent from AmazonCA test. This > test no longer fails intermittently. > > @@ -24,7 +24,6 @@ > /* > * @test > * @bug 8233223 > - * @key intermittent > *
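Review bot: The hunk drops `@key intermittent` from the test header but changes nothing else in the visible lines, so the removal rests entirely on the statement that the test no longer fails intermittently. Record in the bug what resolved the intermittent failure, or how many clean runs were observed, so the keyword can be restored with context if the failure returns.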

Re: RFR: 8250968: Symlinks attributes not preserved when using jarsigner on zip files

2020-08-28 Thread Hai-May Chao
JarSigner.java #953: The output debug message can be removed from the code. JavaUtilZipFileAccess.java #44: Change posixPerms to extraAttrs. ZipFile.java #661: Suggest to keep the comment and update it with the additional 4 bits for symlink. The rest of code changes and CSR look good. Thanks,

Re: RFR: 8252377: Incorrect encoding for EC AlgorithmIdentifier [v2]

2020-09-24 Thread Hai-May Chao
> This change fixes the DER encoding for ECDSA AlgorithmIdentifier to omit the > parameters field instead of encoding a > Null tag. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Updated test case to use

Re: RFR: 8252377: Incorrect encoding for EC AlgorithmIdentifier [v2]

2020-09-24 Thread Hai-May Chao
On Fri, 25 Sep 2020 00:45:09 GMT, Weijun Wang wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Updated test case to use DerUtils > > src/java.base/share/classes/sun/security/

Re: RFR: 8252377: Incorrect encoding for EC AlgorithmIdentifier [v3]

2020-09-24 Thread Hai-May Chao
> This change fixes the DER encoding for ECDSA AlgorithmIdentifier to omit the > parameters field instead of encoding a > Null tag. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Added comment for RFC -

Integrated: 8252377: Incorrect encoding for EC AlgorithmIdentifier

2020-09-25 Thread Hai-May Chao
On Tue, 22 Sep 2020 22:21:20 GMT, Hai-May Chao wrote: > This change fixes the DER encoding for ECDSA AlgorithmIdentifier to omit the > parameters field instead of encoding a > Null tag. This pull request has now been integrated. Changeset: 0e855fe5 Author: Hai-May Chao Committe

RFR: 8252377: Incorrect encoding for EC AlgorithmIdentifier

2020-09-22 Thread Hai-May Chao
This change fixes the DER encoding for ECDSA AlgorithmIdentifier to omit the parameters field instead of encoding a Null tag. - Commit messages: - 8252377: Incorrect encoding for EC AlgorithmIdentifier Changes: https://git.openjdk.java.net/jdk/pull/312/files Webrev:

Re: RFR: 8252377: Incorrect encoding for EC AlgorithmIdentifier

2020-09-23 Thread Hai-May Chao
On Wed, 23 Sep 2020 02:49:29 GMT, Weijun Wang wrote: >> This change fixes the DER encoding for ECDSA AlgorithmIdentifier to omit the >> parameters field instead of encoding a >> Null tag. > > I don't quite understand what the test is for. The bug is about encoding but > the test seems to be

RFR 8244148: keytool -printcert and -printcrl should support the -trustcacerts and -keystore options

2020-06-01 Thread Hai-May Chao
Hi, I’d like to request a review for: JBS: https://bugs.openjdk.java.net/browse/JDK-8244148 CSR: https://bugs.openjdk.java.net/browse/JDK-8246269 Webrev: http://cr.openjdk.java.net/~hchao/8244148/webrev.00/ The change is to add the support of -trustcacerts and -keystore options to -printcert

Re: RFR: 8007632: DES/3DES keys support in PKCS12 keystore [v3]

2020-10-27 Thread Hai-May Chao
On Tue, 27 Oct 2020 17:59:38 GMT, Weijun Wang wrote: >> Alexey Bakhtin has updated the pull request incrementally with one >> additional commit since the last revision: >> >> Fix order of OIDs > > Marked as reviewed by weijun (Reviewer). Change looks good. - PR:

Re: RFR 8247960: jarsigner says "signer errors" for some normal warnings when -strict is set

2020-07-15 Thread Hai-May Chao
Bugid added. Thanks, Hai-May > On Jul 15, 2020, at 12:06 PM, Sean Mullan wrote: > > I'll defer to Max on the code changes, but I noticed one thing on the test - > you should add the bugid to the @bug line of the test. > > --Sean > > On 7/14/20 4:09 PM, Hai-May C

Re: RFR [16] [JDK-8248745] Add jarsigner and keytool tests for restricted algorithms

2020-08-04 Thread Hai-May Chao
> > On 04/08/20 11:58 pm, Hai-May Chao wrote: >> Hi Muneer, >> >> Looks good with one minor comment. >> >> #58: suggest that the SECURITY_WARNING will also include “and is disabled” >> at the end to make it clear. >> >> Thanks, >

Re: RFR [16] [JDK-8248745] Add jarsigner and keytool tests for restricted algorithms

2020-08-04 Thread Hai-May Chao
Hi Muneer, Looks good with one minor comment. #58: suggest that the SECURITY_WARNING will also include “and is disabled” at the end to make it clear. Thanks, Hai-May > On Jul 27, 2020, at 9:15 AM, abdul.kolarku...@oracle.com wrote: > > Hi All, > > This is a new test in the area of

Re: [RFR] 8246806: Incorrect copyright header in KeyAgreementTest.java, GroupName.java

2020-07-07 Thread Hai-May Chao
Hi Tony, Looks good. Hai-May > On Jul 7, 2020, at 5:01 PM, Anthony Scarpino > wrote: > > Hi, > > I need a code review to fix some copyright headers. The diffs are below > > thanks > > Tony > > -- > > +++ b/test/jdk/java/security/KeyAgreement/KeyAgreementTest.java > - * Copyright

RFR 8247960: jarsigner says "signer errors" for some normal warnings when -strict is set

2020-07-14 Thread Hai-May Chao
Hi, I’d like to request a review for: JBS: https://bugs.openjdk.java.net/browse/JDK-8247960 Webrev: https://cr.openjdk.java.net/~hchao/8247960/webrev.00/ Jarsigner is changed to emit “with signer errors” only when there are errors detected during sign and verify with -strict specified.

Re: RFR 8244148: keytool -printcert and -printcrl should support the -trustcacerts and -keystore options

2020-06-07 Thread Hai-May Chao
> and line 133 are exactly the same, line 109 and line 138 are exactly the > same, and you haven't made any change to these 2 files in between. > > Same for line 80 and line 96 of TrustedCRL.java. > > Everything else is fine. > > Thanks, > Max > > >

Re: RFR 8244148: keytool -printcert and -printcrl should support the -trustcacerts and -keystore options

2020-06-10 Thread Hai-May Chao
de the exact diff of the man page files > either inside the CSR itself or as a comment. > Included the diff of the manpage in the CSR. Thanks, Hai-May > Thanks, > Max > >> On Jun 9, 2020, at 10:51 PM, Hai-May Chao wrote: >> >> >> >>

Re: RFR 8244148: keytool -printcert and -printcrl should support the -trustcacerts and -keystore options

2020-06-05 Thread Hai-May Chao
g a certificate reply would not work. >> It turns out that its caks.size() is zero detected at establishCertChain() >> in keytool/Main.java after root cert has been imported to that cacerts. At >> this point I’d like to suggest a separate bug be filed to cover the cacerts >> enha

Re: RFR 8244148: keytool -printcert and -printcrl should support the -trustcacerts and -keystore options

2020-06-09 Thread Hai-May Chao
Hai-May > > Thanks, > Max > >> On Jun 8, 2020, at 4:01 AM, Hai-May Chao wrote: >> >> Updated webrev - >> >> https://cr.openjdk.java.net/~hchao/8244148/webrev.02/ >> >> Thanks, >> Hai-May >> >> >>> On Jun 5, 2020, at 1

Re: RFR 8244148: keytool -printcert and -printcrl should support the -trustcacerts and -keystore options

2020-06-12 Thread Hai-May Chao
when a certificate is not trusted and uses weak >> algorithms". Precisely, it's "uses a weak signature algorithm". >> >> --Max >> >> >>> On Jun 10, 2020, at 5:31 PM, Hai-May Chao wrote: >>> >>> >>> >>>

Re: RFR 8244148: keytool -printcert and -printcrl should support the -trustcacerts and -keystore options

2020-06-12 Thread Hai-May Chao
Hi John, Updated Webrev - https://cr.openjdk.java.net/~hchao/8244148/webrev.03/ > On Jun 11, 2020, at 1:45 AM, sha.ji...@oracle.com wrote: > > Hi Hai-May, > > On 2020/6/8 04:01, Hai-May Chao wrote: >> Updated webrev - >> >> https://cr.openjdk.java.net/~hc

Re: RFR 8244148: keytool -printcert and -printcrl should support the -trustcacerts and -keystore options

2020-06-04 Thread Hai-May Chao
o suggest a separate bug be filed to cover the cacerts enhancement that you suggested. Thanks, Hai-May > Thanks, > Max > > >> On Jun 2, 2020, at 2:37 AM, Hai-May Chao wrote: >> >> Hi, >> >> I’d like to request a review for: >> >>

Re: RFR 8247960: jarsigner says "signer errors" for some normal warnings when -strict is set

2020-07-24 Thread Hai-May Chao
ied."); > +} > Webrev updated as suggested. > Everything else looks fine. > > Also, I remember you meant to fix 2 bugs with a single changeset. What should > the full commit message be? Fix in a single changeset, so use this bug as the commit message please. Tha

Re: RFR 8247960: jarsigner says "signer errors" for some normal warnings when -strict is set

2020-07-24 Thread Hai-May Chao
intln(result)" line into branches of the if-else block on lines > 1254-1272. Current change has the checking for sign and verify. Keep it as-is that you agreed. https://cr.openjdk.java.net/~hchao/8247960/webrev.01/ Thanks, Hai-May > > No other comments. > > Thanks

RFR: 8256895: Add support for RFC 8954: Online Certificate Status Protocol…

2021-01-11 Thread Hai-May Chao
This enhancement adds support for the nonce extension in OCSP request extensions by system property jdk.security.certpath.ocspNonce. Please review the CSR at: https://bugs.openjdk.java.net/browse/JDK-8257766 - Commit messages: - 8256895: Add support for RFC 8954: Online

RFR: 8259401: Add checking to jarsigner to warn weak algorithms used in si…

2021-01-11 Thread Hai-May Chao
The jarsigner tool currently provides warning associated with the signer’s cert when it uses weak algorithms, but not for the CA certs. This change is to process the signer’s cert chain to warn if CA certs use weak algorithms. - Commit messages: - 8259401: Add checking to

Re: RFR: 8257788: Class fields could be local in the SunJSSE provider

2020-12-04 Thread Hai-May Chao
On Fri, 4 Dec 2020 22:58:07 GMT, Xue-Lei Andrew Fan wrote: > In the SunJSSE provider implementation, there are a few class fields that are not > used other than the constructors. Those fields could be removed and replaced > with local variables. > > Bug:

RFR: 8246005: KeyStoreSpi::engineStore(LoadStoreParameter) spec mismatch t…

2020-12-08 Thread Hai-May Chao
This is a spec change with noreg-doc label. - Commit messages: - 8246005: KeyStoreSpi::engineStore(LoadStoreParameter) spec mismatch to its behavior Changes: https://git.openjdk.java.net/jdk/pull/1701/files Webrev: https://webrevs.openjdk.java.net/?repo=jdk=1701=00 Issue:

Re: RFR: 8246005: KeyStoreSpi::engineStore(LoadStoreParameter) spec mismatch t… [v2]

2020-12-08 Thread Hai-May Chao
On Tue, 8 Dec 2020 18:08:38 GMT, Xue-Lei Andrew Fan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Updated with implSpec tag > > src/java.base/share/classes/java/security/KeySto

Re: RFR: 8246005: KeyStoreSpi::engineStore(LoadStoreParameter) spec mismatch t… [v2]

2020-12-08 Thread Hai-May Chao
> This is a spec change with noreg-doc label. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Updated with implSpec tag - Changes: - all: https://git.openjdk.java.net/jdk/pull/1701/files - new: ht

Re: RFR: 8246005: KeyStoreSpi::engineStore(LoadStoreParameter) spec mismatch to its behavior [v2]

2020-12-08 Thread Hai-May Chao
On Tue, 8 Dec 2020 20:16:35 GMT, Sean Mullan wrote: >> src/java.base/share/classes/java/security/KeyStoreSpi.java line 322: >> >>> 320: * @throwsCertificateException if any of the certificates >>> included in >>> 321: * the keystore data could not be stored >>> 322:

Re: RFR: 8246005: KeyStoreSpi::engineStore(LoadStoreParameter) spec mismatch to its behavior [v2]

2020-12-08 Thread Hai-May Chao
On Tue, 8 Dec 2020 20:24:51 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Updated with implSpec tag > > src/java.base/share/classes/java/security/KeySto

Re: RFR: 8246005: KeyStoreSpi::engineStore(LoadStoreParameter) spec mismatch to its behavior [v3]

2020-12-08 Thread Hai-May Chao
> This is a spec change with noreg-doc label. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: white space after throw tag added - Changes: - all: https://git.openjdk.java.net/jdk/pull/1701/files - new: ht

Re: RFR: 8246005: KeyStoreSpi::engineStore(LoadStoreParameter) spec mismatch to its behavior [v4]

2020-12-08 Thread Hai-May Chao
> This is a spec change with noreg-doc label. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: updated spec text and included typo fix - Changes: - all: https://git.openjdk.java.net/jdk/pull/1701/files - new: ht

Integrated: 8246005: KeyStoreSpi::engineStore(LoadStoreParameter) spec mismatch to its behavior

2020-12-17 Thread Hai-May Chao
On Tue, 8 Dec 2020 17:52:34 GMT, Hai-May Chao wrote: > This is a spec change with noreg-doc label. This pull request has now been integrated. Changeset: b0b70df4 Author: Hai-May Chao Committer: Xue-Lei Andrew Fan URL: https://git.openjdk.java.net/jdk/commit/b0b70df4 Stats:

Re: RFR: 8246005: KeyStoreSpi::engineStore(LoadStoreParameter) spec mismatch to its behavior [v2]

2020-12-11 Thread Hai-May Chao
On Tue, 8 Dec 2020 18:52:05 GMT, Sean Mullan wrote: >> Marked as reviewed by xuelei (Reviewer). > > This will also require a CSR since you are making some specification changes. > I'm not sure if you were trying to get this into 16, but it is probably too > late to make JDK 16 since RDP is a

Re: RFR: 8246005: KeyStoreSpi::engineStore(LoadStoreParameter) spec mismatch to its behavior [v2]

2020-12-11 Thread Hai-May Chao
On Fri, 11 Dec 2020 18:35:27 GMT, Hai-May Chao wrote: >> This will also require a CSR since you are making some specification >> changes. I'm not sure if you were trying to get this into 16, but it is >> probably too late to make JDK 16 since RDP is a couple of days away

Re: RFR: 8253299: Manifest bytes are read twice when verifying a signed JAR

2020-11-19 Thread Hai-May Chao
On Thu, 19 Nov 2020 17:13:00 GMT, Lance Andersen wrote: >> Small change to retrieve the raw bytes of manifest during verifying signed >> JAR. > > Marked as reviewed by lancea (Reviewer). Thank you all for the review. I added the noreg-trivial label to the bug. - PR:

Re: RFR: 8253299: Manifest bytes are read twice when verifying a signed JAR

2020-11-19 Thread Hai-May Chao
On Thu, 19 Nov 2020 17:20:58 GMT, Hai-May Chao wrote: >> Marked as reviewed by lancea (Reviewer). > > Thank you all for the review. I added the noreg-trivial label to the bug. Lance, I've entered /integrate. Thank you for sponsoring this! - PR: https://git.openjdk.

Integrated: 8253299: Manifest bytes are read twice when verifying a signed JAR

2020-11-19 Thread Hai-May Chao
On Wed, 18 Nov 2020 21:59:01 GMT, Hai-May Chao wrote: > Small change to retrieve the raw bytes of manifest during verifying signed > JAR. This pull request has now been integrated. Changeset: 9bb82232 Author: Hai-May Chao Committer: Lance Andersen URL: https://git.openjdk.ja

RFR: 8253299: Manifest bytes are read twice when verifying a signed JAR

2020-11-18 Thread Hai-May Chao
Small change to retrieve the raw bytes of manifest during verifying signed JAR. - Commit messages: - 8253299: Manifest bytes are read twice when verifying a signed JAR Changes: https://git.openjdk.java.net/jdk/pull/1299/files Webrev:

Re: RFR: 8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files

2020-10-28 Thread Hai-May Chao
On Wed, 28 Oct 2020 21:35:25 GMT, Valerie Peng wrote: > Could someone please help review this PKCS#11 v3.0 header files update? > > Changes are straight-forward as below: > 1) Updated pkcs11.h, pkcs11f.h, pkcs11t.h to v3.0 > 2) Updated java side w/ the new constants definitions and name/error

Re: RFR: 8255494: PKCS7 should use digest algorithm to verify the signature

2020-10-29 Thread Hai-May Chao
On Wed, 28 Oct 2020 21:01:44 GMT, Weijun Wang wrote: > This is a regression made by > [JDK-8242068](https://bugs.openjdk.java.net/browse/JDK-8242068). When the > digest algorithm is not the same as the hash part of the signature algorithm, > we used to combine the digest algorithm with the

Re: RFR: 8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files

2020-10-30 Thread Hai-May Chao
On Fri, 30 Oct 2020 21:39:42 GMT, Valerie Peng wrote: >> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/Functions.java >> line 1095: >> >>> 1093: addMech(CKM_SP800_108_FEEDBACK_KDF, >>> "CKM_SP800_108_FEEDBACK_KDF"); >>> 1094:

Re: RFR: 8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files

2020-10-30 Thread Hai-May Chao
On Fri, 30 Oct 2020 21:44:00 GMT, Valerie Peng wrote: >> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java >> line 987: >> >>> 985: public static final long CKM_SP800_108_FEEDBACK_KDF = >>> 0x03adL; >>> 986: public static final long

Re: RFR: 8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files [v3]

2020-11-04 Thread Hai-May Chao
On Wed, 4 Nov 2020 21:06:35 GMT, Weijun Wang wrote: >> Valerie Peng has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Updated the javadoc comments of PKCS11Constants class with additional >> typedef info >> Updated the legal file to

Re: RFR: 8256895: Add support for RFC 8954: Online Certificate Status Protocol (OCSP) Nonce Extension [v4]

2021-01-15 Thread Hai-May Chao
> This enhancement adds support for the nonce extension in OCSP request > extensions by system property jdk.security.certpath.ocspNonce. > > Please review the CSR at: > https://bugs.openjdk.java.net/browse/JDK-8257766 Hai-May Chao has updated the pull request incrementally with

Re: RFR: 8256895: Add support for RFC 8954: Online Certificate Status Protocol (OCSP) Nonce Extension [v3]

2021-01-15 Thread Hai-May Chao
> This enhancement adds support for the nonce extension in OCSP request > extensions by system property jdk.security.certpath.ocspNonce. > > Please review the CSR at: > https://bugs.openjdk.java.net/browse/JDK-8257766 Hai-May Chao has updated the pull request incrementally with

Re: RFR: 8256895: Add support for RFC 8954: Online Certificate Status Protocol (OCSP) Nonce Extension [v7]

2021-01-20 Thread Hai-May Chao
> This enhancement adds support for the nonce extension in OCSP request > extensions by system property jdk.security.certpath.ocspNonce. > > Please review the CSR at: > https://bugs.openjdk.java.net/browse/JDK-8257766 Hai-May Chao has updated the pull request incrementally with

Re: RFR: 8256895: Add support for RFC 8954: Online Certificate Status Protocol (OCSP) Nonce Extension [v6]

2021-01-20 Thread Hai-May Chao
On Wed, 20 Jan 2021 21:40:12 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Change to save memory by List.of > > src/java.base/share/classes/sun/security/provider/c

Re: RFR: 8256895: Add support for RFC 8954: Online Certificate Status Protocol (OCSP) Nonce Extension [v5]

2021-01-20 Thread Hai-May Chao
On Wed, 20 Jan 2021 20:57:49 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Add nonce to the list of extensions > > src/java.base/share/classes/

Re: RFR: 8256895: Add support for RFC 8954: Online Certificate Status Protocol (OCSP) Nonce Extension [v4]

2021-01-20 Thread Hai-May Chao
On Wed, 20 Jan 2021 13:46:58 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Nonce creation is done in checkOCSP method > > src/java.base/share/classes/

Integrated: 8256895: Add support for RFC 8954: Online Certificate Status Protocol (OCSP) Nonce Extension

2021-01-20 Thread Hai-May Chao
On Mon, 11 Jan 2021 21:41:56 GMT, Hai-May Chao wrote: > This enhancement adds support for the nonce extension in OCSP request > extensions by system property jdk.security.certpath.ocspNonce. > > Please review the CSR at: > https://bugs.openjdk.java.net/browse/JDK-8257766 This p

Re: RFR: 8256895: Add support for RFC 8954: Online Certificate Status Protocol (OCSP) Nonce Extension [v4]

2021-01-20 Thread Hai-May Chao
On Wed, 20 Jan 2021 13:41:04 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Nonce creation is done in checkOCSP method > > src/java.base/share/classes/

Re: RFR: 8256895: Add support for RFC 8954: Online Certificate Status Protocol (OCSP) Nonce Extension [v5]

2021-01-20 Thread Hai-May Chao
> This enhancement adds support for the nonce extension in OCSP request > extensions by system property jdk.security.certpath.ocspNonce. > > Please review the CSR at: > https://bugs.openjdk.java.net/browse/JDK-8257766 Hai-May Chao has updated the pull request incrementally with

Re: RFR: 8256895: Add support for RFC 8954: Online Certificate Status Protocol (OCSP) Nonce Extension [v6]

2021-01-20 Thread Hai-May Chao
> This enhancement adds support for the nonce extension in OCSP request > extensions by system property jdk.security.certpath.ocspNonce. > > Please review the CSR at: > https://bugs.openjdk.java.net/browse/JDK-8257766 Hai-May Chao has updated the pull request incrementally with

Re: RFR: 8256895: Add support for RFC 8954: Online Certificate Status Protocol (OCSP) Nonce Extension [v2]

2021-01-15 Thread Hai-May Chao
On Thu, 14 Jan 2021 14:35:25 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> update to use List.of() and typo changes > > src/java.base/share/classes/

Re: RFR: 8260286: Manual Test "ws/open/test/jdk/sun/security/tools/jarsigner/compatibility/Compatibility.java" fails

2021-01-25 Thread Hai-May Chao
On Mon, 25 Jan 2021 17:08:45 GMT, Fernando Guallini wrote: > Fixing manual Test > "ws/open/test/jdk/sun/security/tools/jarsigner/compatibility/Compatibility.java". > It was not handling "weak algorithm" warning during jarsigner output > verification Change copyright year to 2021

Re: RFR: 8260286: Manual Test "ws/open/test/jdk/sun/security/tools/jarsigner/compatibility/Compatibility.java" fails

2021-01-25 Thread Hai-May Chao
On Mon, 25 Jan 2021 22:45:31 GMT, Hai-May Chao wrote: >> Marked as reviewed by rhalade (Reviewer). > > Looks good. One comment: Add bug id to the changed test. Thanks. - PR: https://git.openjdk.java.net/jdk/pull/2224

Re: RFR: 8260286: Manual Test "ws/open/test/jdk/sun/security/tools/jarsigner/compatibility/Compatibility.java" fails

2021-01-25 Thread Hai-May Chao
On Mon, 25 Jan 2021 21:51:19 GMT, Rajan Halade wrote: >> Fixing manual Test >> "ws/open/test/jdk/sun/security/tools/jarsigner/compatibility/Compatibility.java". >> It was not handling "weak algorithm" warning during jarsigner output >> verification > > Marked as reviewed by rhalade

Re: RFR: 8259401: Add checking to jarsigner to warn weak algorithms used in si… [v2]

2021-01-13 Thread Hai-May Chao
On Wed, 13 Jan 2021 20:25:53 GMT, Sean Mullan wrote: >> src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line >> 1484: >> >>> 1482: // If the cert is trusted, only check its key size, >>> but not its >>> 1483: // signature algorithm. This is

Re: RFR: 8259401: Add checking to jarsigner to warn weak algorithms used in signer’s cert chain [v2]

2021-01-13 Thread Hai-May Chao
On Wed, 13 Jan 2021 20:26:17 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> No warning for trusted cert's SHA1, and added debug output to test > > Marked as reviewed

Re: RFR: 8259401: Add checking to jarsigner to warn weak algorithms used in signer’s cert chain [v2]

2021-01-13 Thread Hai-May Chao
On Wed, 13 Jan 2021 15:17:22 GMT, Weijun Wang wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> No warning for trusted cert's SHA1, and added debug output to test > > src/jdk.jartool/sh

Integrated: 8259401: Add checking to jarsigner to warn weak algorithms used in signer’s cert chain

2021-01-13 Thread Hai-May Chao
On Tue, 12 Jan 2021 03:34:00 GMT, Hai-May Chao wrote: > The jarsigner tool currently provides warning associated with the signer’s > cert when it uses weak algorithms, but not for the CA certs. This change is > to process the signer’s cert chain to warn if CA certs use weak a

Re: RFR: 8259401: Add checking to jarsigner to warn weak algorithms used in si… [v3]

2021-01-13 Thread Hai-May Chao
> The jarsigner tool currently provides warning associated with the signer’s > cert when it uses weak algorithms, but not for the CA certs. This change is > to process the signer’s cert chain to warn if CA certs use weak algorithms. Hai-May Chao has updated the pull request incr

Re: RFR: 8256895: Add support for RFC 8954: Online Certificate Status Protocol… [v2]

2021-01-12 Thread Hai-May Chao
> This enhancement adds support for the nonce extension in OCSP request > extensions by system property jdk.security.certpath.ocspNonce. > > Please review the CSR at: > https://bugs.openjdk.java.net/browse/JDK-8257766 Hai-May Chao has updated the pull request incrementally with

Re: RFR: 8256895: Add support for RFC 8954: Online Certificate Status Protocol… [v2]

2021-01-12 Thread Hai-May Chao
On Tue, 12 Jan 2021 20:10:34 GMT, Rajan Halade wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> update to use List.of() and typo changes > > test/jdk/security/infra/java/s

Re: RFR: 8256895: Add support for RFC 8954: Online Certificate Status Protocol… [v2]

2021-01-12 Thread Hai-May Chao
On Tue, 12 Jan 2021 16:26:11 GMT, Jamil Nimeh wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> update to use List.of() and typo changes > > In general it looks pretty good. Just a

Re: RFR: 8259401: Add checking to jarsigner to warn weak algorithms used in si… [v2]

2021-01-12 Thread Hai-May Chao
> The jarsigner tool currently provides warning associated with the signer’s > cert when it uses weak algorithms, but not for the CA certs. This change is > to process the signer’s cert chain to warn if CA certs use weak algorithms. Hai-May Chao has updated the pull request incr

Re: RFR: 8259401: Add checking to jarsigner to warn weak algorithms used in si… [v2]

2021-01-12 Thread Hai-May Chao
On Tue, 12 Jan 2021 20:57:41 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> No warning for trusted cert's SHA1, and added debug output to test > > Changes requested

Re: RFR: 8259401: Add checking to jarsigner to warn weak algorithms used in si… [v2]

2021-01-12 Thread Hai-May Chao
On Tue, 12 Jan 2021 22:22:55 GMT, Rajan Halade wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> No warning for trusted cert's SHA1, and added debug output to test > > test/jd

Re: RFR: 8246005: KeyStoreSpi::engineStore(LoadStoreParameter) spec mismatch to its behavior [v2]

2020-12-11 Thread Hai-May Chao
On Fri, 11 Dec 2020 19:59:17 GMT, Xue-Lei Andrew Fan wrote: >> Thanks for the review. Updated CSR to backtick the >> UnsupportedOperationException text. I thought about placing the diff in >> Specification section, but decided to keep the document change in this >> format which is same as our

Re: RFR: 8256421: Add 2 HARICA roots to Oracle Root CA Program

2021-01-28 Thread Hai-May Chao
On Thu, 28 Jan 2021 01:22:52 GMT, Rajan Halade wrote: > Following two roots are added to cacerts store - > > CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic > Academic and Research Institutions Cert. Authority, L=Athens, C=GR > > CN=Hellenic Academic and Research

Re: RFR: 8256421: Add 2 HARICA roots to Oracle Root CA Program

2021-01-28 Thread Hai-May Chao
On Thu, 28 Jan 2021 01:22:52 GMT, Rajan Halade wrote: > Following two roots are added to cacerts store - > > CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic > Academic and Research Institutions Cert. Authority, L=Athens, C=GR > > CN=Hellenic Academic and Research

Re: RFR: 8266182: Create a manual test for jdk/sun/security/pkcs12/ParamsTest.java [v3]

2021-06-21 Thread Hai-May Chao
On Fri, 18 Jun 2021 13:24:17 GMT, Abdul Kolarkunnu wrote: >> ParamsTest is an interop test between keytool <-> openssl. There are some >> manual steps listed in jdk/sun/security/pkcs12/params/README to perform >> after the execution of jtreg execution. So this test is to perform that >>

Re: [jdk17] RFR: 8267100: [BACKOUT] JDK-8196415 Disable SHA-1 Signed JARs

2021-06-21 Thread Hai-May Chao
On Mon, 21 Jun 2021 22:43:58 GMT, Weijun Wang wrote: > This is a copy of https://github.com/openjdk/jdk17/pull/100 so that I can > integrate the fix for @seanjmullan. Marked as reviewed by hchao (Committer). - PR: https://git.openjdk.java.net/jdk17/pull/113

RFR: 8266225: jarsigner is using incorrect security property to show weakness of certs

2021-05-06 Thread Hai-May Chao
Please review the change to jarsigner so it uses certpath security property in order to properly display the weakness of the certificate algorithms. - Commit messages: - 8266225:jarsigner is using incorrect security property to show weakness of certs Changes:
