Re: contribute to the OpenJDK security group

2018-02-09 Thread Tomas Gustavsson

Awesome.

I just posted in another thread to the mailing list with some examples
where more flexibility would be needed. "PKCS#11 provider issues with
min and max size".

Another example would be to add flexibility to be more crypto "agile".
I.e. when new algorithms come out, for example SHA3. It will be included
in the PKCS#11 spec eventually, and then it takes a decent round-trip
time before it's possible to use through SunPKCS#11. So an example would
be to be able to configure new mechanisms, that do not affect any
other code in SunPKCS11, dynamically.

Yet another example, AWS CloudHSM requires you to use
CKM_RSA_X9_31_KEY_PAIR_GEN instead of CKM_RSA_PKCS_KEY_PAIR_GEN.
Patching SunPKCS11 to use it is trivial (for Java programmers that is),
just replace one string with another. If it could be done dynamically
without patching Java files it would be much nicer...and more stable as
it survives JDK upgrades.

Cheers,
Tomas

On 2018-02-01 20:25, Martin Balao wrote:
> Hi Tomas,
> 
> As Andrew said, I've been working on some SunPKCS11 improvements related
> to native memory leaking. You can find details of this work here [1].
> Feedback is always welcomed.
> 
> What do you mean with "more flexibility"?
> 
> --
> [1]
> - http://mail.openjdk.java.net/pipermail/security-dev/2017-October/016400.html
> 
> On Wed, Jan 24, 2018 at 8:06 AM, Andrew Haley wrote:
> 
> On 24/01/18 10:39, Tomas Gustavsson wrote:
> > Imho the P11 layer always needs attention. To work properly we're
> > relying on some patches, where parts were recently merged into OpenJDK.
> > We just started testing the Amazon CloudHSM, and that requires changes
> > to SunPKCS11 as well to work. Not always bad in SunPKCS11 as some P11
> > libraries out there do strange non-conforming stuff, but there's room
> > for more flexibility nevertheless.
> 
> Martin Balao has been heavily reworking this layer because it leaks
> native memory.  I'll let him fill you in on the details.
> 
> --
> Andrew Haley
> Java Platform Lead Engineer
> Red Hat UK Ltd. 
> EAC8 43EB D3EF DB98 CC77 2FAD A5CD 6035 332F A671
> 
> 


Re: contribute to the OpenJDK security group

2018-02-01 Thread Martin Balao
Hi Tomas,

As Andrew said, I've been working on some SunPKCS11 improvements related to
native memory leaking. You can find details of this work here [1]. Feedback
is always welcomed.

What do you mean with "more flexibility"?

--
[1] -
http://mail.openjdk.java.net/pipermail/security-dev/2017-October/016400.html

On Wed, Jan 24, 2018 at 8:06 AM, Andrew Haley wrote:

> On 24/01/18 10:39, Tomas Gustavsson wrote:
> > Imho the P11 layer always needs attention. To work properly we're
> > relying on some patches, where parts were recently merged into OpenJDK.
> > We just started testing the Amazon CloudHSM, and that requires changes
> > to SunPKCS11 as well to work. Not always bad in SunPKCS11 as some P11
> > libraries out there do strange non-conforming stuff, but there's room
> > for more flexibility nevertheless.
>
> Martin Balao has been heavily reworking this layer because it leaks
> native memory.  I'll let him fill you in on the details.
>
> --
> Andrew Haley
> Java Platform Lead Engineer
> Red Hat UK Ltd. 
> EAC8 43EB D3EF DB98 CC77 2FAD A5CD 6035 332F A671
>


Re: contribute to the OpenJDK security group

2018-01-24 Thread Andrew Haley
On 24/01/18 10:39, Tomas Gustavsson wrote:
> Imho the P11 layer always needs attention. To work properly we're
> relying on some patches, where parts were recently merged into OpenJDK.
> We just started testing the Amazon CloudHSM, and that requires changes
> to SunPKCS11 as well to work. Not always bad in SunPKCS11 as some P11
> libraries out there do strange non-conforming stuff, but there's room
> for more flexibility nevertheless.

Martin Balao has been heavily reworking this layer because it leaks
native memory.  I'll let him fill you in on the details.

-- 
Andrew Haley
Java Platform Lead Engineer
Red Hat UK Ltd. 
EAC8 43EB D3EF DB98 CC77 2FAD A5CD 6035 332F A671


Re: contribute to the OpenJDK security group

2018-01-24 Thread Tomas Gustavsson

Sorry for jumping in :-)

Imho the P11 layer always needs attention. To work properly we're
relying on some patches, where parts were recently merged into OpenJDK.
We just started testing the Amazon CloudHSM, and that requires changes
to SunPKCS11 as well to work. Not always bad in SunPKCS11 as some P11
libraries out there do strange non-conforming stuff, but there's room
for more flexibility nevertheless.

Cheers,
Tomas

On 2018-01-17 20:09, Leo Grove wrote:
> Thanks Sean, I've filled out the OCA and sent it in. I'll take a gander
> around after reading up on the link you posted and see where we might be
> able to jump in and assist.
> 
> Leo
> 
> 
> On 1/17/2018 7:53 AM, Sean Mullan wrote:
>> Hi Leo,
>>
>> Thanks for the offer to help and contribute! I would suggest you start
>> by reading the OpenJDK contribution page (if you have not done so
>> already):
>>
>> http://openjdk.java.net/contribute/
>>
>> which has some tips and other helpful advice. You will also need to
>> sign an OCA (Oracle Contributor Agreement) before we can accept any
>> contributions.
>>
>> Thanks,
>> Sean
>>
>> On 1/16/18 9:03 PM, Leo Grove wrote:
>>> Hello Everyone,
>>>
>>> I'd like to introduce myself. I'm Leo Grove, founder of SSL.com and
>>> also Java Certified Programmer ('98). Although I'm not so much into
>>> coding these days, I'm always looking for ways to contribute to
>>> internet security and the public WebPKI. We do have some very sharp
>>> java developers that specialize in PKI and certs, so if there is
>>> something you need a hand with (or a pair of eyeballs on), please let
>>> me know, thanks.
>>
>>
> 


Re: contribute to the OpenJDK security group

2018-01-17 Thread Leo Grove
Thanks Sean, I've filled out the OCA and sent it in. I'll take a gander 
around after reading up on the link you posted and see where we might be 
able to jump in and assist.


Leo


On 1/17/2018 7:53 AM, Sean Mullan wrote:

> Hi Leo,
>
> Thanks for the offer to help and contribute! I would suggest you start
> by reading the OpenJDK contribution page (if you have not done so
> already):
>
> http://openjdk.java.net/contribute/
>
> which has some tips and other helpful advice. You will also need to
> sign an OCA (Oracle Contributor Agreement) before we can accept any
> contributions.
>
> Thanks,
> Sean
>
> On 1/16/18 9:03 PM, Leo Grove wrote:
>> Hello Everyone,
>>
>> I'd like to introduce myself. I'm Leo Grove, founder of SSL.com and
>> also Java Certified Programmer ('98). Although I'm not so much into
>> coding these days, I'm always looking for ways to contribute to
>> internet security and the public WebPKI. We do have some very sharp
>> java developers that specialize in PKI and certs, so if there is
>> something you need a hand with (or a pair of eyeballs on), please let
>> me know, thanks.


Re: contribute to the OpenJDK security group

2018-01-17 Thread Sean Mullan

Hi Leo,

Thanks for the offer to help and contribute! I would suggest you start 
by reading the OpenJDK contribution page (if you have not done so already):


http://openjdk.java.net/contribute/

which has some tips and other helpful advice. You will also need to sign 
an OCA (Oracle Contributor Agreement) before we can accept any 
contributions.


Thanks,
Sean

On 1/16/18 9:03 PM, Leo Grove wrote:

> Hello Everyone,
>
> I'd like to introduce myself. I'm Leo Grove, founder of SSL.com and also
> Java Certified Programmer ('98). Although I'm not so much into coding
> these days, I'm always looking for ways to contribute to internet
> security and the public WebPKI. We do have some very sharp java
> developers that specialize in PKI and certs, so if there is something
> you need a hand with (or a pair of eyeballs on), please let me know,
> thanks.