On Fri, 19 Jan 2024 01:57:40 GMT, Julian Waters wrote:
>> I regret not actually addressing the issues with the goto labels in
>> https://github.com/openjdk/jdk/pull/15996, where initialization of locals in
>> sspi were jumped over by gotos to a certain label. I changed the
>> initializations i
Hi,
I'd like to propose a fix for "8328556: Do not extract large CKO_SECRET_KEY
keys from the NSS Software Token". See more details in the JBS ticket [1].
No regressions observed in jdk/sun/security/pkcs11.
Thanks,
Martin.-
--
[1] - https://bugs.openjdk.org/browse/JDK-8328556
-
C
Existing legacy mechanism check disables mechanism(s) when the support is
partial, e.g. supports decryption but not encryption, or supports verification
but not signing. Some mechanisms can be used for both encryption/decryption and
sign/verify such as RSA related ones. If the particular mechani
Hi Kevin,
I implemented a prototype for HKDF derivation with SunPKCS11. This was
tested with the NSS Software Token v3.90, both in FIPS and non-FIPS
configurations. Testing includes the 7 vectors in RFC 5869 (*),
derivation of a DH base key, derivation of a ECDH base key and use of
derived ke
> This code change adds an alternative implementation of user-based
> authorization `Subject` APIs that doesn't depend on Security Manager APIs.
> Depending on if the Security Manager is allowed, the methods store the
> current subject differently. See the spec change in the `Subject.java` file
Hi Tony,
find my replies inline...
On Mon, Mar 11, 2024 at 6:13 AM Anthony Scarpino
wrote:
>
> On Mar 9, 2024, at 8:09 AM, Karl Scheibelhofer
> wrote:
>
> ... try again from my subscribed mail account...
>
>> Hi Tony,
>>
>> in my jdk fork, I created a branch named pem-feedback-kar
> This task addresses an essential aspect of our testing infrastructure: the
> proper handling and cleanup of temporary files and socket files created
> during test execution. The motivation behind these changes is to prevent the
> accumulation of unnecessary files in the default temporary direc
Well I think AES-CCM is a decent candidate to start.
OK, I will probably take time to see if this is something within my reach.
(I have limited time by week to give on that and not an expert on this
topic, so this will be mid/long term task)
Regarding PSK API, if you could put together a more
> For context, I am writing tests to check for accurate use of `@since` tags in
> documentation comments in source code.
> We're following these rules for now:
>
> if there's no `@since`:
>
> - for methods, look at the `@since` from the method from supertype this
> method overrides. If there's
On Tue, 19 Mar 2024 15:23:39 GMT, rebarbora-mckvak wrote:
>> This fixes the defect described at
>> https://bugs.openjdk.org/browse/JDK-8313367
>>
>> If the process does not have write permissions, the store is opened as
>> read-only (instead of failing).
>>
>> Please note that permissions to
> This fixes the defect described at https://bugs.openjdk.org/browse/JDK-8313367
>
> If the process does not have write permissions, the store is opened as
> read-only (instead of failing).
>
> Please note that permissions to use a certificate in a local machine store
> must be granted - in a m
On Fri, 23 Feb 2024 23:07:07 GMT, Alexey Bakhtin wrote:
>> Please review the proposed fix.
>>
>> The patch loads system root certificates from the MacOS Keychain with
>> TrustSettings.
>> It allows to build a trusted certificate path using the MacOS Keychain store
>> only.
>
> Alexey Bakhtin h
On Tue, 19 Mar 2024 11:15:56 GMT, Nizar Benalla wrote:
> The override of `getParams` in these interfaces was added in Java 22 has an
> `@since 22`, but the method has been inherited to these interfaces for a long
> time,
> As pointed out by my mentor Jan,
>
>
> import javax.crypto.interface
On Mon, 4 Mar 2024 09:14:23 GMT, Guoxiong Li wrote:
>> At the beginning of an iteration, `km.chooseServerAlias` or
>> `km.chooseEngineServerAlias` tries to find an alias. Then, `serverAlias`
>> should be `null` or an existing alias in the key manager.
>> The `serverAlias` assigned by the last it
The override of `getParams` in these interfaces has an `@since 22`, but the
method has been inherited to these interfaces for a long time,
As pointed out by my mentor Jan,
import javax.crypto.interfaces.DHPublicKey;
public class DhkeyTest {
public static void main(DHPublicKey key) {
On Thu, 22 Feb 2024 01:14:24 GMT, Hai-May Chao wrote:
> For the PKIX KeyManager and PKCS12 Keystore, when the TLS server sends the
> ServerHello message and ultimately calls the
> X509KeyManagerImpl.chooseEngineServerAlias() method, it retrieves the private
> key from the keystore, decrypts it
On Tue, 19 Mar 2024 08:43:38 GMT, Prasadrao Koppula
wrote:
>> src/java.base/share/classes/sun/security/ssl/ServerHello.java line 804:
>>
>>> 802: shc.conContext.outputRecord.changeWriteCiphers(
>>> 803: SSLWriteCipher.nullTlsWriteCipher(),
>>> 804:
On Tue, 19 Mar 2024 08:13:02 GMT, Daniel Jeliński wrote:
>> JDK server does not send a dummy change_cipher_spec record after
>> HelloRetryRequest message.
>>
>> According to RFC 8446 (Middlebox Compatibility Mode), if the client sends a
>> non-empty session ID in the ClientHello message, the s
On Tue, 19 Mar 2024 07:13:19 GMT, Prasadrao Koppula
wrote:
> JDK server does not send a dummy change_cipher_spec record after
> HelloRetryRequest message.
>
> According to RFC 8446 (Middlebox Compatibility Mode), if the client sends a
> non-empty session ID in the ClientHello message, the ser
JDK server does not send a dummy change_cipher_spec record after
HelloRetryRequest message.
According to RFC 8446 (Middlebox Compatibility Mode), if the client sends a
non-empty session ID in the ClientHello message, the server sends a dummy
change_cipher_spec (CCS) record immediately after its
22 matches