Integrated: 8326643: JDK server does not send a dummy change_cipher_spec record after HelloRetryRequest message

2024-03-22 Thread Prasadrao Koppula
On Tue, 19 Mar 2024 07:13:19 GMT, Prasadrao Koppula wrote: > JDK server does not send a dummy change_cipher_spec record after > HelloRetryRequest message. > > According to RFC 8446 (Middlebox Compatibility Mode), if the client sends a > non-empty session ID in the ClientHello message, the ser

Re: RFR: 8328638: Fallback option for POST-only OCSP requests

2024-03-22 Thread Aleksey Shipilev
On Thu, 21 Mar 2024 20:17:29 GMT, Sean Mullan wrote: > Thanks for doing this - I think it is a fine idea to have a fallback option > to use POST. It does need a CSR though since you are introducing a new system > property. All right, good! How do you feel about the option name? Would like to a

Re: RFR: 8328556: Do not extract large CKO_SECRET_KEY keys from the NSS Software Token [v3]

2024-03-22 Thread Daniel Jeliński
On Thu, 21 Mar 2024 17:23:44 GMT, Martin Balao wrote: >> Hi, >> >> I'd like to propose a fix for "8328556: Do not extract large CKO_SECRET_KEY >> keys from the NSS Software Token". See more details in the JBS ticket [1]. >> >> No regressions observed in jdk/sun/security/pkcs11. >> >> Thanks,

Re: RFR: 8051959: Add thread and timestamp options to java.security.debug system property [v3]

2024-03-22 Thread Sean Coffey
On Thu, 21 Mar 2024 20:38:22 GMT, Weijun Wang wrote: >> Sean Coffey has updated the pull request with a new target base due to a >> merge or a rebase. The incremental webrev excludes the unrelated changes >> brought in by the merge/rebase. The pull request contains 12 additional >> commits sin

Re: RFR: 8051959: Add thread and timestamp options to java.security.debug system property [v3]

2024-03-22 Thread Sean Coffey
On Fri, 22 Mar 2024 09:36:35 GMT, Sean Coffey wrote: >> src/java.base/share/classes/sun/security/util/Debug.java line 191: >> >>> 189: if (printDateTime && !dateTimeFormatInitialized) { >>> 190: // trigger loading of Locale service impl now to avoid >>> 191: // po

Re: RFR: 8051959: Add thread and timestamp options to java.security.debug system property [v3]

2024-03-22 Thread Weijun Wang
On Fri, 22 Mar 2024 12:18:49 GMT, Sean Coffey wrote: >> It's still necessary I'm afraid. During an early classloader operation, the >> Security class can be triggered which causes security properties to be read. >> If debugging is enabled, this triggers loading of CLDR service. Quite a long >>

Re: RFR: 8051959: Add thread and timestamp options to java.security.debug system property [v3]

2024-03-22 Thread Weijun Wang
On Fri, 22 Mar 2024 13:29:06 GMT, Weijun Wang wrote: >> Turns out that it's the >> `java.time.format.DateTimeFormatterBuilder.ZoneTextPrinterParser#format` >> call that triggers the early initialization of the CLDR service (via a >> `getDisplayName` call) >> >> We can avoid this call if we pr

Re: RFR: 8328638: Fallback option for POST-only OCSP requests

2024-03-22 Thread Sean Mullan
On Fri, 22 Mar 2024 07:52:08 GMT, Aleksey Shipilev wrote: > > Thanks for doing this - I think it is a fine idea to have a fallback option > > to use POST. It does need a CSR though since you are introducing a new > > system property. > > All right, good! How do you feel about the option name?

Re: RFR: 8328638: Fallback option for POST-only OCSP requests [v2]

2024-03-22 Thread Aleksey Shipilev
> See the rationale/discussion in the bug. This patch introduces the option > that allows to restore > pre-[JDK-8179503](https://bugs.openjdk.org/browse/JDK-8179503) behavior. The > default behavior does not change. Better suggestions for flag name are > welcome. > > Additional testing: > - [

Re: RFR: 8328638: Fallback option for POST-only OCSP requests [v2]

2024-03-22 Thread Aleksey Shipilev
On Fri, 22 Mar 2024 14:04:34 GMT, Aleksey Shipilev wrote: >> See the rationale/discussion in the bug. This patch introduces the option >> that allows to restore >> pre-[JDK-8179503](https://bugs.openjdk.org/browse/JDK-8179503) behavior. The >> default behavior does not change. Better suggestio

Re: RFR: 8328638: Fallback option for POST-only OCSP requests [v3]

2024-03-22 Thread Aleksey Shipilev
> See the rationale/discussion in the bug. This patch introduces the option > that allows to restore > pre-[JDK-8179503](https://bugs.openjdk.org/browse/JDK-8179503) behavior. The > default behavior does not change. Better suggestions for flag name are > welcome. > > Additional testing: > - [

Integrated: 8328556: Do not extract large CKO_SECRET_KEY keys from the NSS Software Token

2024-03-22 Thread Martin Balao
On Wed, 20 Mar 2024 03:39:58 GMT, Martin Balao wrote: > Hi, > > I'd like to propose a fix for "8328556: Do not extract large CKO_SECRET_KEY > keys from the NSS Software Token". See more details in the JBS ticket [1]. > > No regressions observed in jdk/sun/security/pkcs11. > > Thanks, > Martin

Re: RFR: 8051959: Add thread and timestamp options to java.security.debug system property [v4]

2024-03-22 Thread Sean Coffey
> Proposal to improve the `java.security.debug` output so that options exist to > add thread ID, thread name, source of log record and a timestamp information > to the output. > > examples: > format without patch : > > > properties: Initial security property: > package.definition=sun.misc.,su

Re: RFR: 8051959: Add thread and timestamp options to java.security.debug system property [v4]

2024-03-22 Thread Sean Coffey
On Fri, 22 Mar 2024 16:27:38 GMT, Sean Coffey wrote: >> Proposal to improve the `java.security.debug` output so that options exist >> to add thread ID, thread name, source of log record and a timestamp >> information to the output. >> >> examples: >> format without patch : >> >> >> propertie

RFR: 8328825: Google CAInterop test failures

2024-03-22 Thread Rajan Halade
Fix updates these tests to use OCSP or CRL revocation check with failover enabled. Intermediate root CA "WE3" doesn't specify OCSP responder in AIA extension. Check https://good.gsr4.demo.pki.goog/ for example. - Commit messages: - Googles CAInterop test failures Changes: https://

Re: RFR: 8313367: SunMSCAPI cannot read Local Computer certs w/o Windows elevation

2024-03-22 Thread MustavData
On Thu, 14 Mar 2024 15:53:23 GMT, Weijun Wang wrote: >> This fixes the defect described at >> https://bugs.openjdk.org/browse/JDK-8313367 >> >> If the process does not have write permissions, the store is opened as >> read-only (instead of failing). >> >> Please note that permissions to use a

Re: RFR: 8313367: SunMSCAPI cannot read Local Computer certs w/o Windows elevation

2024-03-22 Thread Weijun Wang
On Fri, 22 Mar 2024 18:43:11 GMT, MustavData wrote: >> I also noticed a different problem. No matter if privileged or unprivileged, >> `keytool -genkeypair -storetype Windows-My-LOCALMACHINE` works successfully >> but the entries are actually created in Windows-MY-CURRENTUSER. This is >> unrel

Re: RFR: 8313367: SunMSCAPI cannot read Local Computer certs w/o Windows elevation [v3]

2024-03-22 Thread rebarbora-mckvak
On Wed, 20 Mar 2024 19:45:32 GMT, Weijun Wang wrote: >> rebarbora-mckvak has updated the pull request with a new target base due to >> a merge or a rebase. The pull request now contains two commits: >> >> - 8313367: signHash finds a key in the local machine store >> - 8313367: Local Computer

Re: RFR: 8313367: SunMSCAPI cannot read Local Computer certs w/o Windows elevation [v4]

2024-03-22 Thread rebarbora-mckvak
> This fixes the defect described at https://bugs.openjdk.org/browse/JDK-8313367 > > If the process does not have write permissions, the store is opened as > read-only (instead of failing). > > Please note that permissions to use a certificate in a local machine store > must be granted - in a m

Re: RFR: 8313367: SunMSCAPI cannot read Local Computer certs w/o Windows elevation [v4]

2024-03-22 Thread rebarbora-mckvak
On Fri, 22 Mar 2024 22:25:47 GMT, rebarbora-mckvak wrote: >> This fixes the defect described at >> https://bugs.openjdk.org/browse/JDK-8313367 >> >> If the process does not have write permissions, the store is opened as >> read-only (instead of failing). >> >> Please note that permissions to

Re: RFR: 8261433: Better pkcs11 performance for libpkcs11:C_EncryptInit/libpkcs11:C_DecryptInit

2024-03-22 Thread Valerie Peng
On Thu, 21 Mar 2024 09:23:43 GMT, Prajwal Kumaraswamy wrote: > This fix intends to eliminate additional library call to C_EncryptInit or > C_DecryptInit for Ciphers running through the CKM_AES_GCM. > > Background: > > There are two types of CK_GCM_PARAMS struct that are used, one with IV bit

Re: RFR: 8313367: SunMSCAPI cannot read Local Computer certs w/o Windows elevation [v4]

2024-03-22 Thread Bernd
On Fri, 22 Mar 2024 22:25:47 GMT, rebarbora-mckvak wrote: >> This fixes the defect described at >> https://bugs.openjdk.org/browse/JDK-8313367 >> >> If the process does not have write permissions, the store is opened as >> read-only (instead of failing). >> >> Please note that permissions to