Re: RFR: 8346094: Harden X509CertImpl.getExtensionValue for NPE cases [v6]

2025-02-19 Thread Konanki Sreenath
> Earlier code will trigger NPE if the certificate does not contain the > extensions or if the requested extensions does not exist. The better approach > for hardening **getExtensionValue** here is to to check for NULL explicitly > before calling **getExtensionValue()** and avoding try-catch blo

Re: RFR: 8348561: Add aarch64 intrinsics for ML-DSA [v2]

2025-02-19 Thread Andrew Dinn
On Tue, 4 Feb 2025 18:57:28 GMT, Ferenc Rakoczi wrote: >>> @ferakocz I'm afraid you lucked out on getting your change committed before >>> my reorganization of the stub generation code. If you are unsure of how to >>> do the merge so your new stub is declared and generated following the new >>

Re: RFR: 8347946: Add API note that caller should validate/trust signers to the getCertificates and getCodeSigners methods of JarEntry and JarURLConnection

2025-02-19 Thread Marcono1234
On Thu, 13 Feb 2025 16:27:03 GMT, Sean Mullan wrote: > This change adds an API note to these methods recommending that the caller > should perform further validation steps on the code signers that signed the > JAR file, such as validating the code signer's certificate chain, and > determining

Re: RFR: 8347946: Add API note that caller should validate/trust signers to the getCertificates and getCodeSigners methods of JarEntry and JarURLConnection

2025-02-19 Thread Jaikiran Pai
On Wed, 19 Feb 2025 10:43:06 GMT, Marcono1234 wrote: >> This change adds an API note to these methods recommending that the caller >> should perform further validation steps on the code signers that signed the >> JAR file, such as validating the code signer's certificate chain, and >> determin

Re: RFR: 8346094: Harden X509CertImpl.getExtensionValue for NPE cases [v4]

2025-02-19 Thread Konanki Sreenath
On Tue, 18 Feb 2025 17:44:12 GMT, Weijun Wang wrote: > There is still one `if (info != null)` check in `getTBSCertificate()`. > > Also, you can combine > > ``` > Objects.requireNonNull(info); > this.info = info; > ``` > > to > > ``` > this.info = Objects.requireNonNull

Re: RFR: 8349664: HEX dump should always use ASCII or ISO_8859_1

2025-02-19 Thread Mikhail Yankelevich
On Tue, 18 Feb 2025 20:34:36 GMT, Sean Mullan wrote: > The fix needs a test or you need to add an appropriate `noreg` label to the > JBS issue if it isn't necessary or practical for some reason. Working on a test for it, forgot to change PR to draft, apologies. - PR Comment: https

Re: RFR: 8349664: HEX dump should always use ASCII or ISO_8859_1 [v2]

2025-02-19 Thread Mikhail Yankelevich
> Changed `HexDumpEncoder`, so `encodeBuffer` always uses ISO_8859_1. > This also fixes the issue with conversion in `encode` method, as the input is > always ISO_8859_1. Mikhail Yankelevich has updated the pull request incrementally with one additional commit since the last revision: tests

Re: RFR: 8346094: Harden X509CertImpl.getExtensionValue for NPE cases [v6]

2025-02-19 Thread Weijun Wang
On Wed, 19 Feb 2025 10:27:26 GMT, Konanki Sreenath wrote: >> Earlier code will trigger NPE if the certificate does not contain the >> extensions or if the requested extensions does not exist. The better >> approach for hardening **getExtensionValue** here is to to check for NULL >> explicitly

Re: RFR: 8346094: Harden X509CertImpl.getExtensionValue for NPE cases [v7]

2025-02-19 Thread Weijun Wang
On Wed, 19 Feb 2025 14:48:56 GMT, Konanki Sreenath wrote: >> Earlier code will trigger NPE if the certificate does not contain the >> extensions or if the requested extensions does not exist. The better >> approach for hardening **getExtensionValue** here is to to check for NULL >> explicitly

Integrated: 8347946: Add API note that caller should validate/trust signers to the getCertificates and getCodeSigners methods of JarEntry and JarURLConnection

2025-02-19 Thread Sean Mullan
On Thu, 13 Feb 2025 16:27:03 GMT, Sean Mullan wrote: > This change adds an API note to these methods recommending that the caller > should perform further validation steps on the code signers that signed the > JAR file, such as validating the code signer's certificate chain, and > determining

Re: RFR: 8349583: Add mechanism to disable signature schemes based on their TLS scope [v3]

2025-02-19 Thread Artur Barashev
> Currently when a signature scheme constraint is specified with > "jdk.tls.disabledAlgorithms" property we don't differentiate between > signatures used to sign a TLS handshake exchange and the signatures used in > TLS certificates: > https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3

Integrated: 8346094: Harden X509CertImpl.getExtensionValue for NPE cases

2025-02-19 Thread Konanki Sreenath
On Mon, 27 Jan 2025 12:39:45 GMT, Konanki Sreenath wrote: > Earlier code will trigger NPE if the certificate does not contain the > extensions or if the requested extensions does not exist. The better approach > for hardening **getExtensionValue** here is to to check for NULL explicitly > befo

Re: RFR: 8349664: HEX dump should always use ASCII or ISO_8859_1 [v2]

2025-02-19 Thread Weijun Wang
On Wed, 19 Feb 2025 13:42:38 GMT, Mikhail Yankelevich wrote: >> Changed `HexDumpEncoder`, so `encodeBuffer` always uses ISO_8859_1. >> This also fixes the issue with conversion in `encode` method, as the input >> is always ISO_8859_1. > > Mikhail Yankelevich has updated the pull request increme

Re: RFR: 8349492: Update sun/security/pkcs12/KeytoolOpensslInteropTest.java to use a recent Openssl version [v5]

2025-02-19 Thread Fernando Guallini
> This updates the OpenSSL version that is used by test > `sun/security/pkcs12/KeytoolOpensslInteropTest.java` to the current LTS > version (3.0 series). > There are some differences between the 1.1.x and the current OpenSSL version: > - RC4 is not longer enabled by default, therefore adding the

Re: RFR: 8349664: HEX dump should always use ASCII or ISO_8859_1 [v2]

2025-02-19 Thread Mikhail Yankelevich
On Wed, 19 Feb 2025 16:52:36 GMT, Weijun Wang wrote: >> Mikhail Yankelevich has updated the pull request incrementally with one >> additional commit since the last revision: >> >> tests added > > test/jdk/sun/security/util/HexDumpEncoderTests.java line 101: > >> 99: public static voi

Re: RFR: 8349492: Update sun/security/pkcs12/KeytoolOpensslInteropTest.java to use a recent Openssl version [v4]

2025-02-19 Thread Fernando Guallini
On Tue, 18 Feb 2025 17:52:14 GMT, Rajan Halade wrote: >> Fernando Guallini has updated the pull request with a new target base due to >> a merge or a rebase. The incremental webrev excludes the unrelated changes >> brought in by the merge/rebase. The pull request contains eight additional >> c

Re: RFR: 8349664: HEX dump should always use ASCII or ISO_8859_1 [v3]

2025-02-19 Thread Mikhail Yankelevich
> Changed `HexDumpEncoder`, so `encodeBuffer` always uses ISO_8859_1. > This also fixes the issue with conversion in `encode` method, as the input is > always ISO_8859_1. Mikhail Yankelevich has updated the pull request incrementally with one additional commit since the last revision: change

Re: RFR: 8349664: HEX dump should always use ASCII or ISO_8859_1 [v2]

2025-02-19 Thread Weijun Wang
On Wed, 19 Feb 2025 17:04:15 GMT, Mikhail Yankelevich wrote: >> test/jdk/sun/security/util/HexDumpEncoderTests.java line 101: >> >>> 99: public static void main(String[] args) throws Exception { >>> 100: >>> 101: try (final FileInputStream fis = new >>> FileInputStream(args

Re: RFR: 8349664: HEX dump should always use ASCII or ISO_8859_1 [v4]

2025-02-19 Thread Mikhail Yankelevich
> Changed `HexDumpEncoder`, so `encodeBuffer` always uses ISO_8859_1. > This also fixes the issue with conversion in `encode` method, as the input is > always ISO_8859_1. Mikhail Yankelevich has updated the pull request incrementally with one additional commit since the last revision: import

Re: RFR: 8346094: Harden X509CertImpl.getExtensionValue for NPE cases [v7]

2025-02-19 Thread duke
On Wed, 19 Feb 2025 14:48:56 GMT, Konanki Sreenath wrote: >> Earlier code will trigger NPE if the certificate does not contain the >> extensions or if the requested extensions does not exist. The better >> approach for hardening **getExtensionValue** here is to to check for NULL >> explicitly

RFR: 8325766: Review seclibs tests for cert expiry

2025-02-19 Thread Matthew Donovan
This PR updates the CertificateBuilder with a new method that creates a new instance with common fields (subject name, public key, serial number, validity, and key uses) filled-in. One test, IPIdentities.java, is updated to show how the method can be used to create various certificates. I attach

Re: RFR: 8342238: Test javax/crypto/CryptoPermissions/InconsistentEntries.java writes files in tested JDK dir

2025-02-19 Thread duke
On Mon, 20 Jan 2025 16:20:27 GMT, Fernando Guallini wrote: > The test javax/crypto/CryptoPermissions/InconsistentEntries.java should not > modify the JDK home directory under test as that could impact the results of > other tests, or it could fail if the JDK home dir is read-only. > > This PR

Re: RFR: 8346094: Harden X509CertImpl.getExtensionValue for NPE cases [v7]

2025-02-19 Thread Sean Coffey
On Wed, 19 Feb 2025 14:48:56 GMT, Konanki Sreenath wrote: >> Earlier code will trigger NPE if the certificate does not contain the >> extensions or if the requested extensions does not exist. The better >> approach for hardening **getExtensionValue** here is to to check for NULL >> explicitly

Re: RFR: 8346094: Harden X509CertImpl.getExtensionValue for NPE cases [v7]

2025-02-19 Thread Konanki Sreenath
> Earlier code will trigger NPE if the certificate does not contain the > extensions or if the requested extensions does not exist. The better approach > for hardening **getExtensionValue** here is to to check for NULL explicitly > before calling **getExtensionValue()** and avoding try-catch blo

Re: RFR: 8349664: HEX dump should always use ASCII or ISO_8859_1 [v5]

2025-02-19 Thread Weijun Wang
On Wed, 19 Feb 2025 18:56:40 GMT, Mikhail Yankelevich wrote: >> Changed `HexDumpEncoder`, so `encodeBuffer` always uses ISO_8859_1. >> This also fixes the issue with conversion in `encode` method, as the input >> is always ISO_8859_1. > > Mikhail Yankelevich has updated the pull request increme

Re: RFR: 8267068: Incomplete @throws javadoc for various javax.crypto.spec classes [v2]

2025-02-19 Thread Mark Powers
> [JDK-8267068](https://bugs.openjdk.org/browse/JDK-8267068) Mark Powers has updated the pull request incrementally with one additional commit since the last revision: review comments from Valerie and Sean - Changes: - all: https://git.openjdk.org/jdk/pull/23188/files - new:

Re: RFR: 8349943: [JMH] Use jvmArgs consistently

2025-02-19 Thread Claes Redestad
On Thu, 13 Feb 2025 08:35:47 GMT, Nicole Xu wrote: > As is suggested in > [JDK-8342958](https://bugs.openjdk.org/browse/JDK-8342958), `jvmArgs` should > be used consistently in microbenchmarks to 'align with the intuition that > when you use jvmArgsAppend/-Prepend intent is to add to a set of

Re: RFR: 8349759: Fix CertificateBuilder and SimpleOCSPServer test utilities to support PQC algorithms [v3]

2025-02-19 Thread Sean Mullan
On Thu, 13 Feb 2025 22:29:46 GMT, Jamil Nimeh wrote: >> Also, should it be moved to somewhere else like >> jdk/test/sun/security/provider/certpath? > >> Also, should it be moved to somewhere else like >> jdk/test/sun/security/provider/certpath? > > Hmmm...not sure about that, but maybe an exp

Re: RFR: 8328914: Document the java.security.debug property in javadoc [v2]

2025-02-19 Thread Sean Mullan
On Fri, 14 Feb 2025 19:16:41 GMT, Weijun Wang wrote: > Also, now we have the same content in 3 places: > > 1. Here > > 2. In the Security Guide at > https://docs.oracle.com/en/java/javase/23/security/troubleshooting-security.html#GUID-05F3E865-20FF-46EB-AC35-84D4B552CA48 > > 3. At

Re: RFR: 8328914: Document the java.security.debug property in javadoc [v2]

2025-02-19 Thread Sean Mullan
On Fri, 14 Feb 2025 19:12:51 GMT, Koushik Muthukrishnan Thirupattur wrote: >> java.security.debug is a widely used debug system property for JDK security >> libs. It's time to capture details about this property via javadoc. >> >> ![image](https://github.com/user-attachments/assets/2c58dd82-36

Re: RFR: 8349759: Fix CertificateBuilder and SimpleOCSPServer test utilities to support PQC algorithms [v4]

2025-02-19 Thread Jamil Nimeh
> This fix makes some minor changes to the internals of the > `CertificateBuilder` and `SimpleOCSPServer` test classes. They would break > when ML-DSA was selected as key and signing algorithms. Also RSASSA-PSS > works better now with these changes. I've also taken this opportunity to do > s

Integrated: 8349664: HEX dump should always use ASCII or ISO_8859_1

2025-02-19 Thread Mikhail Yankelevich
On Mon, 17 Feb 2025 11:40:59 GMT, Mikhail Yankelevich wrote: > Changed `HexDumpEncoder`, so `encodeBuffer` always uses ISO_8859_1. > This also fixes the issue with conversion in `encode` method, as the input is > always ISO_8859_1. This pull request has now been integrated. Changeset: 7734f8e

Re: RFR: 8349664: HEX dump should always use ASCII or ISO_8859_1 [v4]

2025-02-19 Thread duke
On Wed, 19 Feb 2025 17:21:10 GMT, Mikhail Yankelevich wrote: >> Changed `HexDumpEncoder`, so `encodeBuffer` always uses ISO_8859_1. >> This also fixes the issue with conversion in `encode` method, as the input >> is always ISO_8859_1. > > Mikhail Yankelevich has updated the pull request increme

Re: RFR: 8328914: Document the java.security.debug property in javadoc [v2]

2025-02-19 Thread Sean Mullan
On Fri, 14 Feb 2025 19:15:21 GMT, Weijun Wang wrote: > The name and title should not be "Security Properties". This is about the > debug system property. Yes, this is because "Security Properties" are different than system properties, and are listed in the `java.security` file. We may want to

Re: RFR: 8261513: Various BasicConstraintsExtension issues [v3]

2025-02-19 Thread Sean Mullan
On Mon, 3 Feb 2025 19:26:27 GMT, Ben Perez wrote: >> 8261513: Various BasicConstraintsExtension issues > > Ben Perez has updated the pull request with a new target base due to a merge > or a rebase. The incremental webrev excludes the unrelated changes brought in > by the merge/rebase. The pull

Re: RFR: 8346129: Simplify EdDSA & XDH curve name usage

2025-02-19 Thread Artur Barashev
On Fri, 14 Feb 2025 18:44:38 GMT, Anthony Scarpino wrote: > Hi, > > I need a review for the following change. Naming conventions for EdDSA and > XDH have inconsistencies between DisabledAlgorithms and KeyPairGenerator. > These internal changes help make it more consistent when parsing the act

Re: RFR: 8328914: Document the java.security.debug property in javadoc [v2]

2025-02-19 Thread Koushik Muthukrishnan Thirupattur
On Wed, 19 Feb 2025 22:50:40 GMT, Sean Mullan wrote: >> Koushik Muthukrishnan Thirupattur has updated the pull request incrementally >> with one additional commit since the last revision: >> >> 8328914: Document the java.security.debug property in javadoc > > src/java.base/share/classes/java/

Re: RFR: 8349664: HEX dump should always use ASCII or ISO_8859_1 [v5]

2025-02-19 Thread Mikhail Yankelevich
> Changed `HexDumpEncoder`, so `encodeBuffer` always uses ISO_8859_1. > This also fixes the issue with conversion in `encode` method, as the input is > always ISO_8859_1. Mikhail Yankelevich has updated the pull request incrementally with one additional commit since the last revision: import

Re: RFR: 8267068: Incomplete @throws javadoc for various javax.crypto.spec classes [v3]

2025-02-19 Thread Mark Powers
> [JDK-8267068](https://bugs.openjdk.org/browse/JDK-8267068) Mark Powers has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains three commits: - Merge master - review comments from Valerie and Sean - first iteration - Change

Re: RFR: 8346129: Simplify EdDSA & XDH curve name usage

2025-02-19 Thread Anthony Scarpino
On Wed, 19 Feb 2025 21:19:22 GMT, Artur Barashev wrote: >> Hi, >> >> I need a review for the following change. Naming conventions for EdDSA and >> XDH have inconsistencies between DisabledAlgorithms and KeyPairGenerator. >> These internal changes help make it more consistent when parsing the a

Re: RFR: 8346129: Simplify EdDSA & XDH curve name usage

2025-02-19 Thread Anthony Scarpino
On Wed, 19 Feb 2025 21:31:08 GMT, Artur Barashev wrote: >> Hi, >> >> I need a review for the following change. Naming conventions for EdDSA and >> XDH have inconsistencies between DisabledAlgorithms and KeyPairGenerator. >> These internal changes help make it more consistent when parsing the a

Re: RFR: 8328914: Document the java.security.debug property in javadoc [v2]

2025-02-19 Thread Koushik Muthukrishnan Thirupattur
On Wed, 19 Feb 2025 22:39:21 GMT, Sean Mullan wrote: > > Also, now we have the same content in 3 places: > > ``` > > 1. Here > > > > 2. In the Security Guide at > > https://docs.oracle.com/en/java/javase/23/security/troubleshooting-security.html#GUID-05F3E865-20FF-46EB-AC35-84D4B552CA48 > > >

Re: RFR: 8348309: MultiNST tests need more debugging and timing [v2]

2025-02-19 Thread Anthony Scarpino
> I need a review of this change that adds new timing controls for the initial > server setup. On rare occasions, more so on certain architectures, the > server may not fully start before the client tries to connect. Additional > debugging is added to help identify if there are other timing is

Re: RFR: 8346129: Simplify EdDSA & XDH curve name usage

2025-02-19 Thread Artur Barashev
On Fri, 14 Feb 2025 18:44:38 GMT, Anthony Scarpino wrote: > Hi, > > I need a review for the following change. Naming conventions for EdDSA and > XDH have inconsistencies between DisabledAlgorithms and KeyPairGenerator. > These internal changes help make it more consistent when parsing the act

Re: RFR: 8349849: PKCS11 SunTlsKeyMaterial crashes when used with TLS1.2 TlsKeyMaterialParameterSpec

2025-02-19 Thread Valerie Peng
On Thu, 13 Feb 2025 18:43:01 GMT, Daniel JeliƄski wrote: >> Ah ok. So I assume TLS 1.3 is using a different code path or KDF. > > TLS 1.3 uses HKDF, and doesn't work with SunPKCS11 yet, see > [JDK-8278640](https://bugs.openjdk.org/browse/JDK-8278640) I'd like to clarify the usage of `SunTlsKeyM

Re: RFR: 8349943: [JMH] Use jvmArgs consistently

2025-02-19 Thread Nicole Xu
On Thu, 13 Feb 2025 20:04:05 GMT, Chen Liang wrote: >> As is suggested in >> [JDK-8342958](https://bugs.openjdk.org/browse/JDK-8342958), `jvmArgs` should >> be used consistently in microbenchmarks to 'align with the intuition that >> when you use jvmArgsAppend/-Prepend intent is to add to a se

Re: RFR: 8349943: [JMH] Use jvmArgs consistently

2025-02-19 Thread duke
On Thu, 13 Feb 2025 08:35:47 GMT, Nicole Xu wrote: > As is suggested in > [JDK-8342958](https://bugs.openjdk.org/browse/JDK-8342958), `jvmArgs` should > be used consistently in microbenchmarks to 'align with the intuition that > when you use jvmArgsAppend/-Prepend intent is to add to a set of

Re: RFR: 8349943: [JMH] Use jvmArgs consistently

2025-02-19 Thread Hao Sun
On Thu, 13 Feb 2025 08:35:47 GMT, Nicole Xu wrote: > As is suggested in > [JDK-8342958](https://bugs.openjdk.org/browse/JDK-8342958), `jvmArgs` should > be used consistently in microbenchmarks to 'align with the intuition that > when you use jvmArgsAppend/-Prepend intent is to add to a set of

Integrated: 8349943: [JMH] Use jvmArgs consistently

2025-02-19 Thread Nicole Xu
On Thu, 13 Feb 2025 08:35:47 GMT, Nicole Xu wrote: > As is suggested in > [JDK-8342958](https://bugs.openjdk.org/browse/JDK-8342958), `jvmArgs` should > be used consistently in microbenchmarks to 'align with the intuition that > when you use jvmArgsAppend/-Prepend intent is to add to a set of

Re: RFR: 8328914: Document the java.security.debug property in javadoc [v3]

2025-02-19 Thread Weijun Wang
On Wed, 19 Feb 2025 23:27:19 GMT, Koushik Muthukrishnan Thirupattur wrote: >> java.security.debug is a widely used debug system property for JDK security >> libs. It's time to capture details about this property via javadoc. >> >> ![image](https://github.com/user-attachments/assets/bf8bb8bf-a6

Re: RFR: 8349943: [JMH] Use jvmArgs consistently

2025-02-19 Thread Nicole Xu
On Thu, 13 Feb 2025 08:35:47 GMT, Nicole Xu wrote: > As is suggested in > [JDK-8342958](https://bugs.openjdk.org/browse/JDK-8342958), `jvmArgs` should > be used consistently in microbenchmarks to 'align with the intuition that > when you use jvmArgsAppend/-Prepend intent is to add to a set of

Re: RFR: 8349664: HEX dump should always use ASCII or ISO_8859_1 [v4]

2025-02-19 Thread Weijun Wang
On Wed, 19 Feb 2025 17:21:10 GMT, Mikhail Yankelevich wrote: >> Changed `HexDumpEncoder`, so `encodeBuffer` always uses ISO_8859_1. >> This also fixes the issue with conversion in `encode` method, as the input >> is always ISO_8859_1. > > Mikhail Yankelevich has updated the pull request increme

Re: RFR: 8328914: Document the java.security.debug property in javadoc [v3]

2025-02-19 Thread Koushik Muthukrishnan Thirupattur
> java.security.debug is a widely used debug system property for JDK security > libs. It's time to capture details about this property via javadoc. > > ![image](https://github.com/user-attachments/assets/2c58dd82-363e-49be-9734-755d5d0014d7) > > NOTE : We are adding a new html file (similar to t