RFR: 8327538: The SSLExtension class specifies incorrect values for heartbeat per RFC 6520 and post_handshake_auth per RFC 8446

2024-07-19 Thread Hai-May Chao
8327538: The SSLExtension class specifies incorrect values for heartbeat per RFC 6520 and post_handshake_auth per RFC 8446 - Commit messages: - 8327538: The SSLExtension class specifies incorrect values for heartbeat per RFC 6520 and post_handshake_auth per RFC 8446 Changes: https

Re: RFR: 8327538: The SSLExtension class specifies incorrect values for heartbeat per RFC 6520 and post_handshake_auth per RFC 8446

2024-07-20 Thread Hai-May Chao
On Sat, 20 Jul 2024 01:32:00 GMT, Bradford Wetmore wrote: >> 8327538: The SSLExtension class specifies incorrect values for heartbeat per >> RFC 6520 and post_handshake_auth per RFC 8446 > > LGTM. > > Since we don't support either extension, either add a regression test that > searches a pro

Integrated: 8327538: The SSLExtension class specifies incorrect values for heartbeat per RFC 6520 and post_handshake_auth per RFC 8446

2024-07-21 Thread Hai-May Chao
On Fri, 19 Jul 2024 17:24:04 GMT, Hai-May Chao wrote: > 8327538: The SSLExtension class specifies incorrect values for heartbeat per > RFC 6520 and post_handshake_auth per RFC 8446 This pull request has now been integrated. Changeset: fd741a88 Author: Hai-May Chao URL:

Re: RFR: 8336935: Test sun/security/krb5/auto/RealmSpecificValues.java fails: java.lang.RuntimeException: Should not reach here

2024-07-22 Thread Hai-May Chao
On Mon, 22 Jul 2024 21:40:15 GMT, Weijun Wang wrote: > The test sets system properties. Should run in `othervm`. Marked as reviewed by hchao (Committer). - PR Review: https://git.openjdk.org/jdk/pull/20284#pullrequestreview-2192619833

Re: RFR: 8336667: IAE in DerInputStream.toByteArray

2024-07-25 Thread Hai-May Chao
On Mon, 22 Jul 2024 21:28:07 GMT, Weijun Wang wrote: > When reading an indefinite BER `DerValue` from a `DerInputStream`, the > current position of the stream must be placed right after the BER. There is a > bug in the calculation. Nice to have new PoC.java test to cover indefinite length enco

Re: RFR: 8330217: Spurious warning from jarsigner -verify when keystore with intermediate CA is used [v2]

2024-07-29 Thread Hai-May Chao
On Wed, 24 Jul 2024 19:12:59 GMT, Weijun Wang wrote: >> There is an error in `jarsigner` on the "This JAR contains signed entries >> that aren't signed by alias in this keystore" warning. The exit code is >> determined by >> [`notSignedByAlias`](https://github.com/openjdk/jdk/blob/0a60b0f99efb

Re: RFR: 8330217: Spurious warning from jarsigner -verify when keystore with intermediate CA is used [v2]

2024-07-30 Thread Hai-May Chao
On Wed, 24 Jul 2024 20:43:48 GMT, Weijun Wang wrote: > The [CSR](https://bugs.openjdk.org/browse/JDK-8334263) and [release > note](https://bugs.openjdk.org/browse/JDK-8334262) have been updated as well. The CSR and release note look good. Just one small suggestion for CSR: changing `Only detec

Re: RFR: 8330217: Spurious warning from jarsigner -verify when keystore with intermediate CA is used [v3]

2024-07-30 Thread Hai-May Chao
On Tue, 30 Jul 2024 15:10:50 GMT, Weijun Wang wrote: >> There is an error in `jarsigner` on the "This JAR contains signed entries >> that aren't signed by alias in this keystore" warning. The exit code is >> determined by >> [`notSignedByAlias`](https://github.com/openjdk/jdk/blob/0a60b0f99efb

Re: RFR: 8330217: Spurious warning from jarsigner -verify when keystore with intermediate CA is used [v2]

2024-07-30 Thread Hai-May Chao
On Tue, 30 Jul 2024 15:07:39 GMT, Weijun Wang wrote: >> test/jdk/sun/security/tools/jarsigner/ByAlias.java line 91: >> >>> 89: kt("-delete -alias ee"); >>> 90: js("-verify a.jar") >>> 91: .shouldContain("not signed by alias in this keystore"); >> >> As this PR ch

Re: RFR: 8330217: Spurious warning from jarsigner -verify when keystore with intermediate CA is used [v2]

2024-08-02 Thread Hai-May Chao
On Tue, 30 Jul 2024 22:13:08 GMT, Weijun Wang wrote: >> Thanks to verify the exit code is not 32. Is it doable to have a test for >> aliasNotInStore which is not emitting a non-zero exit code? > > There is a chainNotValidated error here. But I can add the check in an > earlier check. See my nex

Re: RFR: 8330217: Spurious warning from jarsigner -verify when keystore with intermediate CA is used [v4]

2024-08-02 Thread Hai-May Chao
On Tue, 30 Jul 2024 22:24:04 GMT, Weijun Wang wrote: >> There is an error in `jarsigner` on the "This JAR contains signed entries >> that aren't signed by alias in this keystore" warning. The exit code is >> determined by >> [`notSignedByAlias`](https://github.com/openjdk/jdk/blob/0a60b0f99efb

Re: RFR: 8335288: SunPKCS11 initialization will call C_GetMechanismInfo on unsupported mechanisms [v2]

2024-08-29 Thread Hai-May Chao
On Wed, 21 Aug 2024 00:09:25 GMT, Valerie Peng wrote: >> Can someone help review this fix? Changed the required-mechanism check by >> checking if the particular mechanism is inside the list of enabled supported >> mechanisms. This should be more reliable than calling C_GetMechanismInfo(..) >>

RFR: 8339347: keytool -importpass insists prompting the user even if there is no terminal

2024-09-04 Thread Hai-May Chao
Given the changes to the System.console() behavior, where it no longer returns null when a write pipe is connected to the Java process, keytool needs to be updated to determine whether an interactive terminal is attached. - Commit messages: - 8339347: keytool -importpass insists pr

Re: RFR: 8339347: keytool -importpass insists prompting the user even if there is no terminal

2024-09-04 Thread Hai-May Chao
On Wed, 4 Sep 2024 16:10:50 GMT, Hai-May Chao wrote: > Given the changes to the System.console() behavior, where it no longer > returns null when a write pipe is connected to the Java process, keytool > needs to be updated to determine whether an interactive terminal is attac

Re: RFR: 8339347: keytool -importpass insists prompting the user even if there is no terminal [v2]

2024-09-05 Thread Hai-May Chao
> Given the changes to the System.console() behavior, where it no longer > returns null when a write pipe is connected to the Java process, keytool > needs to be updated to determine whether an interactive terminal is attached. Hai-May Chao has updated the pull request incrementally

Re: RFR: 8339347: keytool -importpass insists prompting the user even if there is no terminal [v2]

2024-09-05 Thread Hai-May Chao
On Thu, 5 Sep 2024 16:27:42 GMT, Weijun Wang wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Update setResponse in testcase > > test/jdk/sun/security/tools/keytool/TestImportPass.

Re: RFR: 8339347: keytool -importpass insists prompting the user even if there is no terminal

2024-09-05 Thread Hai-May Chao
On Wed, 4 Sep 2024 22:08:22 GMT, Weijun Wang wrote: >> Given the changes to the System.console() behavior, where it no longer >> returns null when a write pipe is connected to the Java process, keytool >> needs to be updated to determine whether an interactive terminal is attached. > > Do you n

Integrated: 8339347: keytool -importpass insists prompting the user even if there is no terminal

2024-09-05 Thread Hai-May Chao
On Wed, 4 Sep 2024 16:10:50 GMT, Hai-May Chao wrote: > Given the changes to the System.console() behavior, where it no longer > returns null when a write pipe is connected to the Java process, keytool > needs to be updated to determine whether an interactive terminal is attached.

Re: RFR: 8309841: Jarsigner should print a warning if an entry is removed [v2]

2024-09-12 Thread Hai-May Chao
On Thu, 12 Sep 2024 15:32:44 GMT, Weijun Wang wrote: >> There ~are two~ is one change~s~: >> >> 1. In `jarsigner -verify`, check a .SF file contains un-existing entries and >> print them out as >> >> Warning: nonexistent signed entries detected: [a] >> >> ~2. In `JarSigner::sign0`, when creat

Re: RFR: 8309841: Jarsigner should print a warning if an entry is removed [v2]

2024-09-12 Thread Hai-May Chao
On Thu, 12 Sep 2024 15:32:44 GMT, Weijun Wang wrote: >> There ~are two~ is one change~s~: >> >> 1. In `jarsigner -verify`, check a .SF file contains un-existing entries and >> print them out as >> >> Warning: nonexistent signed entries detected: [a] >> >> ~2. In `JarSigner::sign0`, when creat

Re: RFR: 8309841: Jarsigner should print a warning if an entry is removed [v2]

2024-09-12 Thread Hai-May Chao
On Thu, 12 Sep 2024 15:32:44 GMT, Weijun Wang wrote: >> There ~are two~ is one change~s~: >> >> 1. In `jarsigner -verify`, check a .SF file contains un-existing entries and >> print them out as >> >> Warning: nonexistent signed entries detected: [a] >> >> ~2. In `JarSigner::sign0`, when creat

Re: RFR: 8309841: Jarsigner should print a warning if an entry is removed [v4]

2024-09-13 Thread Hai-May Chao
On Fri, 13 Sep 2024 16:23:40 GMT, Weijun Wang wrote: >> There ~are two~ is one change~s~: >> >> 1. In `jarsigner -verify`, check a .SF file contains un-existing entries and >> print them out as >> >> Warning: nonexistent signed entries detected: [a] >> >> ~2. In `JarSigner::sign0`, when creat

Re: RFR: 8288568: Reduce runtime of java.security microbenchmarks

2022-06-16 Thread Hai-May Chao
On Thu, 16 Jun 2022 15:35:04 GMT, Claes Redestad wrote: > - Reduce forks, iteration, runtime to reduce runtime while maintaining high > data quality on typical benchmarking hosts. > > Reduces runtime from estimated 10+ hours to 54 minutes. Looks good. Would you also consider to apply the same

Re: RFR: 8288568: Reduce runtime of java.security microbenchmarks [v2]

2022-06-17 Thread Hai-May Chao
On Fri, 17 Jun 2022 12:24:50 GMT, Claes Redestad wrote: >> - Reduce forks, iteration, runtime to reduce runtime while maintaining high >> data quality on typical benchmarking hosts. >> >> Reduces runtime from estimated 10+ hours to 54 minutes. > > Claes Redestad has updated the pull request inc

RFR: 8286259: Password cleanup after KeyStore.PasswordProtection in P11KeyStore

2022-06-22 Thread Hai-May Chao
Please review the small update for JDK-8286259. - Commit messages: - 8286259: Password cleanup after KeyStore.PasswordProtection in P11KeyStore Changes: https://git.openjdk.org/jdk/pull/9254/files Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=9254&range=00 Issue: https://bugs.

Integrated: 8286259: Password cleanup after KeyStore.PasswordProtection in P11KeyStore

2022-06-27 Thread Hai-May Chao
On Thu, 23 Jun 2022 00:41:07 GMT, Hai-May Chao wrote: > Please review the small update for JDK-8286259. This pull request has now been integrated. Changeset: ca78f7bd Author: Hai-May Chao URL: https://git.openjdk.org/jdk/commit/ca78f7bd762e1d5cd843d1ff36fafb8c943aba97 Stats:

RFR: 8289401: Add dump output to TestRawRSACipher.java

2022-06-28 Thread Hai-May Chao
Test TestRawRSACipher.java may fail intermittently. Please review changes to dump out the input and output when it fails. - Commit messages: - 8289401: Add dump output to TestRawRSACipher.java Changes: https://git.openjdk.org/jdk/pull/9316/files Webrev: https://webrevs.openjdk.org

Re: RFR: 8289401: Add dump output to TestRawRSACipher.java [v2]

2022-06-28 Thread Hai-May Chao
> Test TestRawRSACipher.java may fail intermittently. Please review changes to > dump out the input and output when it fails. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Update to use HexFormat - Changes:

Re: RFR: 8289401: Add dump output to TestRawRSACipher.java [v2]

2022-06-28 Thread Hai-May Chao
On Tue, 28 Jun 2022 23:18:28 GMT, Weijun Wang wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Update to use HexFormat > > Looks fine. @wangweij Thanks for the review.

Integrated: 8289401: Add dump output to TestRawRSACipher.java

2022-06-28 Thread Hai-May Chao
On Tue, 28 Jun 2022 22:55:26 GMT, Hai-May Chao wrote: > Test TestRawRSACipher.java may fail intermittently. Please review changes to > dump out the input and output when it fails. This pull request has now been integrated. Changeset: 7b3bf977 Author: Hai-May Chao URL:

Re: RFR: 6522064: Aliases from Microsoft CryptoAPI has bad character encoding

2022-07-08 Thread Hai-May Chao
On Wed, 8 Jun 2022 13:42:43 GMT, Weijun Wang wrote: > Switch to wide char version of `CertGetNameString` to get the non-ASCII name. Marked as reviewed by hchao (Committer). Test case looks good. - PR: https://git.openjdk.org/jdk/pull/9085

Re: RFR: 8292682: Code change of JDK-8282730 not updated to reflect CSR update

2022-08-19 Thread Hai-May Chao
On Fri, 19 Aug 2022 18:47:40 GMT, Weijun Wang wrote: > The final version of the CSR at https://bugs.openjdk.org/browse/JDK-8290119 > uses `@implNote` for the new text, but the code change was not updated before > the integration. Marked as reviewed by hchao (Committer). Looks good. -

Re: RFR: 8292683: Remove BadKeyUsageTest.java from Problem List

2022-08-19 Thread Hai-May Chao
On Fri, 19 Aug 2022 19:01:10 GMT, Weijun Wang wrote: > Sigh. I removed the test file itself long time ago but forgot to remove a > line on it in the problem list. Marked as reviewed by hchao (Committer). Looks good. - PR: https://git.openjdk.org/jdk/pull/9951

Re: RFR: 8292676: Remove two kerberos tests from problem list

2022-08-19 Thread Hai-May Chao
On Fri, 19 Aug 2022 15:13:34 GMT, Weijun Wang wrote: > The two tests are no longer manual and should be removed from the problem > list. Marked as reviewed by hchao (Committer). Looks good. - PR: https://git.openjdk.org/jdk/pull/9943

Re: RFR: 8293779: redundant checking in AESCrypt.makeSessionKey() method [v2]

2022-09-14 Thread Hai-May Chao
On Wed, 14 Sep 2022 16:03:48 GMT, Xue-Lei Andrew Fan wrote: >> Hi, >> >> Please review this simple code cleanup. >> >> The following checking for key in the makeSessionKey() method is redundant >> as the same checking has been performed before calling the method. >> >> >> if (k

Re: RFR: 8256660: Disable DTLS 1.0

2022-10-28 Thread Hai-May Chao
On Fri, 28 Oct 2022 17:00:12 GMT, Sean Mullan wrote: > Disable DTLS 1.0 by default. This version of DTLS has weakened over time and > lacks support for stronger cipher suites. DTLS 1.0 correlates with version > 1.1 of TLS which has already been disabled by default in JDK 16. The IETF has > dep

Re: RFR: 8299746: Accept unknown signatureAlgorithm in PKCS7 SignerInfo

2023-01-06 Thread Hai-May Chao
On Fri, 6 Jan 2023 15:52:03 GMT, Weijun Wang wrote: > Modern signature algorithms provided by a 3rd-party provider might not be > recognized by JDK code yet. Marked as reviewed by hchao (Committer). - PR: https://git.openjdk.org/jdk/pull/11883

RFR: 8286907: keytool should warn about weak PBE algorithms

2023-01-17 Thread Hai-May Chao
Please review the fix to address the problem in keytool -genseckey and -importpass. - Commit messages: - 8286907: keytool should warn about weak PBE algorithms Changes: https://git.openjdk.org/jdk/pull/12056/files Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=12056&range=00 I

Re: RFR: 8286907: keytool should warn about weak PBE algorithms [v2]

2023-01-20 Thread Hai-May Chao
> Please review the fix to address the problem in keytool -genseckey and > -importpass. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Update with Max's comment - Changes: - all: https://git.openjdk.o

Re: RFR: 8286907: keytool should warn about weak PBE algorithms [v2]

2023-01-25 Thread Hai-May Chao
On Fri, 20 Jan 2023 22:03:29 GMT, Hai-May Chao wrote: >> Please review the fix to address the problem in keytool -genseckey and >> -importpass. > > Hai-May Chao has updated the pull request incrementally with one additional > commit since the last revision: > >

Re: RFR: 8286907: keytool should warn about weak PBE algorithms [v2]

2023-01-26 Thread Hai-May Chao
On Thu, 26 Jan 2023 12:30:25 GMT, Weijun Wang wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Update with Max's comment > > I said "one solution is to add RC2_40 and RC2_

Re: RFR: 8286907: keytool should warn about weak PBE algorithms [v2]

2023-02-02 Thread Hai-May Chao
On Thu, 26 Jan 2023 17:39:34 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Update with Max's comment > > Yeah, this is a little tricky. My feeling is that

Integrated: 8286907: keytool should warn about weak PBE algorithms

2023-02-02 Thread Hai-May Chao
On Tue, 17 Jan 2023 23:25:42 GMT, Hai-May Chao wrote: > Please review the fix to address the problem in keytool -genseckey and > -importpass. This pull request has now been integrated. Changeset: b00b70c2 Author: Hai-May Chao URL: https://git.openjdk.org/jdk/

Re: RFR: 8301154: SunPKCS11 KeyStore deleteEntry results in dangling PrivateKey entries

2023-05-04 Thread Hai-May Chao
On Mon, 1 May 2023 19:49:05 GMT, Valerie Peng wrote: > Could someone help review this PKCS11KeyStore fix regarding the cert chain > removal? > > The proposed fix will not remove the cert if it has a corresponding private > key or is an issuer of other entities in the same keystore. > > Thanks

Re: RFR: 8301154: SunPKCS11 KeyStore deleteEntry results in dangling PrivateKey entries

2023-05-05 Thread Hai-May Chao
On Fri, 5 May 2023 19:43:31 GMT, Valerie Peng wrote: >> test/jdk/sun/security/pkcs11/KeyStore/CertChainRemoval.java line 176: >> >>> 174: >>> 175: // should only have "pk1" now >>> 176: checkEntry(ks, "pk1", pk1Chain); >> >> When the keystore should only have "pk1" now, how wou

Re: RFR: 8301154: SunPKCS11 KeyStore deleteEntry results in dangling PrivateKey entries

2023-05-05 Thread Hai-May Chao
On Mon, 1 May 2023 19:49:05 GMT, Valerie Peng wrote: > Could someone help review this PKCS11KeyStore fix regarding the cert chain > removal? > > The proposed fix will not remove the cert if it has a corresponding private > key or is an issuer of other entities in the same keystore. > > Thanks

Re: RFR: 8301154: SunPKCS11 KeyStore deleteEntry results in dangling PrivateKey entries [v2]

2023-05-12 Thread Hai-May Chao
On Fri, 12 May 2023 02:23:17 GMT, Valerie Peng wrote: >> Could someone help review this PKCS11KeyStore fix regarding the cert chain >> removal? >> >> The proposed fix will not remove the cert if it has a corresponding private >> key or is an issuer of other entities in the same keystore. >> >

Re: RFR: JDK-8307794 Test for HSS/LMS Signature Verification [v5]

2023-05-23 Thread Hai-May Chao
On Tue, 23 May 2023 17:14:42 GMT, Mark Powers wrote: >> https://bugs.openjdk.org/browse/JDK-8307794 > > Mark Powers has updated the pull request incrementally with one additional > commit since the last revision: > > change class names and fix nit Test VerifyHSSLMSSignedJar.java looks good.

Re: RFR: JDK-8307794 Test for HSS/LMS Signature Verification [v7]

2023-05-30 Thread Hai-May Chao
On Tue, 30 May 2023 16:47:03 GMT, Mark Powers wrote: >> https://bugs.openjdk.org/browse/JDK-8307794 > > Mark Powers has updated the pull request incrementally with one additional > commit since the last revision: > > Sean's additional comments take 2 test/jdk/sun/security/tools/jarsigner/Ver

Re: RFR: JDK-8307794 Test for HSS/LMS Signature Verification [v7]

2023-05-31 Thread Hai-May Chao
On Tue, 30 May 2023 16:47:03 GMT, Mark Powers wrote: >> https://bugs.openjdk.org/browse/JDK-8307794 > > Mark Powers has updated the pull request incrementally with one additional > commit since the last revision: > > Sean's additional comments take 2 test/micro/org/openjdk/bench/java/securit

Re: RFR: 8309867: redundant class field RSAPadding.md

2023-06-12 Thread Hai-May Chao
On Mon, 12 Jun 2023 16:39:33 GMT, Xue-Lei Andrew Fan wrote: > Hi, > > May I get this simple update reviewed? > > The class field RSAPadding.md can be converted to a local variable of the > constructor, and save the class footprint. > > Thanks, > Xuelei Marked as reviewed by hchao (Committer)

Re: [jdk21] RFR: 8309740: Expand timeout windows for tests in JDK-8179502

2023-06-23 Thread Hai-May Chao
On Fri, 23 Jun 2023 14:55:45 GMT, Jamil Nimeh wrote: > This is a backport of the test fixes comprising JDK-8309740. Marked as reviewed by hchao (Committer). - PR Review: https://git.openjdk.org/jdk21/pull/58#pullrequestreview-1495731841

Re: [jdk21] RFR: 8292704: sun/security/tools/jarsigner/compatibility/Compatibility.java use wrong key size for EC

2023-06-28 Thread Hai-May Chao
On Tue, 27 Jun 2023 20:44:01 GMT, Rajan Halade wrote: > This test update should be included in JDK 21 LTS release. Marked as reviewed by hchao (Committer). - PR Review: https://git.openjdk.org/jdk21/pull/74#pullrequestreview-1503711317

Re: RFR: JDK-8311592 ECKeySizeParameterSpec causes too many exceptions on third party providers

2023-07-24 Thread Hai-May Chao
On Tue, 18 Jul 2023 03:58:50 GMT, Anthony Scarpino wrote: > Hi, > > This fix eliminates needless exceptions each time the EC key size is obtained > through AlgorithmParameters on third party providers. These providers throw > an InvalidParameterSpecException as `sun.security.util.KeyUtil.get

Re: RFR: 8312578: Redundant javadoc in X400Address

2023-07-24 Thread Hai-May Chao
On Mon, 24 Jul 2023 08:04:53 GMT, John Jiang wrote: > [JDK-8296741] removed the constructor `X400Address(byte[] value)`, but it > didn't remove the javadoc for this constructor. > This simple patch just removes this javadoc. > > [JDK-8296741]: > Ma

RFR: 8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar

2023-07-28 Thread Hai-May Chao
JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar - Commit messages: - 8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar Changes:

Re: RFR: 8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar

2023-07-28 Thread Hai-May Chao
On Fri, 28 Jul 2023 16:48:36 GMT, Mark Powers wrote: >> JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low >> for JARs such as WhiteSource/Mend unified agent jar > > src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java line > 852: > >> 850:

Re: RFR: 8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar [v2]

2023-07-28 Thread Hai-May Chao
> JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low > for JARs such as WhiteSource/Mend unified agent jar Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Variable tmp declaration

Re: RFR: 8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar [v2]

2023-07-28 Thread Hai-May Chao
On Fri, 28 Jul 2023 19:54:13 GMT, Claes Redestad wrote: >> You're right. Didn't look close enough. > > Might make sense to declare `tmp` as an `int` to avoid future confusion and > save a few bytecode on repeated implicit unboxing every time `tmp` is used. Done as suggested. - PR

Re: RFR: 8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar [v3]

2023-07-28 Thread Hai-May Chao
On Fri, 28 Jul 2023 19:43:17 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> debug message update > > src/java.base/share/classes/sun/security/util/Signatur

Re: RFR: 8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar [v3]

2023-07-28 Thread Hai-May Chao
> JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low > for JARs such as WhiteSource/Mend unified agent jar Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: debug message update - C

Integrated: 8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar

2023-07-31 Thread Hai-May Chao
On Fri, 28 Jul 2023 15:34:47 GMT, Hai-May Chao wrote: > JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low > for JARs such as WhiteSource/Mend unified agent jar This pull request has now been integrated. Changeset: e47a84f2 Author: Hai-May Chao URL:

Re: RFR: 8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar [v3]

2023-07-31 Thread Hai-May Chao
On Fri, 28 Jul 2023 22:49:04 GMT, Hai-May Chao wrote: >> JDK-8312489: Increase jdk.jar.maxSignatureFileSize default which is too low >> for JARs such as WhiteSource/Mend unified agent jar > > Hai-May Chao has updated the pull request incrementally with one additional >

RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length

2023-08-04 Thread Hai-May Chao
Please review the enhancement for JDK-8311596 and its CSR JDK-8313236. Thank you. - Commit messages: - 8311596: Add separate system properties for TLS server and client for maximum chain length Changes: https://git.openjdk.org/jdk/pull/15163/files Webrev: https://webrevs.openjdk.

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v2]

2023-09-06 Thread Hai-May Chao
On Mon, 7 Aug 2023 15:36:54 GMT, Mark Powers wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Set to default if a negative value is set > > src/java.base/share/classes/sun/security/

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v2]

2023-09-06 Thread Hai-May Chao
On Mon, 7 Aug 2023 17:23:11 GMT, Jamil Nimeh wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Set to default if a negative value is set > > src/java.base/share/classes/sun/security/

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v2]

2023-09-06 Thread Hai-May Chao
> Please review the enhancement for JDK-8311596 and its CSR JDK-8313236. Thank > you. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Set to default if a negative value is set - Changes: - all:

Re: RFR: 8304956: Update KeyStore.getDefaultType() specification to return pkcs12 as fallback [v3]

2023-09-19 Thread Hai-May Chao
On Tue, 19 Sep 2023 17:16:58 GMT, Kevin Driver wrote: >> Ben Perez has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Added test to check that when keystore.type is null it defaults to pkcs12 > > @haimaychao Are any accompanying changes nee

Re: RFR: 8304956: Update KeyStore.getDefaultType() specification to return pkcs12 as fallback [v3]

2023-09-19 Thread Hai-May Chao
On Tue, 19 Sep 2023 17:09:56 GMT, Ben Perez wrote: >> Replaced "jks" with "pkcs12" in both the spec and fallback for >> `KeyStore.getDefaultType()` > > Ben Perez has updated the pull request incrementally with one additional > commit since the last revision: > > Added test to check that when

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v3]

2023-10-12 Thread Hai-May Chao
> Please review the enhancement for JDK-8311596 and its CSR JDK-8313236. Thank > you. Hai-May Chao has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request co

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v4]

2023-10-13 Thread Hai-May Chao
> Please review the enhancement for JDK-8311596 and its CSR JDK-8313236. Thank > you. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Change made to configure max allowed cert chain lengths based on updat

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v4]

2023-10-13 Thread Hai-May Chao
On Fri, 13 Oct 2023 18:02:34 GMT, Mark Powers wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Change made to configure max allowed cert chain lengths based on updated >> CSR >

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v4]

2023-10-13 Thread Hai-May Chao
On Fri, 13 Oct 2023 18:59:44 GMT, Weijun Wang wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Change made to configure max allowed cert chain lengths based on updated >> CSR >

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v4]

2023-10-13 Thread Hai-May Chao
On Fri, 13 Oct 2023 21:43:58 GMT, Weijun Wang wrote: >> Since 8 is the default for "jdk.tls.maxClientCertificateChainLength", it is >> going to be overridden when "jdk.tls.maxCertificateChainLength" is set. >> Setting "jdk.tls.maxClientCertificateChainLength" to 8 is treated as keeping >> the

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v4]

2023-10-16 Thread Hai-May Chao
On Mon, 16 Oct 2023 13:31:46 GMT, Sean Mullan wrote: >> That's not my understanding. Since `jdk.tls.maxClientCertificateChainLength` >> is explicitly set on the command line you should honor it. > > Yes, I agree that if the application sets > `jdk.tls.maxClientCertificateChainLength` or > `jdk

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v5]

2023-10-16 Thread Hai-May Chao
> Please review the enhancement for JDK-8311596 and its CSR JDK-8313236. Thank > you. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Override the client/server defaults - Changes: - all: https://git.openjdk.o

Re: RFR: 8318328: DHKEM should check XDH name in case-insensitive mode

2023-10-17 Thread Hai-May Chao
On Tue, 17 Oct 2023 18:03:33 GMT, Weijun Wang wrote: > The comparison should have been done in case-insensitive mode. > > The new test confirms the change inside `DHKEM.java`. The one in > `XDHPrivateKeyImpl.java` is not easy to confirm. The SUN provider's > implementation always got the name

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v6]

2023-10-17 Thread Hai-May Chao
> Please review the enhancement for JDK-8311596 and its CSR JDK-8313236. Thank > you. Hai-May Chao has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contai

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v6]

2023-10-20 Thread Hai-May Chao
On Fri, 20 Oct 2023 18:39:38 GMT, Kevin Driver wrote: >> src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java line 150: >> >>> 148: */ >>> 149: static { >>> 150: Integer clientLen = GetIntegerAction.privilegedGetProperty( >> >> I think you could call `privilegedGe

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v6]

2023-10-24 Thread Hai-May Chao
On Fri, 20 Oct 2023 17:19:52 GMT, Xue-Lei Andrew Fan wrote: >> Hai-May Chao has updated the pull request with a new target base due to a >> merge or a rebase. The incremental webrev excludes the unrelated changes >> brought in by the merge/rebase. The pull request conta

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v6]

2023-10-25 Thread Hai-May Chao
On Wed, 18 Oct 2023 00:25:02 GMT, Hai-May Chao wrote: >> Please review the enhancement for JDK-8311596 and its CSR JDK-8313236. Thank >> you. > > Hai-May Chao has updated the pull request with a new target base due to a > merge or a rebase. The incremental webrev excludes

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v7]

2023-10-26 Thread Hai-May Chao
> Please review the enhancement for JDK-8311596 and its CSR JDK-8313236. Thank > you. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Change property names to clearly indicate client side and server side - C

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v8]

2023-10-27 Thread Hai-May Chao
> Please review the enhancement for JDK-8311596 and its CSR JDK-8313236. Thank > you. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Change maxCertificateChainLength to be a local variable - Changes: - all:

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v7]

2023-10-27 Thread Hai-May Chao
On Fri, 27 Oct 2023 19:45:29 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Change property names to clearly indicate client side and server side > > src/java.base/

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v7]

2023-10-30 Thread Hai-May Chao
On Fri, 27 Oct 2023 20:08:25 GMT, Weijun Wang wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Change property names to clearly indicate client side and server side > > src/java.base/

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v7]

2023-10-30 Thread Hai-May Chao
On Fri, 27 Oct 2023 20:22:05 GMT, Weijun Wang wrote: >> This belongs to the `if (inboundClientLen == null || inboundClientLen < 0)` >> side. The else side stays the same. > > Precisely, it's > > if (inboundServerLen == null || inboundServerLen < 0) { > maxInboundClientCertCh

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v9]

2023-10-30 Thread Hai-May Chao
> Please review the enhancement for JDK-8311596 and its CSR JDK-8313236. Thank > you. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Update comments and property process code - Changes: - all:

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v8]

2023-10-30 Thread Hai-May Chao
On Mon, 30 Oct 2023 14:14:25 GMT, Sean Mullan wrote: >> src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java line 178: >> >>> 176: * the jdk.tls.maxCertificateChainLength property will not >>> override >>> 177: * the values. >>> 178: */ >> >> English is

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v10]

2023-10-30 Thread Hai-May Chao
> Please review the enhancement for JDK-8311596 and its CSR JDK-8313236. Thank > you. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Updated to not longer than 80-chars - Changes: - all: https://git.openjdk.o

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v9]

2023-10-31 Thread Hai-May Chao
On Tue, 31 Oct 2023 13:26:47 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Update comments and property process code > > src/java.base/share/classes/sun/security/

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v10]

2023-10-31 Thread Hai-May Chao
On Mon, 30 Oct 2023 22:08:44 GMT, Hai-May Chao wrote: >> Please review the enhancement for JDK-8311596 and its CSR JDK-8313236. Thank >> you. > > Hai-May Chao has updated the pull request incrementally with one additional > commit since the last revision: > > Up

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v11]

2023-10-31 Thread Hai-May Chao
> Please review the enhancement for JDK-8311596 and its CSR JDK-8313236. Thank > you. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: typo fix - Changes: - all: https://git.openjdk.org/jdk/pull/15163/files

Integrated: 8311596: Add separate system properties for TLS server and client for maximum chain length

2023-10-31 Thread Hai-May Chao
On Fri, 4 Aug 2023 17:30:06 GMT, Hai-May Chao wrote: > Please review the enhancement for JDK-8311596 and its CSR JDK-8313236. Thank > you. This pull request has now been integrated. Changeset: 0064cf90 Author: Hai-May Chao URL: https://git.openjdk.org/jdk/

Re: RFR: 8311596: Add separate system properties for TLS server and client for maximum chain length [v8]

2023-11-06 Thread Hai-May Chao
On Wed, 1 Nov 2023 14:13:32 GMT, Sean Mullan wrote: >> When no system property is set, previously max inbound length is 10, now >> it's 8. > > I think the wording of the comment is somewhat confusing because it is trying > to explain the behavior of both properties together and the words "eithe

RFR: 8319670: Improve comments describing system properties for TLS server and client for max chain length

2023-11-08 Thread Hai-May Chao
Please review the comment change in SSLConfiguration class that describes TLS related system properties used to enforce certificate chain length. Thanks. - Commit messages: - Improve comments describing system properties for TLS server and client for max chain length Changes: http

Integrated: 8319670: Improve comments describing system properties for TLS server and client for max chain length

2023-11-09 Thread Hai-May Chao
On Wed, 8 Nov 2023 23:34:22 GMT, Hai-May Chao wrote: > Please review the comment change in SSLConfiguration class that describes TLS > related system properties used to enforce certificate chain length. Thanks. This pull request has now been integrated. Changeset: a95062b3 Author: H

Re: RFR: 8319670: Improve comments describing system properties for TLS server and client for max chain length

2023-11-09 Thread Hai-May Chao
On Thu, 9 Nov 2023 20:09:20 GMT, Sean Mullan wrote: >> Please review the comment change in SSLConfiguration class that describes >> TLS related system properties used to enforce certificate chain length. >> Thanks. > > Marked as reviewed by mullan (Reviewer). @seanjmullan Thanks for the review

Re: RFR: 8202598: [linux] keytool -certreq inconsistent with platform line.separator

2023-12-12 Thread Hai-May Chao
On Mon, 11 Dec 2023 16:14:24 GMT, Weijun Wang wrote: > Always use CRLF in PEM output. Marked as reviewed by hchao (Committer). - PR Review: https://git.openjdk.org/jdk/pull/17060#pullrequestreview-1778545710

Re: RFR: 8325022: Incorrect error message on TLS 1.2 client authentication

2024-01-31 Thread Hai-May Chao
On Wed, 31 Jan 2024 07:42:32 GMT, John Jiang wrote: > If the server doesn't receive the client certificate for required client > authentication, it should raise error `Empty client certificate chain`. Marked as reviewed by hchao (Committer). LGTM - PR Review: https://git.openjdk.

Re: RFR: 8319673: Few security tests ignore VM flags [v2]

2024-02-15 Thread Hai-May Chao
On Thu, 15 Feb 2024 18:28:08 GMT, Matthew Donovan wrote: >> In this PR I updated the tests to use the newer >> ProcessTools.createTestJavaProcessBuilder() methods to launch child >> processes. This method ensures that VM options are passed to subprocesses. > > Matthew Donovan has updated the pu
