8245527: LDAP Channel Binding support for Java GSS/Kerberos #278
Conversation
👋 Welcome back abakhtin! A progress list of the required criteria for merging this PR into
@alexeybakhtin The following labels will be automatically applied to this pull request: When this pull request is ready to be reviewed, an RFR email will be sent to the corresponding mailing lists. If you would like to change these labels, use the
Webrevs
Thanks for the PR Alexey! Let me run a last round of testing, and if that comes back clean I'll approve. Please don't integrate until you get a reviewer from security-libs too. Best regards,
@@ -972,4 +990,46 @@ public void run() { | |||
} | |||
return buf; | |||
} | |||
|
|||
private CompletableFuture<X509Certificate> tlsHandshakeCompleted = |
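Review bot: `tlsHandshakeCompleted` is declared without `final` at `private CompletableFuture<X509Certificate> tlsHandshakeCompleted =`; since this future is the hand-off between the HandshakeCompletedListener thread and the SASL bind, make it `private final` so the reference cannot be reassigned and the only mutable state is the future's completion. A short comment stating what it completes with (the server's end-entity certificate, which is what tls-server-end-point hashes) and how a failed handshake is surfaced to the caller would also help, because a binding derived from the wrong certificate fails the bind with no obvious cause.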
Should be final?
Thank you. Agree. It should be final.
/** | ||
* Channel binding on the basis of TLS Finished message | ||
*/ | ||
TLS_UNIQUE("tls-unique"), |
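Review bot: `TLS_UNIQUE("tls-unique")` is an enum value nothing else in the stack implements, yet its Javadoc reads like a supported option; the doc comment should state that it is unsupported so callers of this internal enum do not pass it expecting a binding to be applied. Note also that tls-unique as defined in RFC 5929 is built on the TLS Finished message and is not defined for TLS 1.3 (RFC 8446), so a future implementation would need a different binding type rather than simply filling this one in.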
Is that still used? If not maybe it should be removed?
No, it is not used.
However, I'd like to leave it as is (it is mentioned in the documentation as an unsupported value).
Otherwise, the TlsChannelBindingType enum will have one element only and should be simplified/removed in all places. In this case, it would be double work to add the TlsChannelBindingType enum back in the future if "tls-unique" is required.
If required, I can remove the TLS_UNIQUE item, but not remove the TlsChannelBindingType enum.
I was suggesting to keep TlsChannelBindingType but remove TLS_UNIQUE; However, I'm OK to keep things as is: this is an internal API. I wonder if it would deserve a comment:
/**
* Channel binding on the basis of TLS Finished message
*/
// TLS_UNIQUE is defined by RFC 5929 but is not supported by the current LDAP stack.
TLS_UNIQUE("tls-unique"),
Thank you. Added suggested comment.
I'm mostly OK with the SASL/JGSS part, except for the small nits in this comment. I'm not an expert on HandshakeCompletedListener.
@@ -150,6 +151,14 @@ | |||
} | |||
secCtx.requestMutualAuth(mutual); | |||
|
|||
if (props != null) { | |||
// TLS Channel Binding | |||
byte[] tlsCB = (byte[])props.get("jdk.internal.sasl.tlschannelbinding"); |
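Review bot: the unchecked cast at `byte[] tlsCB = (byte[])props.get("jdk.internal.sasl.tlschannelbinding");` throws a bare ClassCastException if a caller stores a non-byte[] value under that key; an `instanceof byte[]` check that raises a SaslException with a clear message fails more usefully. The key is a string literal whose defining constant lives in another class in another module, so a comment naming that class is needed for anyone who renames it later.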
You can say the name is defined in another class in another module. If we really want to rename it one day we will know where it's from.
Thank you. Comment is added
CHANNEL_BINDING_AF_UNSPEC:CHANNEL_BINDING_AF_NULL_ADDR); | ||
int acceptorAddressType = getAddrType(acceptorAddress, | ||
(channelBinding instanceof TlsChannelBindingImpl)? | ||
CHANNEL_BINDING_AF_UNSPEC:CHANNEL_BINDING_AF_NULL_ADDR); |
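Review bot: the address-type selection `(channelBinding instanceof TlsChannelBindingImpl)? CHANNEL_BINDING_AF_UNSPEC:CHANNEL_BINDING_AF_NULL_ADDR` decides what bytes go into the channel-binding checksum (RFC 4121 section 4.1.1.2), so any mismatch with what the LDAP server computes fails every bind; add a comment explaining why TLS bindings use AF_UNSPEC while other bindings keep AF_NULL_ADDR. The same expression is evaluated for both the initiator and the acceptor address type, so hoist it into one local rather than duplicating it. Style: put spaces around `?` and `:`.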
Normally we put a white space around "?" and ":".
Thank you. Fixed.
|
||
/** | ||
* Parse value of "com.sun.jndi.ldap.tls.cbtype" property | ||
* @param cbType |
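Review bot: the Javadoc for parsing the `com.sun.jndi.ldap.tls.cbtype` property has a `@param cbType` but no `@return`; document what is returned when the property is unset (presumably null, meaning no channel binding) as opposed to when the value is not a recognised type. The latter should raise rather than silently fall back to an unbound connection, since a misspelled value that quietly disables binding is exactly the downgrade channel binding exists to prevent.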
Please add a @return here, esp. about null.
Added @return with comments
|
||
public TlsChannelBindingType getType() { | ||
return cbType; | ||
} |
Add a new line here.
Fixed
@alexeybakhtin This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for more details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 79 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@wangweij, @dfuch, @AlekseiEfimov) but any other Committer may sponsor as well. ➡️ To flag this PR as ready for integration with the above commit message, type
Hi Alexey, the latest changes look good to me.
/csr
@dfuch the issue for this pull request, JDK-8245527, already has an approved CSR request: JDK-8247311
/reviewer credit mullan |
@alexeybakhtin Reviewer
/sponsor
@yan-too @alexeybakhtin Since your change was applied there have been 79 commits pushed to the
Your commit was automatically rebased without conflicts. Pushed as commit cfa3f74. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.
@alexeybakhtin: It is official for TLS 1.3 Binding!
Details:
Can you look to add it? Thanks in advance.
Hi,
Please review the JDK-8245527 fix, which implements LDAP Channel Binding support for Java GSS/Kerberos.
Initial review is available at core-devs: https://mail.openjdk.java.net/pipermail/core-libs-dev/2020-August/068197.html
This version removes the "tls-unique" CB type from the list of possible channel binding types. The only supported type is "tls-server-end-point".
CSR is also updated : https://bugs.openjdk.java.net/browse/JDK-8247311
Thank you
Alexey
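To make concrete what the description above means by "tls-server-end-point" being the only supported type, here is an added Java example, written for this page rather than taken from the PR or the JDK, showing how that binding value is derived from the server's leaf certificate per RFC 5929 section 4.1 and how a JNDI client opts in through the new com.sun.jndi.ldap.tls.cbtype property. The class and method names, the SHA-256 fallback for signature algorithms that name no single hash, and the "tls-server-end-point:" prefix framing of the GSS application data are assumptions of the example, not something the PR states.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import java.util.Locale;
import javax.naming.Context;

/** Added illustration of tls-server-end-point (RFC 5929 4.1); not JDK source. */
public final class TlsServerEndPointExample {

    /**
     * RFC 5929 4.1: hash with the function named in the server certificate's
     * signatureAlgorithm, except that MD5 and SHA-1 are replaced by SHA-256.
     * Hashing the exact leaf certificate is what ties the SASL bind to the
     * TLS endpoint the client actually authenticated.
     */
    static String hashAlgorithmFor(X509Certificate cert) {
        // JCA names look like "SHA256withRSA", "SHA-384withECDSA", "RSASSA-PSS".
        String sig = cert.getSigAlgName().toUpperCase(Locale.ROOT).replace("-", "");
        int with = sig.indexOf("WITH");
        String hash = with > 0 ? sig.substring(0, with) : "";
        switch (hash) {
            case "MD5":
            case "SHA1":
            case "SHA256":
                return "SHA-256";
            case "SHA224":
                return "SHA-224";
            case "SHA384":
                return "SHA-384";
            case "SHA512":
                return "SHA-512";
            default:
                // RSASSA-PSS and EdDSA carry no single hash in the algorithm name
                // and RFC 5929 leaves them undefined; SHA-256 here is an assumption
                // of this example, not an RFC requirement.
                return "SHA-256";
        }
    }

    /** The binding value: digest of the DER-encoded end-entity certificate. */
    static byte[] serverEndPointHash(X509Certificate cert)
            throws CertificateEncodingException, NoSuchAlgorithmException {
        return MessageDigest.getInstance(hashAlgorithmFor(cert)).digest(cert.getEncoded());
    }

    /**
     * GSS-API channel-binding application_data. The "type:" prefix framing is
     * assumed here (it is what Active Directory expects); the JDK's own
     * TlsChannelBindingImpl, not shown, builds the bytes handed to JGSS.
     */
    static byte[] gssApplicationData(X509Certificate cert)
            throws CertificateEncodingException, NoSuchAlgorithmException {
        byte[] prefix = "tls-server-end-point:".getBytes(StandardCharsets.US_ASCII);
        byte[] hash = serverEndPointHash(cert);
        byte[] data = new byte[prefix.length + hash.length];
        System.arraycopy(prefix, 0, data, 0, prefix.length);
        System.arraycopy(hash, 0, data, prefix.length, hash.length);
        return data;
    }

    /**
     * How a client opts in with the property this PR adds. The binding can only
     * be computed after a TLS handshake, so it applies to ldaps:// or StartTLS
     * connections authenticating with GSSAPI.
     */
    static Hashtable<String, Object> ldapEnvWithChannelBinding(String ldapsUrl) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put("com.sun.jndi.ldap.tls.cbtype", "tls-server-end-point");
        return env;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    /** Usage: java TlsServerEndPointExample server-leaf-cert.pem (PEM or DER). */
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java TlsServerEndPointExample <server-leaf-cert>");
            return;
        }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("sigAlg=" + cert.getSigAlgName() + " -> " + hashAlgorithmFor(cert));
        System.out.println("tls-server-end-point = " + hex(serverEndPointHash(cert)));
        System.out.println("application_data bytes = " + gssApplicationData(cert).length);
    }
}
```

The hash must be taken over the certificate the server actually presented in the handshake (the first element of the session's peer chain, which is what the PR's HandshakeCompletedListener captures), not over a CA certificate or a copy on disk; any other input produces a value the server will not match and the bind fails. Run the class against the LDAP server's leaf certificate to see which hash RFC 5929 selects for its signature algorithm and the resulting binding bytes.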
Download
$ git fetch https://git.openjdk.java.net/jdk pull/278/head:pull/278
$ git checkout pull/278