Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

8274471: Add support for RSASSA-PSS in OCSP Response #1891

wants to merge 9 commits into from


Copy link

@apavlyutkin apavlyutkin commented May 23, 2023


Here is backport of JDK-8274471 adding support of RSASSA-PSS signature to OCSP Response. Original patch applied with the following changes


  • import of and packages didn't removed cuz they are still in use;
  • added import of java.nio.charset.StandardCharsets.UTF_8 promoting UTF_8 constant;
  • the changes to revocation checking were skipped


  • added import package;
  • the following required methods ported
    public static Signature fromKey(String sigAlg, PrivateKey key, String provider);
    public static Signature fromKey(String sigAlg, PrivateKey key, Provider provider);
    private static Signature autoInitInternal(String alg, PrivateKey key, Signature s);
    public static AlgorithmId fromSignature(Signature sigEngine, PrivateKey key);
  • EdEC related code dropped
  • SignatureUtil.autoInitInternal() method updated to use AlgorithmId.getDefaultAlgorithmParameterSpec() instead of almost identical SignatureUtil.getDefaultParamSpec()


  • public byte[] getEncodedParams() does not throw anymore


  • added import of package

Verification/regression (amd64/LTS 20.04): jdk_security including updated tests


  • Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue


  • JDK-8274471: Add support for RSASSA-PSS in OCSP Response



Using git

Checkout this PR locally:
$ git fetch pull/1891/head:pull/1891
$ git checkout pull/1891

Update a local copy of the PR:
$ git checkout pull/1891
$ git pull pull/1891/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 1891

View PR using the GUI difftool:
$ git pr show -t 1891

Using diff file

Download this PR as a diff file:


Link to Webrev Comment

Copy link

bridgekeeper bot commented May 23, 2023

👋 Welcome back apavlyutkin! A progress list of the required criteria for merging this PR into pr/847 will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk openjdk bot changed the title Backport f63c4a832a1aea451f47aaf86d5361e970c6a28f 8274471: Add support for RSASSA-PSS in OCSP Response May 23, 2023
Copy link

openjdk bot commented May 23, 2023

This backport pull request has now been updated with issue from the original commit.

@openjdk openjdk bot added backport rfr Pull request is ready for review labels May 23, 2023
Copy link

mlbridge bot commented May 23, 2023


Copy link

@phohensee phohensee left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not an expert in this area, but the backport looks good, including the addition of a big chunk of code in from JDK-8242068, which latter is huge and would anyway require a spec change.

Copy link
Contributor Author

apavlyutkin commented May 28, 2023

Actually I'm not sure about EdDSA related delta, it's does not seem necessary for RSASSA-PSS support, and moreover original patch does not have these changes


but for some reason Git transfers them on cherry-pick. I could eliminate unnecesssary code, but I'm not sure if it's better to make more manual changes

Copy link

If it works without the EdDSA code, then don't include the latter.

@openjdk-notifier openjdk-notifier bot changed the base branch from pr/847 to master May 31, 2023 09:17
Copy link

The parent pull request that this pull request depends on has been closed without being integrated and the target branch of this pull request has been updated as the previous branch was deleted. This means that changes from the parent pull request will start to show up in this pull request. If closing the parent pull request was done in error, it will need to be re-opened and this pull request will need to manually be retargeted again.

Copy link

openjdk bot commented May 31, 2023

@apavlyutkin This change now passes all automated pre-integration checks.

After integration, the commit message for the final commit will be:

8274471: Add support for RSASSA-PSS in OCSP Response

Reviewed-by: phh

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 18 new commits pushed to the master branch:

  • b2faa35: 8309108: Bump update version for OpenJDK: jdk-11.0.21
  • 1000b1c: 8308884: [17u/11u] Backout JDK-8297951
  • 3613ae4: 8287876: The recently de-problemlisted TestTitledBorderLeak test is unstable
  • 398753e: 8269746: C2: assert(!in->is_CFG()) failed: CFG Node with no controlling input?
  • 9eded68: 8246383: NullPointerException in JceSecurity.getVerificationResult when using Entrust provider
  • 1cbdcc9: 8300079: SIGSEGV in LibraryCallKit::inline_string_copy due to constant NULL src argument
  • b3d6981: 8299259: C2: Div/Mod nodes without zero check could be split through iv phi of loop resulting in SIGFPE
  • 8a0b64b: 8307134: Add GTS root CAs
  • 5401f12: 8287007: [cgroups] Consistently use stringStream throughout parsing code
  • 5c4e744: 8301119: Support for GB18030-2022
  • ... and 8 more:

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@phohensee) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

Copy link

openjdk bot commented May 31, 2023

⚠️ @apavlyutkin This pull request contains merges that bring in commits not present in the target repository. Since this is not a "merge style" pull request, these changes will be squashed when this pull request in integrated. If this is your intention, then please ignore this message. If you want to preserve the commit structure, you must change the title of this pull request to Merge <project>:<branch> where <project> is the name of another project in the OpenJDK organization (for example Merge jdk:master).

@openjdk openjdk bot added the ready Pull request is ready to be integrated label May 31, 2023
Copy link
Contributor Author

#1918 raised to replace this one

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
backport ready Pull request is ready to be integrated rfr Pull request is ready for review
2 participants