8274471: Add support for RSASSA-PSS in OCSP Response #788

Closed
apavlyutkin
Contributor

@apavlyutkin apavlyutkin commented Jan 22, 2022

I'd like to backport

8274471: Add support for RSASSA-PSS in OCSP Response
8179503: Java should support GET OCSP calls (dependency)

to jdk11u-dev.

The patches fix an internal error upon verification of an OCSP Response signed with RSASSA-PSS.

The following changes were made to the original patches:

8179503:

src/java.base/share/classes/sun/security/provider/certpath/OCSP.java

  • resolved baseline conflict that took place due to absent revocation checking code

test/jdk/java/security/cert/CertPathValidator/OCSP/GetAndPostTests.java

  • unsupported ObjectIdentifier.of() substituted with new ObjectIdentifier

8274471:

src/java.base/share/classes/sun/security/provider/certpath/OCSP.java

  • changes to absent revocation checking code ignored

src/java.base/share/classes/sun/security/util/SignatureUtil.java

  • the following non-existing methods transferred from jdk17:
    public static Signature fromKey(String sigAlg, PrivateKey key, String provider);
    public static Signature fromKey(String sigAlg, PrivateKey key, Provider provider);
    private static Signature autoInitInternal(String alg, PrivateKey key, Signature s);
    public static AlgorithmId fromSignature(Signature sigEngine, PrivateKey key);
  • EdEcKey (unsupported in jdk11) hook removed from fromSignature() method
  • copied SignatureUtil.autoInitInternal() method updated to use AlgorithmId.getDefaultAlgorithmParameterSpec() instead of SignatureUtil.getDefaultParamSpec()
  • imported AlgorithmId class

test/jdk/java/security/testlibrary/SimpleOCSPServer.java

  • imported SignatureUtil class

Verified (20.04 LTS/amd64) with attached Test8274471.java.zip. Regression: jdk_security


Progress

  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • Change must be properly reviewed

Issue

  • JDK-8274471: Add support for RSASSA-PSS in OCSP Response

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk11u-dev pull/788/head:pull/788
$ git checkout pull/788

Update a local copy of the PR:
$ git checkout pull/788
$ git pull https://git.openjdk.java.net/jdk11u-dev pull/788/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 788

View PR using the GUI difftool:
$ git pr show -t 788

Using diff file

Download this PR as a diff file:
https://git.openjdk.java.net/jdk11u-dev/pull/788.diff

@bridgekeeper

bridgekeeper bot commented Jan 22, 2022

👋 Welcome back apavlyutkin! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk openjdk bot changed the title from "Backport f63c4a832a1aea451f47aaf86d5361e970c6a28f" to "8274471: Add support for RSASSA-PSS in OCSP Response" Jan 22, 2022
@openjdk

openjdk bot commented Jan 22, 2022

This backport pull request has now been updated with issue from the original commit.

@openjdk openjdk bot added the backport and rfr (Pull request is ready for review) labels Jan 22, 2022
@mlbridge

mlbridge bot commented Jan 22, 2022

Webrevs

@bridgekeeper

bridgekeeper bot commented Feb 19, 2022

@apavlyutkin This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

@apavlyutkin
Contributor Author

apavlyutkin commented Mar 1, 2022

@TheRealMDoerr @alexeybakhtin Gentlemen, if you find time for this one, you will greatly oblige me. Thank you

@TheRealMDoerr
Contributor

TheRealMDoerr commented Mar 1, 2022

Would it be possible to backport both changes individually (i.e. JDK-8179503 first and JDK-8274471 as dependent PR)?
That would make it easier to review and keep the integration history clean.

@apavlyutkin
Contributor Author

apavlyutkin commented Mar 2, 2022

This one is to be split into two separate ones

@apavlyutkin apavlyutkin closed this Mar 2, 2022