8274471: Add support for RSASSA-PSS in OCSP Response

[apavlyutkin]

This one is submitted in place of openjdk/jdk17u#248 that was too late to jdk17u

I'd like to backport JDK-8274471 to jdk17u-dev

The patch fixes internal error upon verification of OCSP Response signed with RSASSA-PSS

The original patch applied with minor changes to src/java.base/share/classes/sun/security/provider/certpath/OCSP.java

• resolved baseline conflict: the original patch was done on top of JDK-8272120: Avoid looking for standard encodings in "java." modules and cannot be applied cleanly although it deletes the changes done against JDK-8272120 (see lines 249-241)
• imported few required packages

Verified (20.04 LTS/amd64) with attached Test8274471.java.zip. Regression: jdk_security

---

Progress

• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change must be properly reviewed

Issue

• JDK-8274471: Add support for RSASSA-PSS in OCSP Response

Reviewers

• Martin Doerr (@TheRealMDoerr - Reviewer)
• Goetz Lindenmaier (@GoeLin - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk17u-dev pull/36/head:pull/36
$ git checkout pull/36

Update a local copy of the PR:
$ git checkout pull/36
$ git pull https://git.openjdk.java.net/jdk17u-dev pull/36/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 36

View PR using the GUI difftool:
$ git pr show -t 36

Using diff file

Download this PR as a diff file:
https://git.openjdk.java.net/jdk17u-dev/pull/36.diff

[bridgekeeper]

👋 Welcome back apavlyutkin! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

This backport pull request has now been updated with issue from the original commit.

[mlbridge]

Webrevs

• 01: Full - Incremental (e22864b7)
• 00: Full (ea686fe7)

[bridgekeeper]

@apavlyutkin This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

[apavlyutkin]

Guys, could somebody review that?

[apavlyutkin]

@TheRealMDoerr, could you checked this one. This is just a copy of openjdk/jdk17u#248 that was reviewed by you but missed 17.0.2

[TheRealMDoerr]

Still good. Thanks for the new PR.

[openjdk]

@apavlyutkin This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8274471: Add support for RSASSA-PSS in OCSP Response

Reviewed-by: mdoerr, goetz

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 205 new commits pushed to the master branch:

• 6ce19ed: 8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on AIX
• c2a62d7: 8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition
• 9e9c150: 8276841: Add support for Visual Studio 2022
• 90d83a2: 8272866: java.util.random package summary contains incorrect mixing function in table
• fc57ee6: 8272996: JNDI DNS provider fails to resolve SRV entries when IPV6 stack is enabled
• df5a29c: 8278185: Custom JRE cannot find non-ASCII named module inside
• 6650652: 8281460: Let ObjectMonitor have its own NMT category
• 56f0c53: 8278163: --with-cacerts-src variable resolved after GenerateCacerts recipe setup
• 0c6e662: 8277383: VM.metaspace optionally show chunk freelist details
• 9bb8b7f: 8271721: Split gc/g1/TestMixedGCLiveThreshold into separate tests
• ... and 195 more: https://git.openjdk.java.net/jdk17u-dev/compare/81cd594074dd588189eb8619ad6ac91c8e022212...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@TheRealMDoerr, @GoeLin) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

[apavlyutkin]

/integrate

[openjdk]

@apavlyutkin
Your change (at version ea686fe) is now ready to be sponsored by a Committer.

[GoeLin]

Hi Alexey,
you may not integrate as long as you don't have jdk17u-fix-yes label on the JBS issue. Please see https://wiki.openjdk.java.net/display/JDKUpdates/How+to+contribute+a+fix for how to contribute backports and changes.

/reviewers 2

[openjdk]

@GoeLin
The number of required reviews for this PR is now set to 2 (with at least 1 of role reviewers).

[alexeybakhtin]

Minor comments of the OCSP changes:
The original patch removes unused imports. These unused imports were caused by JDK-8232066: “Remove outdated code/methods from PKIX implementation”
JDK-8232066 does not affect the functionality of this enhancement and can be skipped

So, looks good to me (not a reviewer)

[gnu-andrew]

Part of JDK-8272120 is still being dragged in with the use of UTF_8 in OSCP.java. We can retain that as "UTF-8" and avoid adding the import that is not present in the original patch.

[apavlyutkin]

Part of JDK-8272120 is still being dragged in with the use of UTF_8 in OSCP.java. We can retain that as "UTF-8" and avoid adding the import that is not present in the original patch.

Ok, fixed. BTW how about jdk11u-dev? As I understand being just an enhancement JDK-8272120 does not have a chance to be backported to jdk11, but using "UTF-8" is still an overhead.

[TheRealMDoerr]

Thanks for the update! Good. I think it makes sense to accept it in 11u, too, after it is carefully reviewed and tested.

[apavlyutkin]

Thanks for the update! Good. I think it makes sense to accept it in 11u, too, after it is carefully reviewed and tested.

Thank you. I've already completed backports to 11 (very dirty) & 8 (just a bit unclean). They are postponed

@GoeLin how can I get "ready" label back? Thank you

[GoeLin]

Formal requirements are all met now.
LGTM

[GoeLin]

Please enable github actions, also in the other repos where you might backport to.

[apavlyutkin]

/integrate

[openjdk]

@apavlyutkin
Your change (at version e22864b) is now ready to be sponsored by a Committer.

[GoeLin]

/sponsor

[openjdk]

Going to push as commit 8e13d2f.
Since your change was applied there have been 205 commits pushed to the master branch:

• 6ce19ed: 8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on AIX
• c2a62d7: 8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition
• 9e9c150: 8276841: Add support for Visual Studio 2022
• 90d83a2: 8272866: java.util.random package summary contains incorrect mixing function in table
• fc57ee6: 8272996: JNDI DNS provider fails to resolve SRV entries when IPV6 stack is enabled
• df5a29c: 8278185: Custom JRE cannot find non-ASCII named module inside
• 6650652: 8281460: Let ObjectMonitor have its own NMT category
• 56f0c53: 8278163: --with-cacerts-src variable resolved after GenerateCacerts recipe setup
• 0c6e662: 8277383: VM.metaspace optionally show chunk freelist details
• 9bb8b7f: 8271721: Split gc/g1/TestMixedGCLiveThreshold into separate tests
• ... and 195 more: https://git.openjdk.java.net/jdk17u-dev/compare/81cd594074dd588189eb8619ad6ac91c8e022212...master

Your commit was automatically rebased without conflicts.

[openjdk]

@GoeLin @apavlyutkin Pushed as commit 8e13d2f.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.