8297878: KEM: Implementation

[wangweij]

This is the KEM API backport to Java SE 17 MR 1.

The src files are identical to those in the current jdk repo except for the change made to KEM.java at openjdk/jdk@59c2aff#diff-7bee547996d0de5692181a509bdf509276c7eb9351722580fd6aee7975745e67.

Update: There are javadoc changes to all the src files in following commits.

The RSA_KEM code is modified because DerOutputStream lacks several methods in JDK 17.

Proc is updated like in JDK 21 to support for some internal interop testing. The test files for Proc are also backported.

This change does not contain the DHKEM implementation in the original JDK 21 change.

This change also covers JDK-8322971 which fixed a follow-on P3 bug of the initial KEM work.

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• JDK-8322971 needs maintainer approval
• Commit message must refer to an issue
• JDK-8297878 needs maintainer approval
• Change requires CSR request JDK-8330545 to be approved

Issues

• JDK-8297878: KEM: Implementation (Enhancement - P3 - Approved) ⚠️ Issue is already resolved. Consider making this a "backport pull request" by setting the PR title to Backport <hash> with the hash of the original commit. See Backports.
• JDK-8322971: KEM.getInstance() should check if a 3rd-party security provider is signed (Bug - P3 - Approved) ⚠️ Issue is already resolved. Consider making this a "backport pull request" by setting the PR title to Backport <hash> with the hash of the original commit. See Backports.
• JDK-8330545: KEM: Implementation (CSR)

Reviewers

• Sean Mullan (@seanjmullan - Reviewer)
• Iris Clark (@irisclark - Reviewer)
• Andrew John Hughes (@gnu-andrew - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk17u-ri.git pull/1/head:pull/1
$ git checkout pull/1

Update a local copy of the PR:
$ git checkout pull/1
$ git pull https://git.openjdk.org/jdk17u-ri.git pull/1/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 1

View PR using the GUI difftool:
$ git pr show -t 1

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk17u-ri/pull/1.diff

Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back weijun! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@wangweij This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8297878: KEM: Implementation
8322971: KEM.getInstance() should check if a 3rd-party security provider is signed

Reviewed-by: mullan, iris, andrew

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 1 new commit pushed to the master branch:

• af9a602: 8331151: Update .jcheck/conf and version-numbers for 17.0.0.1

Please see this link for an up-to-date comparison between the source branch of this pull request and the master branch.
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[mlbridge]

Webrevs

• 03: Full - Incremental (cb76d539)
• 02: Full - Incremental (9640046c)
• 01: Full - Incremental (cd4aac2b)
• 00: Full (4f9f7dc9)

[wangweij]

/issue add JDK-8322971

[openjdk]

@wangweij
Adding additional issue to issue list: 8322971: KEM.getInstance() should check if a 3rd-party security provider is signed.

[irisclark]

The Spec changes appear to be identical to those in JDK 21, with the exception of the expected @since 17 and @apiNote which are used to identify these as additions via MR.

Associated CSR (JDK-8330545) also Reviewed.

[gnu-andrew]

It would be easier to review if JDK-8322971 and JDK-8305846: "Support compilation in Proc test utility" were backported separately. Also, 8322971 seems to be missing from 21u as well.

The changes look correct as far as I can tell. I'm not sure why different copyright years are being used from the original patch, particularly for Provider.java where this is the only difference from 8297878.

The other differences (21->17, removal of the implementation, SSL & ECC changes) make sense. I presume the test differences with getKemImpl are due to the implementation removal making KEM.getInstance unusable?

So Skara correctly recognises this as a backport, the title should be "Backport 6b90b0519e89429300838fa598b2ea9ffda984a2"

[GoeLin]

Hi @wangweij, you might want to enable the GHA tests?

[wangweij]

@gnu-andrew I backported the 3 issues in a single PR because JDK-8305846 was originally created to support the RSA-KEM interop test. I understand the change for it looks a little strange without any usage of it here. I hope grouping them together will make further backport - if exists - simpler.

For the year of Provider.java, I just updated it to now.

Yes, getKemImpl exists because after JDK-8322971 one cannot load a KEM impl from an unsigned security provider in Oracle JDK. This is a little different from OpenJDK.

[wangweij]

@GoeLin Maybe you can ask the maintainer of this repo to decide whether GHA tests can be enabled. Some security-related tests would fail because hardcoded certificates have expired.

[wangweij]

/integrate

[openjdk]

Going to push as commit e9d2641.
Since your change was applied there has been 1 commit pushed to the master branch:

• af9a602: 8331151: Update .jcheck/conf and version-numbers for 17.0.0.1

Your commit was automatically rebased without conflicts.

[openjdk]

@wangweij Pushed as commit e9d2641.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

[gnu-andrew]

8322971

@gnu-andrew I backported the 3 issues in a single PR because JDK-8305846 was originally created to support the RSA-KEM interop test. I understand the change for it looks a little strange without any usage of it here. I hope grouping them together will make further backport - if exists - simpler.

We usually try and avoid it for more complex patches. It makes it easier for the person backporting, but harder for reviewers who have to pick it apart again.

For the year of Provider.java, I just updated it to now.

Ok, we usually avoid this as it creates differences from the original commit which may then break further backports.

Yes, getKemImpl exists because after JDK-8322971 one cannot load a KEM impl from an unsigned security provider in Oracle JDK. This is a little different from OpenJDK.

Ah, ok, so it's necessary after 8322971.