[11u] RFR 8257545: SunJSSE FIPS regression in key exchange after JDK-8171279 11u backport

Martin Balao mbalao at redhat.com
Tue Dec 1 22:06:47 UTC 2020


Hi,

As discussed in [1], this is a fix for the JDK-8257545 regression
affecting 11u [2].

I'd like to have a review of Webrev.00:

 * http://cr.openjdk.java.net/~mbalao/webrevs/8257545/8257545.webrev.00/

The fix is about picking the crypto provider used to initialize SunJSSE
(if any) while performing the key exchange phase of the TLS handshake.

Please note that SunPKCS11 does not register AlgorithmParameters for the
DiffieHellman algorithm. Other crypto providers may do that as well. So
it's not always possible to identify a Named Group based on the
parameter values. Even though I see no downside of making SunPKCS11
register AlgorithmParameters for DiffieHellman with the DHParameters
class, I prefer to stay on a more conservative side at this time and
also cover non-SunPKCS11 cases. As a result, we skip the Named Group
identification in NamedGroup.java if the value returned by
ng.functions.getParameters is null. Note: this is what 11.0.9 and previous
releases are doing, as checked by debugging old releases. This is unlikely to affect JDK
releases after 13u because AlgorithmParameters may be obtained from any
crypto provider, and not only the one used to initialize SunJSSE (if one).

I'm currently running regression testing. I'll let you know if I find
something wrong.

Thanks,
Martin.-

--
[1] - http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2020-November/004164.html
[2] - https://bugs.openjdk.java.net/browse/JDK-8257545
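As an added illustration (not part of Martin's webrev or of OpenJDK), a Java check that lists which installed providers register AlgorithmParameters for DiffieHellman and applies the same rule the fix describes: ask only the provider of interest, and treat a missing service as "cannot identify the Named Group" rather than falling back to another provider. The DhParamsProviderCheck class and the small toy group values are constructed for this example.

```java
import java.math.BigInteger;
import java.security.AlgorithmParameters;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.spec.InvalidParameterSpecException;
import javax.crypto.spec.DHParameterSpec;

public class DhParamsProviderCheck {

    // Ask only the given provider for DiffieHellman AlgorithmParameters.
    // Returns null when the provider (e.g. SunPKCS11) does not register that
    // service, mirroring the post: a null result means the caller must skip
    // Named Group identification instead of guessing or using another provider.
    static AlgorithmParameters dhParametersOrNull(Provider provider,
                                                  DHParameterSpec spec) {
        try {
            AlgorithmParameters params =
                AlgorithmParameters.getInstance("DiffieHellman", provider);
            params.init(spec);
            return params;
        } catch (NoSuchAlgorithmException | InvalidParameterSpecException e) {
            return null;
        }
    }

    // Whether a provider advertises AlgorithmParameters for DiffieHellman at all.
    static boolean registersDhParameters(Provider provider) {
        return provider.getService("AlgorithmParameters", "DiffieHellman") != null;
    }

    public static void main(String[] args) {
        // Toy group, constructed for the example only; not a TLS named group.
        DHParameterSpec toy = new DHParameterSpec(
            new BigInteger("23"), new BigInteger("5"));

        for (Provider p : Security.getProviders()) {
            AlgorithmParameters params = dhParametersOrNull(p, toy);
            System.out.printf("%-20s registers DH params: %-5b -> %s%n",
                p.getName(), registersDhParameters(p),
                params == null ? "null (skip Named Group lookup)"
                               : "ok (" + params.getAlgorithm() + ")");
        }
    }
}
```

A SunPKCS11 provider only appears in the output if it is configured in java.security or added at runtime, so run this with the same configuration the affected FIPS deployment uses.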
