[11u] RFR: 8171279: Support X25519 and X448 in TLS

Martin Balao mbalao at redhat.com
Tue Nov 24 18:20:38 UTC 2020


Hi Goetz,

I'm not entirely sure how the FIPS support was not broken in 11u after
8171279. What I see previous to the backport is that the crypto provider
for the key exchange scheme was obtained through the
JsseJce::getKeyAgreement method [1]. This method takes into account the
presence of a FIPS-initialized SunJSSE engine [2]. After the backport, I
see that the implementation of any security provider could be used [3].
This means that the FIPS promise (that is: the SunJSSE engine will
obtain all the crypto primitives from the security provider used for its
initialization) is broken. Let me know if I'm overlooking something.

Note: Severin let me know that we are close to ramp-down (this week).

Thanks,
Martin.-

--
[1] -
http://hg.openjdk.java.net/jdk-updates/jdk11u-dev/file/780bcf674789/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java#l502
[2] -
http://hg.openjdk.java.net/jdk-updates/jdk11u-dev/file/ce4f7a2e4da5/src/java.base/share/classes/sun/security/ssl/JsseJce.java#l243
[3] -
http://hg.openjdk.java.net/jdk-updates/jdk11u-dev/file/ce4f7a2e4da5/src/java.base/share/classes/sun/security/ssl/KAKeyDerivation.java#l102



On 11/23/20 6:16 AM, Lindenmaier, Goetz wrote:
> Hi Martin, 
> 
> I implemented the FIPS stuff that I first had left out
> and pushed the change along with it.
> Anyways, I would not have removed all of the FIPS support, 
> only the code that had to be ported for the change.
> But the code is untested.
> 
> If you know how, you might want to test it.
> 
> Best regards,
>   Goetz.
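The distinction Martin raises is between an unpinned JCA lookup (`KeyAgreement.getInstance(alg)`, which hands the request to whichever installed provider answers first) and a lookup pinned to the provider SunJSSE was initialised with (the pattern `JsseJce.getKeyAgreement` follows). The following example, written for this page and not taken from the JDK sources or from either author, shows both lookup forms, an audit check that confirms which provider actually served a `KeyAgreement`, and a complete X25519 agreement run through the pinned provider. It assumes a JDK 11 or later with the standard `SunEC` provider; a FIPS deployment would substitute its own `Provider` object for the `required` placeholder.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.KeyAgreement;

/**
 * Added example (not JDK code): contrasts an unpinned KeyAgreement lookup with
 * one pinned to a specific provider, and audits which provider served it.
 */
public class KeyAgreementProviderCheck {

    /** Unpinned lookup: the JCA walks Security.getProviders() in order and
     *  returns the first provider that implements the algorithm, whatever
     *  provider the TLS engine was configured with. */
    static KeyAgreement unpinned(String algorithm) throws NoSuchAlgorithmException {
        return KeyAgreement.getInstance(algorithm);
    }

    /** Pinned lookup: only 'provider' may serve the request; if it does not
     *  implement the algorithm the call fails instead of silently falling
     *  back to another provider. */
    static KeyAgreement pinned(String algorithm, Provider provider)
            throws NoSuchAlgorithmException {
        return KeyAgreement.getInstance(algorithm, provider);
    }

    /** Audit helper: true only if the instance came from the expected provider. */
    static boolean servedBy(KeyAgreement ka, Provider expected) {
        return ka.getProvider().getName().equals(expected.getName());
    }

    /** Runs a full two-party agreement through the given provider and returns
     *  the shared-secret length (32 bytes for X25519) as a sanity value. */
    static int agree(String algorithm, Provider provider) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(algorithm, provider);
        KeyPair a = kpg.generateKeyPair();
        KeyPair b = kpg.generateKeyPair();

        KeyAgreement kaA = pinned(algorithm, provider);
        kaA.init(a.getPrivate());
        kaA.doPhase(b.getPublic(), true);

        KeyAgreement kaB = pinned(algorithm, provider);
        kaB.init(b.getPrivate());
        kaB.doPhase(a.getPublic(), true);

        byte[] secretA = kaA.generateSecret();
        byte[] secretB = kaB.generateSecret();
        if (!Arrays.equals(secretA, secretB)) {
            throw new IllegalStateException("shared secrets differ");
        }
        return secretA.length;
    }

    public static void main(String[] args) throws Exception {
        String alg = "X25519";
        // Constructed scenario: the provider we require is the one that ships
        // X25519 in JDK 11 (SunEC). A FIPS deployment would substitute its own
        // Provider object here (placeholder; no specific product is implied).
        Provider required = Security.getProvider("SunEC");
        if (required == null) {
            throw new IllegalStateException("SunEC provider not installed");
        }

        KeyAgreement ka = unpinned(alg);
        System.out.println("unpinned lookup served by: " + ka.getProvider().getName());
        System.out.println("matches required provider:  " + servedBy(ka, required));
        System.out.println("pinned agreement secret length: " + agree(alg, required));

        // Every provider able to answer an unpinned request; with more than one
        // entry, provider ordering alone decides which one TLS would use.
        Provider[] candidates = Security.getProviders("KeyAgreement." + alg);
        if (candidates != null) {
            for (Provider p : candidates) {
                System.out.println("candidate provider: " + p.getName());
            }
        }
    }
}
```

Run it with `java KeyAgreementProviderCheck.java` on JDK 11 or later. The `servedBy` check is the kind of assertion a test for the FIPS path would make: after the SunJSSE engine is initialised with a given provider, every `KeyAgreement` it creates for the key exchange should report that provider from `getProvider()`, and a mismatch is the symptom Martin describes.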


