[11u] RFR: 8171279: Support X25519 and X448 in TLS
Andrew Haley
aph at redhat.com
Thu Nov 26 10:18:14 UTC 2020
On 11/24/20 6:20 PM, Martin Balao wrote:
> I'm not entirely sure how the FIPS support was not broken in 11u after
> 8171279. What I see previous to the backport is that the crypto provider
> for the key exchange scheme was obtained through the
> JsseJce::getKeyAgreement method [1]. This method takes into account the
> presence of a FIPS-initialized SunJSSE engine [2]. After the backport, I
> see that the implementation of any security provider could be used [3].
> This means that the FIPS promise (that is: the SunJSSE engine will
> obtain all the crypto primitives from the security provider used for its
> initialization) is broken. Let me know if I'm overlooking something.
Have you got a test case for this?
--
Andrew Haley (he/him)
Java Platform Lead Engineer
Red Hat UK Ltd. <https://www.redhat.com>
https://keybase.io/andrewhaley
EAC8 43EB D3EF DB98 CC77 2FAD A5CD 6035 332F A671