[11u] RFR: 8171279: Support X25519 and X448 in TLS
Lindenmaier, Goetz
goetz.lindenmaier at sap.com
Thu Oct 1 06:17:45 UTC 2020
Hi,
I am downporting this change for 11.0.10-oracle parity.
It required quite some work.
http://cr.openjdk.java.net/~goetz/wr20/8171279-X25519_in_TLS-jdk11/01/
file src/java.base/share/classes/sun/security/ssl/CipherSuite.java
Non-applying chunk fixes typo in a comment that is not in 11.
I copied the comment to 11.
file src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java
Deleting class DHEKAKeyDerivation failed because the code in 11 uses JsseJce.getKeyAgreement()
where the patch uses KeyAgreement.getInstance().
file src/java.base/share/classes/sun/security/ssl/ECDHClientKeyExchange.java
11 has different imports.
The remaining conflicts arise from different usages of KeyFactory, ECUtil and JsseJce.
file src/java.base/share/classes/sun/security/ssl/ECDHKeyExchange.java
The conflicts arise from different usages of KeyAgreement and JsseJce.
file src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java
Different imports.
The remaining conflicts arise from different usages of KeyFactory, ECUtil and JsseJce.
file src/java.base/share/classes/sun/security/ssl/SSLExtension.java
Copyright
file src/java.base/share/classes/sun/security/ssl/SSLSocketInputRecord.java
Copyright
file src/java.base/share/classes/sun/security/ssl/SignatureScheme.java
imports
file src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
Different imports.
Enums are moved to a file of their own: NamedGroup.java
Removing the enums does not apply because in 13 FIPS support was removed.
Also, a name string was added.
The supported group types differ, too.
In 11, the enums have a row of additional functionality that
I now removed, too. E.g., additional constructors, isSupported(),
isECAvailable.
Some further differences are again usages of ECUtil, JsseJce etc.
The original patch has more NamedGroups: "// Secondary NIST curves"
file test/jdk/javax/net/ssl/templates/SSLSocketTemplate.java
configureClientSocket() already in 11. We downported this with
a previous change.
The NamedGroups enum is moved to a file of its own.
Before this change, the named Groups knew about FIPS in 11. The new ones don't.
https://bugs.openjdk.java.net/browse/JDK-8217835 "Remove the experimental SunJSSE FIPS compliant mode"
removed FIPS support in 13 before this change was implemented.
As I understand 8217835, the experimental FIPS feature cannot be used in
11, it just remained in the code. So I skipped adapting NamedGroups to the
old behaviour, I cannot test it anyway.
What do you think, do we need to add this code to NamedGroup.java again?
There are two follow-ups:
8224650: Add tests to support X25519 and X448 in TLS
8243549: sun/security/ssl/CipherSuite/NamedGroupsWithCipherSuite.java failed with Unsupported signature algorithm: DSA
I have downported these too, and will send RFR once this is stable.
Existing and new tests are all passing.
https://bugs.openjdk.java.net/browse/JDK-8171279
http://hg.openjdk.java.net/jdk/jdk/rev/946f7f2d321c
Best regards,
Goetz.