[8u] Request for enhancement backport approval for CR JDK-8029661 - Support TLS v1.2 algorithm in SunPKCS11 provider

Martin Balao mbalao at redhat.com
Tue Oct 30 20:41:33 UTC 2018


Hi Valerie,

I've fixed a copyright issue in a few headers:

 * http://cr.openjdk.java.net/~mbalao/webrevs/8029661/8029661.webrev.11.jdk8u/
 * http://cr.openjdk.java.net/~mbalao/webrevs/8029661/8029661.webrev.11.jdk8u.zip

This has been tested on Linux x86_64 platform against sun/security/pkcs11
test suite. I've not noticed any regression.

Thanks,
Martin.-

On Mon, Oct 29, 2018 at 8:53 PM, Valerie Peng <valerie.peng at oracle.com>
wrote:

> Hi Martin,
>
> The 8u changes look fine.
>
> Just double checking, what are the platforms and regression tests which
> you use for validating the 8u backport?
> Thanks,
> Valerie
>
>
> On 10/23/2018 5:18 AM, Martin Balao wrote:
>
> Hi Valerie,
>
> This backport was trivial, only a few changes required:
>
>  * Paths
>  * JDK-8210912 fix included [1]
>  * Minor adjustments when checking TLS version
> in P11TlsKeyMaterialGenerator, P11TlsMasterSecretGenerator and
> P11TlsRsaPremasterSecretGenerator
>
> Thanks,
> Martin.-
>
> --
> [1] - https://bugs.openjdk.java.net/browse/JDK-8210912
>
> On Mon, Oct 22, 2018 at 7:17 PM, Valerie Peng <valerie.peng at oracle.com>
> wrote:
>
>> Martin,
>>
>> Sean asked me to help review this backport. Are the changes for 8u
>> identical to those for JDK 12 (minus the path differences)? Are there any
>> 8u-specific modifications?
>>
>> Thanks,
>>
>> Valerie
>>
>>
>>
>> On 10/15/2018 8:15 AM, Martin Balao wrote:
>>
>>> Hi Sean,
>>>
>>> Any updates on this?
>>>
>>> Kind regards,
>>> Martin.-
>>>
>>> On Tue, Sep 25, 2018 at 6:56 PM, Seán Coffey <sean.coffey at oracle.com>
>>> wrote:
>>>
>>>> Thanks for logging this request Martin. Looking into this and hope to
>>>> reply shortly.
>>>>
>>>> regards,
>>>> Sean.
>>>>
>>>>
>>>>
>>>> On 25/09/2018 10:07, Martin Balao wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I'd like to request an enhancement backport approval for JDK-8029661 [1].
>>>>>
>>>>> Supporting TLS v1.2 algorithms in SunPKCS11 crypto provider would be highly
>>>>> beneficial for operating in a FIPS-140 environment. This is highly critical
>>>>> for both security and compliance reasons to many OpenJDK users; including
>>>>> corporations, public sector and other organizations. TLS 1.2 is currently
>>>>> the most widespread TLS version.
>>>>>
>>>>> Changes done as part of this enhancement are constrained to SunPKCS11
>>>>> crypto provider and do not affect SSL/TLS code. Risk involved is low mainly
>>>>> because of the following reasons: 1) this enhancement is an extension on
>>>>> top of currently supported mechanisms (no major refactorings were applied);
>>>>> and, 2) backport is straightforward because affected code has not suffered
>>>>> major changes since JDK 8 release.
>>>>>
>>>>> JDK-8029661 has been reviewed by Valerie Peng on security-dev list [2] and
>>>>> has been merged to JDK [3] base line. Regression testing on
>>>>> sun/security/pkcs11 category experienced no regressions because of this
>>>>> enhancement on both JDK base line and JDK 8.
>>>>>
>>>>> JDK 8 backport webrev:
>>>>>
>>>>>    * http://cr.openjdk.java.net/~mbalao/webrevs/8029661/8029661.webrev.10.jdk8u/
>>>>>    * http://cr.openjdk.java.net/~mbalao/webrevs/8029661/8029661.webrev.10.jdk8u.zip
>>>>>
>>>>> Please note that this backport includes JDK-8210912 fix [4].
>>>>>
>>>>> Thanks,
>>>>> Martin.-
>>>>>
>>>>> --
>>>>> [1] - https://bugs.openjdk.java.net/browse/JDK-8029661
>>>>> [2] - http://mail.openjdk.java.net/pipermail/security-dev/2018-September/018278.html
>>>>> [3] - http://hg.openjdk.java.net/jdk/jdk/rev/bccd9966f1ed
>>>>> [4] - https://bugs.openjdk.java.net/browse/JDK-8210912
>>>>>
>>>>>
>>>>
>>
>
>

