[8u] RFR 8080462: Update SunPKCS11 provider with PKCS11 v2.40 support

Martin Balao mbalao at redhat.com
Fri Feb 28 19:45:11 UTC 2020 

Hi Andrew,

Thanks for your feedback.

Webrev.01:
http://cr.openjdk.java.net/~mbalao/webrevs/8080462/8080462.8u.jdk.webrev.01/

On 11/28/19 2:16 AM, Andrew John Hughes wrote:
> 
> * The home of legal notices in 8u is the THIRD_PARTY_README file in each
> repository, so the changes should go there, not simply be dropped. This
> one actually seems to be missing at present (it suddenly appears with
> JDK-8169925), so even more reason to add it above the section for the
> PKCS#11 wrapper.

License for PKCS #11 Cryptographic Token
Interface v2.20 was never included in THIRD_PARTY_README but we can
include license for v2.40 directly, taking parts of JDK-8169925 [1] and
JDK-8238898 [2]. I've updated the commit message to reference these bugs.

> * The original patch removes pkcs-11v2-20a3.h while the 8u backport doesn't.

Good catch. Fixed.

> * The change to TRAILER_FIELD_BC is correct, as altering
> PSSParameterSpec would alter the Java 8 API. However, it may be worth
> waiting for JDK-8146293, which has now been proposed for backport via
> JDK-8230978, which will also initiate a spec change via the reference
> implementation, jdk8u41.

Change reverted to use PSSParameterSpec.TRAILER_FIELD_BC now that
8230978 (8146293) has been integrated.

> * I'm seeing a lot of noise when comparing the 8u and 11u patches for
> CK_RSA_PKCS_PSS_PARAMS.java, PKCS11Constants.java, p11_convert.c,
> p11_digest.c, p11_sign.c & pkcs11t.h, though the changes look the same.
> Have you checked that the patched files in 8u compare to those in 8u as
> expected?

I don't know why so much noise given that changes for
PKCS11Constants.java, p11_convert.c, p11_digest.c, p11_sign.c and
pkcs11t.h applied cleanly. It's not the first time I see noise in p11_*
files though (I've seen the same in other backports).

> * Please don't alter the SigInteropPSS.java test without comments
> explaining why. As JDK-8146293 is imminent, I'd say just leave this as
> it is and it will be automatically resolved.

Now that JDK-8146293 has been backported, reverted the "Signature
sigSunRsaSign = Signature.getInstance("RSASSA-PSS", "SunRsaSign");"
change to use the original from the 11u backport.

> * Why is the args argument dropped from the tests? Is this another
> missing fix?
> 

The reason is that 8144539 is not in 8u. I did not consider it a
dependency as it's not directly related to the upgrade to PKCS#11 v2.40.

Testing:
 * No regressions found in sun/security/pkcs11.

Thanks,
Martin.-

--
[1] - https://bugs.openjdk.java.net/browse/JDK-8169925
[2] - https://bugs.openjdk.java.net/browse/JDK-8238898
[3] - https://hg.openjdk.java.net/jdk8u/jdk8u-dev/jdk/rev/ece6722932ca
[4] - https://bugs.openjdk.java.net/browse/JDK-8144539

More information about the jdk8u-dev mailing list