[10] RFR: 8182388: Backout 8182143

Bernd ecki at zusammenkunft.net
Fri Jun 16 23:46:24 UTC 2017


I think the new bug description is backward, as you cannot expect to
implement all algorithms in all providers or use a key class fron one
provider in antoher (especially not if they use mechanisms in external APIs
like PKCS11 or MSCAPI with HSM).

"Crypto keys should be compatible between security providers"
https://bugs.openjdk.java.net/browse/JDK-8182386

So the limiting of ciphers should be based on the actual provider used (or
key selected) and not based on the subset of all providers present.

Maybe something like "JSSE should adjust available ciphers based on
effective provider". Its just a question how the current api can support
that (this is also somewhat related to the point of key usage flags which
also may restrict some ciphers which is only known until the actual Key
instance can be examined).

2017-06-16 23:17 GMT+02:00 Artem Smotrakov <artem.smotrakov at oracle.com>:

> This patch backs out 8182143 because of possible issues on Windows even if
> we don't have a test to reproduce it.
>
> Checking if SunMSCAPI provider is enabled looks like a hack. I filed
> https://bugs.openjdk.java.net/browse/JDK-8182386
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-8182388
> Webrev: http://cr.openjdk.java.net/~asmotrak/8182388/webrev.00/
>
> Artem
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20170617/fb4cd665/attachment.htm>


More information about the security-dev mailing list