RFR JDK-8029661: JDK-Support TLS v1.2 algorithm in SunPKCS11 provider
Valerie Peng
valerie.peng at oracle.com
Wed Aug 22 00:37:17 UTC 2018
Hi Martin,
I still observe the TestTLS12 regression test failure with your
webrev.07. Judging from the test failure log, it seems that the test
fails when run on a machine whose NSS library does not support the TLS
v1.2 mechanisms. Generally, the test should check and skip if the
to-be-tested algorithms aren't supported.
There are some lines in TestTLS12.java which exceeds the 80-chars
length. Can you please fix them?
That's it.
Thanks,
Valerie
On 8/14/2018 7:43 AM, Martin Balao wrote:
> Hi Valerie,
>
> Here it is Webrev.07:
>
> *
> http://cr.openjdk.java.net/~mbalao/webrevs/8029661/8029661.webrev.07/
> <http://cr.openjdk.java.net/%7Embalao/webrevs/8029661/8029661.webrev.07/>
> *
> http://cr.openjdk.java.net/~mbalao/webrevs/8029661/8029661.webrev.07.zip
> <http://cr.openjdk.java.net/%7Embalao/webrevs/8029661/8029661.webrev.07.zip>
>
> * p11_convert.c:
>
> * L530 and 834: masterKeyDeriveParamToCKMasterKeyDeriveParam and
> keyMatParamToCKKeyMatParam functions used to accept "null" value for
> class parameter -and, in fact, immediately return in such case-.
> Null-checking was in these functions to avoid checking on each call
> site (i.e.: jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParam and
> jTls12MasterKeyDeriveParamToCKTls12MasterKeyDeriveParam call sites for
> masterKeyDeriveParamToCKMasterKeyDeriveParam). But I reverted this
> change now, so we check on call sites. I couldn't find any not-checked
> FindClass call.
>
> * L1262: well spotted! Fixed.
>
> * Author tags removed
>
> * Updated copyright on every modified file
>
> * TestTLS12.java improvements:
> * initSecmod is now called when starting the test
> * Better integration with existing NSSDB + FIPS infrastructure
> * RSA+SHA256 certificate (that expires in 2042) was added to FIPS
> keystore and NSSDB.
>
> * Putback comment on webrev
>
> * jdk/sun/security/pkcs11 test suite pass-rate experienced no regression
>
> Thanks,
> Martin.-
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20180821/71e3ca24/attachment.htm>
More information about the security-dev
mailing list