RFR JDK-8029661: JDK-Support TLS v1.2 algorithm in SunPKCS11 provider
Valerie Peng
valerie.peng at oracle.com
Thu Feb 1 00:13:29 UTC 2018
Hi Martin,
Thanks for providing us with the patch. Recently, JDK workspace has been
restructured a bit, do you have an updated webrev?
Your changes mostly look fine, but I think we should allow 3rd party
providers to have similar support. For this, we need to have more public
APIs such as those classes under sun.security.internal.spec package and
possibly more. What do you think?
Thanks,
Valerie
On 11/10/2017 6:38 AM, Martin Balao wrote:
> Hi,
>
> I would like to propose a patch for JDK-8029661: JDK-Support TLS v1.2
> algorithm in SunPKCS11 provider [1].
>
> *
> http://cr.openjdk.java.net/~akasko/mbalao/jdk_8029661_tls_12_sunpkcs11/2017_11_09/8029661.webrev.01/
> <http://cr.openjdk.java.net/%7Eakasko/mbalao/jdk_8029661_tls_12_sunpkcs11/2017_11_09/8029661.webrev.01/>
> (browse online)
> *
> http://cr.openjdk.java.net/~akasko/mbalao/jdk_8029661_tls_12_sunpkcs11/2017_11_09/8029661.webrev.01.zip
> <http://cr.openjdk.java.net/%7Eakasko/mbalao/jdk_8029661_tls_12_sunpkcs11/2017_11_09/8029661.webrev.01.zip>
> (download)
>
> The following algorithms have been implemented in SunPKCS11 provider
> (based on PKCS#11 v2.40 mechanisms):
>
> * SunTls12RsaPremasterSecret
> * SunTls12MasterSecret
> * SunTls12KeyMaterial
> * SunTls12Prf
>
> A minor API change is proposed to expose TLS ProtocolVersion constants
> (SSL30, TLS10, TLS11, etc.) from java.base to jdk.crypto.cryptoki
> module. This allows to remove hardcoded TLS int constants in SunPKCS11
> classes (required when implementing "Tls"-like algorithms).
>
> A test case is included with the following:
>
> * TLS 1.2 communication using SunPKCS11 + NSS (in FIPS mode)
> * Algorithms test against SunJCE
>
> Regards,
> Martin.-
>
> --
> [1] - https://bugs.openjdk.java.net/browse/JDK-8029661
More information about the security-dev
mailing list