RFR JDK-8029661: JDK-Support TLS v1.2 algorithm in SunPKCS11 provider

Valerie Peng valerie.peng at oracle.com
Thu Feb 1 00:13:29 UTC 2018


Hi Martin,

Thanks for providing us with the patch. Recently, JDK workspace has been 
restructured a bit, do you have an updated webrev?

Your changes mostly look fine, but I think we should allow 3rd party 
providers to have similar support. For this, we need to have more public 
APIs such as those classes under sun.security.internal.spec package and 
possibly more. What do you think?

Thanks,
Valerie

On 11/10/2017 6:38 AM, Martin Balao wrote:
> Hi,
>
> I would like to propose a patch for JDK-8029661: JDK-Support TLS v1.2 
> algorithm in SunPKCS11 provider [1].
>
>  * 
> http://cr.openjdk.java.net/~akasko/mbalao/jdk_8029661_tls_12_sunpkcs11/2017_11_09/8029661.webrev.01/ 
> <http://cr.openjdk.java.net/%7Eakasko/mbalao/jdk_8029661_tls_12_sunpkcs11/2017_11_09/8029661.webrev.01/> 
> (browse online)
>  * 
> http://cr.openjdk.java.net/~akasko/mbalao/jdk_8029661_tls_12_sunpkcs11/2017_11_09/8029661.webrev.01.zip 
> <http://cr.openjdk.java.net/%7Eakasko/mbalao/jdk_8029661_tls_12_sunpkcs11/2017_11_09/8029661.webrev.01.zip> 
> (download)
>
> The following algorithms have been implemented in SunPKCS11 provider 
> (based on PKCS#11 v2.40 mechanisms):
>
>  * SunTls12RsaPremasterSecret
>  * SunTls12MasterSecret
>  * SunTls12KeyMaterial
>  * SunTls12Prf
>
> A minor API change is proposed to expose TLS ProtocolVersion constants 
> (SSL30, TLS10, TLS11, etc.) from java.base to jdk.crypto.cryptoki 
> module. This allows to remove hardcoded TLS int constants in SunPKCS11 
> classes (required when implementing "Tls"-like algorithms).
>
> A test case is included with the following:
>
>  * TLS 1.2 communication using SunPKCS11 + NSS (in FIPS mode)
>  * Algorithms test against SunJCE
>
> Regards,
> Martin.-
>
> --
> [1] - https://bugs.openjdk.java.net/browse/JDK-8029661



More information about the security-dev mailing list