RFR JDK-8029661: JDK-Support TLS v1.2 algorithm in SunPKCS11 provider
Valerie Peng
valerie.peng at oracle.com
Fri Feb 16 00:53:59 UTC 2018
I am ok with the idea of putting the public API refactoring under a
separate RFE.
Let me apply your updated patch below and run existing regressions again.
Thanks,
Valerie
On 2/5/2018 5:51 AM, Martin Balao wrote:
> Hi Valerie,
>
> Thanks for your review.
>
> Here it's the new webrev updated to the new repository structure. I've
> also updated the testcase to use the new @module jtreg feature:
>
> *
> http://cr.openjdk.java.net/~akasko/mbalao/jdk_8029661_tls_12_sunpkcs11/2018_02_02/8029661.webrev.02
> <http://cr.openjdk.java.net/%7Eakasko/mbalao/jdk_8029661_tls_12_sunpkcs11/2018_02_02/8029661.webrev.02>
> (online)
> *
> http://cr.openjdk.java.net/~akasko/mbalao/jdk_8029661_tls_12_sunpkcs11/2018_02_02/8029661.webrev.02.zip
> <http://cr.openjdk.java.net/%7Eakasko/mbalao/jdk_8029661_tls_12_sunpkcs11/2018_02_02/8029661.webrev.02.zip>
> (download)
>
> A few comments in regards to creating public APIs from
> sun.security.internal.spec classes.
>
> Classes in jdk/src/java.base/share/classes/sun/security/internal/spec:
> * TlsKeyMaterialParameterSpec.java
> * TlsMasterSecretParameterSpec.java
> * TlsRsaPremasterSecretParameterSpec.java
> * TlsKeyMaterialSpec.java
> * TlsPrfParameterSpec.java
>
> Classes in jdk/src/java.base/share/classes/java/security/spec (which I
> assume would be the destination):
> * AlgorithmParameterSpec.java
> * ECGenParameterSpec.java
> * InvalidParameterSpecException.java
> * RSAOtherPrimeInfo.java
> * DSAGenParameterSpec.java
> * ECParameterSpec.java
> * KeySpec.java
> * ...
>
> TlsRsaPremasterSecretParameterSpec class contains information about
> min and max SSL/TLS version and, optionally, the pre-master encoded
> key. This information may be useful to any 3rd party class that
> implements a KeyGenerator to generate RSA pre-master secrets.
>
> TlsMasterSecretParameterSpec class contains information (client/server
> random, pre-master secret, hash algorithm, etc.) to generate a master
> secret from a pre-master secret.
>
> TlsKeyMaterialParameterSpec class contains information (client/server
> random, master secret, hash algorithm, etc.) to generate keys for a
> session from a master secret.
>
> TlsPrfParameterSpec class contains information (secret key, label,
> hash algorithm, etc.) to generate handshake authentication codes.
>
> TlsKeyMaterialSpec class contains information about session keys. This
> class inherits from SecretKey class.
>
> So, I agree with you: these parameters/specs may be used by a 3rd
> party and would be better to have them as public interfaces.
>
> However, I suggest to address that in a new ticket because:
> * it is not strictly inherent to SunPKCS11 + TLS 1.2 support we are
> providing in the context of this ticket;
> * it would be more clear both in tickets documentation and repository
> changeset;
> * this refactoring is going to go through CSR, which SunPKCS11 + TLS
> 1.2 support does not need; and,
> * we should also evaluate how TLS 1.3 changes going to impact into this.
>
> Would splitting this into a new ticket work for you?
>
> Kind regards,
> Martin.-
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20180215/aa0f67c2/attachment.htm>
More information about the security-dev
mailing list