RFR 8207031 : CKM_SSL3_PRE_MASTER_KEY_GEN used without need in P11RSACipher.class

Ivan Gerasimov ivan.gerasimov at oracle.com
Thu Jul 12 19:20:27 UTC 2018


It was reported to me that a 3rd-party PKCS11 provider stopped working 
correctly since integrating the fix for JDK-8134605.

This is because a secret key is now generated via 
CKM_SSL3_PRE_MASTER_KEY_GEN even if it is going to be discarded 
(presumably, this is to avoid a time-attack).

Would you please help review a proposed fix: if the provider fails 
because it does not support CKM_SSL3_PRE_MASTER_KEY_GEN, and we do not 
need the newly generated key, then ignore the failure?

BUGURL: https://bugs.openjdk.java.net/browse/JDK-8207031
WEBREV: http://cr.openjdk.java.net/~igerasim/8207031/00/webrev/

Thanks in advance!

With kind regards,
Ivan Gerasimov
