Code Review Request: TLS 1.3 full handshake (JDK-8196584)

Xuelei Fan xuelei.fan at oracle.com
Fri Jun 8 00:25:01 UTC 2018


On 6/7/2018 3:27 PM, Valerie Peng wrote:
> Hi Xuelei,
> 
> <sun/security/ssl/RSASignature.java> There seems to be inconsistency in 
> whether you can override the internal md5, sha1 digest objects through 
> the engineSetParameter(String, Object) call.
I agree.  The use of RSASignature is limited in the provider.  The 
engineSetParameter() is not used so we don't allow the method in the 
implementation.

> Assuming we no longer need 
> to override the internal digest objects, we can remove 
> getInternalInstance(), setHashes(...).
I agree.

> Also, not sure how useful is 
> RSASignature.getInstance() as it simply calls 
> JsseJce.getSignature(JsseJce.SIGNATURE_SSLRSA);
> 
The calls to JsseJce.getSignature() are mainly to use the specific FIPS 
SunJSSE.cryptoProvider.  Although FIPS is an old experimental feature, 
we haven't removed it from the provider yet.  So you may see some unusual 
uses of getInstance() that call into the JsseJce impl.

Thanks,
Xuelei

> Still looking at more files, just thought that I will get this to you 
> first.
> 
> Valerie
> 
> 
> On 2/20/2018 11:57 AM, Xuelei Fan wrote:
>> Hi,
>>
>> I'd like to invite you to review the TLS 1.3 full handshake 
>> implementation.  I appreciate it if I could have feedback before March 
>> 9, 2018.
>>
>> In the "JDK-8185576: New handshake implementation" [1] code review 
>> round, I was trying to re-org the TLS handshaking implementation in the
>> SunJSSE provider.  If you had reviewed that part, you can start from 
>> the following webrev that is based on the update of JDK-8185576:
>>     http://cr.openjdk.java.net/~xuelei/8196584/webrev-step.00
>>
>> If you would like to start from earlier, here is the webrev that contains 
>> the handshaking implementation re-org in JDK-8185576:
>>     http://cr.openjdk.java.net/~xuelei/8196584/webrev-full.00
>>
>>
>> This changeset only implements the full handshake of TLS 1.3, rather 
>> than a full implementation of the latest TLS 1.3 draft [2].
>>
>> In this implementation, I removed:
>> 1. the KRB5 cipher suite implementation.
>> Please let me know if you are still using the KRB5 cipher suite.  I may 
>> not add them back if there are no objections.
>>
>> 2. OCSP stapling.
>> This feature will be added back later.
>>
>> Resumption and key update, and more features may be added later.
>>
>> Thanks & Regards,
>> Xuelei
>>
>> [1]: http://mail.openjdk.java.net/pipermail/security-dev/2017-December/016642.html
>>
>> [2]: https://tools.ietf.org/html/draft-ietf-tls-tls13-24
> 


