Code Review Request: TLS 1.3 full handshake (JDK-8196584)
Xuelei Fan
xuelei.fan at oracle.com
Fri Jun 8 23:52:49 UTC 2018
Update: http://hg.openjdk.java.net/jdk/sandbox/rev/ad4c1c488574
This update cleans up the unused methods in RSASignature.java.
Xuelei
On 6/7/2018 5:25 PM, Xuelei Fan wrote:
> On 6/7/2018 3:27 PM, Valerie Peng wrote:
>> Hi Xuelei,
>>
>> <sun/security/ssl/RSASignature.java> There seems to be an inconsistency
>> in whether you can override the internal md5, sha1 digest objects
>> through the engineSetParameter(String, Object) call.
> I agree. The use of RSASignature is limited in the provider. The
> engineSetParameter() is not used so we don't allow the method in the
> implementation.
>
>> Assuming we no longer need to override the internal digest objects, we
>> can remove getInternalInstance(), setHashes(...).
> I agree.
>
>> Also, not sure how useful RSASignature.getInstance() is as it simply
>> calls JsseJce.getSignature(JsseJce.SIGNATURE_SSLRSA);
>>
> The calls to JsseJce.getSignature() are mainly to use the specific FIPS
> SunJSSE.cryptoProvider. Although FIPS is an old experimental feature,
> we have not removed it from the provider yet. So you may see some unusual
> uses of getInstance() that call into the JsseJce impl.
>
> Thanks,
> Xuelei
>
>> Still looking at more files, just thought that I will get this to you
>> first.
>>
>> Valerie
>>
>>
>> On 2/20/2018 11:57 AM, Xuelei Fan wrote:
>>> Hi,
>>>
>>> I'd like to invite you to review the TLS 1.3 full handshake
>>> implementation. I would appreciate it if I could have feedback before
>>> March 9, 2018.
>>>
>>> In the "JDK-8185576: New handshake implementation" [1] code review
>>> round, I was trying to re-org the TLS handshaking implementation in the
>>> SunJSSE provider. If you had reviewed that part, you can start from
>>> the following webrev that is based on the update of JDK-8185576:
>>> http://cr.openjdk.java.net/~xuelei/8196584/webrev-step.00
>>>
>>> If you would like to start from earlier, here is the webrev that
>>> contains the handshaking implementation re-org in JDK-8185576:
>>> http://cr.openjdk.java.net/~xuelei/8196584/webrev-full.00
>>>
>>>
>>> This changeset only implements the full handshake of TLS 1.3, rather
>>> than a full implementation of the latest TLS 1.3 draft [2].
>>>
>>> In this implementation, I removed:
>>> 1. the KRB5 cipher suite implementation.
>>> Please let me know if you are still using the KRB5 cipher suite. I may
>>> not add them back if there are no objections.
>>>
>>> 2. OCSP stapling.
>>> This feature will be added back later.
>>>
>>> Resumption and key update, and more features may be added later.
>>>
>>> Thanks & Regards,
>>> Xuelei
>>>
>>> [1]:
>>> http://mail.openjdk.java.net/pipermail/security-dev/2017-December/016642.html
>>>
>>> [2]: https://tools.ietf.org/html/draft-ietf-tls-tls13-24
>>