RFR [13] JDK-8217610: TLSv1.3 fail with ClassException when EC keys are stored in PKCS11
Valerie Peng
valerie.peng at oracle.com
Tue Apr 2 19:35:24 UTC 2019
Hmm, I didn't see the SignatureScheme.java in the webrev? The stacktrace
in the bug record shows the casting being inside SignatureScheme class.
Did I miss something?
Valerie
On 3/28/2019 7:52 AM, Xuelei Fan wrote:
> ping ...
>
> Xuelei
>
> On 3/22/2019 2:02 PM, Xuelei Fan wrote:
>> Hi,
>>
>> Could I get the following update reviewed?
>> http://cr.openjdk.java.net/~xuelei/8217610/webrev.00/
>>
>> For EC key exchange in TLS connections, the private key should use
>> the specified EC groups. The current code is calling
>> ECPrivateKey.getParams(). However, the private key may not be an
>> instance of ECPrivateKey, for example, a non-extractable private key
>> in the SunPKCS11 provider.
>>
>> To fix the tricky bug, in this update, if the private key is an instance
>> of ECPrivateKey, use it; otherwise, try to check the groups in the
>> public key of the X.509 certificate bound to the private key.
>>
>> No hardware to reproduce the issue, and no new regression test. The
>> update is straightforward. Please help to check the patch if you can
>> play with a hardware token.
>>
>> Thanks,
>> Xuelei