RFR [13] JDK-8217610: TLSv1.3 fail with ClassException when EC keys are stored in PKCS11
Xuelei Fan
xuelei.fan at oracle.com
Wed Apr 3 03:45:02 UTC 2019
Good catch! I missed the update for SignatureScheme.
Here is the new webrev:
http://cr.openjdk.java.net/~xuelei/8217610/webrev.01/
Thanks,
Xuelei
On 4/2/2019 12:35 PM, Valerie Peng wrote:
>
> Hmm, I didn't see the SignatureScheme.java in the webrev? The stacktrace
> in the bug record shows the casting being inside SignatureScheme class.
> Did I miss something?
>
> Valerie
>
> On 3/28/2019 7:52 AM, Xuelei Fan wrote:
>> ping ...
>>
>> Xuelei
>>
>> On 3/22/2019 2:02 PM, Xuelei Fan wrote:
>>> Hi,
>>>
>>> Could I get the following update reviewed?
>>> http://cr.openjdk.java.net/~xuelei/8217610/webrev.00/
>>>
>>> For EC key exchange in TLS connections, the private key should use
>>> the specified EC groups. The current code is calling
>>> ECPrivateKey.getParams(). However, the private key may be not an
>>> instance of ECPrivateKey, for example for non-extractable private key
>>> in the SunPKCS11 provider.
>>>
>>> To fix the tricky bug, in this update, if private key is an instance
>>> of ECPrivateKey, use it; otherwise, try to check the groups in the
>>> public key of the X.509 certificate bound to the private key.
>>>
>>> No hardware to reproduce the issue, and no new regression test. The
>>> update is straightforward. Please help to check the patch if you can
>>> play with a hardware token.
>>>
>>> Thanks,
>>> Xuelei
More information about the security-dev
mailing list