RFR [13] JDK-8217610: TLSv1.3 fail with ClassException when EC keys are stored in PKCS11

Xuelei Fan xuelei.fan at oracle.com
Wed Apr 3 03:45:02 UTC 2019


Good catch!  I missed the update for SignatureScheme.

Here is the new webrev:
    http://cr.openjdk.java.net/~xuelei/8217610/webrev.01/

Thanks,
Xuelei

On 4/2/2019 12:35 PM, Valerie Peng wrote:
> 
> Hmm, I didn't see the SignatureScheme.java in the webrev? The stacktrace 
> in the bug record shows the casting being inside SignatureScheme class. 
> Did I miss something?
> 
> Valerie
> 
> On 3/28/2019 7:52 AM, Xuelei Fan wrote:
>> ping ...
>>
>> Xuelei
>>
>> On 3/22/2019 2:02 PM, Xuelei Fan wrote:
>>> Hi,
>>>
>>> Could I get the following update reviewed?
>>>     http://cr.openjdk.java.net/~xuelei/8217610/webrev.00/
>>>
>>> For EC key exchange in TLS connections, the private key should use 
>>> the specified EC groups.  The current code is calling 
>>> ECPrivateKey.getParams().  However, the private key may be not an 
>>> instance of ECPrivateKey, for example for non-extractable private key 
>>> in the SunPKCS11 provider.
>>>
>>> To fix the tricky bug, in this update, if private key is an instance 
>>> of ECPrivateKey, use it; otherwise, try to check the groups in the 
>>> public key of the X.509 certificate bound to the private key.
>>>
>>> No hardware to reproduce the issue, and no new regression test. The 
>>> update is straightforward.  Please help to check the patch if you can 
>>> play with a hardware token.
>>>
>>> Thanks,
>>> Xuelei



More information about the security-dev mailing list