RFR [13] JDK-8217610: TLSv1.3 fail with ClassException when EC keys are stored in PKCS11
Valerie Peng
valerie.peng at oracle.com
Wed Apr 3 19:58:00 UTC 2019
Changes look fine~
Thanks,
Valerie
On 4/2/2019 8:45 PM, Xuelei Fan wrote:
> Good catch! I missed the update for SignatureScheme.
>
> Here is the new webrev:
> http://cr.openjdk.java.net/~xuelei/8217610/webrev.01/
>
> Thanks,
> Xuelei
>
> On 4/2/2019 12:35 PM, Valerie Peng wrote:
>>
>> Hmm, I didn't see the SignatureScheme.java in the webrev? The
>> stacktrace in the bug record shows the casting being inside
>> SignatureScheme class. Did I miss something?
>>
>> Valerie
>>
>> On 3/28/2019 7:52 AM, Xuelei Fan wrote:
>>> ping ...
>>>
>>> Xuelei
>>>
>>> On 3/22/2019 2:02 PM, Xuelei Fan wrote:
>>>> Hi,
>>>>
>>>> Could I get the following update reviewed?
>>>> http://cr.openjdk.java.net/~xuelei/8217610/webrev.00/
>>>>
>>>> For EC key exchange in TLS connections, the private key should use
>>>> the specified EC groups. The current code is calling
>>>> ECPrivateKey.getParams(). However, the private key may be not an
>>>> instance of ECPrivateKey, for example for non-extractable private
>>>> key in the SunPKCS11 provider.
>>>>
>>>> To fix the tricky bug, in this update, if private key is an
>>>> instance of ECPrivateKey, use it; otherwise, try to check the
>>>> groups in the public key of the X.509 certificate bound to the
>>>> private key.
>>>>
>>>> No hardware to reproduce the issue, and no new regression test. The
>>>> update is straightforward. Please help to check the patch if you
>>>> can play with a hardware token.
>>>>
>>>> Thanks,
>>>> Xuelei
More information about the security-dev
mailing list