RFR [13] JDK-8217610: TLSv1.3 fail with ClassException when EC keys are stored in PKCS11
Xuelei Fan
xuelei.fan at oracle.com
Fri Mar 22 21:02:53 UTC 2019
Hi,
Could I get the following update reviewed?
http://cr.openjdk.java.net/~xuelei/8217610/webrev.00/
For EC key exchange in TLS connections, the private key should use the
specified EC groups. The current code is calling
ECPrivateKey.getParams(). However, the private key may be not an
instance of ECPrivateKey, for example for non-extractable private key in
the SunPKCS11 provider.
To fix the tricky bug, in this update, if private key is an instance of
ECPrivateKey, use it; otherwise, try to check the groups in the public
key of the X.509 certificate bound to the private key.
No hardware to reproduce the issue, and no new regression test. The
update is straightforward. Please help to check the patch if you can
play with a hardware token.
Thanks,
Xuelei
More information about the security-dev
mailing list