RFR [13] JDK-8217610: TLSv1.3 fail with ClassException when EC keys are stored in PKCS11
Xuelei Fan
xuelei.fan at oracle.com
Thu Mar 28 14:52:59 UTC 2019
ping ...
Xuelei
On 3/22/2019 2:02 PM, Xuelei Fan wrote:
> Hi,
>
> Could I get the following update reviewed?
> http://cr.openjdk.java.net/~xuelei/8217610/webrev.00/
>
> For EC key exchange in TLS connections, the private key should use the
> specified EC groups. The current code is calling
> ECPrivateKey.getParams(). However, the private key may not be an
> instance of ECPrivateKey, for example, for a non-extractable private key
> in the SunPKCS11 provider.
>
> To fix the tricky bug, in this update, if the private key is an instance of
> ECPrivateKey, use it; otherwise, try to check the groups in the public
> key of the X.509 certificate bound to the private key.
>
> No hardware to reproduce the issue, and no new regression test. The
> update is straightforward. Please help to check the patch if you can
> play with a hardware token.
>
> Thanks,
> Xuelei
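
The fallback described in the quoted message, as an added example (not the code from the webrev): take the EC group from the private key when it is an `ECPrivateKey`, otherwise from the public key of the certificate bound to it. `EcParamsFallback`, `OpaqueKey` and `ecParams` are hypothetical names, `OpaqueKey` is a constructed stand-in for a non-extractable token key, and the certificate's public key (what `X509Certificate.getPublicKey()` returns) is passed in directly so the example runs without a token or certificate.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;

public class EcParamsFallback {
    // Constructed stand-in for a non-extractable key: a PrivateKey that is
    // not an ECPrivateKey and exposes no encoding (hypothetical class).
    static final class OpaqueKey implements PrivateKey {
        public String getAlgorithm() { return "EC"; }
        public String getFormat() { return null; }
        public byte[] getEncoded() { return null; }
    }

    // certPublicKey: public key of the certificate bound to the private key.
    static ECParameterSpec ecParams(PrivateKey key, PublicKey certPublicKey) {
        if (key == null || !"EC".equals(key.getAlgorithm())) {
            return null;
        }
        if (key instanceof ECPrivateKey) {
            return ((ECPrivateKey) key).getParams();   // software key path
        }
        if (certPublicKey instanceof ECPublicKey) {
            return ((ECPublicKey) certPublicKey).getParams(); // token key path
        }
        return null; // group unknown: the caller must not guess one
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();

        ECParameterSpec soft = ecParams(kp.getPrivate(), kp.getPublic());
        ECParameterSpec token = ecParams(new OpaqueKey(), kp.getPublic());
        // Both paths should resolve to the same curve and generator.
        System.out.println(soft.getCurve().equals(token.getCurve())
                && soft.getGenerator().equals(token.getGenerator()));
        // No certificate key available: the group cannot be determined.
        System.out.println(ecParams(new OpaqueKey(), null));
    }
}
```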