RFR 8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher

Martin Balao mbalao at redhat.com
Tue Aug 4 21:03:40 UTC 2020


Hi,

I'd like to propose a fix for 8251117 [1], on behalf of Zdenek Zambersky
(Red Hat employee - OCA signed).

Webrev.00:

 * http://cr.openjdk.java.net/~mbalao/webrevs/8251117/8251117.webrev.00/

As noted in the ticket [1], the fix is about using P11Key::length method
for retrieving P11Key sizes when initializing P11Cipher and
P11AEADCipher instances. By doing that, we avoid NullPointerExceptions
that happen when the P11Key is CKA_SENSITIVE and cannot be extracted in
plain (this is the case for NSS software token keys configured in FIPS
mode).

I found no regressions in sun/security/pkcs11 tests. I've also done
manual testing in my NSS-FIPS environment.

Thanks,
Martin.-

--
[1] - https://bugs.openjdk.java.net/browse/JDK-8251117
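
The failure mode described in the message, as an added example that is not part of the original post and is not the JDK's code: a simplified model in which TokenKey, lengthInBits() and SensitiveAesKey are hypothetical stand-ins for a PKCS#11 key whose value cannot be read, sized first from its encoding and then from its own length metadata.

```java
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class SensitiveKeySizeDemo {
    // Hypothetical stand-in for a token-resident key: the length is available
    // as metadata, but the key value itself cannot be read out.
    interface TokenKey extends SecretKey {
        int lengthInBits();
    }

    // Constructed sample: a 256-bit AES key treated as sensitive, so
    // getEncoded() and getFormat() return null (the Key interface permits this).
    static final class SensitiveAesKey implements TokenKey {
        public String getAlgorithm() { return "AES"; }
        public String getFormat() { return null; }
        public byte[] getEncoded() { return null; }
        public int lengthInBits() { return 256; }
    }

    // Failing pattern: assumes the raw key bytes are always available.
    static int keySizeFromEncoding(SecretKey key) {
        return key.getEncoded().length; // NullPointerException for sensitive keys
    }

    // Pattern the message describes: ask the key object for its length.
    // The fallback for other key types is an assumption of this example.
    static int keySizeInBytes(SecretKey key) {
        if (key instanceof TokenKey) {
            return ((TokenKey) key).lengthInBits() / 8;
        }
        byte[] raw = key.getEncoded();
        if (raw == null) {
            throw new IllegalArgumentException("key size unavailable: key is not extractable");
        }
        return raw.length;
    }

    public static void main(String[] args) {
        SecretKey software = new SecretKeySpec(new byte[16], "AES"); // constructed all-zero key
        SecretKey sensitive = new SensitiveAesKey();
        System.out.println("software key bytes:  " + keySizeInBytes(software));
        System.out.println("sensitive key bytes: " + keySizeInBytes(sensitive));
        try {
            keySizeFromEncoding(sensitive);
        } catch (NullPointerException e) {
            System.out.println("NPE when sizing a sensitive key from getEncoded()");
        }
    }
}
```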


