RFR: 8330842: Support AES CBC with Ciphertext Stealing (CTS) in SunPKCS11 [v3]
Martin Balao
mbalao at openjdk.org
Tue Jun 4 02:58:12 UTC 2024
On Mon, 3 Jun 2024 23:50:18 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
>> Francisco Ferrari Bihurriet has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains ten additional commits since the last revision:
>>
>> - Improve handling when the token variant is unknown
>>
>> Avoid registering CTS algorithms (those depending on CKM_AES_CTS) when
>> the token CTS variant has not been specified in the configuration. Make
>> NSS an exception, as we know that it uses the CS1 variant.
>>
>> Take advantage to extract a pkcs11.Config::parseEnumEntry() method for
>> a cleaner entry in the main switch statement of pkcs11.Config::parse(),
>> also slightly improving the error message.
>>
>> Co-authored-by: Francisco Ferrari <fferrari at redhat.com>
>> Co-authored-by: Martin Balao <mbalao at redhat.com>
>> - Merge 'openjdk/master' into JDK-8330843
>> - Revert re-arrangement of native methods parameters
>>
>> This reverts commit 0a777e94229723376e1264e87cbf0ba805dc736f, except for
>> the copyright which is retained as 2024.
>>
>> NOTE: new calls of the same methods are retained in the re-arrangement
>> style, as we didn't introduce this re-arrangement, it was already
>> present in most of the calls inside ::implUpdate() and ::implDoFinal().
>>
>> Co-authored-by: Francisco Ferrari <fferrari at redhat.com>
>> Co-authored-by: Martin Balao <mbalao at redhat.com>
>> - Merge 'openjdk/master' into JDK-8330843
>> - 8330842: Add AES CBC with Ciphertext Stealing (CTS) SunPKCS11 tests
>>
>> Co-authored-by: Francisco Ferrari <fferrari at redhat.com>
>> Co-authored-by: Martin Balao <mbalao at redhat.com>
>> - 8330842: Support AES CBC with Ciphertext Stealing (CTS) in SunPKCS11
>>
>> Co-authored-by: Francisco Ferrari <fferrari at redhat.com>
>> Co-authored-by: Martin Balao <mbalao at redhat.com>
>> - Fix cipher tests logging
>>
>> Co-authored-by: Francisco Ferrari <fferrari at redhat.com>
>> Co-authored-by: Martin Balao <mbalao at redhat.com>
>> - Implement integer constants as enum
>>
>> Co-authored-by: Francisco Ferrari <fferrari at redhat.com>
>> Co-authored-by: Martin Balao <mbalao at redhat.com>
>> - Arrange parameters of native methods evenly
>>
>> C_EncryptUpdate / C_DecryptUpdate / C_EncryptFinal / C_DecryptFinal
>>
>> If the call doesn't fit on a single line, use the following order:
>> long hSession,
>> [ long directIn, byte[] in, int inOfs, int inLen,...
>
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java line 922:
>
>> 920: 0, out, outOfs, outLen);
>> 921: }
>> 922: if (paddingObj != null) {
>
> Why not put this if-block inside an else-block of the `if (blockMode == Mode.CTS),` so it's clear that CTS mode won't use paddingObj?
I'd rather not add a level of indentation to the else-block, but perhaps we can add an else-if block to the `paddingObj != null` block. @franferrax, what do you think?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/18898#discussion_r1625266517
More information about the security-dev
mailing list