RFR: 8330842: Support AES CBC with Ciphertext Stealing (CTS) in SunPKCS11 [v3]
Francisco Ferrari Bihurriet
fferrari at openjdk.org
Tue Jun 4 18:02:58 UTC 2024
On Tue, 4 Jun 2024 12:50:44 GMT, Francisco Ferrari Bihurriet <fferrari at openjdk.org> wrote:
>> I'd rather not add a level of indentation to the else-block, but perhaps we can add an else-if block to the `paddingObj != null` block. @franferrax, what do you think?
>
> I wouldn't increase indentation either. Regarding adding an `else if`, I'm neither for nor against it, so I can do that if that's your preference.
>
> I agree that added here in line **922** of the encryption case, it would make it clearer that CTS mode won't use `paddingObj`:
>
> https://github.com/openjdk/jdk/blob/997777e86c6fa03f070dcf0f219813c11cb480ce/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java#L917-L940
>
> However, it would also introduce an asymmetry with the decryption case in line **965**, where we can't do the same, since the code inside the `else` of line **983** must also be executed in CTS mode:
>
> https://github.com/openjdk/jdk/blob/997777e86c6fa03f070dcf0f219813c11cb480ce/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java#L957-L987
>
> ----
>
> NOTE: this discussion also applies to the [same block in the `ByteBuffer` version of `P11Cipher::implDoFinal()`](https://github.com/openjdk/jdk/blob/997777e86c6fa03f070dcf0f219813c11cb480ce/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java#L1030-L1104): an `else if` could be introduced in line **1036** but not in line **1079**.
Changed in 0d82e7e9444f1807b271e16410a6dd83bda0613a.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/18898#discussion_r1626416664
More information about the security-dev
mailing list