RFR: 8330842: Support AES CBC with Ciphertext Stealing (CTS) in SunPKCS11 [v8]

Francisco Ferrari Bihurriet fferrari at openjdk.org
Fri Jun 7 16:45:22 UTC 2024


On Fri, 7 Jun 2024 16:10:09 GMT, Martin Balao <mbalao at openjdk.org> wrote:

>>> I created the release-note and doc sub-task for this RFE. Please take a look.
>> 
>> They look good to me, I just removed two extra white spaces around the closing parenthesis in [JDK-8333760](https://bugs.openjdk.org/browse/JDK-8333760).
>> 
>>> As for the code change, the rest looks fine to me.
>> 
>> I did one more minor change: 2c6a3c0f79809db77b28c21244ced6621903039f.
>
> @franferrax Can you please quote the relevant fragment from the original CSR text? I think it was more clear.

@martinuy

> @franferrax Can you please quote the relevant fragment from the original CSR text? I think it was more clear.

This was the original CSR text that corresponds with the part of the CSR copied in the release note:

> Introduce a new _SunPKCS11_ provider configuration attribute named `cipherTextStealingVariant` that must be set with any of the following values: `CS1`, `CS2` or `CS3`. This attribute can be used to specify the token's CTS variant and is required to enable `CKM_AES_CTS`. The AES CBC-CTS transformations are not registered by _SunPKCS11_ if the `cipherTextStealingVariant` attribute is not present, with an exception for the NSS Software Token where `CS1` is assumed by default. After encryption, the ciphertext will be converted from the token's variant to _CS3_. Before decryption, the ciphertext will be converted from _CS3_ to the token's variant.

@seanjmullan

> I didn't understand the interoperability part. If SunJCE and Kerberos use CS3, then how can PKCS11 ensure interoperability if someone sets the variable to CS1 or CS2?

The interoperability is ensured by internally converting between _CS3_ and the PKCS #11 library variant, so that ciphertexts are always arranged in the _CS3_ variant, from a public API user's perspective.

> Also, if the property is set to CS2 or CS3, and you are using NSS, is an exception or error thrown?

No, an exception is not thrown and the chosen _CS2_ or _CS3_ variant is applied even for NSS. NOTE: this misconfiguration will lead to invalid outputs. This behaviour is the same for any PKCS #11 library. What we provide for NSS is an overridable default.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/18898#issuecomment-2155183033
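The variant conversion the reply describes (token variant to _CS3_ after encryption, _CS3_ back to the token variant before decryption) as an added illustration; this is not the SunPKCS11 code from the PR. It assumes the CS1/CS2/CS3 layouts of NIST SP 800-38A Addendum, the AES block size, and function names chosen here.

```python
# Added example (not SunPKCS11 code): re-arranging the last two ciphertext
# blocks between the CTS variants CS1, CS2 and CS3 (NIST SP 800-38A Addendum).
# Every variant shares C_1 .. C_{n-2}; they differ only in the order of the
# final full block C_n and the truncated block C*_{n-1} (d bytes, 1 <= d <= 16).
BLOCK = 16  # AES block size


def _full_block_first(variant: str, d: int) -> bool:
    """True when the variant emits C_n before C*_{n-1} for a tail of d bytes."""
    if variant == "CS1":
        return False            # C*_{n-1} || C_n, always
    if variant == "CS3":
        return True             # C_n || C*_{n-1}, even when d == 16
    if variant == "CS2":
        return d != BLOCK       # swap only when the last block is partial
    raise ValueError(f"unknown CTS variant {variant!r}")


def convert_cts(ct: bytes, src: str, dst: str) -> bytes:
    """Re-arrange a CBC-CTS ciphertext from variant src to variant dst."""
    n = len(ct)
    if n < BLOCK:
        raise ValueError("CTS needs at least one full block of ciphertext")
    if n == BLOCK:
        return ct               # single block: nothing stolen, variants coincide
    d = n % BLOCK or BLOCK      # bytes in the truncated block C*_{n-1}
    split = n - BLOCK - d
    head, tail = ct[:split], ct[split:]
    if _full_block_first(src, d):
        c_n, c_partial = tail[:BLOCK], tail[BLOCK:]
    else:
        c_partial, c_n = tail[:d], tail[d:]
    if _full_block_first(dst, d):
        return head + c_n + c_partial
    return head + c_partial + c_n


def token_to_api(token_ct: bytes, token_variant: str) -> bytes:
    """After encryption: token variant -> CS3, the layout the JCE caller sees."""
    return convert_cts(token_ct, token_variant, "CS3")


def api_to_token(cs3_ct: bytes, token_variant: str) -> bytes:
    """Before decryption: CS3 -> token variant, the layout the PKCS#11 library expects."""
    return convert_cts(cs3_ct, "CS3", token_variant)


# Constructed CS1 ciphertext with labelled blocks: C_1 = a*16, C*_{n-1} = b*5, C_n = c*16
CS1_SAMPLE = b"a" * 16 + b"b" * 5 + b"c" * 16
```

Declaring the wrong variant (the misconfiguration case from the reply) is visible here as a different byte order for a partial last block, while CS1 and CS2 are indistinguishable when the last block is full.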