RFR: 8325164: Named groups and signature schemes unavailable with SunPKCS11 in FIPS mode [v2]

Daniel Jeliński djelinski at openjdk.org
Thu Mar 7 13:28:53 UTC 2024


On Thu, 7 Mar 2024 12:40:09 GMT, Daniel Jeliński <djelinski at openjdk.org> wrote:

>> Currently the SunPKCS11 provider requires other providers in order to offer ECDHE, FFDHE and RSA-PSS in TLS handshakes:
>> - FFDHE requires DiffieHellman AlgorithmParameters from SunJCE
>> - ECDHE requires the SunEC provider to be installed
>> - RSA-PSS requires RSASSA-PSS AlgorithmParameters from SunRsaSign
>> 
>> This PR removes these dependencies: 
>> - SunPKCS11 is modified to offer the PSS and DH AlgorithmParameters (using the same implementation classes as the original providers)
>> - Elliptic curve code is modified to remove the dependency on SunEC provider where possible
>> 
>> Two existing tests were modified to verify the changes:
>> - SigInteropPSS2 test was modified to install SunPKCS11 provider and remove SunRsaSign provider
>> - FipsModeTLS12 test was modified to verify the list of NamedGroups available on a SSLEngine.
>> 
>> Both modified tests fail without the changes, pass with them. Other tier1-3 tests continue to pass.
>
> Daniel Jeliński has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Restore original SunEC behavior

After an offline discussion I pushed an alternative implementation that restores the original SunEC provider behavior of resolving ECParameterSpec using the preferred EC AlgorithmParameters provider.

I also modified SunPKCS11 provider to use the preferred provider instead of using SunEC if it's installed, and failing if SunEC is not installed. SunPKCS11 provides EC AlgorithmParameters, so as long as it is installed, ECParameterSpec resolution will work.

History: the dependency on SunEC provider was introduced in [JDK-7194075](https://bugs.openjdk.org/browse/JDK-7194075) / c39030c7b32ae529699aec3d5bde197b194771a7 to remove duplication of code between SunPKCS11 and SunEC.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/17816#issuecomment-1983501685
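The message above describes the new resolution path: `ECParameterSpec` is obtained through whichever provider is preferred for `AlgorithmParameters.EC`, and SunPKCS11 now registers EC, DiffieHellman and RSASSA-PSS `AlgorithmParameters` itself. The following Java program is an added illustration of how a deployer can verify that claim on their own JDK; it is not code from the PR or from the JDK tests it mentions. It uses only public `java.security` APIs, and the `--strip` flag (an assumed convenience, not a JDK option) removes the software providers so that the check reflects what a PKCS#11-only configuration would see. The provider name of a SunPKCS11 instance depends on the `name` attribute in your PKCS#11 config file; none is hard-coded here.

```java
import java.security.AlgorithmParameters;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.Arrays;

/** Checks which providers can serve the AlgorithmParameters that TLS key exchange and RSA-PSS need. */
public class FipsAlgParamsCheck {

    // The three services the PR makes SunPKCS11 self-sufficient for.
    private static final String[] SERVICES = {"EC", "DiffieHellman", "RSASSA-PSS"};

    // Software providers that a FIPS deployment typically leaves out (constructed list for this check).
    private static final String[] SOFTWARE_PROVIDERS = {"SunEC", "SunRsaSign", "SunJCE"};

    /** Names of every installed provider offering AlgorithmParameters for the given algorithm. */
    static String[] providersFor(String alg) {
        Provider[] ps = Security.getProviders("AlgorithmParameters." + alg);
        if (ps == null) {
            return new String[0];   // nobody can serve this algorithm: the failure the PR addresses
        }
        return Arrays.stream(ps).map(Provider::getName).toArray(String[]::new);
    }

    /**
     * Resolves a named curve to an ECParameterSpec the same way the restored SunEC path does:
     * through the preferred EC AlgorithmParameters provider, whichever that is.
     */
    static ECParameterSpec resolveCurve(String curve) throws Exception {
        AlgorithmParameters ap = AlgorithmParameters.getInstance("EC");
        ap.init(new ECGenParameterSpec(curve));
        System.out.println("EC AlgorithmParameters served by: " + ap.getProvider().getName());
        return ap.getParameterSpec(ECParameterSpec.class);
    }

    /** Initialises RSASSA-PSS parameters and reports which provider handled them. */
    static String pssProvider() throws Exception {
        AlgorithmParameters ap = AlgorithmParameters.getInstance("RSASSA-PSS");
        ap.init(new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256,
                                     32, PSSParameterSpec.TRAILER_FIELD_BC));
        return ap.getProvider().getName();
    }

    public static void main(String[] args) {
        // --strip (assumed flag): mimic a PKCS#11-only setup by removing the software providers.
        if (args.length > 0 && "--strip".equals(args[0])) {
            for (String p : SOFTWARE_PROVIDERS) {
                Security.removeProvider(p);
            }
        }

        for (String s : SERVICES) {
            String[] names = providersFor(s);
            System.out.println("AlgorithmParameters." + s + ": "
                    + (names.length == 0 ? "<none>" : String.join(", ", names)));
        }

        try {
            ECParameterSpec spec = resolveCurve("secp256r1");
            System.out.println("secp256r1 order bit length: " + spec.getOrder().bitLength());
            System.out.println("RSASSA-PSS AlgorithmParameters served by: " + pssProvider());
        } catch (NoSuchAlgorithmException e) {
            // Before the PR, this is what a SunPKCS11-only FIPS configuration hit for EC and PSS.
            System.out.println("Resolution failed: " + e.getMessage());
        } catch (Exception e) {
            System.out.println("Unexpected error: " + e);
        }
    }
}
```

Run it once with the default provider list and once with `--strip` after configuring a SunPKCS11 provider in `java.security`; with the change described in this thread, the second run should still name the SunPKCS11 instance for all three services and resolve the curve, whereas a JDK without it reports `<none>` for EC and RSASSA-PSS and falls into the `NoSuchAlgorithmException` branch.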
