RFR: 8325164: Named groups and signature schemes unavailable with SunPKCS11 in FIPS mode [v2]
Valerie Peng
valeriep at openjdk.org
Tue Mar 12 18:15:15 UTC 2024
On Thu, 7 Mar 2024 12:40:09 GMT, Daniel Jeliński <djelinski at openjdk.org> wrote:
>> Currently the SunPKCS11 provider requires other providers in order to offer ECDHE, FFDHE and RSA-PSS in TLS handshakes:
>> - FFDHE requires DiffieHellman AlgorithmParameters from SunJCE
>> - ECDHE requires the SunEC provider to be installed
>> - RSA-PSS requires RSASSA-PSS AlgorithmParameters from SunRsaSign
>>
>> This PR removes these dependencies:
>> - SunPKCS11 is modified to offer the PSS and DH AlgorithmParameters (using the same implementation classes as the original providers)
>> - Elliptic curve code is modified to remove the dependency on SunEC provider where possible
>>
>> Two existing tests were modified to verify the changes:
>> - SigInteropPSS2 test was modified to install SunPKCS11 provider and remove SunRsaSign provider
>> - FipsModeTLS12 test was modified to verify the list of NamedGroups available on a SSLEngine.
>>
>> Both modified tests fail without the changes, pass with them. Other tier1-3 tests continue to pass.
>
> Daniel Jeliński has updated the pull request incrementally with one additional commit since the last revision:
>
> Restore original SunEC behavior
test/jdk/sun/security/pkcs11/Signature/SigInteropPSS2.java line 56:
> 54: Provider sunRsaSign = Security.getProvider("SunRsaSign");
> 55: Security.removeProvider("SunRsaSign");
> 56: Security.insertProviderAt(p, 1);
IIRC, the getInstance() call always specify which provider, why do we need to insert the provider to position 1?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/17816#discussion_r1521923378
More information about the security-dev
mailing list