RFR: 8328556: Do not extract large CKO_SECRET_KEY keys from the NSS Software Token [v2]

Martin Balao mbalao at openjdk.org
Thu Mar 21 17:20:21 UTC 2024


On Thu, 21 Mar 2024 17:17:41 GMT, Martin Balao <mbalao at openjdk.org> wrote:

>> Hi,
>> 
>> I'd like to propose a fix for "8328556: Do not extract large CKO_SECRET_KEY keys from the NSS Software Token". See more details in the JBS ticket [1].
>> 
>> No regressions observed in jdk/sun/security/pkcs11.
>> 
>> Thanks,
>> Martin.-
>> 
>> --
>> [1] - https://bugs.openjdk.org/browse/JDK-8328556
>
> Martin Balao has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Test TestLargeSecretKeys added.

Update: I found that an existing PKCS11Test configuration (p11-nss-sensitive.txt) sets CKA_SENSITIVE to CK_TRUE for secret keys. Combining this with the DH large secret key derivation trick led to a viable reproducer without having to introduce a FIPS configuration.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/18389#issuecomment-2013100964


