RFR: 8349849: PKCS11 SunTlsKeyMaterial crashes when used with TLS1.2 TlsKeyMaterialParameterSpec
Bradford Wetmore
wetmore at openjdk.org
Thu Feb 13 19:10:17 UTC 2025
On Wed, 12 Feb 2025 10:02:55 GMT, Daniel Jeliński <djelinski at openjdk.org> wrote:
> Please review this trivial fix that ensures that the mechanism always matches the parameter class type.
>
> I added a new test case that crashes without the fix, passes with the fix. Existing tier1-3 test cases continue to pass.
Marked as reviewed by wetmore (Reviewer).
src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsKeyMaterialGenerator.java line 124:
> 122: } else if (tlsVersion == 0x0303) {
> 123: mechanism = CKM_TLS12_KEY_AND_MAC_DERIVE;
> 124: }
So this hasn't worked since the TLSv1.2 support was added in 2018? Ouch!
I wonder if how many are using PKCS11 for TLS. Seems like this should have been found earlier.
Double check with @valeriepeng , but looks ok to me...
-------------
PR Review: https://git.openjdk.org/jdk/pull/23583#pullrequestreview-2615984496
PR Review Comment: https://git.openjdk.org/jdk/pull/23583#discussion_r1955073131
More information about the security-dev
mailing list