RFR: 8368694: PKCS11-NSS generic keys generated by DH have leading zeroes stripped [v2]

Daniel Jeliński djelinski at openjdk.org
Wed Oct 8 10:19:13 UTC 2025


On Wed, 8 Oct 2025 02:20:17 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> Daniel Jeliński has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   Use CKA_VALUE_LEN in parameterless engineGenerateSecret
>
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyAgreement.java line 335:
> 
>> 333:                         new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
>> 334:                         new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType),
>> 335:                         new CK_ATTRIBUTE(CKA_VALUE_LEN, secretLen),
> 
> How about attributes in another `xxxGenerateSecret(...)` method? Should we also add `CKA_VALUE_LEN` attribute with `secretLen` value there as well, i.e. line 200-203,

Thanks @valeriepeng for the review. I added CKA_VALUE_LEN to the parameterless overload now.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/27494#discussion_r2413358229

