Integrated: 8368694: PKCS11-NSS generic keys generated by DH have leading zeroes stripped
Daniel Jeliński
djelinski at openjdk.org
Thu Oct 9 06:04:14 UTC 2025
On Thu, 25 Sep 2025 16:28:25 GMT, Daniel Jeliński <djelinski at openjdk.org> wrote:
> The DiffieHellman KeyAgreement supports 2 key algorithms: TlsPremasterSecret and Generic. The Generic algorithm is supposed to generate keys of a constant length, keeping leading zeroes as appropriate.
>
> This PR changes the SunPKCS11 implementation to pass a CKA_VALUE_LEN attribute when a fixed length is needed; when the attribute is absent, the PKCS11 provider strips the leading zeroes.
>
> Added a check to the existing test cases to verify the fix. The check passes with the fix, fails without it. Other tier1-3 tests continue to pass.
This pull request has now been integrated.
Changeset: 914b44e2
Author: Daniel Jeliński <djelinski at openjdk.org>
URL: https://git.openjdk.org/jdk/commit/914b44e277df23418736eb00c022bbd829d64e11
Stats: 88 lines in 3 files changed: 52 ins; 25 del; 11 mod
8368694: PKCS11-NSS generic keys generated by DH have leading zeroes stripped
Reviewed-by: valeriep
-------------
PR: https://git.openjdk.org/jdk/pull/27494
More information about the security-dev
mailing list