RFR: 8368073: PKCS11 HKDF can't use byte array IKM in FIPS mode
Daniel Jeliński
djelinski at openjdk.org
Fri Sep 19 08:43:54 UTC 2025
Enable HKDF to work with providers that do not allow secret keys to be created from arbitrary data.
This permits the TLS 1.3 handshake to complete with the SunPKCS11 provider backed by NSS in FIPS mode.
I added a TLS 1.3 test case to an existing test. The new test passes with the HKDF changes, fails without them. Other tier1-3 tests continue to pass.
-------------
Commit messages:
- Add bug ID
- Try to use a CKO_DATA object if secret creation fails
Changes: https://git.openjdk.org/jdk/pull/27384/files
Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=27384&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8368073
Stats: 99 lines in 3 files changed: 68 ins; 15 del; 16 mod
Patch: https://git.openjdk.org/jdk/pull/27384.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/27384/head:pull/27384
PR: https://git.openjdk.org/jdk/pull/27384