RFR: 8368073: PKCS11 HKDF can't use byte array IKM in FIPS mode [v2]

Daniel Jeliński djelinski at openjdk.org
Tue Sep 23 16:16:22 UTC 2025


> Enable HKDF to work with providers that do not allow secret keys to be created from arbitrary data.
> 
> This permits the TLS 1.3 handshake to complete with the SunPKCS11 provider backed by NSS in FIPS mode.
> 
> I added a TLS 1.3 test case to an existing test. The new test passes with the HKDF changes, fails without them. Other tier1-3 tests continue to pass.

Daniel Jeliński has updated the pull request incrementally with one additional commit since the last revision:

  Address review comments

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/27384/files
  - new: https://git.openjdk.org/jdk/pull/27384/files/730427d5..81b470e2

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=27384&range=01
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=27384&range=00-01

  Stats: 61 lines in 1 file changed: 34 ins; 24 del; 3 mod
  Patch: https://git.openjdk.org/jdk/pull/27384.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/27384/head:pull/27384

PR: https://git.openjdk.org/jdk/pull/27384

