RFR: 8368073: PKCS11 HKDF can't use byte array IKM in FIPS mode [v2]
Daniel Jeliński
djelinski at openjdk.org
Tue Sep 23 16:16:22 UTC 2025
On Tue, 23 Sep 2025 16:12:52 GMT, Daniel Jeliński <djelinski at openjdk.org> wrote:
>> Enable HDKF to work with providers that do not allow secret keys to be created from arbitrary data.
>>
>> This permits the TLS 1.3 handshake to complete with SunPKCS11 provider backed by NSS in FIPS mode.
>>
>> I added a TLS 1.3 test case to an existing test. The new test passes with the HKDF changes, fails without them. Other tier1-3 tests continue to pass.
>
> Daniel Jeliński has updated the pull request incrementally with one additional commit since the last revision:
>
> Address review comments
Thanks @valeriepeng for your review. I updated the PR, let me know if that looks acceptable.
-------------
PR Review: https://git.openjdk.org/jdk/pull/27384#pullrequestreview-3258615121
More information about the security-dev
mailing list