<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi Martin,</p>
<p>Thanks for the update, I will resume the review on this one with
your latest webrev.</p>
<p>BTW, there is no webrev.07 for your other fix, i.e. JDK-8029661,
right? Just checking.</p>
Regards,<br>
Valerie<br>
<br>
<div class="moz-cite-prefix">On 8/3/2018 2:13 PM, Martin Balao
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAKZz+gd6YcFNcCD1_r4-r9jdzRcCXTVPmoGBJdSXaY1m7sc6Wg@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<div dir="ltr">
<div>Hi Valerie,</div>
<div><br>
</div>
<div> * <a
href="http://cr.openjdk.java.net/%7Embalao/webrevs/6913047/6913047.webrev.10/"
target="_blank" moz-do-not-send="true">http://cr.openjdk.java.net/~<wbr>mbalao/webrevs/6913047/<wbr>6913047.webrev.10/</a></div>
<div> * <a
href="http://cr.openjdk.java.net/%7Embalao/webrevs/6913047/6913047.webrev.10.zip"
target="_blank" moz-do-not-send="true">http://cr.openjdk.java.net/~<wbr>mbalao/webrevs/6913047/<wbr>6913047.webrev.10.zip</a></div>
<div><br>
</div>
<div>New in webrev 10:</div>
<div><br>
</div>
<div> * Bug fix when private DSA/EC keys are sensitive</div>
<div> * I found this bug removing "attributes = compatibility"
entry in NSS configuration file so keys were CKA_SENSITIVE.</div>
<div> * This is really an NSS bug when unwrapping ephemeral
keys (NSC_UnwrapKey function), because CKA_NETSCAPE_DB
attribute is required but not used/needed. There was a similar
bug when creating objects (NSC_CreateObject function), fixed
many years ago [1].</div>
<div> * In those cases in which the bug occurs (private keys,
of DSA/EC type, sensitive and without CKA_NETSCAPE_DB
attribute set), I store an empty CKA_NETSCAPE_DB attribute in
the buffer that will later be used for key unwrapping. I'm not
doing a C_SetAttributeValue call because keys are read-only.
We can let users set CKA_NETSCAPE_DB attribute in NSS
configuration file [2] but this would be a workaround on users
side.</div>
<div> * Changes in:</div>
<div> * p11_keymgmt.c</div>
<div> * L175-187, L212-214 and L275-278</div>
<div><br>
</div>
<div> * Bug fix when storing sensitive RSA keys in a keystore</div>
<div> * CKA_NETSCAPE_DB attribute is not needed so we return it
as null (instead of failing with an "Invalid algorithm"
message)</div>
<div> * Changes in:</div>
<div> * P11KeyStore.java</div>
<div> * L1909-1914</div>
<div><br>
</div>
<div> * Lines length was cut to improve code readability</div>
<div><br>
</div>
<div>Regression tests on jdk/sun/security/pkcs11 category
passed. I ran my internal test suite too, that covers the
following services (with SunPKCS11 provider): Cipher,
Signature, KeyAgreement, Digest, Mac, KeyGenerator,
KeyPairGenerator and Keystore.</div>
<div><br>
</div>
<div>Kind regards,</div>
<div>Martin.-</div>
<div><br>
</div>
<div>--</div>
<div>[1] - <a
href="https://bugzilla.mozilla.org/show_bug.cgi?id=309701#c6"
target="_blank" moz-do-not-send="true">https://bugzilla.mozilla.org/<wbr>show_bug.cgi?id=309701#c6</a></div>
<div>[2] - <a
href="https://alvinalexander.com/java/jwarehouse/openjdk-8/jdk/test/sun/security/pkcs11/fips/fips.cfg.shtml"
target="_blank" moz-do-not-send="true">https://alvinalexander.com/<wbr>java/jwarehouse/openjdk-8/jdk/<wbr>test/sun/security/pkcs11/fips/<wbr>fips.cfg.shtml</a></div>
<div><br>
</div>
</div>
</blockquote>
<br>
</body>
</html>