Hi Valerie,
* http://cr.openjdk.java.net/~mbalao/webrevs/6913047/6913047.webrev.10/
* http://cr.openjdk.java.net/~mbalao/webrevs/6913047/6913047.webrev.10.zip
New in webrev 10:
* Bug fix when private DSA/EC keys are sensitive
* I found this bug removing "attributes = compatibility" entry in NSS
configuration file so keys were CKA_SENSITIVE.
* This is really an NSS bug when unwrapping ephemeral keys (NSC_UnwrapKey
function), because CKA_NETSCAPE_DB attribute is required but not
used/needed. There was a similar bug when creating objects
(NSC_CreateObject function), fixed many years ago [1].
* In those cases in which the bug occurs (private keys, of DSA/EC type,
sensitive and without CKA_NETSCAPE_DB attribute set), I store an empty
CKA_NETSCAPE_DB attribute in the buffer that will later be used for key
unwrapping. I'm not doing a C_SetAttributeValue call because keys are
read-only. We can let users set CKA_NETSCAPE_DB attribute in NSS
configuration file [2] but this would be a workaround on users side.
* Changes in:
* p11_keymgmt.c
* L175-187, L212-214 and L275-278
* Bug fix when storing sensitive RSA keys in a keystore
* CKA_NETSCAPE_DB attribute is not needed so we return it as null
(instead of failing with an "Invalid algorithm" message)
* Changes in:
* P11KeyStore.java
* L1909-1914
* Lines length was cut to improve code readability
Regression tests on jdk/sun/security/pkcs11 category passed. I ran my
internal test suite too, that covers the following services (with SunPKCS11
provider): Cipher, Signature, KeyAgreement, Digest, Mac, KeyGenerator,
KeyPairGenerator and Keystore.
Kind regards,
Martin.-
--
[1] - https://bugzilla.mozilla.org/show_bug.cgi?id=309701#c6
[2] - https://alvinalexander.com/java/jwarehouse/openjdk-8/jdk/
test/sun/security/pkcs11/fips/fips.cfg.shtml
