Hi Martin,

Thanks for the update, I will resume the review on this one with your latest webrev.

BTW, there is no webrev.07 for your other fix, i.e. JDK-8029661, right? Just checking.

Regards,
Valerie

On 8/3/2018 2:13 PM, Martin Balao wrote:
Hi Valerie,

 * http://cr.openjdk.java.net/~mbalao/webrevs/6913047/6913047.webrev.10/ <http://cr.openjdk.java.net/%7Embalao/webrevs/6913047/6913047.webrev.10/>  * http://cr.openjdk.java.net/~mbalao/webrevs/6913047/6913047.webrev.10.zip <http://cr.openjdk.java.net/%7Embalao/webrevs/6913047/6913047.webrev.10.zip>

New in webrev 10:

 * Bug fix when private DSA/EC keys are sensitive
  * I found this bug removing "attributes = compatibility" entry in NSS configuration file so keys were CKA_SENSITIVE.   * This is really an NSS bug when unwrapping ephemeral keys (NSC_UnwrapKey function), because CKA_NETSCAPE_DB attribute is required but not used/needed. There was a similar bug when creating objects (NSC_CreateObject function), fixed many years ago [1].   * In those cases in which the bug occurs (private keys, of DSA/EC type, sensitive and without CKA_NETSCAPE_DB attribute set), I store an empty CKA_NETSCAPE_DB attribute in the buffer that will later be used for key unwrapping. I'm not doing a C_SetAttributeValue call because keys are read-only. We can let users set CKA_NETSCAPE_DB attribute in NSS configuration file [2] but this would be a workaround on users side.
  * Changes in:
   * p11_keymgmt.c
    * L175-187, L212-214 and L275-278

 * Bug fix when storing sensitive RSA keys in a keystore
  * CKA_NETSCAPE_DB attribute is not needed so we return it as null (instead of failing with an "Invalid algorithm" message)
  * Changes in:
   * P11KeyStore.java
    * L1909-1914

 * Lines length was cut to improve code readability

Regression tests on jdk/sun/security/pkcs11 category passed. I ran my internal test suite too, that covers the following services (with SunPKCS11 provider): Cipher, Signature, KeyAgreement, Digest, Mac, KeyGenerator, KeyPairGenerator and Keystore.

Kind regards,
Martin.-

--
[1] - https://bugzilla.mozilla.org/show_bug.cgi?id=309701#c6 <https://bugzilla.mozilla.org/show_bug.cgi?id=309701#c6> [2] - https://alvinalexander.com/java/jwarehouse/openjdk-8/jdk/test/sun/security/pkcs11/fips/fips.cfg.shtml <https://alvinalexander.com/java/jwarehouse/openjdk-8/jdk/test/sun/security/pkcs11/fips/fips.cfg.shtml>


Reply via email to