Hi Martin,
Thanks for the update, I will resume the review on this one with your
latest webrev.
BTW, there is no webrev.07 for your other fix, i.e. JDK-8029661, right?
Just checking.
Regards,
Valerie
On 8/3/2018 2:13 PM, Martin Balao wrote:
Hi Valerie,
*
http://cr.openjdk.java.net/~mbalao/webrevs/6913047/6913047.webrev.10/
<http://cr.openjdk.java.net/%7Embalao/webrevs/6913047/6913047.webrev.10/>
*
http://cr.openjdk.java.net/~mbalao/webrevs/6913047/6913047.webrev.10.zip
<http://cr.openjdk.java.net/%7Embalao/webrevs/6913047/6913047.webrev.10.zip>
New in webrev 10:
* Bug fix when private DSA/EC keys are sensitive
* I found this bug removing "attributes = compatibility" entry in
NSS configuration file so keys were CKA_SENSITIVE.
* This is really an NSS bug when unwrapping ephemeral keys
(NSC_UnwrapKey function), because CKA_NETSCAPE_DB attribute is
required but not used/needed. There was a similar bug when creating
objects (NSC_CreateObject function), fixed many years ago [1].
* In those cases in which the bug occurs (private keys, of DSA/EC
type, sensitive and without CKA_NETSCAPE_DB attribute set), I store an
empty CKA_NETSCAPE_DB attribute in the buffer that will later be used
for key unwrapping. I'm not doing a C_SetAttributeValue call because
keys are read-only. We can let users set CKA_NETSCAPE_DB attribute in
NSS configuration file [2] but this would be a workaround on users side.
* Changes in:
* p11_keymgmt.c
* L175-187, L212-214 and L275-278
* Bug fix when storing sensitive RSA keys in a keystore
* CKA_NETSCAPE_DB attribute is not needed so we return it as null
(instead of failing with an "Invalid algorithm" message)
* Changes in:
* P11KeyStore.java
* L1909-1914
* Lines length was cut to improve code readability
Regression tests on jdk/sun/security/pkcs11 category passed. I ran my
internal test suite too, that covers the following services (with
SunPKCS11 provider): Cipher, Signature, KeyAgreement, Digest, Mac,
KeyGenerator, KeyPairGenerator and Keystore.
Kind regards,
Martin.-
--
[1] - https://bugzilla.mozilla.org/show_bug.cgi?id=309701#c6
<https://bugzilla.mozilla.org/show_bug.cgi?id=309701#c6>
[2] -
https://alvinalexander.com/java/jwarehouse/openjdk-8/jdk/test/sun/security/pkcs11/fips/fips.cfg.shtml
<https://alvinalexander.com/java/jwarehouse/openjdk-8/jdk/test/sun/security/pkcs11/fips/fips.cfg.shtml>