On Thu, 7 Mar 2024 12:40:09 GMT, Daniel Jeliński <djelin...@openjdk.org> wrote:
>> Currently the SunPKCS11 provider requires other providers in order to offer >> ECDHE, FFDHE and RSA-PSS in TLS handshakes: >> - FFDHE requires DiffieHellman AlgorithmParameters from SunJCE >> - ECDHE requires the SunEC provider to be installed >> - RSA-PSS requires RSASSA-PSS AlgorithmParameters from SunRsaSign >> >> This PR removes these dependencies: >> - SunPKCS11 is modified to offer the PSS and DH AlgorithmParameters (using >> the same implementation classes as the original providers) >> - Elliptic curve code is modified to remove the dependency on SunEC provider >> where possible >> >> Two existing tests were modified to verify the changes: >> - SigInteropPSS2 test was modified to install SunPKCS11 provider and remove >> SunRsaSign provider >> - FipsModeTLS12 test was modified to verify the list of NamedGroups >> available on a SSLEngine. >> >> Both modified tests fail without the changes, pass with them. Other tier1-3 >> tests continue to pass. > > Daniel Jeliński has updated the pull request incrementally with one > additional commit since the last revision: > > Restore original SunEC behavior After an offline discussion I pushed an alternative implementation that restores the original SunEC provider behavior of resolving ECParameterSpec using the preferred EC AlgorithmParameters provider. I also modified SunPKCS11 provider to use the preferred provider instead of using SunEC if it's installed, and failing if SunEC is not installed. SunPKCS11 provides EC AlgorithmParameters, so as long as it is installed, ECParameterSpec resolution will work. History: the dependency on SunEC provider was introduced in [JDK-7194075](https://bugs.openjdk.org/browse/JDK-7194075) / c39030c7b32ae529699aec3d5bde197b194771a7 to remove duplication of code between SunPKCS11 and SunEC. ------------- PR Comment: https://git.openjdk.org/jdk/pull/17816#issuecomment-1983501685