On Fri, 7 Jun 2024 16:10:09 GMT, Martin Balao <mba...@openjdk.org> wrote:
>>> I created the release-note and doc sub-task for this RFE. Please take a >>> look. >> >> They look good to me, I just removed two extra white spaces around the >> closing parenthesis in >> [JDK-8333760](https://bugs.openjdk.org/browse/JDK-8333760). >> >>> As for the code change, the rest looks fine to me. >> >> I did one more minor change: 2c6a3c0f79809db77b28c21244ced6621903039f. > > @franferrax Can you please quote the relevant fragment from the original CSR > text? I think it was more clear. @martinuy > @franferrax Can you please quote the relevant fragment from the original CSR > text? I think it was more clear. This was the original CSR text that corresponds with the part of the CSR copied in the release note: > Introduce a new _SunPKCS11_ provider configuration attribute named > `cipherTextStealingVariant` that must be set with any of the following > values: `CS1`, `CS2` or `CS3`. This attribute can be used to specify the > token's CTS variant and is required to enable `CKM_AES_CTS`. The AES CBC-CTS > transformations are not registered by _SunPKCS11_ if the > `cipherTextStealingVariant` attribute is not present, with an exception for > the NSS Software Token where `CS1` is assumed by default. After encryption, > the ciphertext will be converted from the token's variant to _CS3_. Before > decryption, the ciphertext will be converted from _CS3_ to the token's > variant. @seanjmullan > I didn't understand the interoperability part. If SunJCE and Kerberos use > CS3, then how can PKCS11 ensure interoperability if someone sets the variable > to CS1 or CS2? The interoperability is ensured by internally converting between _CS3_ and the PKCS #11 library variant, so that ciphertexts are always arranged in the _CS3_ variant, from a public APIs user's perspective. > Also, if the property is set to CS2 or CS3, and you are using NSS, is an > exception or error thrown? No, an exception is not thrown and the chosen _CS2_ or _CS3_ variant is applied even for NSS. NOTE: this misconfiguration will lead to invalid outputs. This behaviour is the same for any PKCS #11 library. What we provide for NSS is an overridable default. ------------- PR Comment: https://git.openjdk.org/jdk/pull/18898#issuecomment-2155183033