On Thu, 25 Sep 2025 16:28:25 GMT, Daniel Jeliński <[email protected]> wrote:
> The DiffieHellman KeyAgreement supports 2 key algorithms: TlsPremasterSecret > and Generic. The Generic algorithm is supposed to generate keys of a constant > length, keeping leading zeroes as appropriate. > > This PR changes the SunPKCS11 implementation to pass a CKA_VALUE_LEN > attribute when a fixed length is needed; when the attribute is absent, the > PKCS11 provider strips the leading zeroes. > > Added a check to the existing test cases to verify the fix. The check passes > with the fix, fails without it. Other tier1-3 tests continue to pass. src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyAgreement.java line 335: > 333: new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY), > 334: new CK_ATTRIBUTE(CKA_KEY_TYPE, keyType), > 335: new CK_ATTRIBUTE(CKA_VALUE_LEN, secretLen), How about attributes in another `xxxGenerateSecret(...)` method? Should we also add `CKA_VALUE_LEN` attribute with `secretLen` value there as well, i.e. line 200-203, ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/27494#discussion_r2412341167
