RH2104724: Avoid import/export of DH private keys #14
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Failing test cases from OPENJDK-824 are passing in a local build of this PR + #16, executed with: separator="$(printf "%$(tput cols)s" | tr " " "=")"
highlighter="s/^\(failed\|error\)\(:\|$\)/$(tput bold && tput setaf 1)\0$(tput sgr0)/gi;
s/^passed\(:\|$\)/$(tput bold && tput setaf 2)\0$(tput sgr0)/gi;
s/^ignored\(:\|$\)/$(tput bold && tput setaf 3)\0$(tput sgr0)/gi"
function test_env_create() {
git clone --quiet "https://github.com/rh-openjdk/$1" && pushd "$1" >/dev/null &&
echo -e "$(tput bold)${separator}\n= $1\n${separator}$(tput sgr0)"
}
function test_env_destroy() {
popd >/dev/null && rm -rf "$1" && echo -e "\n"
}
function run_tests() {
export JAVA_HOME="$(find $HOME -wholename */jdk17u/build/*/images/jdk -print -quit)"
test_env_create ssl-tests || return
make TEST_PKCS11_FIPS=1 SSLTESTS_SSL_CONFIG_FILTER=SunJSSE,Default,TLSv1.2,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 \
SSLTESTS_CUSTOM_JAVA_PARAMS=-Djdk.tls.ephemeralDHKeySize=2048 ssl-tests | sed "$highlighter"
test_env_destroy ssl-tests
test_env_create CryptoTest || return
make KeyAgreementTests | sed "$highlighter"
test_env_destroy CryptoTest
unset JAVA_HOME
}
run_tests && unset run_tests test_env_destroy test_env_create highlighter separatorOutput from Output from |
franferrax
commented
Oct 24, 2022
| debug.println("Importing a Diffie-Hellman private key..."); | ||
| } | ||
| if (DHKF == null) { | ||
| DHKFLock.lock(); |
There was a problem hiding this comment.
I forgot to remove the DHKF and DHKFLock static variables from the start of the FIPSKeyImporter class.
franferrax
added a commit
to franferrax/jdk
that referenced
this pull request
Oct 28, 2022
openjdk#13 isn't a perfect revert of 0af22dc limited to SSLContextImpl.java and SunJSSE.java, since it doesn't remove the SharedSecrets import. This was already in this way in rh2020290-support_tls_1_3_in_fips.v1.patch, I'm now realizing this when doing the OpenJDK 11 backport and retrying the same approach in OpenJDK 17: ~~~ # Revert openjdk#13 git show 0bd5ca9 | git apply -R # Redo openjdk#13 by reverting 0af22dc in SSLContextImpl.java and SunJSSE.java git show 0af22dc | git apply -R --include=src/java.base/share/classes/sun/security/ssl/* ~~~ In openjdk#14, I forgot to delete the DHKF and DHKFLock static variables from FIPSKeyImporter, which are no longer used, see rh-openjdk#14 (comment).
gnu-andrew
pushed a commit
that referenced
this pull request
Nov 23, 2022
#13 isn't a perfect revert of 0af22dc limited to SSLContextImpl.java and SunJSSE.java, since it doesn't remove the SharedSecrets import. This was already in this way in rh2020290-support_tls_1_3_in_fips.v1.patch, I'm now realizing this when doing the OpenJDK 11 backport and retrying the same approach in OpenJDK 17: ~~~ # Revert #13 git show 0bd5ca9 | git apply -R # Redo #13 by reverting 0af22dc in SSLContextImpl.java and SunJSSE.java git show 0af22dc | git apply -R --include=src/java.base/share/classes/sun/security/ssl/* ~~~ In #14, I forgot to delete the DHKF and DHKFLock static variables from FIPSKeyImporter, which are no longer used, see #14 (comment). Reviewed-by: @gnu-andrew
gnu-andrew
pushed a commit
that referenced
this pull request
Apr 4, 2023
gnu-andrew
pushed a commit
to gnu-andrew/jdk
that referenced
this pull request
Aug 18, 2023
openjdk#13 isn't a perfect revert of 0af22dc limited to SSLContextImpl.java and SunJSSE.java, since it doesn't remove the SharedSecrets import. This was already in this way in rh2020290-support_tls_1_3_in_fips.v1.patch, I'm now realizing this when doing the OpenJDK 11 backport and retrying the same approach in OpenJDK 17: ~~~ # Revert openjdk#13 git show 0bd5ca9 | git apply -R # Redo openjdk#13 by reverting 0af22dc in SSLContextImpl.java and SunJSSE.java git show 0af22dc | git apply -R --include=src/java.base/share/classes/sun/security/ssl/* ~~~ In openjdk#14, I forgot to delete the DHKF and DHKFLock static variables from FIPSKeyImporter, which are no longer used, see rh-openjdk#14 (comment). Reviewed-by: @gnu-andrew
gnu-andrew
pushed a commit
that referenced
this pull request
Aug 22, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Search this PR in Red Hat Jira
RH2104724 / RH2104725: Avoid import/export of DH private keys
Description
As analyzed in OPENJDK-824, NSS doesn't support wrapping/unwrapping of Diffie-Hellman private keys (
CKK_DH), so we can't import/export them from the NSS PKCS#11 software token.In addition, as part of 78df8b5 work, we started to blindly consider a private key extractable when the plain key support is enabled, preventing DH private keys from being instantiated as the opaque
P11PrivateKey. This now causes an error, as an attempt is made to extract these keys when instantiating theP11DHPrivateKeyfull-data object.This work:
P11PrivateKeyfor them (instead ofP11DHPrivateKey)CKK_DHprivate keys.