I just realized that a natural place to configure provider behavior is
in the provider construction, which is also per provider, so you can
have multiple ones with different configuration. We are already using an
InputStream to construct SunPKCS11, and adding more parameters to
configure/override
Just FYI. SoftHSM2 from the OpenDNSSec project is a good P11 to test
with, and I believe it supports brainpool in recent versions.
https://github.com/opendnssec/SoftHSMv2
It works really good)
Regards,
Tomas
On 2018-02-09 02:03, Valerie Peng wrote:
> Hi Tobias,
>
> Just curious, which PKCS11
Looking to push a new test which helps test CloneableDigest code. It's
something that arose during JDK-8193683 fix.
The test was contributed by Brad Wetmore. I've converted it to use the
SSLSocketTemplate.
JBS : https://bugs.openjdk.java.net/browse/JDK-8193892
webrev :
Oh-well, I suppose that we are all humans. ;)
Let me take a closer look on this and see if there are other ways to
relax this constraint than adding env var which should be the very last
resort in my opinion.
BTW, is there a bug filed for this?
Thanks for the feedback,
Valerie
On 2/9/2018
Hmm, seems reasonable to support this in the provider configuration file.
Or, on a similar note, but slightly different approach is to just add an
configuration option for disabling checking the supported key size range.
Regards,
Valerie
On 2/9/2018 2:16 AM, Tomas Gustavsson wrote:
I just
Hi Valerie,
these tests were initally meant for the new curves in SunEC, but the SunEC
tests are using
the PKCS#11 tests. Even though I made these known answer tests for SunEC, I
think it
might be a good idea not to limit them to SunEC but run them on tests using
TestECDH with
any provider,
Hi,
Thanks for the answer. (sorry I was out with the flu for a week)
> I am not too keen to add an env var/system property to accommodate this
> kind of PKCS11 library bugs since this should be rare I hope.
> Valerie
Unfortunately I don't see it as rare and the impact is huge due to the
slow
Awesome.
I just posted in another thread to the mailing list with some examples
where more flexibility would be needed. "PKCS#11 provider issues with
min and max size".
Another example would be to add flexibility to be more crypto "agile".
I.e. when new algorithms come out, for example SHA3. It
Updated again at http://cr.openjdk.java.net/~weijun/8191438/webrev.05/.
--Max
> On Jan 4, 2018, at 8:48 AM, Weijun Wang wrote:
>
> Please take a review at
>
> http://cr.openjdk.java.net/~weijun/8191438/webrev.04/
>
> Major changes:
>
> 1. Warnings on TSA cert chain: