On Tue, 24 Aug 2021 01:33:42 GMT, Valerie Peng <valer...@openjdk.org> wrote:
> Could someone help review this straight forward change? During the > interoperability testing with PKCS11 KW/KWP support, it is noticed that > SunJCE provider used the wrong block size (AES: 16) when padding is needed > for KW mode. With KW, KWP modes, data block size is multiples of 8-byte, so > the padding should pad data to multiples of 8 bytes instead of 16. In > addition, although PKCS#11 v3.0 states the IV for KWP mode is 4-byte, NSS's > implementation would silently ignore the specified IVs. Thus, for max > interoperability, it seems safer to change SunJCE provider to always use the > same default IV and disallow custom IVs for KWP mode, at least for now. > Regression test is enhanced to test more scenarios. > > Thanks, > Valerie I have no further comment, please check Sean's comment before integration. ------------- Marked as reviewed by xuelei (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/5236
