On Wed, 12 Feb 2025 10:02:55 GMT, Daniel Jeliński <djelin...@openjdk.org> wrote:
> Please review this trivial fix that ensures that the mechanism always matches
> the parameter class type.
>
> I added a new test case that crashes without the fix, passes with the fix.
> Existing tier1-3 test cases continue to pass.

Marked as reviewed by wetmore (Reviewer).

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsKeyMaterialGenerator.java line 124:

> 122: } else if (tlsVersion == 0x0303) {
> 123:     mechanism = CKM_TLS12_KEY_AND_MAC_DERIVE;
> 124: }

So this hasn't worked since the TLSv1.2 support was added in 2018? Ouch! I wonder how many are using PKCS11 for TLS. Seems like this should have been found earlier. Double check with @valeriepeng, but looks ok to me...

-------------

PR Review: https://git.openjdk.org/jdk/pull/23583#pullrequestreview-2615984496
PR Review Comment: https://git.openjdk.org/jdk/pull/23583#discussion_r1955073131