On Thu, 13 Feb 2025 19:06:28 GMT, Bradford Wetmore <wetm...@openjdk.org> wrote:
>> Please review this trivial fix that ensures that the mechanism always
>> matches the parameter class type.
>>
>> I added a new test case that crashes without the fix, passes with the fix.
>> Existing tier1-3 test cases continue to pass.
>
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsKeyMaterialGenerator.java
> line 124:
>
>> 122: } else if (tlsVersion == 0x0303) {
>> 123: mechanism = CKM_TLS12_KEY_AND_MAC_DERIVE;
>> 124: }
>
> So this hasn't worked since the TLSv1.2 support was added in 2018? Ouch!
>
> I wonder if how many are using PKCS11 for TLS. Seems like this should have
> been found earlier.
>
> Double check with @valeriepeng , but looks ok to me...
It's not that bad, the crash only happens when you (mis-)use SunTlsKeyMaterial
instead of SunTls12KeyMaterial with TLS 1.2. JSSE uses the correct one. I only
hit this bug when experimenting with tests.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/23583#discussion_r1955110134
