On Thu, 25 Sep 2025 19:45:48 GMT, Daniel Jeliński <[email protected]> wrote:

> Change SunJSSE to use `TlsUpdateNplus1` instead of `AES` as the key algorithm 
> when deriving the next application traffic secret.
> 
> SunPKCS11 provider checks the key length when creating an `AES` key, and 
> since 384 bits is not a valid AES key length, the key creation fails.
> 
> `TlsUpdateNplus1` is [already 
> recognized](https://github.com/openjdk/jdk/blob/3c9fd7688f4d73067db9b128c329ca7603a60578/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java#L287)
>  as a standard TLS generic key by SunPKCS11.
> 
> Key update is now exercised by the FipsModeTLS test. The test passes with the 
> changes, fails without them. Other tier1-3 tests continue to pass.

This pull request has now been integrated.

Changeset: 56baf64a
Author:    Daniel Jeliński <[email protected]>
URL:       https://git.openjdk.org/jdk/commit/56baf64ada04f233fbfe4e0cd033c86183e22015
Stats:     21 lines in 2 files changed: 6 ins; 4 del; 11 mod

8368520: TLS 1.3 KeyUpdate fails with SunPKCS11 provider

Reviewed-by: valeriep

-------------

PR: https://git.openjdk.org/jdk/pull/27498
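
Where the 384-bit key in the description above comes from, as an added example (not code from the JDK or from this pull request): RFC 8446 section 7.2 derives the next application traffic secret with HKDF-Expand-Label at the hash output length, so a SHA-384 cipher suite yields 48 bytes. The input secrets are constructed sample values, and `fits_aes` is a hypothetical stand-in for a provider-side AES key length check.

```python
import hashlib
import hmac

AES_KEY_BYTES = (16, 24, 32)  # 128-, 192- and 256-bit AES keys


def hkdf_expand(hash_name, prk, info, length):
    """HKDF-Expand (RFC 5869) over the named hashlib digest."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(hash_name, secret, label, context, length):
    """HKDF-Expand-Label (RFC 8446, section 7.1)."""
    full_label = b"tls13 " + label
    info = (length.to_bytes(2, "big")
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(hash_name, secret, info, length)


def next_traffic_secret(hash_name, current_secret):
    """application_traffic_secret_N+1 (RFC 8446, section 7.2)."""
    hash_len = hashlib.new(hash_name).digest_size
    return hkdf_expand_label(hash_name, current_secret, b"traffic upd", b"", hash_len)


def fits_aes(secret):
    """Hypothetical length check: is this a legal AES key length?"""
    return len(secret) in AES_KEY_BYTES


def report():
    rows = []
    for suite, hash_name in (("TLS_AES_128_GCM_SHA256", "sha256"),
                             ("TLS_AES_256_GCM_SHA384", "sha384")):
        # Constructed stand-in for application_traffic_secret_N.
        secret_n = bytes(range(hashlib.new(hash_name).digest_size))
        secret_n1 = next_traffic_secret(hash_name, secret_n)
        rows.append((suite, len(secret_n1) * 8, fits_aes(secret_n1)))
    return rows


if __name__ == "__main__":
    for suite, bits, ok in report():
        print(f"{suite}: next secret is {bits} bits, valid AES length: {ok}")
```

The 256-bit secret of the SHA-256 suite happens to be a legal AES length, so in this sketch a length check alone rejects only the SHA-384 case.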
