8325254: CKA_TOKEN private and secret keys are not necessarily sensitive #17712

Closed

@martinuy
Contributor

martinuy commented Feb 5, 2024

Hi,

May I have a review for this fix to JDK-8325254?

With this change, CKA_TOKEN = true is used as an indicator of a sensitive private key (opaque) only if the token is NSS. The behavior previous to JDK-8271566 is restored for non-NSS tokens.

No regressions observed in jdk/sun/security/pkcs11.


Progress

  • Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue

Issue

  • JDK-8325254: CKA_TOKEN private and secret keys are not necessarily sensitive (Bug - P4)

Reviewers

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/17712/head:pull/17712
$ git checkout pull/17712

Update a local copy of the PR:
$ git checkout pull/17712
$ git pull https://git.openjdk.org/jdk.git pull/17712/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 17712

View PR using the GUI difftool:
$ git pr show -t 17712

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/17712.diff


@bridgekeeper

bridgekeeper bot commented Feb 5, 2024

👋 Welcome back mbalao! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk openjdk bot added the rfr Pull request is ready for review label Feb 5, 2024
@openjdk

openjdk bot commented Feb 5, 2024

@martinuy The following label will be automatically applied to this pull request:

  • security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

@openjdk openjdk bot added the security security-dev@openjdk.org label Feb 5, 2024
@mlbridge

mlbridge bot commented Feb 5, 2024

Webrevs

@mcpowers
Contributor

mcpowers commented Feb 6, 2024

Your change looks good to me. It makes sense. What testing has been done?

@martinuy
Contributor Author

martinuy commented Feb 6, 2024

Hi @mcpowers,

Thanks for having a look at this proposal. I ran a regression over jdk/sun/security/pkcs11 which exercises the code with the NSS Software Token, and all 111 tests passed. In addition, I asked the people who originally reported this bug to me to do some tests to confirm that JDK-8271566 introduced an observable change in behavior for the KeyStore::getKey public API. These tests included a CKA_TOKEN = TRUE, CKA_SENSITIVE = FALSE, CKA_EXTRACTABLE = TRUE case where we could see how 8271566 made their hardware token return an opaque key instead of one with all the information. I am personally confident about this change, which does nothing more than returning to pre-8271566 behavior for non-NSS tokens and keeping the new behavior for NSS. If someone has more hardware tokens to test, I'd appreciate any additional feedback.

Martin.-
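
A way to observe the behavior discussed in this thread through the public API, as an added example (not code from this PR or from OpenJDK): it reports whether the key returned by KeyStore::getKey is opaque. It assumes that an opaque key exposes neither getFormat() nor getEncoded(); the class name, the TokenOnlyKey stand-in and the command-line arguments are hypothetical.

```java
import java.io.Console;
import java.security.Key;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;

public class OpaqueKeyCheck {

    /** Assumption: "opaque" means the key exposes neither a format nor an encoding. */
    static boolean isOpaque(Key key) {
        return key.getFormat() == null && key.getEncoded() == null;
    }

    /** Constructed stand-in for a key whose material never leaves the token. */
    static final class TokenOnlyKey implements PrivateKey {
        public String getAlgorithm() { return "RSA"; }
        public String getFormat() { return null; }
        public byte[] getEncoded() { return null; }
    }

    static String describe(String label, Key key) {
        return String.format("%s: class=%s algorithm=%s opaque=%b",
                label, key.getClass().getName(), key.getAlgorithm(), isOpaque(key));
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 2) {
            // Hypothetical usage: java OpaqueKeyCheck <pkcs11-config-file> <alias>
            Console console = System.console();
            if (console == null) throw new IllegalStateException("no console to read the PIN from");
            char[] pin = console.readPassword("Token PIN: ");
            Provider p = Security.getProvider("SunPKCS11").configure(args[0]);
            KeyStore ks = KeyStore.getInstance("PKCS11", p);
            ks.load(null, pin);                       // logs in to the token
            java.util.Arrays.fill(pin, '\0');         // do not keep the PIN in memory
            Key key = ks.getKey(args[1], null);       // the call whose result changed
            if (key == null) throw new IllegalArgumentException("no key entry for alias " + args[1]);
            System.out.println(describe(args[1], key));
            return;
        }
        // Offline self-check with constructed keys: one software key, one stand-in opaque key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        System.out.println(describe("software RSA key", kpg.generateKeyPair().getPrivate()));
        System.out.println(describe("constructed token-only key", new TokenOnlyKey()));
    }
}
```

Running it against the same token and alias on JDK builds from before and after a change such as this one shows whether the key handed back to the application changed between opaque and extractable.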

@valeriepeng
Contributor

Since the existing tests use NSS, the change should not cause any difference. Just curious, do you know what PKCS11 library/impl the reporter uses? Would be nice to include it into the bug record as additional information.

@openjdk

openjdk bot commented Feb 6, 2024

@martinuy This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8325254: CKA_TOKEN private and secret keys are not necessarily sensitive

Reviewed-by: valeriep

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 25 new commits pushed to the master branch:

  • 96eb039: 8324665: Loose matching of space separators in the lenient date/time parsing mode
  • 2d252ee: 8325180: Rename jvmti_FollowRefObjects.h
  • b814c31: 8321703: jdeps generates illegal dot file containing nodesep=0,500000
  • 50b17d9: 8316704: Regex-free parsing of Formatter and FormatProcessor specifiers
  • 51d7169: 8320237: C2: late inlining of method handle invoke causes duplicate lines in PrintInlining output
  • fd89b33: 8316992: Potential null pointer from get_current_thread JVMCI helper function.
  • d1c8215: 8325194: GHA: Add macOS M1 testing
  • f356970: 8322535: Change default AArch64 SpinPause instruction
  • b75c134: 8325313: Header format error in TestIntrinsicBailOut after JDK-8317299
  • 4cd3187: 8324874: AArch64: crypto pmull based CRC32/CRC32C intrinsics clobber V8-V15 registers
  • ... and 15 more: https://git.openjdk.org/jdk/compare/55c1446b68db6c4734420124b5f26278389fdf2b...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

@openjdk openjdk bot added the ready Pull request is ready to be integrated label Feb 6, 2024
@martinuy
Contributor Author

martinuy commented Feb 6, 2024

Hi @valeriepeng,

Thanks for having a look at this.

> Since the existing tests use NSS, the change should not cause any difference. Just curious, do you know what PKCS11 library/impl the reporter uses? Would be nice to include it into the bug record as additional information.

Yes, good idea. I'll add it to the ticket.

@martinuy
Contributor Author

martinuy commented Feb 6, 2024

/integrate

@openjdk

openjdk bot commented Feb 6, 2024

Going to push as commit 0f5f3c9.
Since your change was applied there have been 26 commits pushed to the master branch:

  • 4b1e367: 8325152: Clarify specification of java.io.RandomAccessFile.setLength
  • 96eb039: 8324665: Loose matching of space separators in the lenient date/time parsing mode
  • 2d252ee: 8325180: Rename jvmti_FollowRefObjects.h
  • b814c31: 8321703: jdeps generates illegal dot file containing nodesep=0,500000
  • 50b17d9: 8316704: Regex-free parsing of Formatter and FormatProcessor specifiers
  • 51d7169: 8320237: C2: late inlining of method handle invoke causes duplicate lines in PrintInlining output
  • fd89b33: 8316992: Potential null pointer from get_current_thread JVMCI helper function.
  • d1c8215: 8325194: GHA: Add macOS M1 testing
  • f356970: 8322535: Change default AArch64 SpinPause instruction
  • b75c134: 8325313: Header format error in TestIntrinsicBailOut after JDK-8317299
  • ... and 16 more: https://git.openjdk.org/jdk/compare/55c1446b68db6c4734420124b5f26278389fdf2b...master

Your commit was automatically rebased without conflicts.

@openjdk openjdk bot added the integrated Pull request has been integrated label Feb 6, 2024
@openjdk openjdk bot closed this Feb 6, 2024
@openjdk openjdk bot removed ready Pull request is ready to be integrated rfr Pull request is ready for review labels Feb 6, 2024
@openjdk

openjdk bot commented Feb 6, 2024

@martinuy Pushed as commit 0f5f3c9.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

Labels
integrated Pull request has been integrated security security-dev@openjdk.org
3 participants