Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

8255410: Add ChaCha20 and Poly1305 support to SunPKCS11 provider #3420

Closed
wants to merge 4 commits into from

Conversation

valeriepeng
Copy link

@valeriepeng valeriepeng commented Apr 9, 2021

Could someone (perhaps Jamil?) please help review this change? This enhances SunPKCS11 provider with ChaCha20-Poly1305 cipher and ChaCha20 key generation support. Majority of the regression tests are adapted from the existing ones for SunJCE provider's ChaCha20-Poly1305 cipher impl. When testing against NSS v3.57, it does not have support for ChaCha20 cipher, thus I did not add support for ChaCha20 cipher and the corresponding parameter.

Thanks!
Valerie


Progress

  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue
  • Change must be properly reviewed

Issue

  • JDK-8255410: Add ChaCha20 and Poly1305 support to SunPKCS11 provider

Reviewers

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/3420/head:pull/3420
$ git checkout pull/3420

Update a local copy of the PR:
$ git checkout pull/3420
$ git pull https://git.openjdk.java.net/jdk pull/3420/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 3420

View PR using the GUI difftool:
$ git pr show -t 3420

Using diff file

Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/3420.diff

Enhance SunPKCS11 provider with ChaCha20-Poly1305 cipher and ChaCha20 key
 generation support.
@valeriepeng
Copy link
Author

@valeriepeng valeriepeng commented Apr 9, 2021

/csr

@bridgekeeper
Copy link

@bridgekeeper bridgekeeper bot commented Apr 9, 2021

👋 Welcome back valeriep! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

@openjdk openjdk bot added rfr csr labels Apr 9, 2021
@openjdk
Copy link

@openjdk openjdk bot commented Apr 9, 2021

@valeriepeng has indicated that a compatibility and specification (CSR) request is needed for this pull request.
@valeriepeng please create a CSR request and add link to it in JDK-8255410. This pull request cannot be integrated until the CSR request is approved.

@openjdk
Copy link

@openjdk openjdk bot commented Apr 9, 2021

@valeriepeng The following label will be automatically applied to this pull request:

  • security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

@openjdk openjdk bot added the security label Apr 9, 2021
@mlbridge
Copy link

@mlbridge mlbridge bot commented Apr 9, 2021

Webrevs

@valeriepeng
Copy link
Author

@valeriepeng valeriepeng commented Apr 12, 2021

Please also review CSR: https://bugs.openjdk.java.net/browse/JDK-8265008
Thanks!
Valerie

@@ -0,0 +1,216 @@
/*
Copy link
Member

@sisahoo sisahoo Apr 15, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is no compatibility Test exist between SunJCE and SunPKCS11 providers. Do we need one here.

Copy link
Author

@valeriepeng valeriepeng Apr 22, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Theoretically, these new regression tests are mostly adapted from the ChaCha20-Poly1305 cipher tests of existing SunJCE provider. The test vectors are also the same, so the compatibility is tested indirectly.
I have added a testInterop() method which uses one for encryption and the other for decryption and vice versa, just to be safe. If there are specific scenarios which I missed, please let me know and I will add it.

random.nextBytes(iv);
}
apAlgo = "ChaCha20-Poly1305";
spec = new IvParameterSpec(iv);
Copy link
Member

@jnimeh jnimeh Apr 15, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are there protections further up the call stack that guarantee that iv will be non-null when encrypt == false? I assume there are but I figured I'd ask since a null iv could cause NPE.

Copy link
Author

@valeriepeng valeriepeng Apr 22, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, there are checks in engineInit() to ensure that IV must be supplied when init with Cipher.DECRYPT_MODE. I added some more checks for getIV() and getParameters() to TestChaChaPoly.java just to be safe.
Also, I added more null checks to this method to ensure that NPE won't happen.

jnimeh
jnimeh approved these changes Apr 15, 2021
@openjdk openjdk bot removed the csr label Apr 21, 2021
@openjdk
Copy link

@openjdk openjdk bot commented Apr 21, 2021

@valeriepeng This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8255410: Add ChaCha20 and Poly1305 support to SunPKCS11 provider

Reviewed-by: jnimeh

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 276 new commits pushed to the master branch:

  • a8ddbd1: 8265683: vmTestbase/nsk/jdb tests failed with "JDWP exit error AGENT_ERROR_INTERNAL(181)"
  • 7a55914: 8264196: Change link_and_cleanup_shared_classes(CATCH) to CHECK
  • b84f690: 8265793: Remove duplicate jtreg TEST.groups references for some client tests
  • 0e00598: 8265782: Bump bootjdk to jdk-17+19 on macosx-aarch64 at Oracle
  • e81baea: 8265786: ProblemList serviceability/sa/sadebugd/DisableRegistryTest.java on ZGC
  • ca0de26: 8265699: (bf) Scopes passed to ScopedMemoryAccess.copy[Swap]Memory in incorrect order
  • b930bb1: 8265461: G1: Forwarding pointer removal thread sizing
  • f834557: 8258915: Temporary buffer cleanup
  • 31d8a19: 8265105: gc/arguments/TestSelectDefaultGC.java fails when compiler1 is disabled
  • 657f103: 8057543: Replace javac's Filter with Predicate (and lambdas)
  • ... and 266 more: https://git.openjdk.java.net/jdk/compare/ff223530b66a83fb77c477da97a2dd60df448ec8...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

@openjdk openjdk bot added the ready label Apr 21, 2021
@valeriepeng
Copy link
Author

@valeriepeng valeriepeng commented Apr 29, 2021

/integrate

@openjdk openjdk bot closed this Apr 29, 2021
@openjdk openjdk bot added integrated and removed ready rfr labels Apr 29, 2021
@openjdk
Copy link

@openjdk openjdk bot commented Apr 29, 2021

@valeriepeng Since your change was applied there have been 426 commits pushed to the master branch:

  • 46b4a14: 8266315: Problem list failing test java/awt/font/TextLayout/LigatureCaretTest.java
  • 42af7da: 8265933: Move Java monitor related fields from class Thread to JavaThread
  • 1afbab6: 8263998: Remove mentions of mc region in comments
  • 51b2fb5: 8266299: ProblemList runtime/stringtable/StringTableCleaningTest.java on linux-aarch64 with ZGC
  • 49d0458: 8266288: assert root method not found in witnessed_reabstraction_in_supers is too strong
  • 01415f3: 8266250: WebSocketTest and WebSocketProxyTest call assertEquals(List<byte[]>, List<byte[]>)
  • 5f15666: 8266078: Reader.read(CharBuffer) advances Reader position for read-only Charbuffers
  • 2a03739: 8266014: Regression brought by optimization done with JDK-4926314
  • 6bb71d9: 8264762: ByteBuffer.byteOrder(BIG_ENDIAN).asXBuffer.put(Xarray) and ByteBuffer.byteOrder(nativeOrder()).asXBuffer.put(Xarray) are slow
  • f0f6b0d: 8266027: The diamond finder does not find diamond candidates in field initializers
  • ... and 416 more: https://git.openjdk.java.net/jdk/compare/ff223530b66a83fb77c477da97a2dd60df448ec8...master

Your commit was automatically rebased without conflicts.

Pushed as commit 5d8c1cc.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

@valeriepeng valeriepeng deleted the JDK-8255410 branch Apr 29, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
integrated security
3 participants