8288985: P11TlsKeyMaterialGenerator should work with ChaCha20-Poly1305 #9072
Conversation
|
👋 Welcome back zzambers! A progress list of the required criteria for merging this PR into |
zzambers
changed the title
Webrevs
|
|
The title generally state the problem, or action/expectation. How about either "P11TlsKeyMaterialGenerator does not work with ChaCha20-Poly1305" or "P11TlsKeyMaterialGenerator should work with ChaCha20-Poly1305"? |
| if ("ChaCha20-Poly1305".equals(algorithm)) { | ||
| algorithm = "ChaCha20"; | ||
| } |
There was a problem hiding this comment.
Have you considered adding "ChaCha20-Poly1305" into the "keyTypes" instead? Then you don't need to add the if-block here.
There was a problem hiding this comment.
That would indeed be cleaner solution. I'll make this change. Thank you.
There was a problem hiding this comment.
Please update the 2nd copyright year to 2022 also.
zzambers
changed the title
|
I have addressed both remarks. |
| * @test | ||
| * @bug 8288985 | ||
| * @summary Test that KeyMaterial generator works with ChaCha20-Poly1305 | ||
| * @author Zdenek Zambersky |
There was a problem hiding this comment.
nit: IIRC we no longer add @author tag.
| /* | ||
| * @test | ||
| * @bug 8288985 | ||
| * @summary Test that KeyMaterial generator works with ChaCha20-Poly1305 |
| try { | ||
| KeyGenerator.getInstance("ChaCha20", provider); | ||
| } catch (NoSuchAlgorithmException e) { | ||
| System.out.println("Skipping, ChaCha20 not supported"); | ||
| return; | ||
| } |
There was a problem hiding this comment.
This test does not use CKM_CHACHA20_KEY_GEN, and the test passes when I run it against the version of NSS which does not support CKM_CHACHA20_KEY_GEN. Since the test requires the provider to support "SunTlsRsaPremasterSecret", "SunTls12MasterSecret", and "SunTls12KeyMaterial" key generators, probably should base the check on them instead?
| // https://github.com/openjdk/jdk/blob/ccec5d1e8529c8211cc678d8acc8d37fe461cb51/src/java.base/share/classes/sun/security/ssl/SSLTrafficKeyDerivation.java#L270 | ||
| // https://github.com/openjdk/jdk/blob/ccec5d1e8529c8211cc678d8acc8d37fe461cb51/src/java.base/share/classes/sun/security/ssl/CipherSuite.java#L93 |
There was a problem hiding this comment.
nit: do these two links really needed? If yes, add some more text for their purpose?
I will submit a test job on my end also, just to be safe. |
|
I have made fixes to the test based on your comments. I retested test :) and works ( fails without fix in P11SecretKeyFactory.java passes with ). |
|
@zzambers This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be: You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 378 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@valeriepeng) but any other Committer may sponsor as well. ➡️ To flag this PR as ready for integration with the above commit message, type |
|
I have realized, I forgot to fix copyright date in P11SecretKeyFactory.java, so fixed that. |
|
@valeriepeng Thank you for the review |
Once you did the "/integrate" command, I can then sponsor this change. |
|
/integrate |
|
/sponsor |
|
Going to push as commit b6bd190.
Your commit was automatically rebased without conflicts. |
openjdk
bot
removed
ready
|
@valeriepeng @zzambers Pushed as commit b6bd190. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored. |
TLS
*_CHACHA20_POLY1305_*cipher suites are currently broken when configuration with SunPKCS11 provider is used. I discovered this by my ssl-tests testsuite [1].Problem:
Exception is thrown by P11TlsKeyMaterialGenerator.engineGenerateKey method [2], based on result of P11SecretKeyFactory.getKeyType method [3], which only "knows" "ChaCha20" key algorithm, but does not accept "ChaCha20-Poly1305" as algorithm. Algorithm value is passed from SSLTrafficKeyDerivation.LegacyTrafficKeyDerivation class [4], which leads to algorithm field in SSLCipher class [5]. Value of that field comes from cipher name in JsseJce class [6] (ending at first slash, if any).
Fix:
This fix basically modifies P11SecretKeyFactory.getKeyType method to accept "ChaCha20-Poly1305" as alias for "ChaCha20".
Testing:
I ran jdk_security tests locally and they passed. Also failure in ssl-tests gets fixed.
[1] https://github.com/zzambers/ssl-tests
[2]
jdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11TlsKeyMaterialGenerator.java
Line 168 in b7a34f7
[3]
jdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
Line 101 in b7a34f7
[4]
jdk/src/java.base/share/classes/sun/security/ssl/SSLTrafficKeyDerivation.java
Line 270 in b7a34f7
[5]
jdk/src/java.base/share/classes/sun/security/ssl/SSLCipher.java
Line 496 in b7a34f7
[6]
jdk/src/java.base/share/classes/sun/security/ssl/JsseJce.java
Line 81 in b7a34f7
Progress
Issue
Reviewers
Reviewing
Using
gitCheckout this PR locally:
$ git fetch https://git.openjdk.org/jdk pull/9072/head:pull/9072$ git checkout pull/9072Update a local copy of the PR:
$ git checkout pull/9072$ git pull https://git.openjdk.org/jdk pull/9072/headUsing Skara CLI tools
Checkout this PR locally:
$ git pr checkout 9072View PR using the GUI difftool:
$ git pr show -t 9072Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/9072.diff