Yes, key value extraction is disallowed for the PKCS11 provider in FIPS mode.
When you call KeyAgreement.generateSecret(), a native key is generated and its
key value would be extracted and returned, which would be rejected for a provider in
FIPS mode. Please try the KeyAgreement.generateSecret(String) ca
Thank you for that information, but the problem is that the HSM provider
has documented that CKD_NULL is not allowed in FIPS mode, and when I
try either
byte[] Z = ka.generateSecret();
*or*
SecretKey Z = ka.generateSecret("TlsPremasterSecret");
the error is the same:
Caused by: sun.securi
On Sat, 3 Aug 2024 00:46:05 GMT, Anthony Scarpino wrote:
>> Hi
>>
>> This change is to improve TLS 1.3 session resumption by allowing a TLS
>> server to send more than one resumption ticket per connection and clients to
>> store more. Resumption is a quick way to use an existing TLS session t
> Introduce an API for Key Derivation Functions (KDFs), which are cryptographic
> algorithms for deriving additional keys from a secret key and other data. See
> [JEP 478](https://openjdk.org/jeps/478).
>
> Work was begun in [another PR](https://github.com/openjdk/jdk/pull/18924).
Kevin Driver
On Fri, 16 Aug 2024 21:40:08 GMT, Weijun Wang wrote:
>> @wangweij felt this was advantageous.
>
> Valerie is correct. I might have confused algorithm name and format name.
Addressed in
https://github.com/openjdk/jdk/pull/20301/commits/48395b86ba8e1cda663ae326e06ae2556f4b905a.
Please indicate i
On Fri, 16 Aug 2024 18:18:51 GMT, Valerie Peng wrote:
>> src/java.base/share/classes/com/sun/crypto/provider/HkdfKeyDerivation.java
>> line 258:
>>
>>> 256: byte[] workItemBytes = CipherCore.getKeyBytes(checkIt);
>>> 257: return new SecretKeySpec(workItemBytes, "
On Fri, 16 Aug 2024 18:16:07 GMT, Valerie Peng wrote:
>> Kevin Driver has updated the pull request incrementally with one additional
>> commit since the last revision:
>>
>> addressed several review comments, namely: - renaming the getParameters
>> method - renaming the AlgorithmParameterSpe
On Fri, 16 Aug 2024 21:10:40 GMT, Kevin Driver wrote:
>> src/java.base/share/classes/javax/crypto/spec/HKDFParameterSpec.java line
>> 362:
>>
>>> 360: *
>>> 361: * @param prk
>>> 362: * the pseudorandom key; may be {@code null}
>>
>> Instead of stating "prk may b
On Tue, 6 Aug 2024 22:25:30 GMT, Martin Balao wrote:
>> Can someone help review this fix? Changed the required-mechanism check by
>> checking if the particular mechanism is inside the list of enabled supported
>> mechanisms. This should be more reliable than calling C_GetMechanismInfo(..)
>> o
On Tue, 6 Aug 2024 22:39:59 GMT, Martin Balao wrote:
>> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
>> line 1297:
>>
>>> 1295: new HashMap();
>>> 1296:
>>> 1297: for (long longMech : supportedMechanisms) {
>>
>> Is the code under `if (!conf
On Fri, 16 Aug 2024 23:38:56 GMT, Valerie Peng wrote:
>> Addressed in
>> https://github.com/openjdk/jdk/pull/20301/commits/c6f491cd05c76088e6431b2ba9d4ab42b29e4055.
>> Please indicate if this is resolved.
>
> How about the "may" => "should" change?
Addressed in
https://github.com/openjdk/jdk/
In preparation for the new PQC algorithms implementations, internal XOF
(eXtendable Output Function) methods are added to the SHAKE128 and SHAKE256
implementations.
-
Commit messages:
- Cosmetic fixes
- JDK-8338587 - Internal XOF Methods for SHAKE128 and SHAKE256
Changes: https:/
On Mon, 19 Aug 2024 19:38:37 GMT, Ferenc Rakoczi wrote:
> In preparation for the new PQC algorithms implementations, internal XOF
> (eXtendable Output Function) methods are added to the SHAKE128 and SHAKE256
> implementations.
Not sure if you noticed, the bot warns "Change must not contain ext