Bug ID: JDK-8029661 Support TLS v1.2 algorithm in SunPKCS11 provider

JDK-8029661 : Support TLS v1.2 algorithm in SunPKCS11 provider

Type: Enhancement
Component: security-libs
Sub-Component: javax.net.ssl

Priority: P3
Status: Resolved
Resolution: Fixed

Submitted: 2013-12-06
Updated: 2019-03-19
Resolved: 2018-09-19

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 11	JDK 12	JDK 8	Other
11.0.3-oracleFixed	12 b12Fixed	8u192Fixed	openjdk7uFixed

Related Reports

Blocks :	JDK-8080462 - Update SunPKCS11 provider with PKCS11 v2.40 support
Duplicate :	JDK-8080076 - PKCS#11 v2.40 Support for TLSv1.2 feature
Relates :	JDK-8210912 - Build error in src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c after JDK-8029661
Relates :	JDK-8220753 - Re-introduce the test case for TLS 1.2 algorithms in SunPKCS11 crypto provider
Relates :	JDK-8213154 - Update copyright headers of files in src tree that are missing Classpath exception

Description

See the comment in SunPKCS11.java.  Need to consider whether we can support SunTls12Prf, SunTls12RsaPremasterSecret, etc. in SunPKCS11 in the future.

        /*
         * TLS 1.2 uses a different hash algorithm than 1.0/1.1 for the
         * PRF calculations.  As of 2010, there is no PKCS11-level
         * support for TLS 1.2 PRF calculations, and no known OS's have
         * an internal variant we could use.  Therefore for TLS 1.2, we
         * are updating JSSE to request different provider algorithms
         * (e.g. "SunTls12Prf"), and currently only SunJCE has these
         * TLS 1.2 algorithms.
         *
         * If we reused the names such as "SunTlsPrf", the PKCS11
         * providers would need be updated to fail correctly when
         * presented with the wrong version number (via
         * Provider.Service.supportsParameters()), and we would also
         * need to add the appropriate supportsParamters() checks into
         * KeyGenerators (not currently there).
         *
         * In the future, if PKCS11 support is added, we will restructure
         * this.
         */

Comments

*Only maintained release with TLSv1.2 (6 doesn't have it, as far as I recall)
24-11-2018
Fix request This is low-risk, adding missing TLSv1.2 support in the PKCS11 provider, and now is in OpenJDK 7 & 8. It would be odd for 11 to be the only maintained release without it.
24-11-2018
Patch proposed on security-dev: http://mail.openjdk.java.net/pipermail/security-dev/2017-November/016446.html
12-12-2017
Assigning to myself on behalf of mbalao@redhat.com .
31-10-2017