Request for phase 2 approval for CR 7099228 (original) (raw)

Request for phase 2 approval for CR 7099228 - Use a PKCS11 config attribute to control encoding of an EC point

Vincent Ryan vincent.x.ryan at oracle.com
Thu Oct 13 00:57:50 PDT 2011

7099228: Use a PKCS11 config attribute to control encoding of an EC point http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7099228

Description The fix for CR 7054637 introduced a PKCS11 token attribute to control whether an EC point encoding is wrapped in an ASN.1 OCTET STRING or not.

It has been reported that the numeric identifier chosen for that attribute clashes with the numeric identifier already chosen by a vendor of PKCS11 tokens in one of their vendor extensions.

To avoid this and any future namespace collisions from other token vendors a JCE provider attribute is used instead of a token attribute.

Equivalent patch to the fix for JDK 8: http://cr.openjdk.java.net/~vinnie/7099228/webrev.00/

Reviewers: Valerie Peng Sean Mullan

Justification: This fix is required in order to avoid any unintended behaviour in PKCS11 security tokens due to a namespace collision in an extensible set of token attributes. One security token vendor has already been identified that will be impacted by this namespace collision.

The fix corrects the problem before any other vendors are impacted. The fix is limited in scope, isolated and is low risk. Only classes in the SunPKCS11 JCE provider are affected by this fix.

Testing is covered by the existing PKCS11 automated regression tests.

More information about the jdk7u-dev mailing list