Please add HMAC keygen to SunPKCS11

Valerie Peng valerie.peng at oracle.com
Sat Oct 24 01:18:56 UTC 2020 

Hi, Justin,

Most callers just wrap the HMAC key bytes into a java SecretKey object, 
e.g. new SecretKeySpec(keyBytes, "HmacSHA256"), pass that into the HMAC 
impl from SunPKCS11 provider which will then convert it into a 
CKK_GENERIC_SECRET key and passing that to underlying PKCS11 library.

Maybe for some very specific cases, support CKM_GENERIC_SECRET_KEY_GEN 
is necessary and I can look into that. For determining the priority on 
this, would the java SecretKey object address your need? Or is there 
other reason requiring 3rd party utility?

Thanks,
Valerie


On 10/21/2020 8:44 PM, Justin Cranford wrote:
>
> Compare SunPKCS11 support for AES vs HMAC
>
>   * AES => keygen is supported, and AES key can be used for encrypt
>     and decrypt.
>   * HMAC => keygen is not supported, but HMAC key can be used for MAC.
>
> This does not make sense. A third-party utility is required for HMAC 
> keygen, but not for AES keygen.
>
> Use case:
>
>   * PKCS#11 driver is v2.20.
>   * This means AES-256-GCM is not available for confidentiality and
>     integrity, because GCM supported was only added in PKCS#11 v2.40.
>   * Fallback to AES-256-CBC and HmacSha256 is required for
>     confidentiality and integrity, respectively.
>   * Java can trigger AES keygen, but not HMAC keygen. A third-party
>     utility is required to trigger HMAC keygen before running Java.
>
> Would it be possible to add the missing GENERIC-SECRET-KEY-GEN 
> mechanism to SunPKCS11? Notice how that mechanism is missing from the 
> documented SunPKCS11 algorithms and mechanisms. It is the same in Java 
> 8 all the way up to 15.
>
>   * https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html#ALG
>     <https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html#ALG>
>
> To reproduce and demonstrate the missing HMAC keygen issue, here is a 
> small Java Maven project.
>
>   * https://github.com/justincranford/pkcs11
>     <https://github.com/justincranford/pkcs11>
>
> The readme shows the commands to initialize the SoftHSM2 token, and 
> use a third-party OpenSC utility to trigger HMAC keygen. It also shows 
> how to set the required SoftHSM2 env variable and run the Maven build.
>
> The Maven build will execute the ITPkcs11.java integration test class. 
> The tests demonstrate:
>
>   * Successful SunPKCS11 login to SoftHSM2 and list any existing keys
>   * Successful AES keygen, encrypt, decrypt
>   * Successful HMAC mac
>   * Failed HMAC keygen (because SunPKCS11 does not support
>     GENERIC-SECRET-KEY-GEN mechanism yet)
>
> Thank you,
>
> Justin Cranford
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20201023/9a3e5834/attachment.htm>

More information about the security-dev mailing list