Please add HMAC keygen to SunPKCS11

Justin Cranford Justin.Cranford at entrust.com
Mon Oct 26 02:59:03 UTC 2020


Hi Valerie,

Thank you for responding to my request for HMAC keygen in SunPKCS11.

The workaround you mentioned executes OK, but does not address the use case. SunJCE handles the same key object for HmacSHA256 too, so I am not sure if there is any benefit to passing a key into SunPKCS11.

Here is the use case. I would like to generate all keys inside the HSM and have them marked unexportable. That strongly guarantees keys never leave the HSM. It also requires continuous access to the HSM, which can be managed (e.g. physical or network access). Finally, it requires authentication to use the keys, which can also be managed (i.e. user PIN with reset/update by SO user).

The only reason for me to use a 3rd party PKCS#11 client is requesting generic secret keygen inside the HSM. After that, SunPKCS11 can login and use it. If SunPKCS11 can handle requesting generic secret keygen, then I don't need that 3rd party HSM client anymore.

Thank you,
Justin Cranford

------------------------------

Date: Fri, 23 Oct 2020 18:18:56 -0700
From: Valerie Peng <valerie.peng at oracle.com>
To: security-dev at openjdk.java.net
Subject: Re: Please add HMAC keygen to SunPKCS11
Message-ID: <5f8bdd12-60eb-b57d-c9d3-6ecf8d8a73e4 at oracle.com>

Hi, Justin,

Most callers just wrap the HMAC key bytes into a Java SecretKey object, e.g. new SecretKeySpec(keyBytes, "HmacSHA256"), and pass that into the HMAC impl from the SunPKCS11 provider, which will then convert it into a CKK_GENERIC_SECRET key and pass that to the underlying PKCS11 library.

Maybe for some very specific cases, support for CKM_GENERIC_SECRET_KEY_GEN is necessary and I can look into that. For determining the priority on this, would the Java SecretKey object address your need? Or is there another reason requiring a 3rd party utility?

Thanks,
Valerie
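
The two paths discussed in this thread, side by side, as an added example that is not part of either message or of the OpenJDK code base. It assumes Java 9 or later and a PKCS#11 token; the class name, the config file path, the PIN and the key label passed as arguments are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class Pkcs11HmacPaths {
    public static void main(String[] args) throws Exception {
        // Assumptions: args[0] = SunPKCS11 config file (name = ..., library = ...),
        // args[1] = user PIN, args[2] = label of a generic secret key already on the token.
        Provider p11 = Security.getProvider("SunPKCS11").configure(args[0]);
        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, args[1].toCharArray()); // logs in to the token
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        // Path 1 (SecretKeySpec workaround): the key bytes are created in JVM memory
        // and only then handed to the SunPKCS11 HMAC implementation.
        byte[] keyBytes = new byte[32];
        new SecureRandom().nextBytes(keyBytes);
        SecretKeySpec softKey = new SecretKeySpec(keyBytes, "HmacSHA256");
        Mac p11Mac = Mac.getInstance("HmacSHA256", p11);
        p11Mac.init(softKey);
        byte[] tagP11 = p11Mac.doFinal(msg);
        // The same key object also works with SunJCE, because its bytes are in the JVM.
        Mac jceMac = Mac.getInstance("HmacSHA256", "SunJCE");
        jceMac.init(softKey);
        byte[] tagJce = jceMac.doFinal(msg);
        System.out.println("SunPKCS11 and SunJCE tags match: " + MessageDigest.isEqual(tagP11, tagJce));
        System.out.println("workaround key bytes readable: " + (softKey.getEncoded() != null));

        // Path 2 (the use case): the key was generated on the token beforehand;
        // Java only receives a handle to it through the PKCS11 KeyStore.
        Key hsmKey = ks.getKey(args[2], null);
        if (hsmKey == null) throw new IllegalStateException("no key labelled " + args[2]);
        Mac hsmMac = Mac.getInstance("HmacSHA256", p11);
        hsmMac.init(hsmKey);
        byte[] tagHsm = hsmMac.doFinal(msg);
        System.out.println("token key bytes readable: " + (hsmKey.getEncoded() != null));
        System.out.println("tag length from token key: " + tagHsm.length);
    }
}
```

For a key the token marks sensitive and non-extractable, `getEncoded()` returns null, so the second path never places key material in JVM memory.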



