RFR: 8264849: Add KW and KWP support to PKCS11 provider
Valerie Peng
valeriep at openjdk.java.net
Fri Oct 1 21:37:38 UTC 2021
On Thu, 30 Sep 2021 02:32:33 GMT, Anthony Scarpino <ascarpino at openjdk.org> wrote:
>> Anyone has time to review this RFE for adding AES cipher with KW, KWP modes support to SunPKCS11 provider?
>>
>> The main changes are in only one new class, i.e. P11KeyWrapCipher.java, which is the CipherSpi impl for the native PKCS11 key wrap mechanisms. When testing against NSS library, it seems that they only support the single part enc/dec PKCS11 APIs, so have to use a new class as existing P11Cipher class relies on the multi part enc/dec PKCS11 APIs and do not support key wrapping/unwrapping.
>>
>> The rest are minor code refactoring and updates for the PKCS11 Exception class.
>> The new regression tests are adapted from existing key wrap regression tests for SunJCE provider.
>>
>> Thanks,
>> Valerie
>
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyWrapCipher.java line 129:
>
>> 127: if (algoParts[0].startsWith("AES")) {
>> 128: // need 3 parts
>> 129: if (algoParts.length != 3) {
>
> At this point in the code, isn't it already certain to be a valid transform? The SunPKCS11 entries are limited to the valid transforms. Additionally do you really want AssertionError? Not NoSuchAlgorithmException?
Hmm, you are right, no need to check again as there are code in javax.crypto.Cipher class which handles this. I will remove it.
-------------
PR: https://git.openjdk.java.net/jdk/pull/5569
More information about the security-dev
mailing list