RFR: 8301553: Support Password-Based Cryptography in SunPKCS11 [v6]
Francisco Ferrari Bihurriet
duke at openjdk.org
Fri Jun 2 00:36:23 UTC 2023
On Thu, 1 Jun 2023 21:04:32 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
>> Martin Balao has updated the pull request incrementally with one additional commit since the last revision:
>>
>> 8301553: Support Password-Based Cryptography in SunPKCS11 (iteration #4)
>>
>> Co-authored-by: Francisco Ferrari <fferrari at redhat.com>
>> Co-authored-by: Martin Balao <mbalao at redhat.com>
>
> As someone who is familiar with the Cipher convention, it's clearer to apply the Cipher convention across the board, i.e. for Mac and SecretKeyFactory too.
> For example: For SecretKeyFactory.PBEWithHmacSHA1AndAES_128, use
> `CKM_PKCS5_PBKD2 (required CKM_SHA_1_HMAC)` instead of `CKM_PKCS5_PBKD2 and CKM_SHA_1_HMAC`.
>
> The listed mechanism is the one the impl maps to or based on. The required mechanism is for auxiliary functionalities. Putting the auxiliary one inside the required brackets seems clearer than combining them with the "and" word.
@valeriepeng: if the following format looks good to you, I'll pass the update to @martinuy:
<table>
<tr><th>Java Algorithm</th> <th>PKCS#11 Mechanisms</th></tr>
<tr><td>Cipher.PBEWithHmacSHA1AndAES_128</td> <td>CKM_AES_CBC_PAD, CKM_AES_CBC (requires CKM_PKCS5_PBKD2 and CKM_SHA_1_HMAC)</td></tr>
<tr><td>[…]</td> <td>[…]</td></tr>
<tr><td>Mac.HmacPBESHA1</td> <td>CKM_SHA_1_HMAC (requires CKM_PBA_SHA1_WITH_SHA1_HMAC)</td></tr>
<tr><td>[…]</td> <td>[…]</td></tr>
<tr><td>SecretKeyFactory.HmacPBESHA1</td> <td>CKM_PBA_SHA1_WITH_SHA1_HMAC</td></tr>
<tr><td>[…]</td> <td>[…]</td></tr>
<tr><td>SecretKeyFactory.PBKDF2WithHmacSHA224</td> <td>CKM_PKCS5_PBKD2 (requires CKM_SHA224_HMAC)</td></tr>
</table>
-------------
PR Comment: https://git.openjdk.org/jdk/pull/12396#issuecomment-1572960218
More information about the security-dev
mailing list