RFR: 8301553: Support Password-Based Cryptography in SunPKCS11 [v7]

[Martin Balao]

On Tue, 6 Jun 2023 18:18:43 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> Martin Balao has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   8301553: Support Password-Based Cryptography in SunPKCS11 (iteration #5)
>>   
>>   Co-authored-by: Francisco Ferrari <fferrari at redhat.com>
>>   Co-authored-by: Martin Balao <mbalao at redhat.com>
>
> src/java.base/share/classes/sun/security/util/PBEUtil.java line 347:
> 
>> 345:                             "Salt or iteration count parameters are " +
>> 346:                             "not consistent with PBE key");
>> 347:                 }
> 
> Based on the javadoc of PBEKey, it's possible that salt and ic aren't specified, e.g. null and 0. In this case, this check will fail if the PBEParameterSpec contains salt and ic. IIRC, the java impl will use the values from PBEParameterSpec in this case. Perhaps we can consider same handling? This can be handled separately by tracking this under a separate bug as it's getting too close to RPD1 already.

The PBEUtil::checkKeyAndParams function is used by SunPKCS11 only (see P11PBECipher::engineInit and P11Mac::engineInit), and the keys passed are always P11Key instances. Thus, a P11Key that is also a PBEKey is a P11PBEKey, and both the salt and iteration count for these keys are properly set.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/12396#discussion_r1220191902