Integrated: 8301553: Support Password-Based Cryptography in SunPKCS11

Martin Balao mbalao at openjdk.org
Tue Jun 6 19:43:29 UTC 2023 

On Fri, 3 Feb 2023 01:41:41 GMT, Martin Balao <mbalao at openjdk.org> wrote:

> We would like to propose an implementation for the [JDK-8301553: Support Password-Based Cryptography in SunPKCS11](https://bugs.openjdk.org/browse/JDK-8301553) enhancement requirement.
> 
> In addition to pursuing the requirement goals and guidelines of [JDK-8301553](https://bugs.openjdk.org/browse/JDK-8301553), we want to share the following implementation notes (grouped per altered file):
> 
>   * ```src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java``` (modified)
>     * This file contains the ```SunJCE``` implementation for the [PKCS #12 General Method for Password Integrity](https://datatracker.ietf.org/doc/html/rfc7292#appendix-B) algorithms. It has been modified with the intent of consolidating all parameter checks in a common file (```src/java.base/share/classes/sun/security/util/PBEUtil.java```), that can be used both by ```SunJCE``` and ```SunPKCS11```. This change does not only serve the purpose of avoiding duplicated code but also ensuring alignment and compatibility between different implementations of the same algorithms. No changes have been made to parameter checks themselves.
>     * The new ```PBEUtil::getPBAKeySpec``` method introduced for parameters checking takes both a ```Key``` and a ```AlgorithmParameterSpec``` instance (same as the ```HmacPKCS12PBECore::engineInit``` method), and returns a ```PBEKeySpec``` instance which consolidates all the data later required to proceed with the computation (password, salt and iteration count).
> 
>   * ```src/java.base/share/classes/com/sun/crypto/provider/PBES2Core.java``` (modified)
>     * This file contains the ```SunJCE``` implementation for the [PKCS #5 Password-Based Encryption Scheme](https://datatracker.ietf.org/doc/html/rfc8018#section-6.2) algorithms, which use PBKD2 algorithms underneath for key derivation. In the same spirit than for the ```HmacPKCS12PBECore``` case, we decided to consolidate common code for parameters validation and default values in a single file (```src/java.base/share/classes/sun/security/util/PBEUtil.java```), that can serve both ```SunJCE``` and ```SunPKCS11``` and ensure compatibility. However, instead of a single static method at the implementation level (see ```PBEUtil::getPBAKeySpec```), we create an instance of an auxiliary class and invoke an instance method (```PBEUtil.PBES2Params::getPBEKeySpec```). The reason is to persist parameters data that has to be consistent between calls to ```PBES2Core::engineInit``` (in its multiple overloads) and ```PB...

This pull request has now been integrated.

Changeset: 4a75fd46
Author:    Martin Balao <mbalao at openjdk.org>
URL:       https://git.openjdk.org/jdk/commit/4a75fd462c002a209201d8bfc8d6c9eb286a7444
Stats:     3273 lines in 30 files changed: 2826 ins; 265 del; 182 mod

8301553: Support Password-Based Cryptography in SunPKCS11

Co-authored-by: Francisco Ferrari Bihurriet <fferrari at redhat.com>
Co-authored-by: Martin Balao <mbalao at openjdk.org>
Reviewed-by: valeriep

-------------

PR: https://git.openjdk.org/jdk/pull/12396

More information about the security-dev mailing list