RFR: 8301553: Support Password-Based Cryptography in SunPKCS11
Martin Balao
mbalao at openjdk.org
Mon Mar 20 14:58:08 UTC 2023
On Sat, 18 Mar 2023 06:08:07 GMT, Martin Balao <mbalao at openjdk.org> wrote:
>> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java line 118:
>>
>>> 116: return true;
>>> 117: }
>>> 118: return ki.keyType == si.keyType;
>>
>> So, for non-PBE key info, algos do not have to match?
>
> For services and keys cases in which algorithms identity-match —irrespective if they are PBE or non-PBE—, KeyInfo::checkUse is not called and execution moves forward as if the check passed (see [here](https://github.com/openjdk/jdk/blob/ab7ffd56bb8b93d513023d0136df55a6375c3286/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java#L285)). The same is true for services that accept any key type, such as those whose pseudo types are PCKK_HMAC or PCKK_SSLMAC.
>
> The ki.keyType == si.keyType success value affects cases in which algorithms are different but it's still possible to use the key in the service. One example that would hit this path is a PBE key derived for AES that it's used in an AES Cipher service. For non-PBE keys and services cases, one example is algorithms "RC4" and "ARCFOUR" that have both the underlying CKK_RC4 key type. Notice that this latter case is not new: previous to this enhancement proposal, key types were compared as well (see [here](https://github.com/openjdk/jdk/blob/jdk-21%2B14/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java#L147)).
>
> For non-PBE keys and services cases, what is new with this enhancement is to accept them if their algorithms are identity-equal. This condition necessarily means that key types are equal —the opposite is obviously not true—. One minor detail, when we refer to the algorithms equality trivial pass condition, it's an object identity comparison for performance.
As commented [here](https://github.com/openjdk/jdk/pull/12396#discussion_r1142245451), I'll add a comment to the code explaining this execution path.
-------------
PR: https://git.openjdk.org/jdk/pull/12396
More information about the security-dev
mailing list