RFR: 8301553: Support Password-Based Cryptography in SunPKCS11 [v5]

[Martin Balao]

On Thu, 25 May 2023 19:30:36 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> Martin Balao has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   8301553: Support Password-Based Cryptography in SunPKCS11 (iteration #3)
>>   
>>   Co-authored-by: Francisco Ferrari <fferrari at redhat.com>
>>   Co-authored-by: Martin Balao <mbalao at redhat.com>
>
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PBECipher.java line 214:
> 
>> 212:     protected int engineGetKeySize(Key key)
>> 213:             throws InvalidKeyException {
>> 214:         return cipher.engineGetKeySize(key);
> 
> I am not too sure that this would work for all types of key... Based on the current impl, cipher is an AES cipher, but the specified key here can be P11Key or a PBEKey object. The key algorithms for both would be PBE-related, but then you are using a AES cipher to retrieve the key size?

If the key is a P11PBEKey, the underlying Cipher will call P11SecretKeyFactory::convertKey with a non-PBE service algorithm and, assuming that it's in the same token and that the key is suitable for the service, will return the same key. This case should return the key length used during derivation. If the key is a PBEKey but not a P11PBEKey, there will be a call to P11SecretKeyFactory::convertKey with a non-PBE service algorithm and the key algorithm is PBE. Looks to me that, assuming that the key algorithm is suitable for the service, there will be a key derivation to finally get the length from a derived P11PBEKey. This case should not be different than using a PBEKey in a non-PBE service. @franferrax what do you think?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/12396#discussion_r1206093462