RFR: 8328119: Support HKDF in SunPKCS11 (Preview) [v6]

Francisco Ferrari Bihurriet fferrari at openjdk.org
Thu Dec 19 17:45:38 UTC 2024 

On Thu, 19 Dec 2024 14:14:43 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Yes, sure. I added a comment to the _Solution_ section of the CSR and the name to the table in _Specification_.
>
> BTW, what else can this key be used? I tried in HmacSHA256 and there is a CKR_KEY_TYPE_INCONSISTENT error.

Hi @wangweij,

Which test have you executed? I'm able to use "Generic" keys for HmacSHA256, in a local slowdebug build of this branch. 


cat >providersList.properties <<'EOF'
security.provider.1=SunPKCS11 --\\n\
    name = NSS\\n\
    nssLibraryDirectory = /usr/lib64\\n\
    nssDbMode = noDb
security.provider.2=SUN
security.provider.3=SunRsaSign
security.provider.4=SunEC
security.provider.5=SunJSSE
security.provider.6=SunJCE
security.provider.7=SunJGSS
security.provider.8=SunSASL
security.provider.9=XMLDSig
security.provider.10=SunPCSC
security.provider.11=JdkLDAP
security.provider.12=JdkSASL
EOF



cat >Main.java <<'EOF'
import java.util.HexFormat;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.SecretKeySpec;

public final class Main {
    public static void main(String[] args) throws Exception {
        byte [] keyMaterial = "Secret-Bytes".getBytes();
        SecretKeySpec spec = new SecretKeySpec(keyMaterial, "Generic");
        SecretKeyFactory skf = SecretKeyFactory.getInstance("Generic");
        SecretKey sk = skf.generateSecret(spec);
        System.out.println(sk);

        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(sk);
        mac.update("test".getBytes());
        System.out.println(HexFormat.of().formatHex(mac.doFinal()));
    }
}
EOF



./build/linux-x86_64-server-slowdebug/images/jdk/bin/java \
    -Djava.security.properties=providersList.properties Main.java
rm providersList.properties Main.java


Output:

SunPKCS11-NSS Generic secret key, 96 bits session object, not sensitive, extractable)
c5dca603b87a1a1fe264f3cab2f851d513afdd2a7dd5ed3ee337356e2d7a001a

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/22215#discussion_r1892873295

More information about the security-dev mailing list