RFR: 8328119: Support HKDF in SunPKCS11 (Preview) [v7]
Martin Balao
mbalao at openjdk.org
Thu Dec 19 19:44:39 UTC 2024
On Thu, 19 Dec 2024 13:58:57 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> > However, we decided not to make `CKM_CONCATENATE_DATA_AND_BASE` a requirement for HKDF services in SunPKCS11.
>
> This sounds perfectly reasonable at token init time. Most HKDF cases do not need multiple IKM or salt segments.
>
> What I asked is at key derivation time. By then it seems you no longer consult the `disabledMechanisms` configuration anymore.
It's true, we can check when concatenating in case the token has support but someone wants to block it by configuration. I pushed the change. The error looks like this:
java.security.ProviderException: Mechanism CKM_CONCATENATE_BASE_AND_KEY is either not supported in the token or disabled through 'disabledMechanisms' in SunPKCS11-NSS configuration.
at jdk.crypto.cryptoki/sun.security.pkcs11.P11KDF$KeyMaterialMerger.p11Merge(P11KDF.java:256)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11KDF$KeyKeyMaterialMerger.merge(P11KDF.java:312)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11KDF$KeyMaterialMerger.merge(P11KDF.java:236)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11KDF.consolidateKeyMaterial(P11KDF.java:359)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11KDF.derive(P11KDF.java:123)
at jdk.crypto.cryptoki/sun.security.pkcs11.P11KDF.engineDeriveKey(P11KDF.java:99)
...
-------------
PR Comment: https://git.openjdk.org/jdk/pull/22215#issuecomment-2555640625
More information about the security-dev
mailing list