RFR: 8328119: Support HKDF in SunPKCS11 (Preview) [v6]

Martin Balao mbalao at openjdk.org
Fri Dec 20 02:46:53 UTC 2024 

On Thu, 19 Dec 2024 17:43:20 GMT, Francisco Ferrari Bihurriet <fferrari at openjdk.org> wrote:

>> BTW, what else can this key be used? I tried in HmacSHA256 and there is a CKR_KEY_TYPE_INCONSISTENT error.
>
> Hi @wangweij,
> 
> What test have you executed? I'm able to use "Generic" keys for HmacSHA256, in a local slowdebug build of this branch. 
> 
> 
> cat >providersList.properties <<'EOF'
> security.provider.1=SunPKCS11 --\\n\
>     name = NSS\\n\
>     nssLibraryDirectory = /usr/lib64\\n\
>     nssDbMode = noDb
> security.provider.2=SUN
> security.provider.3=SunRsaSign
> security.provider.4=SunEC
> security.provider.5=SunJSSE
> security.provider.6=SunJCE
> security.provider.7=SunJGSS
> security.provider.8=SunSASL
> security.provider.9=XMLDSig
> security.provider.10=SunPCSC
> security.provider.11=JdkLDAP
> security.provider.12=JdkSASL
> EOF
> 
> 
> 
> cat >Main.java <<'EOF'
> import java.util.HexFormat;
> import javax.crypto.Mac;
> import javax.crypto.SecretKey;
> import javax.crypto.SecretKeyFactory;
> import javax.crypto.spec.SecretKeySpec;
> 
> public final class Main {
>     public static void main(String[] args) throws Exception {
>         byte [] keyMaterial = "Secret-Bytes".getBytes();
>         SecretKeySpec spec = new SecretKeySpec(keyMaterial, "Generic");
>         SecretKeyFactory skf = SecretKeyFactory.getInstance("Generic");
>         SecretKey sk = skf.generateSecret(spec);
>         System.out.println(sk);
> 
>         Mac mac = Mac.getInstance("HmacSHA256");
>         mac.init(sk);
>         mac.update("test".getBytes());
>         System.out.println(HexFormat.of().formatHex(mac.doFinal()));
>     }
> }
> EOF
> 
> 
> 
> ./build/linux-x86_64-server-slowdebug/images/jdk/bin/java \
>     -Djava.security.properties=providersList.properties Main.java
> rm providersList.properties Main.java
> 
> 
> Output:
> 
> SunPKCS11-NSS Generic secret key, 96 bits session object, not sensitive, extractable)
> c5dca603b87a1a1fe264f3cab2f851d513afdd2a7dd5ed3ee337356e2d7a001a

The key has to have `CKA_SIGN = true` in order to be used for a HMAC operation in NSS. For example, you can modify the code snippet shared by @franferrax to include the line `Mac mac = Mac.getInstance("HmacSHA256", "SunPKCS11-NSS");` in _Main.java_ (instead of `Mac mac = Mac.getInstance("HmacSHA256");`) and the line `attributes = compatibility` in _providersList.properties_. With these changes, I get the following output:


./bin/java -Djava.security.properties=providersList.properties Main.java
SunPKCS11-NSS Generic secret key, 96 bits session object, not sensitive, extractable)
c5dca603b87a1a1fe264f3cab2f851d513afdd2a7dd5ed3ee337356e2d7a001a

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/22215#discussion_r1893373855

More information about the security-dev mailing list