RFR: 8328119: Support HKDF in SunPKCS11 (Preview) [v6]

Fri Dec 20 13:43:47 UTC 2024

On Fri, 20 Dec 2024 02:42:59 GMT, Martin Balao <mbalao at openjdk.org> wrote:

>> Hi @wangweij,
>> 
>> What test have you executed? I'm able to use "Generic" keys for HmacSHA256, in a local slowdebug build of this branch. 
>> 
>> 
>> cat >providersList.properties <<'EOF'
>> security.provider.1=SunPKCS11 --\\n\
>>     name = NSS\\n\
>>     nssLibraryDirectory = /usr/lib64\\n\
>>     nssDbMode = noDb
>> security.provider.2=SUN
>> security.provider.3=SunRsaSign
>> security.provider.4=SunEC
>> security.provider.5=SunJSSE
>> security.provider.6=SunJCE
>> security.provider.7=SunJGSS
>> security.provider.8=SunSASL
>> security.provider.9=XMLDSig
>> security.provider.10=SunPCSC
>> security.provider.11=JdkLDAP
>> security.provider.12=JdkSASL
>> EOF
>> 
>> 
>> 
>> cat >Main.java <<'EOF'
>> import java.util.HexFormat;
>> import javax.crypto.Mac;
>> import javax.crypto.SecretKey;
>> import javax.crypto.SecretKeyFactory;
>> import javax.crypto.spec.SecretKeySpec;
>> 
>> public final class Main {
>>     public static void main(String[] args) throws Exception {
>>         byte [] keyMaterial = "Secret-Bytes".getBytes();
>>         SecretKeySpec spec = new SecretKeySpec(keyMaterial, "Generic");
>>         SecretKeyFactory skf = SecretKeyFactory.getInstance("Generic");
>>         SecretKey sk = skf.generateSecret(spec);
>>         System.out.println(sk);
>> 
>>         Mac mac = Mac.getInstance("HmacSHA256");
>>         mac.init(sk);
>>         mac.update("test".getBytes());
>>         System.out.println(HexFormat.of().formatHex(mac.doFinal()));
>>     }
>> }
>> EOF
>> 
>> 
>> 
>> ./build/linux-x86_64-server-slowdebug/images/jdk/bin/java \
>>     -Djava.security.properties=providersList.properties Main.java
>> rm providersList.properties Main.java
>> 
>> 
>> Output:
>> 
>> SunPKCS11-NSS Generic secret key, 96 bits session object, not sensitive, extractable)
>> c5dca603b87a1a1fe264f3cab2f851d513afdd2a7dd5ed3ee337356e2d7a001a
>
> The key has to have `CKA_SIGN = true` in order to be used for a HMAC operation in NSS. For example, you can modify the code snippet shared by @franferrax to include the line `Mac mac = Mac.getInstance("HmacSHA256", "SunPKCS11-NSS");` in _Main.java_ (instead of `Mac mac = Mac.getInstance("HmacSHA256");`) and the line `attributes = compatibility` in _providersList.properties_. With these changes, I get the following output:
> 
> 
> ./bin/java -Djava.security.properties=providersList.properties Main.java
> SunPKCS11-NSS Generic secret key, 96 bits session object, not sensitive, extractable)
> c5dca603b87a1a1fe264f3cab2f851d513afdd2a7dd5ed3ee337356e2d7a001a

Yes, it works now with the `attributes = compatibility` line. Told you I am not an expert. Thanks.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/22215#discussion_r1893955084