RFR: 8328119: Support HKDF in SunPKCS11 (Preview) [v6]

Francisco Ferrari Bihurriet fferrari at openjdk.org
Fri Dec 20 16:46:37 UTC 2024


On Fri, 20 Dec 2024 13:41:28 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> The key has to have `CKA_SIGN = true` in order to be used for a HMAC operation in NSS. For example, you can modify the code snippet shared by @franferrax to include the line `Mac mac = Mac.getInstance("HmacSHA256", "SunPKCS11-NSS");` in _Main.java_ (instead of `Mac mac = Mac.getInstance("HmacSHA256");`) and the line `attributes = compatibility` in _providersList.properties_. With these changes, I get the following output:
>> 
>> 
>> ./bin/java -Djava.security.properties=providersList.properties Main.java
>> SunPKCS11-NSS Generic secret key, 96 bits session object, not sensitive, extractable)
>> c5dca603b87a1a1fe264f3cab2f851d513afdd2a7dd5ed3ee337356e2d7a001a
>
> Yes, it works now with the `attributes = compatibility` line. Told you I am not an expert. Thanks.

Hi, sorry for the confusion. Even when _SunPKCS11_ was the first provider in the list, I should have checked what provider was implementing the `Mac`.

In my previous example, due to _delayed provider selection_, the provider is chosen during the `mac.init(sk)` call. _SunPKCS11_ throws the `InvalidKeyException` you were reproducing (caused by `PKCS11Exception: CKR_KEY_TYPE_INCONSISTENT`), but this exception is ignored and _SunJCE_ is finally selected. This doesn't happen if `attributes = compatibility` or `attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }` is used.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/22215#discussion_r1894157903
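
The following is an added example, not part of the original message or of the JDK change under review: a check that makes the silent fallback described above visible by reading the provider after `init`. The class name `MacProviderCheck`, the helper `initAndVerify` and the all-zero sample key are assumptions made for illustration.

```java
import java.security.GeneralSecurityException;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class MacProviderCheck {

    // Initializes a Mac requested without a provider argument, then fails closed
    // if delayed provider selection settled on a provider other than the expected one.
    static Mac initAndVerify(String alg, SecretKey key, String expectedProvider)
            throws GeneralSecurityException {
        Mac mac = Mac.getInstance(alg); // no provider is committed yet
        mac.init(key);                  // selection happens here; a provider that rejects
                                        // the key is skipped without surfacing its exception
        // Ask for the provider only after init(): calling getProvider() earlier
        // commits the Mac to the first provider in the list.
        String actual = mac.getProvider().getName();
        if (!actual.equals(expectedProvider)) {
            throw new GeneralSecurityException(
                    alg + " fell back to " + actual + ", expected " + expectedProvider);
        }
        return mac;
    }

    public static void main(String[] args) {
        // Assumption: the expected provider name comes from args[0]; the default is
        // the provider name used in this thread.
        String expected = args.length > 0 ? args[0] : "SunPKCS11-NSS";
        // Constructed sample key: 96 bits of zeros, for illustration only.
        SecretKey sk = new SecretKeySpec(new byte[12], "HmacSHA256");
        try {
            Mac mac = initAndVerify("HmacSHA256", sk, expected);
            System.out.println("HmacSHA256 handled by " + mac.getProvider().getName());
        } catch (GeneralSecurityException e) {
            System.out.println("Provider check failed: " + e.getMessage());
        }
    }
}
```

On a JDK without a SunPKCS11 configuration this prints the fallback message. Requesting the provider explicitly, as in the quoted `Mac.getInstance("HmacSHA256", "SunPKCS11-NSS")`, removes the fallback so a rejected key surfaces as an exception from `init`.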

