RFR: 8328119: Support HKDF in SunPKCS11 (Preview) [v8]

Sean Mullan mullan at openjdk.org
Fri Dec 20 17:53:39 UTC 2024


On Thu, 19 Dec 2024 21:11:24 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>>> > Added a _Specification_ change to the CSR so the _Generic_ name is added to the Standard Names document.
>>> 
>>> I think this should be done as a separate issue. By adding this to the CSR, this Enhancement means it is now of SE scope. I would rather this remain as JDK scope. It is better to keep SE and JDK scope changes separate, especially if we ever backport this, it will be smoother if it is of JDK scope.
>> 
>> Are you okay if we create a separate PR to have _Generic_ first and we make the HKDF PR depend on that? We are not planning to backport HKDF but any backport can remove the affected part in the test and avoid an SE change as dependency.
>
>> Are you okay if we create a separate PR to have _Generic_ first and we make the HKDF PR depend on that? We are not planning to backport HKDF but any backport can remove the affected part in the test and avoid an SE change as dependency.
> 
> Yes, but I don't think it needs to be done in any particular order. It is ok if this change goes in first, or vice versa. The spec changes need to be done by someone in Oracle anyway because the spec is not in the open repo. Please file a separate issue and I will find an assignee.

> I'll split this PR and clarify the intention for _Generic_ keys in the new CSR. @seanjmullan, based on what we discussed with Weijun, would you be open to making this PR dependent on the _Generic_ one? Otherwise, I'll have to trim the test and we will lose coverage.

First, I don't think it is necessary to make this PR dependent on [the Generic one](https://bugs.openjdk.org/browse/JDK-8346720). Go ahead and integrate this issue after you get the necessary reviews. I think it is ok if it is using "Generic" as long as we have a plan to address that in a follow-up issue and add it as a standard name, or revert to something else if we decide differently.

Second, I would like to expand the scope of the new issue to include other uses of "Generic", as it is also used by the KEM API when [decapsulating](https://github.com/openjdk/jdk/blob/59c2aff1edffb66762bbbe5e310913f87953be5b/src/java.base/share/classes/javax/crypto/KEM.java#L206). Weijun just opened [an issue](https://bugs.openjdk.org/browse/JDK-8346736) that will address that and I think we should address the PKCS11 "Generic" name at the same time - I also want to make sure we think this through a bit more. So I would dup JDK-8346720 to the issue Weijun created.

In a worst-case scenario, if we decide we don't want to standardize the PKCS11 "Generic" name, then maybe you could change it to something more P11 specific later, like "P11Generic".

-------------

PR Comment: https://git.openjdk.org/jdk/pull/22215#issuecomment-2557462086

