RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key
Martin Balao
mbalao at openjdk.org
Wed Apr 9 13:22:36 UTC 2025
On Wed, 9 Apr 2025 06:45:14 GMT, Daniel Jeliński <djelinski at openjdk.org> wrote:
> I think the usual way to handle this is by calling `P11KeyGenerator.checkKeySize`
We discussed calling `P11KeyGenerator::checkKeySize` with @franferrax but were not sure of taking this approach. We found that for DES(3) cases some fixed values are considered valid but wondered if, in theory, the PKCS 11 library can be configured to be more restrictive and reject some of them. Given that this is an error-path and should be exceptional, we thought that the cost of passing the operation to the token and handling the error was affordable. Perhaps we can do both: check beforehand and handle the error afterwards. I'll give it some more thinking.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/24526#issuecomment-2789680355
More information about the security-dev
mailing list