RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key
Martin Balao
mbalao at openjdk.org
Wed Apr 9 13:40:35 UTC 2025
On Wed, 9 Apr 2025 11:03:52 GMT, Mikhail Yankelevich <myankelevich at openjdk.org> wrote:
>> Hi,
>>
>> I would like to request a review for the fix of JDK-8350661. In this fix, we translate the native PKCS 11 error code into an `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` API. With that said, different PKCS 11 libraries may throw different errors and may even (in theory) delay the error until the key is used, as _SunJCE_ does. I believe that this is an improvement but further adjustments may be needed in the future.
>>
>> No regressions observed in `test/jdk/sun/security/pkcs11/KDF/TestHKDF.java`.
>>
>> Thanks,
>> Martin.-
>
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11HKDF.java line 41:
>
>> 39: import sun.security.pkcs11.wrapper.*;
>> 40: import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
>> 41: import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*;
>
> Nitpick: Does this import need to be a `*`? Wouldn't it be better to just have a `import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.CKR_KEY_SIZE_RANGE;
> `?
Ok
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24526#discussion_r2035397303
More information about the security-dev
mailing list