RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key
Valerie Peng
valeriep at openjdk.org
Thu Apr 10 03:14:33 UTC 2025
On Tue, 8 Apr 2025 20:02:56 GMT, Martin Balao <mbalao at openjdk.org> wrote:
> Hi,
>
> I would like to request a review for the fix of JDK-8350661. In this fix, we translate the native PKCS 11 error code into an `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` API. With that said, different PKCS 11 libraries may throw different errors and may even (in theory) delay the error until the key is used, as _SunJCE_ does. I believe that this is an improvement but further adjustments may be needed in the future.
>
> No regressions observed in `test/jdk/sun/security/pkcs11/KDF/TestHKDF.java`.
>
> Thanks,
> Martin.-
test/jdk/sun/security/pkcs11/KDF/TestHKDF.java line 619:
> 617: k.deriveKey("AES", HKDFParameterSpec.ofExtract()
> 618: .thenExpand(null, 31));
> 619: throw new Exception("No exception thrown.");
nit: "Expected InvalidAlgorithmParameterException not thrown" is clearer?
test/jdk/sun/security/pkcs11/KDF/TestHKDF.java line 625:
> 623: reportTestFailure(new Exception("Derivation of an AES key of " +
> 624: "invalid size (31 bytes) expected to throw " +
> 625: "InvalidAlgorithmParameterException.", e));
Why not just use `reportTestFailure(e)`? I don't find the extra layer of exception too useful.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24526#discussion_r2036420476
PR Review Comment: https://git.openjdk.org/jdk/pull/24526#discussion_r2036421991
More information about the security-dev
mailing list