RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key
Martin Balao
mbalao at openjdk.org
Thu Apr 10 03:38:24 UTC 2025
On Thu, 10 Apr 2025 03:08:32 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
>> Hi,
>>
>> I would like to request a review for the fix of JDK-8350661. In this fix, we translate the native PKCS 11 error code into an `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` API. With that said, different PKCS 11 libraries may throw different errors and may even (in theory) delay the error until the key is used, as _SunJCE_ does. I believe that this is an improvement but further adjustments may be needed in the future.
>>
>> No regressions observed in `test/jdk/sun/security/pkcs11/KDF/TestHKDF.java`.
>>
>> Thanks,
>> Martin.-
>
> test/jdk/sun/security/pkcs11/KDF/TestHKDF.java line 619:
>
>> 617: k.deriveKey("AES", HKDFParameterSpec.ofExtract()
>> 618: .thenExpand(null, 31));
>> 619: throw new Exception("No exception thrown.");
>
> nit: "Expected InvalidAlgorithmParameterException not thrown" is clearer?
This exception will be the cause, the wrapper exception will inform that `InvalidAlgorithmParameterException` was expected to be thrown.
> test/jdk/sun/security/pkcs11/KDF/TestHKDF.java line 625:
>
>> 623: reportTestFailure(new Exception("Derivation of an AES key of " +
>> 624: "invalid size (31 bytes) expected to throw " +
>> 625: "InvalidAlgorithmParameterException.", e));
>
> Why not just use `reportTestFailure(e)`? I don't find the extra layer of exception too useful.
To be more informative, because the original exception —not the one that we would throw if no exception is thrown— does not state which exception was expected to be thrown, is just a `ProviderException` which may even look good/appropriate for an invalid key size.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24526#discussion_r2036438251
PR Review Comment: https://git.openjdk.org/jdk/pull/24526#discussion_r2036436647
More information about the security-dev
mailing list