RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]
Martin Balao
mbalao at openjdk.org
Thu Apr 10 23:54:03 UTC 2025
> Hi,
>
> I would like to request a review for the fix of JDK-8350661. In this fix, we translate the native PKCS 11 error code into an `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` API. With that said, different PKCS 11 libraries may throw different errors and may even (in theory) delay the error until the key is used, as _SunJCE_ does. I believe that this is an improvement but further adjustments may be needed in the future.
>
> No regressions observed in `test/jdk/sun/security/pkcs11/KDF/TestHKDF.java`.
>
> Thanks,
> Martin.-
Martin Balao has updated the pull request incrementally with two additional commits since the last revision:
- Algorithm and key size checking before derivation. Mechanism normalization for TLS.
- Minor import adjustment.
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/24526/files
- new: https://git.openjdk.org/jdk/pull/24526/files/848dd1e1..8feb31ea
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=24526&range=01
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=24526&range=00-01
Stats: 145 lines in 4 files changed: 80 ins; 24 del; 41 mod
Patch: https://git.openjdk.org/jdk/pull/24526.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/24526/head:pull/24526
PR: https://git.openjdk.org/jdk/pull/24526
More information about the security-dev
mailing list