RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key
Martin Balao
mbalao at openjdk.org
Thu Apr 10 23:56:26 UTC 2025
On Thu, 10 Apr 2025 03:27:19 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
>> Hi,
>>
>> I would like to request a review for the fix of JDK-8350661. In this fix, we translate the native PKCS 11 error code into an `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` API. With that said, different PKCS 11 libraries may throw different errors and may even (in theory) delay the error until the key is used, as _SunJCE_ does. I believe that this is an improvement but further adjustments may be needed in the future.
>>
>> No regressions observed in `test/jdk/sun/security/pkcs11/KDF/TestHKDF.java`.
>>
>> Thanks,
>> Martin.-
>
> On a related note, I am working on https://github.com/openjdk/jdk/pull/24393 and noticed that JSSE calls HKDF.deriveKey(...) with various names such as "TlsFinishedSecret", "TlsResumptionMasterSecret" as the key algorithm. This causes errors when using PKCS11 HKDF since the `P11SecretKeyFactory.getKeyInfo()` look up returns `null` and leads to `InvalidAlgorithmParameterException`. I am debating whether to do the special handling as below:
>
>
> P11SecretKeyFactory.KeyInfo ki = P11SecretKeyFactory.getKeyInfo(alg);
> if (ki == null) {
> - throw new InvalidAlgorithmParameterException("A PKCS #11 key " +
> - "type (CKK_*) was not found for a key of the algorithm '" +
> - alg + "'.");
> + // special handling for TLS
> + if (alg.startsWith("Tls")) {
> + ki = P11SecretKeyFactory.getKeyInfo("Generic");
> + } else {
> + throw new InvalidAlgorithmParameterException("A PKCS #11 key " +
> + "type (CKK_*) was not found for a key of the algorithm '" +
> + alg + "'.");
> + }
>
>
> Comments or suggestions? @martinuy
@valeriepeng @djelinski @franferrax can you please take a look at this new proposal? Thanks!
-------------
PR Comment: https://git.openjdk.org/jdk/pull/24526#issuecomment-2795432401
More information about the security-dev
mailing list