RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]
Martin Balao
mbalao at openjdk.org
Fri Apr 11 23:49:31 UTC 2025
On Fri, 11 Apr 2025 19:47:38 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
> > What I have found with Tls* keys is that they are in the map but we need to translate their pseudo-mechanism to a valid one (`CKK_GENERIC_SECRET`). Is that enough for #24393?
>
> What I found is that there are more "TlsXXX" than those defined in the P11SecretKeyFactory class which are mapped to PCKK_xxx. So, we will need to decide if those self-defined "TlsXXX" algorithms are allowed (e.g. PKCS11 will treat them as Generic secret keys or changing the TLS code to use a key algorithm recognized by PKCS11). Besides this, we need to make sure the current pseudo key type works, e.g. translating to a valid key type when necessary, as you stated.
Good, let me check this.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/24526#issuecomment-2798225287