RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]
Martin Balao
mbalao at openjdk.org
Tue Apr 15 13:26:43 UTC 2025
On Mon, 14 Apr 2025 18:53:12 GMT, Francisco Ferrari Bihurriet <fferrari at openjdk.org> wrote:
>> Martin Balao has updated the pull request incrementally with two additional commits since the last revision:
>>
>> - Algorithm and key size checking before derivation. Mechanism normalization for TLS.
>> - Minor import adjustment.
>
> test/jdk/sun/security/pkcs11/KDF/TestHKDF.java line 643:
>
>> 641: 32,
>> 642: "Derivation of an invalid key algorithm");
>> 643: }
>
> I suggest adding a case with an invalid key algorithm whose key info map entry doesn't have `KeyInfo.keyType=CKK_GENERIC_SECRET`. For example, `PBEWithHmacSHA224AndAES_256`, where `KeyInfo.keyType=CKK_AES`.
Sounds good!
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24526#discussion_r2044534670