RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]
Martin Balao
mbalao at openjdk.org
Tue Apr 15 13:49:44 UTC 2025
On Fri, 11 Apr 2025 23:46:49 GMT, Martin Balao <mbalao at openjdk.org> wrote:
>>> What I have found with Tls* keys is that they are in the map but we need to translate their pseudo-mechanism to a valid one (`CKK_GENERIC_SECRET`). Is that enough for #24393?
>>
>> What I found is that there are more "TlsXXX" than those defined in P11SecretKeyFactory class which are mapped to PCKK_xxx. So, we will need to decide if those self-defined "TlsXXX" algorithms are allowed (e.g. PKCS11 will treat them as Generic secret keys or changing the TLS code to use a key algorithm recognized by PKCS11). Besides this, we need to make sure the current pseudo key type works, e.g. translating to a valid key type when necessary, as you stated.
>
> Good, let me check this.
> Hi @martinuy,
>
> Thanks for your proposal, I left four comments. Two of them are suggestions/ideas, but unless my static analysis is bogus, I also found a minor bug (one comment explains the reasoning, the other suggests a low-hanging fruit test case to confirm).
Thanks for your review.
Yes, there is a hole that allows derivation for algorithms such as `PBEWithHmacSHA224AndAES_256`. Well spotted! I'm planning to restrict PBE algorithms based on the `PBEKeyInfo` subclass. Perhaps checking `HMACKeyInfo` doesn't hurt, even when these should not pass the mechanism check.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/24526#issuecomment-2805117767
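The two behaviours the thread talks about (the 31-byte AES request from the PR title, and the PBE algorithm name that a reviewer found could slip through HKDF derivation) are easy to exercise against a PKCS#11 token from the JCA side. The following probe is an added illustration for this page, not code from the PR or from OpenJDK; it assumes JDK 25 (or JDK 24 with --enable-preview) for the javax.crypto.KDF API, a SunPKCS11 configuration file passed as args[0], and a token that implements CKM_HKDF_DERIVE. It only reports what the installed provider does for each case; it does not assert the post-fix behaviour, which the page does not spell out.

```java
import java.nio.charset.StandardCharsets;
import java.security.Provider;
import java.security.Security;
import javax.crypto.KDF;
import javax.crypto.SecretKey;
import javax.crypto.spec.HKDFParameterSpec;

/**
 * Probe for the HKDF derivation cases discussed in the PR thread, run
 * through the SunPKCS11 provider. Added example, not part of the PR.
 * Assumptions: args[0] is a SunPKCS11 config file; the token supports
 * CKM_HKDF_DERIVE; the javax.crypto.KDF API is available (JDK 25, or
 * JDK 24 with --enable-preview).
 */
public class Pkcs11HkdfProbe {

    // Constructed sample inputs; any bytes would do for a probe.
    private static final byte[] IKM =
            "input keying material".getBytes(StandardCharsets.UTF_8);
    private static final byte[] SALT = "salt".getBytes(StandardCharsets.UTF_8);
    private static final byte[] INFO = "probe".getBytes(StandardCharsets.UTF_8);

    /**
     * Ask the KDF for a key of the given algorithm name and length
     * (HKDF extract-then-expand) and describe the outcome instead of
     * letting any exception escape, so every case is reported.
     */
    static String tryDerive(KDF kdf, String keyAlg, int lengthBytes) {
        try {
            SecretKey k = kdf.deriveKey(keyAlg,
                    HKDFParameterSpec.ofExtract()
                            .addIKM(IKM)
                            .addSalt(SALT)
                            .thenExpand(INFO, lengthBytes));
            return "derived " + k.getAlgorithm() + " key (format " + k.getFormat() + ")";
        } catch (Exception e) {
            // ProviderException (the symptom in the PR title) is a
            // RuntimeException and is caught here as well.
            return "rejected: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Instantiate SunPKCS11 from the config file given on the command line.
        Provider p = Security.getProvider("SunPKCS11").configure(args[0]);
        Security.addProvider(p);
        KDF kdf = KDF.getInstance("HKDF-SHA256", p);

        // Case 1 (PR title): a 31-byte AES key request. Before the fix the
        // PKCS11 provider surfaced this as a ProviderException.
        System.out.println("AES/31: " + tryDerive(kdf, "AES", 31));
        System.out.println("AES/32: " + tryDerive(kdf, "AES", 32));

        // Case 2 (review finding): a PBE algorithm name that the thread
        // says should not be derivable via HKDF once PBE algorithms are
        // restricted by their PBEKeyInfo subclass.
        System.out.println("PBEWithHmacSHA224AndAES_256/32: "
                + tryDerive(kdf, "PBEWithHmacSHA224AndAES_256", 32));
    }
}
```

Run it once against a build without the fix and once with it; the "rejected:" lines should change from a ProviderException to whatever exception the patched provider throws (or to a successful derivation), which is the quickest way to confirm the change on a real token rather than on a reading of the code.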