RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v3]
Martin Balao
mbalao at openjdk.org
Thu Apr 17 00:27:42 UTC 2025
On Thu, 17 Apr 2025 00:22:14 GMT, Martin Balao <mbalao at openjdk.org> wrote:
>> Hi,
>>
>> I would like to request a review for the fix of JDK-8350661. In this fix, we translate the native PKCS 11 error code into an `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` API. With that said, different PKCS 11 libraries may throw different errors and may even (in theory) delay the error until the key is used, as _SunJCE_ does. I believe that this is an improvement but further adjustments may be needed in the future.
>>
>> No regressions observed in `test/jdk/sun/security/pkcs11/KDF/TestHKDF.java`.
>>
>> Thanks,
>> Martin.-
>
> Martin Balao has updated the pull request incrementally with two additional commits since the last revision:
>
> - TLS keys added to the map.
> - Key type check refactoring (derivation).
I've implemented the `TLSKeyInfo` suggestion and added all Tls* keys to the map —after verifying they reach KDF::deriveKey in #24393.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/24526#issuecomment-2811313579
More information about the security-dev
mailing list