RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v4]
Valerie Peng
valeriep at openjdk.org
Thu Apr 17 20:55:52 UTC 2025
On Thu, 17 Apr 2025 03:14:14 GMT, Martin Balao <mbalao at openjdk.org> wrote:
>> Hi,
>>
>> I would like to request a review for the fix of JDK-8350661. In this fix, we translate the native PKCS 11 error code into an `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` API. With that said, different PKCS 11 libraries may throw different errors and may even (in theory) delay the error until the key is used, as _SunJCE_ does. I believe that this is an improvement but further adjustments may be needed in the future.
>>
>> No regressions observed in `test/jdk/sun/security/pkcs11/KDF/TestHKDF.java`.
>>
>> Thanks,
>> Martin.-
>
> Martin Balao has updated the pull request incrementally with one additional commit since the last revision:
>
> Inform key sizes in the exception when failing check.
src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java line 106:
> 104: }
> 105:
> 106: static sealed class KeyInfo permits PBEKeyInfo, HMACKeyInfo, HKDFKeyInfo,
Can we add some comment about the purpose of KeyInfo and the PKCS11 classes which depend on it? E.g. HKDF will use the key algorithm to look up the corresponding key type. Also some comment for the various child key info classes would be nice.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24526#discussion_r2049633301
More information about the security-dev
mailing list