RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v4]
Valerie Peng
valeriep at openjdk.org
Fri Apr 18 21:20:54 UTC 2025
On Fri, 18 Apr 2025 19:52:45 GMT, Martin Balao <mbalao at openjdk.org> wrote:
>> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java line 605:
>>
>>> 603: }
>>> 604: }
>>> 605: }
>>
>> Hmm, how about separating out AES, RC4, Blowfish and ChaCha20 to a separate case? Only DES and DES3 needs parity checking and they are very legacy.
>
> We would need to repeat code if we separate (invocation to `P11KeyGenerator::checkKeySize`). Does not look complex enough in my opinion to merit this split.
The separation can remove 1 conditional block, so only 1 extra line and the flow looks cleaner in my opinion, e.g.
Suggestion:
case (int) CKK_DES, (int) CKK_DES3 -> {
keyLength = P11KeyGenerator.checkKeySize(ki.keyGenMech, n,
token);
fixDESParity(encoded, 0);
if (keyType == CKK_DES3) {
fixDESParity(encoded, 8);
if (keyLength == 112) {
keyType = CKK_DES2;
} else {
fixDESParity(encoded, 16);
}
}
}
case (int) CKK_AES, (int) CKK_RC4, (int) CKK_BLOWFISH, (int) CKK_CHACHA20 -> {
keyLength = P11KeyGenerator.checkKeySize(ki.keyGenMech, n,
token);
}
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24526#discussion_r2051131893
More information about the security-dev
mailing list