RFR: 8348732: SunJCE and SunPKCS11 have different PBE key encodings [v2]
Valerie Peng
valeriep at openjdk.org
Tue Mar 25 00:22:23 UTC 2025
> As part of [https://bugs.openjdk.org/browse/JDK-8301553](JDK-8301553), SunPKCS11 provider added support for PBE SecretKeyFactories for `HmacPBESHAxxx` and `PBEWithHmacSHAxxxAndAES_yyy`. These impls produce keys whose encoding contains the PBKDF2 derived bytes. Given that SunJCE provider have supported `PBEWithHmacSHAxxxAndAES_yyy` SecretKeyFactories whose key encoding is the password bytes for long time. Such difference may be very confusing, e.g. using the same KeySpec and same-name SecretKeyFactory (from different providers), the resulting keys have same algorithm and format but different encodings.
>
> Given that the `P11Mac` and `P11PBECipher` classes already do key derivation internally, these PKCS11 SecretKeyFactories aren't a must-have and are proposed to be removed. I've also aligned the com.sun.crypto.provider.PBEKey class with com.sun.crypto.provider.PPBKDF2KeyImpl class to switch to "UTF-8" when converting the char[] to byte[]. This is to accomodate unicode passwords and given that "UTF-8" encoding is same for ASCII characters, this change should not affect backward compatibility.
Valerie Peng has updated the pull request incrementally with one additional commit since the last revision:
apply the suggested changes and minor code refactoring.
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/24068/files
- new: https://git.openjdk.org/jdk/pull/24068/files/df83f4e9..13a3f932
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=24068&range=01
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=24068&range=00-01
Stats: 110 lines in 5 files changed: 30 ins; 31 del; 49 mod
Patch: https://git.openjdk.org/jdk/pull/24068.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/24068/head:pull/24068
PR: https://git.openjdk.org/jdk/pull/24068
More information about the security-dev
mailing list