urday, October 24, 2020 3:18:56 AM
*An:* security-dev@openjdk.java.net
*Betreff:* Re: Please add HMAC keygen to SunPKCS11
Hi, Justin,
Most callers just wrap the HMAC key bytes into a java SecretKey
object, e.g. new SecretKeySpec(keyBytes, "HmacSHA256"), pass that into
the HMAC impl from Sun
don't need that
3rd party HSM client anymore.
Thank you,
Justin Cranford
--
Date: Fri, 23 Oct 2020 18:18:56 -0700
From: Valerie Peng
To: security-dev@openjdk.java.net
Subject: Re: Please add HMAC keygen to SunPKCS11
Message-ID: <5f8bdd12-60eb-b57d-c9d3-6
@openjdk.java.net
Betreff: Re: Please add HMAC keygen to SunPKCS11
Hi, Justin,
Most callers just wrap the HMAC key bytes into a java SecretKey object, e.g.
new SecretKeySpec(keyBytes, "HmacSHA256"), pass that into the HMAC impl from
SunPKCS11 provider which will then convert
Hi, Justin,
Most callers just wrap the HMAC key bytes into a java SecretKey object,
e.g. new SecretKeySpec(keyBytes, "HmacSHA256"), pass that into the HMAC
impl from SunPKCS11 provider which will then convert it into a
CKK_GENERIC_SECRET key and passing that to underlying PKCS11 library.
May
Compare SunPKCS11 support for AES vs HMAC
* AES => keygen is supported, and AES key can be used for encrypt and
decrypt.
* HMAC => keygen is not supported, but HMAC key can be used for MAC.
This does not make sense. A third-party utility is required for HMAC keygen,
but not for AES keyg
