On Fri, 17 Sep 2021 23:22:21 GMT, Valerie Peng <valer...@openjdk.org> wrote:
> Anyone has time to review this RFE for adding AES cipher with KW, KWP modes > support to SunPKCS11 provider? > > The main changes are in only one new class, i.e. P11KeyWrapCipher.java, which > is the CipherSpi impl for the native PKCS11 key wrap mechanisms. When testing > against NSS library, it seems that they only support the single part enc/dec > PKCS11 APIs, so have to use a new class as existing P11Cipher class relies on > the multi part enc/dec PKCS11 APIs and do not support key wrapping/unwrapping. > > The rest are minor code refactoring and updates for the PKCS11 Exception > class. > The new regression tests are adapted from existing key wrap regression tests > for SunJCE provider. > > Thanks, > Valerie The corresponding PKCS11 mechanisms impl in NSS supports enc/dec/wrap/unwrap. In NIST spec 800-38F, these two modes, i.e. KW and KWP, are approved for both key wrapping as well as the protection of general data. Thus, they are implemented to support both enc/dec and wrap/unwrap. > > > From a high level, why does P11KeyWrapCipher support ENCRYPT and DECRYPT > modes? I expected to only see UNWRAP and WRAP mode supported. Along those > same lines I expected to only see C_WrapKey and C_UnwrapKey, and not > encryption/decryption pkcs11 calls. Is there some additional support here > that I'm not seeing? ------------- PR: https://git.openjdk.java.net/jdk/pull/5569
