On Wed, 1 Mar 2023 00:59:10 GMT, Francisco Ferrari Bihurriet <d...@openjdk.org> wrote:
>> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PKCS5_PBKD2_PARAMS.java
>> line 66:
>>
>>> 64: * CK_ULONG ulPrfDataLen;
>>> 65: * CK_UTF8CHAR_PTR pPassword;
>>> 66: * CK_ULONG_PTR ulPasswordLen;
>>
>> This does not match the one in PKCS#11 spec, the 'ulPasswordLen' should be
>> CK_ULONG type.
>> I see that you added another CK_PKCS5_PBKD2_PARAMS class matching the spec
>> definition. Is this to work around some existing bug? It seems strange to
>> put the inconsistent type in the original class and the correct one in the
>> new class.
>
> Hi @valeriepeng. There's been a typo in the `CK_PKCS5_PBKD2_PARAMS` structure
> for some time. Apparently this [led to divergences in token
> implementations](https://lists.oasis-open.org/archives/pkcs11/201304/msg00019.html#00016:~:text=We%20have%20a,ul%27%20prefix%20indicator
> "Re: [pkcs11] fwd: CKM_PKCS5_PBKD2_PARAMS struct: password length"), where
> some considered `ulPasswordLen` as `CK_ULONG` (the intention) and others,
> [including
> NSS](https://lists.oasis-open.org/archives/pkcs11/201304/msg00023.html#:~:text=I%27ve%20checked,typo%2e),
> considered it as `CK_ULONG_PTR` (the typo, but trying to follow the standard
> verbatim).
>
> This was fixed in [PKCS#11 v2.40 errata
> 01](https://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/errata01/os/pkcs11-curr-v2.40-errata01-os-complete.html#_Toc72656433
> "2.26.3 Mechanisms > PKCS #5 and PKCS #5-style password-based encryption
> (PBE) > PKCS #5 PBKDF2 key generation mechanism parameters") by introducing
> the new `CK_PKCS5_PBKD2_PARAMS2` structure.
>
> The [PKCS#11 v3.0 _Oasis_ published version of
> `pkcs11t.h`](https://docs.oasis-open.org/pkcs11/pkcs11-curr/v3.0/os/include/pkcs11-v3.0/pkcs11t.h)
> and also _OpenJDK_'s `pkcs11t.h` define both structures:
> https://github.com/openjdk/jdk/blob/04278e6bf2da501542feb777ab864bbcc5794fd0/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/pkcs11t.h#L1946-L1977
>
> Also, nowadays [NSS still uses the _deprecated_
> `CK_PKCS5_PBKD2_PARAMS`](https://github.com/nss-dev/nss/blob/NSS_3_88_RTM/lib/softoken/pkcs11c.c#L4053-L4054)
> instead of the new and recommended `CK_PKCS5_PBKD2_PARAMS2`, thus we defined
> both `CK_PKCS5_PBKD2_PARAMS.java` and `CK_PKCS5_PBKD2_PARAMS2.java`.

I see. Thanks much for the explanation~

-------------

PR: https://git.openjdk.org/jdk/pull/12396
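
The two structures discussed in the thread above, side by side, as an added C example that is not code from the PR, OpenJDK or NSS. The base typedefs are stand-ins for `pkcs11t.h`, and the `PBKD2_COMMON` macro and helper names (`set_password_v1`, `set_password_v2`, `len_v1`, `len_v2`, `misread_v1_as_value`) are hypothetical; it shows why a caller and a token must agree on which reading of `ulPasswordLen` is in use.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for the pkcs11t.h base types so this compiles on its own. */
typedef unsigned long CK_ULONG, *CK_ULONG_PTR;
typedef unsigned char CK_UTF8CHAR, *CK_UTF8CHAR_PTR;
typedef void *CK_VOID_PTR;

/* Fields common to both structures (the two *_TYPE fields are CK_ULONG). */
#define PBKD2_COMMON                                            \
    CK_ULONG saltSource; CK_VOID_PTR pSaltSourceData;           \
    CK_ULONG ulSaltSourceDataLen; CK_ULONG iterations;          \
    CK_ULONG prf; CK_VOID_PTR pPrfData; CK_ULONG ulPrfDataLen;  \
    CK_UTF8CHAR_PTR pPassword;

typedef struct { PBKD2_COMMON CK_ULONG_PTR ulPasswordLen; } CK_PKCS5_PBKD2_PARAMS;  /* deprecated */
typedef struct { PBKD2_COMMON CK_ULONG ulPasswordLen; } CK_PKCS5_PBKD2_PARAMS2;     /* errata 01 */

/* Deprecated form: the length lives in caller-owned storage that must
 * stay valid until the call consuming the parameters has returned. */
void set_password_v1(CK_PKCS5_PBKD2_PARAMS *p, char *pw, CK_ULONG *len) {
    *len = (CK_ULONG)strlen(pw);
    p->pPassword = (CK_UTF8CHAR_PTR)pw;
    p->ulPasswordLen = len;
}

/* PARAMS2 form: the length is stored by value. */
void set_password_v2(CK_PKCS5_PBKD2_PARAMS2 *p, char *pw) {
    p->pPassword = (CK_UTF8CHAR_PTR)pw;
    p->ulPasswordLen = (CK_ULONG)strlen(pw);
}

/* Token-side reads that match each structure's declared field type. */
CK_ULONG len_v1(const CK_PKCS5_PBKD2_PARAMS *p) { return p->ulPasswordLen ? *p->ulPasswordLen : 0; }
CK_ULONG len_v2(const CK_PKCS5_PBKD2_PARAMS2 *p) { return p->ulPasswordLen; }

/* The CK_ULONG reading applied to a pointer-filled struct: pointer bits, not a length. */
CK_ULONG misread_v1_as_value(const CK_PKCS5_PBKD2_PARAMS *p) {
    CK_ULONG v = 0;
    size_t n = sizeof v < sizeof p->ulPasswordLen ? sizeof v : sizeof p->ulPasswordLen;
    memcpy(&v, &p->ulPasswordLen, n);
    return v;
}

int main(void) {
    char pw[] = "hunter2!";  /* constructed sample password */
    CK_ULONG len; CK_PKCS5_PBKD2_PARAMS a = {0}; CK_PKCS5_PBKD2_PARAMS2 b = {0};
    set_password_v1(&a, pw, &len); set_password_v2(&b, pw);
    printf("v1=%lu v2=%lu misread=%lu\n", len_v1(&a), len_v2(&b), misread_v1_as_value(&a));
}
```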