On Sat, 18 Mar 2023 06:08:07 GMT, Martin Balao <mba...@openjdk.org> wrote:
>> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
>> line 118:
>>
>>> 116: return true;
>>> 117: }
>>> 118: return ki.keyType == si.keyType;
>>
>> So, for non-PBE key info, algos do not have to match?
>
> For services and keys cases in which algorithms identity-match —irrespective
> if they are PBE or non-PBE—, KeyInfo::checkUse is not called and execution
> moves forward as if the check passed (see
> [here](https://github.com/openjdk/jdk/blob/ab7ffd56bb8b93d513023d0136df55a6375c3286/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java#L285)).
> The same is true for services that accept any key type, such as those whose
> pseudo types are PCKK_HMAC or PCKK_SSLMAC.
>
> The ki.keyType == si.keyType success value affects cases in which algorithms
> are different but it's still possible to use the key in the service. One
> example that would hit this path is a PBE key derived for AES that is used
> in an AES Cipher service. For non-PBE keys and services cases, one example is
> algorithms "RC4" and "ARCFOUR" that have both the underlying CKK_RC4 key
> type. Notice that this latter case is not new: previous to this enhancement
> proposal, key types were compared as well (see
> [here](https://github.com/openjdk/jdk/blob/jdk-21%2B14/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java#L147)).
>
> For non-PBE keys and services cases, what is new with this enhancement is to
> accept them if their algorithms are identity-equal. This condition
> necessarily means that key types are equal —the opposite is obviously not
> true—. One minor detail, when we refer to the algorithms equality trivial
> pass condition, it's an object identity comparison for performance.

As commented [here](https://github.com/openjdk/jdk/pull/12396#discussion_r1142245451), I'll add a comment to the code explaining this execution path.

-------------

PR: https://git.openjdk.org/jdk/pull/12396
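
A simplified model of the decision order described in this thread, added here as an illustration; it is not the JDK's code. The class, record and method names are hypothetical, the PCKK_HMAC value is a constructed stand-in, and the PBE-specific checks are reduced to a key type comparison.

```java
// Illustrative model only: names are hypothetical, not taken from P11SecretKeyFactory.
public class KeyUseCheckModel {
    static final long CKK_RC4 = 0x12L;         // PKCS#11 key type values
    static final long CKK_AES = 0x1FL;
    static final long PCKK_HMAC = 0x7FFFFF01L; // constructed stand-in for the pseudo type

    // An algorithm name paired with its underlying key type.
    record Info(String algo, long keyType) {}

    // Decision order as described in the thread:
    //  1. identity-equal algorithms pass without a detailed check,
    //  2. a service that accepts any key type passes,
    //  3. otherwise the underlying key types must be equal.
    static boolean canUse(Info ki, Info si) {
        if (ki.algo() == si.algo()) {  // deliberate reference comparison (fast path)
            return true;
        }
        if (si.keyType() == PCKK_HMAC) {
            return true;
        }
        return ki.keyType() == si.keyType();
    }

    public static void main(String[] args) {
        Info aesSvc = new Info("AES", CKK_AES);
        Info arcfourSvc = new Info("ARCFOUR", CKK_RC4);
        Info hmacSvc = new Info("HmacSHA256", PCKK_HMAC);
        Info rc4Key = new Info("RC4", CKK_RC4);
        Info pbeAesKey = new Info("PBEWithHmacSHA256AndAES_128", CKK_AES);
        // Same text, different object: the identity fast path misses and the
        // key type comparison decides instead.
        Info aesKeyCopy = new Info(new String("AES"), CKK_AES);

        System.out.println("RC4 key in ARCFOUR service:     " + canUse(rc4Key, arcfourSvc));
        System.out.println("PBE-for-AES key in AES service: " + canUse(pbeAesKey, aesSvc));
        System.out.println("non-interned AES key in AES:    " + canUse(aesKeyCopy, aesSvc));
        System.out.println("RC4 key in HMAC service:        " + canUse(rc4Key, hmacSvc));
        System.out.println("RC4 key in AES service:         " + canUse(rc4Key, aesSvc));
    }
}
```

The third case is the one the identity comparison makes interesting: missing the fast path does not reject the key, because equal algorithms imply equal key types and the final comparison still accepts it.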