On Sat, 18 Mar 2023 06:08:07 GMT, Martin Balao <mba...@openjdk.org> wrote:

>> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java
>>  line 118:
>> 
>>> 116:                 return true;
>>> 117:             }
>>> 118:             return ki.keyType == si.keyType;
>> 
>> So, for non-PBE key info, algos do not have to match?
>
> For services and keys cases in which algorithms identity-match —irrespective 
> of whether they are PBE or non-PBE—, KeyInfo::checkUse is not called and execution 
> moves forward as if the check passed (see 
> [here](https://github.com/openjdk/jdk/blob/ab7ffd56bb8b93d513023d0136df55a6375c3286/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java#L285)).
>  The same is true for services that accept any key type, such as those whose 
> pseudo types are PCKK_HMAC or PCKK_SSLMAC.
> 
> The ki.keyType == si.keyType success value affects cases in which algorithms 
> are different but it's still possible to use the key in the service. One 
> example that would hit this path is a PBE key derived for AES that is used 
> in an AES Cipher service. For non-PBE keys and services cases, one example is 
> algorithms "RC4" and "ARCFOUR" that have both the underlying CKK_RC4 key 
> type. Notice that this latter case is not new: previous to this enhancement 
> proposal, key types were compared as well (see 
> [here](https://github.com/openjdk/jdk/blob/jdk-21%2B14/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java#L147)).
> 
> For non-PBE keys and services cases, what is new with this enhancement is to 
> accept them if their algorithms are identity-equal. This condition 
> necessarily means that key types are equal —the opposite is obviously not 
> true—. One minor detail: when we refer to the algorithms equality trivial 
> pass condition, it's an object identity comparison for performance.

As commented 
[here](https://github.com/openjdk/jdk/pull/12396#discussion_r1142245451), I'll 
add a comment to the code explaining this execution path.

-------------

PR: https://git.openjdk.org/jdk/pull/12396
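
The decision path discussed in this thread, as an added example that is not part of the original message or the JDK source. It is a simplified Java model: `Info`, `canUse`, `acceptsAnyKey` and the sample entries are hypothetical stand-ins, and the identity match is modelled as reference equality on `Info` objects.

```java
public class KeyUseCheckModel {
    // Key type names from the thread, plus CKK_AES (the PKCS#11 AES key type).
    enum KeyType { CKK_RC4, CKK_AES, PCKK_HMAC, PCKK_SSLMAC }

    // Hypothetical stand-in for the per-algorithm info of a key or a service.
    record Info(String algo, KeyType keyType) {}

    // Services with these pseudo types accept any secret key.
    static boolean acceptsAnyKey(Info si) {
        return si.keyType() == KeyType.PCKK_HMAC
                || si.keyType() == KeyType.PCKK_SSLMAC;
    }

    static boolean canUse(Info ki, Info si) {
        // Trivial pass: a cheap reference comparison. Identity implies equal
        // key types, and a miss here is not a rejection.
        if (ki == si || acceptsAnyKey(si)) {
            return true;
        }
        // Different algorithm objects: usable only if key types match.
        return ki.keyType() == si.keyType();
    }

    // Fails loudly if the model disagrees with the behaviour described above.
    static void expect(boolean actual, boolean wanted, String what) {
        if (actual != wanted) {
            throw new AssertionError(what);
        }
        System.out.println(what + ": " + actual);
    }

    public static void main(String[] args) {
        // Constructed sample entries, not the JDK's own table.
        Info rc4 = new Info("RC4", KeyType.CKK_RC4);
        Info arcfour = new Info("ARCFOUR", KeyType.CKK_RC4);
        Info aes = new Info("AES", KeyType.CKK_AES);
        Info aesCopy = new Info("AES", KeyType.CKK_AES);
        Info pbeAes = new Info("PBEWithHmacSHA256AndAES_128", KeyType.CKK_AES);
        Info hmac = new Info("HmacSHA256", KeyType.PCKK_HMAC);

        expect(canUse(aes, aes), true, "same algorithm object");
        expect(canUse(aesCopy, aes), true, "equal but not identical, key types match");
        expect(canUse(rc4, arcfour), true, "RC4 key in ARCFOUR service");
        expect(canUse(pbeAes, aes), true, "PBE-derived AES key in AES service");
        expect(canUse(rc4, hmac), true, "any key in HMAC service");
        expect(canUse(rc4, aes), false, "RC4 key in AES service");
    }
}
```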
