I ran into a few problems related to a similar approach in my own code.
Basically, PKCS12 requires some sort of OID/Algorithm identifier to map
to/from the algorithm name. Anything that you allow for here ideally
needs to be supported by KeyStore there. It doesn't help that PKCS11 has
CKK_GENERIC_SECRET. It also doesn't help that you can't get the actual
OID from the PKCS12 file in all cases.
If this is actually a master secret - maybe 1.3.112.4.30.1283 makes the
most sense? Alternately, maybe OpenJDK can assign an OID for GENERIC_SECRET.
I ended up with three "generic" secret keys:
1) A generic key - output of a key agreement - can be coerced into any
regular symmetric secret key, but can't be used to seed a KDF
2) A master key - randomly generated or output of a key agreement or KDF
- input to a KDF (TPM uses the first part of this, most crypto protocols
use the second)
3) A password - randomly generated, or the output of a KDF from a master
key. (The latter is used with a number of symmetric key diversification
schemes)
None of these are easy to store in a key store... :-(
Later, Mike
On 12/18/2024 5:33 PM, Weijun Wang wrote:
Allow `Generic` as an algorithm in the `KeyAgreement::generateSecret(alg)`
method.
Weijun Wang has updated the pull request incrementally with one additional
commit since the last revision:
add key size adjustment clarification
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/22650/files
- new: https://git.openjdk.org/jdk/pull/22650/files/f7c03f78..3d62a503
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=22650&range=01
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=22650&range=00-01
Stats: 8 lines in 2 files changed: 6 ins; 0 del; 2 mod
Patch: https://git.openjdk.org/jdk/pull/22650.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/22650/head:pull/22650
PR: https://git.openjdk.org/jdk/pull/22650