On Fri, 20 Dec 2024 02:42:59 GMT, Martin Balao <mba...@openjdk.org> wrote:

>> Hi @wangweij,
>>
>> What test have you executed? I'm able to use "Generic" keys for HmacSHA256,
>> in a local slowdebug build of this branch.
>>
>>
>> cat >providersList.properties <<'EOF'
>> security.provider.1=SunPKCS11 --\\n\
>>     name = NSS\\n\
>>     nssLibraryDirectory = /usr/lib64\\n\
>>     nssDbMode = noDb
>> security.provider.2=SUN
>> security.provider.3=SunRsaSign
>> security.provider.4=SunEC
>> security.provider.5=SunJSSE
>> security.provider.6=SunJCE
>> security.provider.7=SunJGSS
>> security.provider.8=SunSASL
>> security.provider.9=XMLDSig
>> security.provider.10=SunPCSC
>> security.provider.11=JdkLDAP
>> security.provider.12=JdkSASL
>> EOF
>>
>>
>>
>> cat >Main.java <<'EOF'
>> import java.util.HexFormat;
>> import javax.crypto.Mac;
>> import javax.crypto.SecretKey;
>> import javax.crypto.SecretKeyFactory;
>> import javax.crypto.spec.SecretKeySpec;
>>
>> public final class Main {
>>     public static void main(String[] args) throws Exception {
>>         byte[] keyMaterial = "Secret-Bytes".getBytes();
>>         SecretKeySpec spec = new SecretKeySpec(keyMaterial, "Generic");
>>         SecretKeyFactory skf = SecretKeyFactory.getInstance("Generic");
>>         SecretKey sk = skf.generateSecret(spec);
>>         System.out.println(sk);
>>
>>         Mac mac = Mac.getInstance("HmacSHA256");
>>         mac.init(sk);
>>         mac.update("test".getBytes());
>>         System.out.println(HexFormat.of().formatHex(mac.doFinal()));
>>     }
>> }
>> EOF
>>
>>
>>
>> ./build/linux-x86_64-server-slowdebug/images/jdk/bin/java \
>>     -Djava.security.properties=providersList.properties Main.java
>> rm providersList.properties Main.java
>>
>>
>> Output:
>>
>> SunPKCS11-NSS Generic secret key, 96 bits session object, not sensitive,
>> extractable)
>> c5dca603b87a1a1fe264f3cab2f851d513afdd2a7dd5ed3ee337356e2d7a001a
>
> The key has to have `CKA_SIGN = true` in order to be used for a HMAC
> operation in NSS. For example, you can modify the code snippet shared by
> @franferrax to include the line
> `Mac mac = Mac.getInstance("HmacSHA256", "SunPKCS11-NSS");` in _Main.java_
> (instead of `Mac mac = Mac.getInstance("HmacSHA256");`) and the line
> `attributes = compatibility` in _providersList.properties_. With these
> changes, I get the following output:
>
>
> ./bin/java -Djava.security.properties=providersList.properties Main.java
> SunPKCS11-NSS Generic secret key, 96 bits session object, not sensitive,
> extractable)
> c5dca603b87a1a1fe264f3cab2f851d513afdd2a7dd5ed3ee337356e2d7a001a

Yes, it works now with the `attributes = compatibility` line. Told you I am not an expert. Thanks.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/22215#discussion_r1893955084