On Fri, 20 Dec 2024 13:41:28 GMT, Weijun Wang <wei...@openjdk.org> wrote:
>> The key has to have `CKA_SIGN = true` in order to be used for a HMAC
>> operation in NSS. For example, you can modify the code snippet shared by
>> @franferrax to include the line `Mac mac = Mac.getInstance("HmacSHA256",
>> "SunPKCS11-NSS");` in _Main.java_ (instead of `Mac mac =
>> Mac.getInstance("HmacSHA256");`) and the line `attributes = compatibility`
>> in _providersList.properties_. With these changes, I get the following
>> output:
>>
>>
>> ./bin/java -Djava.security.properties=providersList.properties Main.java
>> SunPKCS11-NSS Generic secret key, 96 bits session object, not sensitive,
>> extractable)
>> c5dca603b87a1a1fe264f3cab2f851d513afdd2a7dd5ed3ee337356e2d7a001a
>
> Yes, it works now with the `attributes = compatibility` line. Told you I am
> not an expert. Thanks.

Hi, sorry for the confusion. Even when _SunPKCS11_ was the first provider in the list, I should have checked what provider was implementing the `Mac`.

In my previous example, due to _delayed provider selection_, the provider is chosen during the `mac.init(sk)` call. _SunPKCS11_ throws the `InvalidKeyException` you were reproducing (caused by `PKCS11Exception: CKR_KEY_TYPE_INCONSISTENT`), but this exception is ignored and _SunJCE_ is finally selected. This doesn't happen if `attributes = compatibility` or `attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }` is used.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/22215#discussion_r1894157903
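
The silent fallback described in this message, reproduced offline as an added example (not code from the thread or from the JDK). `DemoToken` and `RejectingMac` are hypothetical stand-ins for a token-backed provider that rejects the key, the key bytes are constructed, and an OpenJDK build is assumed because it loads unsigned JCE providers.

```java
import java.security.*;
import java.security.spec.AlgorithmParameterSpec;
import javax.crypto.Mac;
import javax.crypto.MacSpi;
import javax.crypto.spec.SecretKeySpec;

public class MacProviderCheck {
    // Hypothetical Mac implementation that always rejects the key in init.
    public static final class RejectingMac extends MacSpi {
        public RejectingMac() {}
        @Override protected void engineInit(Key key, AlgorithmParameterSpec params)
                throws InvalidKeyException {
            throw new InvalidKeyException("constructed failure: key not usable for signing");
        }
        @Override protected int engineGetMacLength() { return 32; }
        @Override protected void engineUpdate(byte input) {}
        @Override protected void engineUpdate(byte[] input, int offset, int len) {}
        @Override protected byte[] engineDoFinal() { return new byte[32]; }
        @Override protected void engineReset() {}
    }

    // Hypothetical provider, registered first in the list like SunPKCS11 in the thread.
    public static final class DemoToken extends Provider {
        public DemoToken() {
            super("DemoToken", "1.0", "constructed provider for this example");
            put("Mac.HmacSHA256", RejectingMac.class.getName());
        }
    }

    public static void main(String[] args) throws Exception {
        Security.insertProviderAt(new DemoToken(), 1);
        Key sk = new SecretKeySpec(new byte[12], "HmacSHA256"); // constructed 96-bit key

        // Delayed selection: the provider is only chosen inside init(), and the
        // InvalidKeyException from DemoToken is swallowed while the next one is tried.
        Mac delayed = Mac.getInstance("HmacSHA256");
        delayed.init(sk);
        System.out.println("delayed selection used: " + delayed.getProvider().getName());

        // Naming the provider disables the fallback, so the failure is visible.
        try {
            Mac.getInstance("HmacSHA256", "DemoToken").init(sk);
        } catch (InvalidKeyException e) {
            System.out.println("pinned provider failed: " + e.getMessage());
        }
    }
}
```

Query `getProvider()` only after `init()`: calling it earlier forces the choice of a provider before the key is known.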