On Tue, 8 Apr 2025 20:02:56 GMT, Martin Balao <mba...@openjdk.org> wrote:
> Hi, > > I would like to request a review for the fix of JDK-8350661. In this fix, we > translate the native PKCS 11 error code into an > `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` > API. With that said, different PKCS 11 libraries may throw different errors > and may even (in theory) delay the error until the key is used, as _SunJCE_ > does. I believe that this is an improvement but further adjustments may be > needed in the future. > > No regressions observed in `test/jdk/sun/security/pkcs11/KDF/TestHKDF.java`. > > Thanks, > Martin.- On a related note, I am working on https://github.com/openjdk/jdk/pull/24393 and noticed that JSSE calls HKDF.deriveKey(...) with various names such as "TlsFinishedSecret", "TlsResumptionMasterSecret" as the key algorithm. This causes errors when using PKCS11 HKDF since the `P11SecretKeyFactory.getKeyInfo()` look up returns `null` and leads to `InvalidAlgorithmParameterException`. I am debating whether to do the special handling as below: P11SecretKeyFactory.KeyInfo ki = P11SecretKeyFactory.getKeyInfo(alg); if (ki == null) { - throw new InvalidAlgorithmParameterException("A PKCS #11 key " + - "type (CKK_*) was not found for a key of the algorithm '" + - alg + "'."); + // special handling for TLS + if (alg.startsWith("Tls")) { + ki = P11SecretKeyFactory.getKeyInfo("Generic"); + } else { + throw new InvalidAlgorithmParameterException("A PKCS #11 key " + + "type (CKK_*) was not found for a key of the algorithm '" + + alg + "'."); + } Comments or suggestions? @martinuy ------------- PR Comment: https://git.openjdk.org/jdk/pull/24526#issuecomment-2791454433
