On Fri, 11 Apr 2025 23:46:49 GMT, Martin Balao <mba...@openjdk.org> wrote:

>>> What I have found with Tls* keys is that they are in the map but we need to
>>> translate their pseudo-mechanism to a valid one (`CKK_GENERIC_SECRET`). Is
>>> that enough for #24393?
>>
>> What I found is that there are more "TlsXXX" than those defined in
>> P11SecretKeyFactory class which are mapped to PCKK_xxx. So, we will need to
>> decide if those self-defined "TlsXXX" algorithms are allowed (e.g. PKCS11
>> will treat them as Generic secret keys or changing the TLS code to use a key
>> algorithm recognized by PKCS11). Beside this, we need to make sure the
>> current pseudo key type works, e.g. translating to a valid key type when
>> necessary, as you stated.
>
>> > What I have found with Tls* keys is that they are in the map but we need
>> > to translate their pseudo-mechanism to a valid one (`CKK_GENERIC_SECRET`).
>> > Is that enough for #24393?
>>
>> What I found is that there are more "TlsXXX" than those defined in
>> P11SecretKeyFactory class which are mapped to PCKK_xxx. So, we will need to
>> decide if those self-defined "TlsXXX" algorithms are allowed (e.g. PKCS11
>> will treat them as Generic secret keys or changing the TLS code to use a key
>> algorithm recognized by PKCS11). Beside this, we need to make sure the
>> current pseudo key type works, e.g. translating to a valid key type when
>> necessary, as you stated.
>
> Good, let me check this.

> Hi @martinuy,
>
> Thanks for your proposal, I left four comments. Two of them are
> suggestions/ideas, but unless my static analysis is bogus, I also found a
> minor bug (one comment explains the reasoning, the other suggests a
> low-hanging fruit test case to confirm).

Thanks for your review. Yes, there is a hole that allows derivation for algorithms such as `PBEWithHmacSHA224AndAES_256`. Well spotted! I'm planning to restrict PBE algorithms based on the `PBEKeyInfo` subclass. Perhaps checking `HMACKeyInfo` doesn't hurt, even when these should not pass the mechanism check.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/24526#issuecomment-2805117767