Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v6]

2025-04-22 Thread Francisco Ferrari Bihurriet
On Mon, 21 Apr 2025 17:12:27 GMT, Martin Balao wrote: >> Hi, >> >> I would like to request a review for the fix of JDK-8350661. In this fix, we >> translate the native PKCS 11 error code into an >> `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` >> API. With that s

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v6]

2025-04-21 Thread Valerie Peng
On Mon, 21 Apr 2025 17:12:27 GMT, Martin Balao wrote: >> Hi, >> >> I would like to request a review for the fix of JDK-8350661. In this fix, we >> translate the native PKCS 11 error code into an >> `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` >> API. With that s

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v4]

2025-04-21 Thread Martin Balao
On Fri, 18 Apr 2025 21:18:04 GMT, Valerie Peng wrote: >> The separation can remove 1 conditional block, so only 1 extra line and the >> flow looks cleaner in my opinion, e.g. >> Suggestion: >> >> case (int) CKK_DES, (int) CKK_DES3 -> { >> keyLength = P11KeyGe

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v6]

2025-04-21 Thread Martin Balao
> Hi, > > I would like to request a review for the fix of JDK-8350661. In this fix, we > translate the native PKCS 11 error code into an > `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` > API. With that said, different PKCS 11 libraries may throw different errors >

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v4]

2025-04-18 Thread Valerie Peng
On Fri, 18 Apr 2025 21:15:41 GMT, Valerie Peng wrote: >> We would need to repeat code if we separate (invocation to >> `P11KeyGenerator::checkKeySize`). Does not look complex enough in my opinion >> to merit this split. > > The separation can remove 1 conditional block, so only 1 extra line and

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v4]

2025-04-18 Thread Valerie Peng
On Fri, 18 Apr 2025 19:52:45 GMT, Martin Balao wrote: >> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java >> line 605: >> >>> 603: } >>> 604: } >>> 605: } >> >> Hmm, how about separating out AES, RC4,

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v5]

2025-04-18 Thread Martin Balao
> Hi, > > I would like to request a review for the fix of JDK-8350661. In this fix, we > translate the native PKCS 11 error code into an > `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` > API. With that said, different PKCS 11 libraries may throw different errors >

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v4]

2025-04-18 Thread Martin Balao
On Thu, 17 Apr 2025 23:52:56 GMT, Valerie Peng wrote: >> Martin Balao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Inform key sizes in the exception when failing check. > > src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v4]

2025-04-18 Thread Martin Balao
On Thu, 17 Apr 2025 22:59:49 GMT, Valerie Peng wrote: >> Martin Balao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Inform key sizes in the exception when failing check. > > src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v4]

2025-04-18 Thread Martin Balao
On Thu, 17 Apr 2025 20:52:52 GMT, Valerie Peng wrote: >> Martin Balao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Inform key sizes in the exception when failing check. > > src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v4]

2025-04-18 Thread Valerie Peng
On Thu, 17 Apr 2025 03:14:14 GMT, Martin Balao wrote: >> Hi, >> >> I would like to request a review for the fix of JDK-8350661. In this fix, we >> translate the native PKCS 11 error code into an >> `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` >> API. With that s

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v4]

2025-04-17 Thread Valerie Peng
On Thu, 17 Apr 2025 03:14:14 GMT, Martin Balao wrote: >> Hi, >> >> I would like to request a review for the fix of JDK-8350661. In this fix, we >> translate the native PKCS 11 error code into an >> `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` >> API. With that s

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v4]

2025-04-17 Thread Valerie Peng
On Thu, 17 Apr 2025 03:14:14 GMT, Martin Balao wrote: >> Hi, >> >> I would like to request a review for the fix of JDK-8350661. In this fix, we >> translate the native PKCS 11 error code into an >> `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` >> API. With that s

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v4]

2025-04-17 Thread Valerie Peng
On Thu, 17 Apr 2025 03:14:14 GMT, Martin Balao wrote: >> Hi, >> >> I would like to request a review for the fix of JDK-8350661. In this fix, we >> translate the native PKCS 11 error code into an >> `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` >> API. With that s

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v4]

2025-04-17 Thread Martin Balao
> Hi, > > I would like to request a review for the fix of JDK-8350661. In this fix, we > translate the native PKCS 11 error code into an > `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` > API. With that said, different PKCS 11 libraries may throw different errors >

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v3]

2025-04-16 Thread Martin Balao
On Thu, 17 Apr 2025 00:22:14 GMT, Martin Balao wrote: >> Hi, >> >> I would like to request a review for the fix of JDK-8350661. In this fix, we >> translate the native PKCS 11 error code into an >> `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` >> API. With that s

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v3]

2025-04-16 Thread Martin Balao
On Thu, 17 Apr 2025 00:47:00 GMT, Valerie Peng wrote: >> Martin Balao has updated the pull request incrementally with two additional >> commits since the last revision: >> >> - TLS keys added to the map. >> - Key type check refactoring (derivation). > > src/jdk.crypto.cryptoki/share/classes/s

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v3]

2025-04-16 Thread Valerie Peng
On Thu, 17 Apr 2025 00:22:14 GMT, Martin Balao wrote: >> Hi, >> >> I would like to request a review for the fix of JDK-8350661. In this fix, we >> translate the native PKCS 11 error code into an >> `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` >> API. With that s

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v3]

2025-04-16 Thread Martin Balao
> Hi, > > I would like to request a review for the fix of JDK-8350661. In this fix, we > translate the native PKCS 11 error code into an > `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` > API. With that said, different PKCS 11 libraries may throw different errors >

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]

2025-04-16 Thread Valerie Peng
On Mon, 14 Apr 2025 19:01:45 GMT, Francisco Ferrari Bihurriet wrote: >> As far as I understand it, `HmacSHA256` is blocked, but not >> `PBEWithHmacSHA224AndAES_256`. >> >> ### `HmacSHA256` >> >> * Has an `HMACKeyInfo` entry with the following non-static fields: >> * `KeyInfo.algo` = `"Hma

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]

2025-04-15 Thread Martin Balao
On Tue, 15 Apr 2025 16:04:26 GMT, Francisco Ferrari Bihurriet wrote: >> BTW, I don't like the partial "Tls" string comparison much because it's >> making an assumption about the algorithm name. > > A new `PCKK_TLSKEY` pseudo key type looks good to me. Alternatively, and just > thinking out lou

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]

2025-04-15 Thread Martin Balao
On Tue, 15 Apr 2025 13:20:34 GMT, Martin Balao wrote: >> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java >> line 240: >> >>> 238: putKeyInfo(new KeyInfo("TlsPremasterSecret", >>> PCKK_TLSPREMASTER)); >>> 239: putKeyInfo(new KeyInfo("TlsRsaPrem

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]

2025-04-15 Thread Martin Balao
On Fri, 11 Apr 2025 23:46:49 GMT, Martin Balao wrote: >>> What I have found with Tls* keys is that they are in the map but we need to >>> translate their pseudo-mechanism to a valid one (`CKK_GENERIC_SECRET`). Is >>> that enough for #24393? >> >> What I found is that there are more "TlsXXX" th

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]

2025-04-15 Thread Martin Balao
On Mon, 14 Apr 2025 18:53:12 GMT, Francisco Ferrari Bihurriet wrote: >> Martin Balao has updated the pull request incrementally with two additional >> commits since the last revision: >> >> - Algorithm and key size checking before derivation. Mechanism >> normalization for TLS. >> - Minor i

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]

2025-04-15 Thread Francisco Ferrari Bihurriet
On Tue, 15 Apr 2025 13:23:06 GMT, Martin Balao wrote: >> I like this idea but the downside I see is that we would need string >> comparison in `P11KDF::getDerivedKeyType` to allow TLS keys. What if we >> merge all `PCKK_TLSPREMASTER`, `PCKK_TLSRSAPREMASTER` and `PCKK_TLSMASTER` >> into `PCKK_T

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]

2025-04-15 Thread Martin Balao
On Mon, 14 Apr 2025 17:44:53 GMT, Francisco Ferrari Bihurriet wrote: >> Martin Balao has updated the pull request incrementally with two additional >> commits since the last revision: >> >> - Algorithm and key size checking before derivation. Mechanism >> normalization for TLS. >> - Minor i

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]

2025-04-14 Thread Francisco Ferrari Bihurriet
On Mon, 14 Apr 2025 19:01:00 GMT, Francisco Ferrari Bihurriet wrote: >> For the TlsXXX issue I check the pseudo-mechanism. That works if all >> algorithms are known to the map. I'll check how many we have and see what >> are the pros/cons of having them in the map. I prefer symmetric key >> a

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]

2025-04-14 Thread Francisco Ferrari Bihurriet
On Thu, 10 Apr 2025 23:54:03 GMT, Martin Balao wrote: >> Hi, >> >> I would like to request a review for the fix of JDK-8350661. In this fix, we >> translate the native PKCS 11 error code into an >> `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` >> API. With that s

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]

2025-04-14 Thread Francisco Ferrari Bihurriet
On Fri, 11 Apr 2025 23:36:17 GMT, Martin Balao wrote: >> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11HKDF.java line >> 246: >> >>> 244: alg.equalsIgnoreCase("Generic")) { >>> 245: return ki.keyType; >>> 246: } >> >> W

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]

2025-04-11 Thread Martin Balao
On Fri, 11 Apr 2025 21:32:47 GMT, Valerie Peng wrote: >> Martin Balao has updated the pull request incrementally with two additional >> commits since the last revision: >> >> - Algorithm and key size checking before derivation. Mechanism >> normalization for TLS. >> - Minor import adjustment

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]

2025-04-11 Thread Martin Balao
On Fri, 11 Apr 2025 19:47:38 GMT, Valerie Peng wrote: > > What I have found with Tls* keys is that they are in the map but we need to > > translate their pseudo-mechanism to a valid one (`CKK_GENERIC_SECRET`). Is > > that enough for #24393? > > What I found is that there are more "TlsXXX" than

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]

2025-04-11 Thread Martin Balao
On Fri, 11 Apr 2025 21:28:30 GMT, Valerie Peng wrote: >> Martin Balao has updated the pull request incrementally with two additional >> commits since the last revision: >> >> - Algorithm and key size checking before derivation. Mechanism >> normalization for TLS. >> - Minor import adjustment

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]

2025-04-11 Thread Valerie Peng
On Thu, 10 Apr 2025 23:54:03 GMT, Martin Balao wrote: >> Hi, >> >> I would like to request a review for the fix of JDK-8350661. In this fix, we >> translate the native PKCS 11 error code into an >> `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` >> API. With that s

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]

2025-04-11 Thread Valerie Peng
On Thu, 10 Apr 2025 23:54:03 GMT, Martin Balao wrote: >> Hi, >> >> I would like to request a review for the fix of JDK-8350661. In this fix, we >> translate the native PKCS 11 error code into an >> `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` >> API. With that s

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]

2025-04-11 Thread Valerie Peng
On Fri, 11 Apr 2025 00:00:39 GMT, Martin Balao wrote:

> What I have found with Tls* keys is that they are in the map but we need to translate their pseudo-mechanism to a valid one (`CKK_GENERIC_SECRET`). Is that enough for #24393?

What I found is that there are more "TlsXXX" than those def

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]

2025-04-11 Thread Daniel Jeliński
On Thu, 10 Apr 2025 23:54:03 GMT, Martin Balao wrote: >> Hi, >> >> I would like to request a review for the fix of JDK-8350661. In this fix, we >> translate the native PKCS 11 error code into an >> `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` >> API. With that s

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]

2025-04-10 Thread Martin Balao
On Thu, 10 Apr 2025 23:54:03 GMT, Martin Balao wrote: >> Hi, >> >> I would like to request a review for the fix of JDK-8350661. In this fix, we >> translate the native PKCS 11 error code into an >> `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` >> API. With that s

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key

2025-04-10 Thread Martin Balao
On Thu, 10 Apr 2025 03:27:19 GMT, Valerie Peng wrote: >> Hi, >> >> I would like to request a review for the fix of JDK-8350661. In this fix, we >> translate the native PKCS 11 error code into an >> `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` >> API. With that s

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]

2025-04-10 Thread Martin Balao
> Hi, > > I would like to request a review for the fix of JDK-8350661. In this fix, we > translate the native PKCS 11 error code into an > `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` > API. With that said, different PKCS 11 libraries may throw different errors >

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key

2025-04-10 Thread Daniel Jeliński
On Wed, 9 Apr 2025 13:19:45 GMT, Martin Balao wrote:

> Perhaps we can do both: check beforehand and handle the error afterwards.

That sounds reasonable. Whatever you decide, I think it would be good to make sure P11HKDF, P11SecretKeyFactory and P11KeyGenerator perform the same checks during k

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key

2025-04-09 Thread Martin Balao
On Thu, 10 Apr 2025 03:08:32 GMT, Valerie Peng wrote: >> Hi, >> >> I would like to request a review for the fix of JDK-8350661. In this fix, we >> translate the native PKCS 11 error code into an >> `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` >> API. With that s

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key

2025-04-09 Thread Martin Balao
On Tue, 8 Apr 2025 20:02:56 GMT, Martin Balao wrote: > Hi, > > I would like to request a review for the fix of JDK-8350661. In this fix, we > translate the native PKCS 11 error code into an > `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` > API. With that said, di

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key

2025-04-09 Thread Valerie Peng
On Tue, 8 Apr 2025 20:02:56 GMT, Martin Balao wrote: > Hi, > > I would like to request a review for the fix of JDK-8350661. In this fix, we > translate the native PKCS 11 error code into an > `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` > API. With that said, di

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key

2025-04-09 Thread Valerie Peng
On Tue, 8 Apr 2025 20:02:56 GMT, Martin Balao wrote: > Hi, > > I would like to request a review for the fix of JDK-8350661. In this fix, we > translate the native PKCS 11 error code into an > `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` > API. With that said, di

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key

2025-04-09 Thread Martin Balao
On Wed, 9 Apr 2025 11:03:52 GMT, Mikhail Yankelevich wrote: >> Hi, >> >> I would like to request a review for the fix of JDK-8350661. In this fix, we >> translate the native PKCS 11 error code into an >> `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` >> API. With

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key

2025-04-09 Thread Martin Balao
On Wed, 9 Apr 2025 10:57:45 GMT, Mikhail Yankelevich wrote: >> Hi, >> >> I would like to request a review for the fix of JDK-8350661. In this fix, we >> translate the native PKCS 11 error code into an >> `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` >> API. With

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key

2025-04-09 Thread Martin Balao
On Wed, 9 Apr 2025 06:45:14 GMT, Daniel Jeliński wrote:

> I think the usual way to handle this is by calling `P11KeyGenerator.checkKeySize`

We discussed calling `P11KeyGenerator::checkKeySize` with @franferrax but were not sure of taking this approach. We found that for DES(3) cases some fix

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key

2025-04-09 Thread Mikhail Yankelevich
On Tue, 8 Apr 2025 20:02:56 GMT, Martin Balao wrote: > Hi, > > I would like to request a review for the fix of JDK-8350661. In this fix, we > translate the native PKCS 11 error code into an > `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` > API. With that said, di

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key

2025-04-08 Thread Daniel Jeliński
On Tue, 8 Apr 2025 20:02:56 GMT, Martin Balao wrote: > Hi, > > I would like to request a review for the fix of JDK-8350661. In this fix, we > translate the native PKCS 11 error code into an > `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` > API. With that said, di

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key

2025-04-08 Thread Weijun Wang
On Tue, 8 Apr 2025 20:02:56 GMT, Martin Balao wrote: > Hi, > > I would like to request a review for the fix of JDK-8350661. In this fix, we > translate the native PKCS 11 error code into an > `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` > API. With that said, di

Re: RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key

2025-04-08 Thread Martin Balao
On Tue, 8 Apr 2025 20:02:56 GMT, Martin Balao wrote: > Hi, > > I would like to request a review for the fix of JDK-8350661. In this fix, we > translate the native PKCS 11 error code into an > `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` > API. With that said, di

RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key

2025-04-08 Thread Martin Balao
Hi, I would like to request a review for the fix of JDK-8350661. In this fix, we translate the native PKCS 11 error code into an `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` API. With that said, different PKCS 11 libraries may throw different errors and may even