> We would like to propose an implementation for the [JDK-8301553: Support > Password-Based Cryptography in > SunPKCS11](https://bugs.openjdk.org/browse/JDK-8301553) enhancement > requirement. > > In addition to pursuing the requirement goals and guidelines of > [JDK-8301553](https://bugs.openjdk.org/browse/JDK-8301553), we want to share > the following implementation notes (grouped per altered file): > > * > ```src/java.base/share/classes/com/sun/crypto/provider/HmacPKCS12PBECore.java``` > (modified) > * This file contains the ```SunJCE``` implementation for the [PKCS #12 > General Method for Password > Integrity](https://datatracker.ietf.org/doc/html/rfc7292#appendix-B) > algorithms. It has been modified with the intent of consolidating all > parameter checks in a common file > (```src/java.base/share/classes/sun/security/util/PBEUtil.java```), that can > be used both by ```SunJCE``` and ```SunPKCS11```. This change does not only > serve the purpose of avoiding duplicated code but also ensuring alignment and > compatibility between different implementations of the same algorithms. No > changes have been made to parameter checks themselves. > * The new ```PBEUtil::getPBAKeySpec``` method introduced for parameters > checking takes both a ```Key``` and a ```AlgorithmParameterSpec``` instance > (same as the ```HmacPKCS12PBECore::engineInit``` method), and returns a > ```PBEKeySpec``` instance which consolidates all the data later required to > proceed with the computation (password, salt and iteration count). > > * ```src/java.base/share/classes/com/sun/crypto/provider/PBES2Core.java``` > (modified) > * This file contains the ```SunJCE``` implementation for the [PKCS #5 > Password-Based Encryption > Scheme](https://datatracker.ietf.org/doc/html/rfc8018#section-6.2) > algorithms, which use PBKD2 algorithms underneath for key derivation. In the > same spirit than for the ```HmacPKCS12PBECore``` case, we decided to > consolidate common code for parameters validation and default values in a > single file > (```src/java.base/share/classes/sun/security/util/PBEUtil.java```), that can > serve both ```SunJCE``` and ```SunPKCS11``` and ensure compatibility. > However, instead of a single static method at the implementation level (see > ```PBEUtil::getPBAKeySpec```), we create an instance of an auxiliary class > and invoke an instance method (```PBEUtil.PBES2Params::getPBEKeySpec```). The > reason is to persist parameters data that has to be consistent between calls > to ```PBES2Core::engineInit``` (in its multiple overloads) ...
Martin Balao has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains three additional commits since the last revision: - Rebase fix after JDK-8306033. Replace called functions with their new names. - 8301553: Support Password-Based Cryptography in SunPKCS11 (iteration #1) Co-authored-by: Francisco Ferrari <fferr...@redhat.com> Co-authored-by: Martin Balao <mba...@redhat.com> - 8301553: Support Password-Based Cryptography in SunPKCS11 Co-authored-by: Francisco Ferrari <fferr...@redhat.com> Co-authored-by: Martin Balao <mba...@redhat.com> ------------- Changes: - all: https://git.openjdk.org/jdk/pull/12396/files - new: https://git.openjdk.org/jdk/pull/12396/files/f1b2006a..cd48dc20 Webrevs: - full: https://webrevs.openjdk.org/?repo=jdk&pr=12396&range=02 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=12396&range=01-02 Stats: 888953 lines in 8327 files changed: 625265 ins; 187201 del; 76487 mod Patch: https://git.openjdk.org/jdk/pull/12396.diff Fetch: git fetch https://git.openjdk.org/jdk.git pull/12396/head:pull/12396 PR: https://git.openjdk.org/jdk/pull/12396
