-
Enhancement
-
Resolution: Fixed
-
P4
-
8
-
None
-
b25
-
generic
-
generic
javax.crypto.SecretKeyFactory.translateKey(SecretKey key) translates a key object, whose provider may be unknown or potentially untrusted, into a corresponding key object of this secret-key factory.
During test enhancements for JEP 121 (see CR 7181001) I've encountered with situation that PBKDF2 algorithms has some restriction of using this method.
For PBE algorithms like pbeWithMD5ANDdes or PBEWithSHA1AndRC2_128 it is possible to use as a key some class that implements SecurityKey interface. So, it is enough to implement getAlgorithm, getEncoded, getFormat methods.
For PBKDF2 algorithms like PBKDF2WithHmacSHA1 it doesn't work. The implementation of PBKDF2HmacSHA1Factory requires the key should be an instance of com.sun.crypto.provider.PBKDF2KeyImpl or implements PBEKey interface. In other case the method throws InvalidKeyException like below:
java.security.InvalidKeyException: Invalid key format/algorithm
Test FAILED. Unexpected Exception: java.security.InvalidKeyException: Invalid key format/algorithm
at com.sun.crypto.provider.PBKDF2Core.engineTranslateKey(PBKDF2Core.java:150)
at javax.crypto.SecretKeyFactory.translateKey(SecretKeyFactory.java:409)
See the attached test case.
Well PBEKey extends SecretKey. So, formally there is no spec violation. But there is difference in requirements of using the translateKey() method for PBKDF2 algorithms and that PBE algorithms whose key factory is based on PBEKeyFactory.
I guess this specificity should be reflected in the JDK spec or in the exception message thrown by translateKey() method. Something like
"java.security.InvalidKeyException: instance of PBEKey is required"
During test enhancements for JEP 121 (see CR 7181001) I've encountered with situation that PBKDF2 algorithms has some restriction of using this method.
For PBE algorithms like pbeWithMD5ANDdes or PBEWithSHA1AndRC2_128 it is possible to use as a key some class that implements SecurityKey interface. So, it is enough to implement getAlgorithm, getEncoded, getFormat methods.
For PBKDF2 algorithms like PBKDF2WithHmacSHA1 it doesn't work. The implementation of PBKDF2HmacSHA1Factory requires the key should be an instance of com.sun.crypto.provider.PBKDF2KeyImpl or implements PBEKey interface. In other case the method throws InvalidKeyException like below:
java.security.InvalidKeyException: Invalid key format/algorithm
Test FAILED. Unexpected Exception: java.security.InvalidKeyException: Invalid key format/algorithm
at com.sun.crypto.provider.PBKDF2Core.engineTranslateKey(PBKDF2Core.java:150)
at javax.crypto.SecretKeyFactory.translateKey(SecretKeyFactory.java:409)
See the attached test case.
Well PBEKey extends SecretKey. So, formally there is no spec violation. But there is difference in requirements of using the translateKey() method for PBKDF2 algorithms and that PBE algorithms whose key factory is based on PBEKeyFactory.
I guess this specificity should be reflected in the JDK spec or in the exception message thrown by translateKey() method. Something like
"java.security.InvalidKeyException: instance of PBEKey is required"
- duplicates
-
-
- Closed
-
- relates to
-
JDK-7182129 SKF.translateKey(): text encrypted by original key can't be decrypted by translated one for PBKDF2
-
- Closed
-
