Summary

Define the Generic algorithm for symmetric keys in the SecretKeyFactory JCA engine. Implement the Generic algorithm for SecretKeyFactory in the SunPKCS11 security provider.

Problem

The PKCS #11 standard defines Generic Secret as a symmetric key type that serves multiple purposes (HMAC authentication, HKDF Initial Key Material, HKDF Salt, etc.). See more information in section 6.8 Generic secret key of the PKCS #11 v3.1 standard. Contrary to other key types, Generic Secret keys generally offer more flexibility for key lengths. Keys of the Generic type are represented by the CKK_GENERIC_SECRET PKCS #11 native constant.

While the JDK may be internally using CKK_GENERIC_SECRET keys already (for example, as a result of a Password-Based Cryptography PBKDF2 derivation), there is no support for Java applications to create them explicitly with the SecretKeyFactory JCA engine. JCA engines often receive SecretKeySpec instances and internally create keys in the PKCS #11 library, but this does not allow the Java application to fully control the key's life cycle as it is created for a specific purpose and its handle may never be returned. This problem is more visible with Hardware Security Modules in which keys are expected to be created once and re-used multiple times.

Solution

Extend the list of algorithms supported for the SecretKeyFactory JCA engine to include Generic and implement support in the SunPKCS11 security provider. The underlying PKCS #11 key type for Generic should be CKK_GENERIC_SECRET.

Specification

Make the following changes to the PKCS#11 Reference Guide.

Update Table 5-3 Java Algorithms Supported by the SunPKCS11 Provider to add the following rows:

The update to the SecretKeyFactory section of the Standard Names document is done in the context of CSR JDK-8346997.