JDK-8346721

Support Generic keys in SunPKCS11 SecretKeyFactory


    • CSR
    • Resolution: Withdrawn
    • P4
    • 25
    • security-libs
    • None
    • behavioral
    • low
      There is a low risk of a third-party security provider using the _Generic_ key algorithm already for the JCA SecretKeyFactory engine or any extension. If the SunPKCS11 provider is installed with higher preference, there will be a behavioral change: the SunPKCS11 service will be used instead, with potentially undesired effects. This problem can be solved by either lowering SunPKCS11 in the providers preference list or by increasing the third-party's _Generic_ SecretKeyFactory service preference with the `jdk.security.provider.preferred` security property.

      Third-party security providers using the _Generic_ algorithm already for the JCA SecretKeyFactory engine or any extension will potentially face compatibility issues as this name is now standardized and given a specific meaning.
    • Java API
    • JDK

      Summary

      Define the Generic algorithm for symmetric keys in the SecretKeyFactory JCA engine. Implement the Generic algorithm for SecretKeyFactory in the SunPKCS11 security provider.

      Problem

      The PKCS #11 standard defines Generic Secret as a symmetric key type that serves multiple purposes (HMAC authentication, HKDF Initial Key Material, HKDF Salt, etc.). See more information in section 6.8 Generic secret key of the PKCS #11 v3.1 standard. Contrary to other key types, Generic Secret keys generally offer more flexibility for key lengths. Keys of the Generic type are represented by the CKK_GENERIC_SECRET PKCS #11 native constant.

      While the JDK may be internally using CKK_GENERIC_SECRET keys already (for example, as a result of a Password-Based Cryptography PBKDF2 derivation), there is no support for Java applications to create them explicitly with the SecretKeyFactory JCA engine. JCA engines often receive SecretKeySpec instances and internally create keys in the PKCS #11 library, but this does not allow the Java application to fully control the key's life cycle as it is created for a specific purpose and its handle may never be returned. This problem is more visible with Hardware Security Modules in which keys are expected to be created once and re-used multiple times.

      Solution

      Extend the list of algorithms supported for the SecretKeyFactory JCA engine to include Generic and implement support in the SunPKCS11 security provider. The underlying PKCS #11 key type for Generic should be CKK_GENERIC_SECRET.

      Specification

      Make the following changes to the PKCS#11 Reference Guide.

      Update Table 5-3 Java Algorithms Supported by the SunPKCS11 Provider to add the following rows:

      | Java Algorithm           | PKCS#11 Mechanisms         |
      |--------------------------|----------------------------|
      | SecretKeyFactory.Generic | CKM_GENERIC_SECRET_KEY_GEN |

      The update to the SecretKeyFactory section of the Standard Names document is done in the context of CSR JDK-8346997.
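
The compatibility risk described above (a provider-less lookup of the Generic SecretKeyFactory resolving to a different provider once SunPKCS11 registers it) can be checked on a given runtime with a small audit. This is an added example, not code from the CSR or the JDK; the class name `GenericSkfAudit` is hypothetical, and `<ProviderName>` is a placeholder for whichever provider should be pinned.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.SecretKeyFactory;

// Hypothetical audit class (not part of the JDK or of this CSR).
public class GenericSkfAudit {
    static final String TYPE = "SecretKeyFactory";
    static final String ALG = "Generic";

    /** Installed providers, in preference order, that register SecretKeyFactory.Generic. */
    static List<String> claimants() {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (p.getService(TYPE, ALG) != null) {
                names.add(p.getName());
            }
        }
        return names;
    }

    public static void main(String[] args) {
        List<String> claimants = claimants();
        System.out.println("Providers offering " + TYPE + "." + ALG + ": " + claimants);

        // Entries in this property take precedence over the plain provider order.
        String preferred = Security.getProperty("jdk.security.provider.preferred");
        System.out.println("jdk.security.provider.preferred = " + preferred);

        try {
            // Provider-less lookup: the call whose result can change when a
            // higher-preference provider starts registering the same name.
            Provider winner = SecretKeyFactory.getInstance(ALG).getProvider();
            System.out.println("Unqualified getInstance resolves to: " + winner.getName());
        } catch (NoSuchAlgorithmException e) {
            System.out.println("No installed provider offers " + TYPE + "." + ALG);
        }

        if (claimants.size() > 1) {
            System.out.println("WARNING: more than one provider claims " + ALG
                + "; pin one with getInstance(alg, provider) or with a "
                + TYPE + "." + ALG + ":<ProviderName> entry in "
                + "jdk.security.provider.preferred");
        }
    }
}
```

Run it with the same `java.security` configuration and provider set as the application being assessed, since the result depends entirely on the installed provider list.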

            mbalao Martin Balao Alonso
            Kevin Driver