Summary

Remove the SunPKCS11 SecretKeyFactory impls whose key encodings are incompatible with SunJCE's. These SecretKeyFactory impls are added in JDK 21 under https://bugs.openjdk.org/browse/JDK-8301553.

Problem

As part of JDK-8301553 "Support Password-Based Cryptography in SunPKCS11", support for password-based SecretKeyFactory impls are added to SunPKCS11 provider. However, the key objects produced by these impls return different key encoding comparing to their SunJCE counterparts. These can be very confusing since both keys have the same algorithm and format but different encodings. The main reason for adding these password-based SecretKeyFactory impls to SunPKCS11 provider is to bypass the ASCII-password requirement in SunJCE provider's password-based SecretKeyFactory impls and to add support for unicode.

Solution

Remove the ASCII-password requirement in SunJCE provider's password-based SecretKeyFactory impls and use UTF-8 to convert the password to their encoding bytes. Remove the SunPKCS11 SecretKeyFactory impls added in JDK 21 since the callers can use SunJCE provider's password-based SecretKeyFactory impls instead.

Specification

1. Update the <a href="https://docs.oracle.com/en/java/javase/23/security/oracle-providers.html#GUID-A47B1249-593C-4C38-A0D0-68FA7681E0A7">JDK Providers Documentation</a> to remove the note "The SunJCE provider only supports ASCII for passwords for its PBE algorithms." under "The SunJCE Provider" section

2. Remove the following rows from <a href="https://docs.oracle.com/en/java/javase/23/security/pkcs11-reference-guide1.html#GUID-D3EF9023-7DDC-435D-9186-D2FD05674777__GUID-21B92E76-EE33-47EA-BC0C-F428AF662C02">Table 5-3 "Java Algorithms Supported by the SunPKCS11 Provider"</a> in the "PKCS#11 Reference Guide"

<table> <tr><th>Java Algorithm</th> <th>PKCS#11 Mechanisms</th></tr> <tr><td>SecretKeyFactory.PBEWithHmacSHA1AndAES_128</td><td>CKM_PKCS5_PBKD2 (CKM_SHA_1_HMAC required)</td></tr> <tr><td>SecretKeyFactory.PBEWithHmacSHA224AndAES_128</td> <td>CKM_PKCS5_PBKD2 (CKM_SHA224_HMAC required)</td></tr> <tr><td>SecretKeyFactory.PBEWithHmacSHA256AndAES_128</td> <td>CKM_PKCS5_PBKD2 (CKM_SHA256_HMAC required)</td></tr> <tr><td>SecretKeyFactory.PBEWithHmacSHA384AndAES_128</td> <td>CKM_PKCS5_PBKD2 (CKM_SHA384_HMAC required)</td></tr> <tr><td>SecretKeyFactory.PBEWithHmacSHA512AndAES_128</td> <td>CKM_PKCS5_PBKD2 (CKM_SHA512_HMAC required)</td></tr> <tr><td>SecretKeyFactory.PBEWithHmacSHA1AndAES_256</td> <td>CKM_PKCS5_PBKD2 (CKM_SHA_1_HMAC required)</td></tr> <tr><td>SecretKeyFactory.PBEWithHmacSHA224AndAES_256</td> <td>CKM_PKCS5_PBKD2 (CKM_SHA224_HMAC required)</td></tr> <tr><td>SecretKeyFactory.PBEWithHmacSHA256AndAES_256</td> <td>CKM_PKCS5_PBKD2 (CKM_SHA256_HMAC required)</td></tr> <tr><td>SecretKeyFactory.PBEWithHmacSHA384AndAES_256</td> <td>CKM_PKCS5_PBKD2 (CKM_SHA384_HMAC required)</td></tr> <tr><td>SecretKeyFactory.PBEWithHmacSHA512AndAES_256</td> <td>CKM_PKCS5_PBKD2 (CKM_SHA512_HMAC required)</td></tr> <tr><td>SecretKeyFactory.HmacPBESHA1</td> <td>CKM_PBA_SHA1_WITH_SHA1_HMAC</td></tr> <tr><td>SecretKeyFactory.HmacPBESHA224</td> <td>CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN</td></tr> <tr><td>SecretKeyFactory.HmacPBESHA256</td> <td>CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN</td></tr> <tr><td>SecretKeyFactory.HmacPBESHA384</td> <td>CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN</td></tr> <tr><td>SecretKeyFactory.HmacPBESHA512</td> <td>CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN</td></tr> </table>