Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8352294

SunJCE and SunPKCS11 have different PBE key encodings

XMLWordPrintable

    • Icon: CSR CSR
    • Resolution: Unresolved
    • Icon: P3 P3
    • 25
    • security-libs
    • None
    • behavioral
    • low
    • The support is added only since JDK 21. So, probably not many users depending on them yet.
    • Other
    • JDK

      Summary

      Remove the SunPKCS11 SecretKeyFactory impls whose key encodings are incompatible with SunJCE's. These SecretKeyFactory impls are added in JDK 21 under https://bugs.openjdk.org/browse/JDK-8301553.

      Problem

      As part of JDK-8301553 "Support Password-Based Cryptography in SunPKCS11", support for password-based SecretKeyFactory impls are added to SunPKCS11 provider. However, the key objects produced by these impls return different key encoding comparing to their SunJCE counterparts. These can be very confusing since both keys have the same algorithm, format but different encodings. The main reason for adding these password-based SecretKeyFactory impls to SunPKCS11 provider is to bypass the ASCII-password requirement in SunJCE provider's password-based SecretKeyFactory impls and to add support for unicode.

      Solution

      Remove the ASCII-password requirement in SunJCE provider's password-based SecretKeyFactory impls and use UTF-8 to convert the password to their encoding bytes. Remove the SunPKCS11 SecretKeyFactory impls added in JDK 21 since the callers can use SunJCE provider's password-based SecretKeyFactory impls instead.

      Specification

      1) Update the JDK Providers Documentation to remove the note "The SunJCE provider only supports ASCII for passwords for its PBE algorithms." under "The SunJCE Provider" section

      2) Remove the following rows from Table 5-3 "Java Algorithms Supported by the SunPKCS11 Provider" in the "PKCS#11 Reference Guide"

      Java Algorithm PKCS#11 Mechanisms
      SecretKeyFactory.PBEWithHmacSHA1AndAES_128CKM_PKCS5_PBKD2 (CKM_SHA_1_HMAC required)
      SecretKeyFactory.PBEWithHmacSHA224AndAES_128 CKM_PKCS5_PBKD2 (CKM_SHA224_HMAC required)
      SecretKeyFactory.PBEWithHmacSHA256AndAES_128 CKM_PKCS5_PBKD2 (CKM_SHA256_HMAC required)
      SecretKeyFactory.PBEWithHmacSHA384AndAES_128 CKM_PKCS5_PBKD2 (CKM_SHA384_HMAC required)
      SecretKeyFactory.PBEWithHmacSHA512AndAES_128 CKM_PKCS5_PBKD2 (CKM_SHA512_HMAC required)
      SecretKeyFactory.PBEWithHmacSHA1AndAES_256 CKM_PKCS5_PBKD2 (CKM_SHA_1_HMAC required)
      SecretKeyFactory.PBEWithHmacSHA224AndAES_256 CKM_PKCS5_PBKD2 (CKM_SHA224_HMAC required)
      SecretKeyFactory.PBEWithHmacSHA256AndAES_256 CKM_PKCS5_PBKD2 (CKM_SHA256_HMAC required)
      SecretKeyFactory.PBEWithHmacSHA384AndAES_256 CKM_PKCS5_PBKD2 (CKM_SHA384_HMAC required)
      SecretKeyFactory.PBEWithHmacSHA512AndAES_256 CKM_PKCS5_PBKD2 (CKM_SHA512_HMAC required)
      SecretKeyFactory.HmacPBESHA1 CKM_PBA_SHA1_WITH_SHA1_HMAC
      SecretKeyFactory.HmacPBESHA224 CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN
      SecretKeyFactory.HmacPBESHA256 CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN
      SecretKeyFactory.HmacPBESHA384 CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN
      SecretKeyFactory.HmacPBESHA512 CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN

            valeriep Valerie Peng
            weijun Weijun Wang
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated: