-
Type:
Sub-task
-
Resolution: Delivered
-
Priority:
P4
-
Affects Version/s: 25
-
Component/s: security-libs
-
generic
-
generic
Starting with JDK 21, the `SunPKCS11` provider added several password-based `SecretKeyFactory` implementations, such as:
<ul>
<li>SecretKeyFactory.PBEWithHmac[MD]AndAES_128</li>
<li>SecretKeyFactory.PBEWithHmac[MD]AndAES_256</li>
<li>SecretKeyFactory.HmacPBE[MD]</li>
</ul>
where [MD] is one of the `SHA1`, `SHA224`, `SHA256`, `SHA384`, and `SHA512` algorithms.
However, the key objects produced by these implementations use the `PBKDF2`-derived values as key encodings. This is different than the `SunJCE` counterparts which use the password bytes as key encodings. These differences can be very confusing and may cause interoperability issues since both keys have the same algorithm and format, but different encodings. Thus, for consistency sake, these `SunPKCS11` password-based `SecretKeyFactory` implementations have been removed.
<ul>
<li>SecretKeyFactory.PBEWithHmac[MD]AndAES_128</li>
<li>SecretKeyFactory.PBEWithHmac[MD]AndAES_256</li>
<li>SecretKeyFactory.HmacPBE[MD]</li>
</ul>
where [MD] is one of the `SHA1`, `SHA224`, `SHA256`, `SHA384`, and `SHA512` algorithms.
However, the key objects produced by these implementations use the `PBKDF2`-derived values as key encodings. This is different than the `SunJCE` counterparts which use the password bytes as key encodings. These differences can be very confusing and may cause interoperability issues since both keys have the same algorithm and format, but different encodings. Thus, for consistency sake, these `SunPKCS11` password-based `SecretKeyFactory` implementations have been removed.