8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key #24526
Conversation
|
👋 Welcome back mbalao! A progress list of the required criteria for merging this PR into |
|
@franferrax @valeriepeng @wangweij may I ask you to have a look at this proposal? Thanks! |
|
@martinuy This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be: You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 240 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
Webrevs
|
|
Looks good to me, but again I am not a PKCS #11 expert. |
|
I think the usual way to handle this is by calling |
| KDF k = KDF.getInstance("HKDF-SHA256", p11Provider); | ||
| k.deriveKey("AES", HKDFParameterSpec.ofExtract() | ||
| .thenExpand(null, 31)); | ||
| throw new Exception("No exception thrown."); |
There was a problem hiding this comment.
I think this throw is unnecessary, you can just call this code straight on line 619 and remove the catch block below
reportTestFailure(new Exception("Derivation of an AES key of " +
"invalid size (31 bytes) expected to throw " +
"InvalidAlgorithmParameterException.", e));What do you think?
There was a problem hiding this comment.
The catch block would still be needed because another exception (such as ProviderException, as is the case now) might be thrown and we want to make sure that it does not occur.
| import static sun.security.pkcs11.TemplateManager.*; | ||
| import sun.security.pkcs11.wrapper.*; | ||
| import static sun.security.pkcs11.wrapper.PKCS11Constants.*; | ||
| import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.*; |
There was a problem hiding this comment.
Nitpick: Does this import need to be a *? Wouldn't it be better to just have a import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.CKR_KEY_SIZE_RANGE; ?
We discussed calling |
That sounds reasonable. Whatever you decide, I think it would be good to make sure P11HKDF, P11SecretKeyFactory and P11KeyGenerator perform the same checks during key generation. |
| KDF k = KDF.getInstance("HKDF-SHA256", p11Provider); | ||
| k.deriveKey("AES", HKDFParameterSpec.ofExtract() | ||
| .thenExpand(null, 31)); | ||
| throw new Exception("No exception thrown."); |
There was a problem hiding this comment.
nit: "Expected InvalidAlgorithmParameterException not thrown" is clearer?
There was a problem hiding this comment.
This exception will be the cause, the wrapper exception will inform that InvalidAlgorithmParameterException was expected to be thrown.
| reportTestFailure(new Exception("Derivation of an AES key of " + | ||
| "invalid size (31 bytes) expected to throw " + | ||
| "InvalidAlgorithmParameterException.", e)); |
There was a problem hiding this comment.
Why not just use reportTestFailure(e)? I don't find the extra layer of exception too useful.
There was a problem hiding this comment.
To be more informative, because the original exception —not the one that we would throw if no exception is thrown— does not state which exception was expected to be thrown, is just a ProviderException which may even look good/appropriate for an invalid key size.
|
On a related note, I am working on #24393 and noticed that JSSE calls HKDF.deriveKey(...) with various names such as "TlsFinishedSecret", "TlsResumptionMasterSecret" as the key algorithm. This causes errors when using PKCS11 HKDF since the Comments or suggestions? @martinuy |
Thanks for the heads up. I was just looking at the possibility of passing key algorithms for derived keys that were not considered before but are part of the map (e.g. hmac, pbe, etc.), and wondered how that should be handled. Tls could be the opposite case: not part of the map but needs to be handled. Will give it some thinking. I was also thinking of extending the |
|
@valeriepeng @djelinski @franferrax can you please take a look at this new proposal? Thanks! |
|
What I have found with Tls* keys is that they are in the map but we need to translate their pseudo-mechanism to a valid one ( |
What I found is that there are more "TlsXXX" than those defined in P11SecretKeyFactory class which are mapped to PCKK_xxx. So, we will need to decide if those self-defined "TlsXXX" algorithms are allowed (e.g. PKCS11 will treat them as Generic secret keys or changing the TLS code to use a key algorithm recognized by PKCS11). Beside this, we need to make sure the current pseudo key type works, e.g. translating to a valid key type when necessary, as you stated. |
| if (ki.keyType != CKK_GENERIC_SECRET || | ||
| alg.equalsIgnoreCase("Generic")) { | ||
| return ki.keyType; | ||
| } |
There was a problem hiding this comment.
What is this check for? It's not immediately clear to me why do we look up the keyInfo using alg but then again to check to error out when the found keyType is CKK_GENERIC_SECRET && alg not equals "Generic". This seems to directly contradicts the special workaround for "TlsXXX" in my other PR?
There was a problem hiding this comment.
For the TlsXXX issue I check the pseudo-mechanism. That works if all algorithms are known to the map. I'll check how many we have and see what are the pros/cons of having them in the map. I prefer symmetric key algorithms to be in the map.
The reason for the check you referred is to block deriving keys such as HmacSHA256, PBEWithHmacSHA224AndAES_256, etc. which are not the result of HKDF derivations, but of Mac and PBE derivation.
There was a problem hiding this comment.
As far as I understand it, HmacSHA256 is blocked, but not PBEWithHmacSHA224AndAES_256.
HmacSHA256
- Has an
HMACKeyInfoentry with the following non-static fields:KeyInfo.algo="HmacSHA256"KeyInfo.keyType=CKK_GENERIC_SECRETKeyInfo.keyGenMech=CK_UNAVAILABLE_INFORMATIONHMACKeyInfo.mech=CKM_SHA256_HMACHMACKeyInfo.keyLen=256
Given ki.keyType is CKK_GENERIC_SECRET and alg is HmacSHA256, in P11HKDF::getDerivedKeyType it will enter the first case but not the if. So it will finally throw the expected exception:
InvalidAlgorithmParameterException("A key of algorithm 'HmacSHA256' is not valid for derivation.")PBEWithHmacSHA224AndAES_256
- Has an
AESPBEKeyInfoentry with the following non-static fields:KeyInfo.algo="PBEWithHmacSHA224AndAES_256"KeyInfo.keyType=CKK_AESKeyInfo.keyGenMech=CK_UNAVAILABLE_INFORMATIONPBEKeyInfo.kdfMech=CKM_PKCS5_PBKD2PBEKeyInfo.prfMech=CKP_PKCS5_PBKD2_HMAC_SHA224PBEKeyInfo.keyLen=256PBEKeyInfo.extraAttrs=new CK_ATTRIBUTE[] { CK_ATTRIBUTE.ENCRYPT_TRUE }
Given ki.keyType is CKK_AES, in P11HKDF::getDerivedKeyType it will enter the first case and also the if, returning CKK_AES. Later, in P11KeyGenerator::checkKeySize(..., Token token), P11KeyGenerator::getSupportedRange will return null, because ki.keyGenMech is CK_UNAVAILABLE_INFORMATION. This will make P11KeyGenerator::checkKeySize(..., CK_MECHANISM_INFO range) enter the default case, and finally return the unmodified keySize. No exception is thrown, unless I'm missing something.
There was a problem hiding this comment.
Also, we could save one of the if conditions by creating a separate case for CKK_GENERIC_SECRET:
switch ((int) ki.keyType) {
case (int) CKK_DES, (int) CKK_DES3, (int) CKK_AES, (int) CKK_RC4,
(int) CKK_BLOWFISH, (int) CKK_CHACHA20 -> {
return ki.keyType;
}
case (int) CKK_GENERIC_SECRET -> {
if (alg.equalsIgnoreCase("Generic")) {
return ki.keyType;
}
}
// [...]
}In my view, this is quicker to understand, what do you think?
There was a problem hiding this comment.
Yes, I much prefer this idea of separate case for CKK_GENERIC_SECRET.
| case (int) PCKK_TLSPREMASTER, (int) PCKK_TLSRSAPREMASTER, | ||
| (int) PCKK_TLSMASTER -> { | ||
| return CKK_GENERIC_SECRET; | ||
| } |
There was a problem hiding this comment.
It's easier to troubleshoot to add a default case and not let it fall through to the exception on line 253? It's possible that P11SecretKeyFactory is enhanced with more KeyInfo, but the newly added keyType is not added here. Lumping different causes into the same exception may be harder to debug.
There was a problem hiding this comment.
The exception informs the algorithm, and we know that the algorithm was found in the map because, otherwise, we would have not been able to get the KeyInfo ki received by parameter. I can add two separate exceptions if you want, but should not make much of a difference because the reason for the exception is the same: the algorithm is not valid for derivation, regardless if its underlying mechanism is CKK_GENERIC_SECRET or something else.
Good, let me check this. |
franferrax
left a comment
franferrax
left a comment
There was a problem hiding this comment.
Hi @martinuy,
Thanks for your proposal, I left four comments. Two of them are suggestions/ideas, but unless my static analysis is bogus, I also found a minor bug (one comment explains the reasoning, the other suggests a low-hanging fruit test case to confirm).
|
|
||
| putKeyInfo(new KeyInfo("TlsPremasterSecret", PCKK_TLSPREMASTER)); | ||
| putKeyInfo(new KeyInfo("TlsRsaPremasterSecret", PCKK_TLSRSAPREMASTER)); | ||
| putKeyInfo(new KeyInfo("TlsMasterSecret", PCKK_TLSMASTER)); |
There was a problem hiding this comment.
Have you considered removing PCKK_TLSPREMASTER, PCKK_TLSRSAPREMASTER and PCKK_TLSMASTER from everywhere? We could just use CKK_GENERIC_SECRET for the TlsPremasterSecret, TlsRsaPremasterSecret and TlsMasterSecret key info entries.
Unlike PCKK_ANY, which is used for the TemplateManager to map * entries in SunPKCS11 configuration files [1], these other 3 pseudo key types are only used here in P11SecretKeyFactory. Additionally, any time these 3 pseudo key types are used, it is to map to CKK_GENERIC_SECRET.
[1] SunPKCS11 configuration files can't contain PCKK_TLS*MASTER attributes entries, only * is parsable, and corresponds with PCKK_ANY:
There was a problem hiding this comment.
I like this idea but the downside I see is that we would need string comparison in P11KDF::getDerivedKeyType to allow TLS keys. What if we merge all PCKK_TLSPREMASTER, PCKK_TLSRSAPREMASTER and PCKK_TLSMASTER into PCKK_TLSKEY and then do the translation to CKK_GENERIC_SECRET as needed? This will also help with the new Tls* keys that I am planning to add to the map.
There was a problem hiding this comment.
BTW, I don't like the partial "Tls" string comparison much because it's making an assumption about the algorithm name.
There was a problem hiding this comment.
A new PCKK_TLSKEY pseudo key type looks good to me. Alternatively, and just thinking out loud, how about introducing a new TlsKeyInfo and using ki instanceof TlsKeyInfo in P11KDF::getDerivedKeyType?
Perhaps we could also add a new KeyInfo.supportsHKDF boolean field and store that information in the map, replacing the whole P11KDF::getDerivedKeyType call by a ki.supportsHKDF check. This would also solve the PBEWithHmacSHA224AndAES_256 case.
There was a problem hiding this comment.
KeyInfo.supportsHKDF could be a valid approach. My only concern would be overloading the map/map-objects with information that is specific to each use of a key type. For example, the same criteria could be applied to store whether a key is suitable for C_CreateObject in P11SecretKeyFactory::createKey. What I liked about storing the key gen mech is that we have different users benefiting from the same information. If there is interest in exploring this idea, I can propose something.
I liked the TlsKeyInfo idea to remove PCKK_TLS* completely. We can create these keys and assign GENERIC, same as HMACKeyInfo.
| "PBKDF2WithHmacSHA1", | ||
| 32, | ||
| "Derivation of an invalid key algorithm"); | ||
| } |
There was a problem hiding this comment.
I suggest adding a case with an invalid key algorithm whose key info map entry doesn't have KeyInfo.keyType=CKK_GENERIC_SECRET. For example, PBEWithHmacSHA224AndAES_256, where KeyInfo.keyType=CKK_AES.
| if (ki.keyType != CKK_GENERIC_SECRET || | ||
| alg.equalsIgnoreCase("Generic")) { | ||
| return ki.keyType; | ||
| } |
There was a problem hiding this comment.
As far as I understand it, HmacSHA256 is blocked, but not PBEWithHmacSHA224AndAES_256.
HmacSHA256
- Has an
HMACKeyInfoentry with the following non-static fields:KeyInfo.algo="HmacSHA256"KeyInfo.keyType=CKK_GENERIC_SECRETKeyInfo.keyGenMech=CK_UNAVAILABLE_INFORMATIONHMACKeyInfo.mech=CKM_SHA256_HMACHMACKeyInfo.keyLen=256
Given ki.keyType is CKK_GENERIC_SECRET and alg is HmacSHA256, in P11HKDF::getDerivedKeyType it will enter the first case but not the if. So it will finally throw the expected exception:
InvalidAlgorithmParameterException("A key of algorithm 'HmacSHA256' is not valid for derivation.")PBEWithHmacSHA224AndAES_256
- Has an
AESPBEKeyInfoentry with the following non-static fields:KeyInfo.algo="PBEWithHmacSHA224AndAES_256"KeyInfo.keyType=CKK_AESKeyInfo.keyGenMech=CK_UNAVAILABLE_INFORMATIONPBEKeyInfo.kdfMech=CKM_PKCS5_PBKD2PBEKeyInfo.prfMech=CKP_PKCS5_PBKD2_HMAC_SHA224PBEKeyInfo.keyLen=256PBEKeyInfo.extraAttrs=new CK_ATTRIBUTE[] { CK_ATTRIBUTE.ENCRYPT_TRUE }
Given ki.keyType is CKK_AES, in P11HKDF::getDerivedKeyType it will enter the first case and also the if, returning CKK_AES. Later, in P11KeyGenerator::checkKeySize(..., Token token), P11KeyGenerator::getSupportedRange will return null, because ki.keyGenMech is CK_UNAVAILABLE_INFORMATION. This will make P11KeyGenerator::checkKeySize(..., CK_MECHANISM_INFO range) enter the default case, and finally return the unmodified keySize. No exception is thrown, unless I'm missing something.
| if (ki.keyType != CKK_GENERIC_SECRET || | ||
| alg.equalsIgnoreCase("Generic")) { | ||
| return ki.keyType; | ||
| } |
There was a problem hiding this comment.
Also, we could save one of the if conditions by creating a separate case for CKK_GENERIC_SECRET:
switch ((int) ki.keyType) {
case (int) CKK_DES, (int) CKK_DES3, (int) CKK_AES, (int) CKK_RC4,
(int) CKK_BLOWFISH, (int) CKK_CHACHA20 -> {
return ki.keyType;
}
case (int) CKK_GENERIC_SECRET -> {
if (alg.equalsIgnoreCase("Generic")) {
return ki.keyType;
}
}
// [...]
}In my view, this is quicker to understand, what do you think?
Thanks for your review. Yes, there is a hole that allows derivation for algorithms such as |
|
I've implemented the |
| throw new InvalidAlgorithmParameterException("Invalid key " + | ||
| "size for algorithm '" + alg + "'.", e); |
There was a problem hiding this comment.
nit: include the requested key size in the exception message?
| } | ||
|
|
||
| static sealed class KeyInfo permits PBEKeyInfo, HMACKeyInfo, HKDFKeyInfo { | ||
| static sealed class KeyInfo permits PBEKeyInfo, HMACKeyInfo, HKDFKeyInfo, |
There was a problem hiding this comment.
Can we add some comment about the purpose of KeyInfo and the PKCS11 classes which depend on it? E.g. HKDF will use the key algorithm to look up the corresponding key type. Also some comment for the various child key info classes would be nice.
| } | ||
| } | ||
|
|
||
| static final class TLSKeyInfo extends KeyInfo { |
There was a problem hiding this comment.
Documenting this TLSKeyInfo is to support JSSE using HKDF to derive various keys whose algorithms are named following the "TlsXXX" convention?
| case (int) CKK_DES, (int) CKK_DES3, (int) CKK_AES, (int) CKK_RC4, | ||
| (int) CKK_BLOWFISH, (int) CKK_CHACHA20 -> { | ||
| keyLength = P11KeyGenerator.checkKeySize(ki.keyGenMech, n, | ||
| token); | ||
| if (keyType == CKK_DES || keyType == CKK_DES3) { | ||
| fixDESParity(encoded, 0); | ||
| } | ||
| if (keyType == CKK_DES3) { | ||
| fixDESParity(encoded, 8); | ||
| if (keyLength == 112) { | ||
| keyType = CKK_DES2; | ||
| } else { | ||
| fixDESParity(encoded, 16); | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
Hmm, how about separating out AES, RC4, Blowfish and ChaCha20 to a separate case? Only DES and DES3 needs parity checking and they are very legacy.
There was a problem hiding this comment.
We would need to repeat code if we separate (invocation to P11KeyGenerator::checkKeySize). Does not look complex enough in my opinion to merit this split.
There was a problem hiding this comment.
The separation can remove 1 conditional block, so only 1 extra line and the flow looks cleaner in my opinion, e.g.
| case (int) CKK_DES, (int) CKK_DES3, (int) CKK_AES, (int) CKK_RC4, | |
| (int) CKK_BLOWFISH, (int) CKK_CHACHA20 -> { | |
| keyLength = P11KeyGenerator.checkKeySize(ki.keyGenMech, n, | |
| token); | |
| if (keyType == CKK_DES || keyType == CKK_DES3) { | |
| fixDESParity(encoded, 0); | |
| } | |
| if (keyType == CKK_DES3) { | |
| fixDESParity(encoded, 8); | |
| if (keyLength == 112) { | |
| keyType = CKK_DES2; | |
| } else { | |
| fixDESParity(encoded, 16); | |
| } | |
| } | |
| } | |
| case (int) CKK_DES, (int) CKK_DES3 -> { | |
| keyLength = P11KeyGenerator.checkKeySize(ki.keyGenMech, n, | |
| token); | |
| fixDESParity(encoded, 0); | |
| if (keyType == CKK_DES3) { | |
| fixDESParity(encoded, 8); | |
| if (keyLength == 112) { | |
| keyType = CKK_DES2; | |
| } else { | |
| fixDESParity(encoded, 16); | |
| } | |
| } | |
| } | |
| case (int) CKK_AES, (int) CKK_RC4, (int) CKK_BLOWFISH, (int) CKK_CHACHA20 -> { | |
| keyLength = P11KeyGenerator.checkKeySize(ki.keyGenMech, n, | |
| token); | |
| } |
There was a problem hiding this comment.
If you'd still like lumping them together as you have it now, then at least move the if (keyType == CKK_DES3) block (line 624-630) to inside the previous if-block (line 621-623)?
| if (!kiClass.equals(P11SecretKeyFactory.TLSKeyInfo.class) && | ||
| !(kiClass.equals(P11SecretKeyFactory.KeyInfo.class) && | ||
| canDeriveKeyInfoType(ki.keyType))) { | ||
| throw new InvalidAlgorithmParameterException("A key of algorithm " + | ||
| "'" + alg + "' is not valid for derivation."); | ||
| } |
There was a problem hiding this comment.
So, essentially, we only allow HKDF to derive keys when ki is either TLSKeyInfo or KeyInfo w/ the key types in canDeriveKeyInfoType(long) method? Are you checking each key algorithm just to rule out RC2 and IDEA? Not sure if it's worth the extra checking. Besides, if more CKK_xxx is added to KeyInfo, it'd need to be added to canDeriveKeyInfoType(long) which can be easily missed.
There was a problem hiding this comment.
That's right: only TLSKeyInfo and selected KeyInfo keys allowed for HKDF derivation. If something is added to the map, it's not implicitly allowed. Same is true for P11SecretKeyFactory::createKey (C_CreateObject). Even P11KeyGenerator may need adjustments depending on the key type. I think that adding something should require to think what's the impact on different services, and not rely on a default/implicit behavior. I don't expect new symmetric key updates to be that frequent, though. If this becomes a problem, we can implement what @franferrax suggested and move the "uses" information to the map.
I was not thinking of RC2 or IDEA but of key algorithms that are not the result of a HKDF derivation and did not go through the checks that we would enforce otherwise. For example, a key of algorithm PBEWithHmacSHA512AndAES_256 should be the result of a PBE derivation and should have a specific key size. It would be inconsistent to obtain a key of this algorithm with a different size through a HKDF derivation. When we check or convert keys to be used in services, we rely on this information.
valeriepeng
left a comment
valeriepeng
left a comment
There was a problem hiding this comment.
Updates look good to me. Thanks~
franferrax
left a comment
franferrax
left a comment
There was a problem hiding this comment.
Thanks for the updates, it looks good to me.
|
/integrate |
|
Going to push as commit 5264d80.
Your commit was automatically rebased without conflicts. |
openjdk
bot
removed
ready
6 participants
Hi,
I would like to request a review for the fix of JDK-8350661. In this fix, we translate the native PKCS 11 error code into an
InvalidAlgorithmParameterException, as documented in theKDF::deriveKeyAPI. With that said, different PKCS 11 libraries may throw different errors and may even (in theory) delay the error until the key is used, as SunJCE does. I believe that this is an improvement but further adjustments may be needed in the future.No regressions observed in
test/jdk/sun/security/pkcs11/KDF/TestHKDF.java.Thanks,
Martin.-
Progress
Issue
Reviewers
Reviewing
Using
gitCheckout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/24526/head:pull/24526$ git checkout pull/24526Update a local copy of the PR:
$ git checkout pull/24526$ git pull https://git.openjdk.org/jdk.git pull/24526/headUsing Skara CLI tools
Checkout this PR locally:
$ git pr checkout 24526View PR using the GUI difftool:
$ git pr show -t 24526Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/24526.diff
Using Webrev
Link to Webrev Comment