Bug ID: JDK-8356087 Problematic KeyInfo check using key algorithm in P11SecretKeyFactory class

Type: Bug
Component: security-libs
Sub-Component: javax.crypto:pkcs11
Affected Version: 25

Priority: P3
Status: Resolved
Resolution: Fixed
OS: generic
CPU: generic

Submitted: 2025-05-02
Updated: 2025-10-14
Resolved: 2025-05-13

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 21	JDK 25
21.0.11-oracleUnresolved	25 b23Fixed

Recent changes of JDK-8348732 introduces a regression below:

Caused by: java.security.InvalidKeyException: Unknown algorithm HKDF-Salt
	at jdk.crypto.cryptoki/sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:405)
	at jdk.crypto.cryptoki/sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:385)
	at jdk.crypto.cryptoki/sun.security.pkcs11.P11Mac.engineInit(P11Mac.java:224)
	at java.base/javax.crypto.Mac.init(Mac.java:435)
	at java.base/sun.security.ssl.HKDF.extract(HKDF.java:90)

Changeset: 4fc10a1e Branch: master Author: Valerie Peng <valeriep@openjdk.org> Date: 2025-05-13 03:46:30 +0000 URL: https://git.openjdk.org/jdk/commit/4fc10a1e7e9483ecddbaaa9fb52c4db52de86cc8

13-05-2025

Restore to the flow before JDK-8348732 "SunJCE and SunPKCS11 have different PBE key encodings" and only call getKeyInfo(keyAlgo) when it's necessary. Add a open regression test to check the exact scenario.

07-05-2025

A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk/pull/25108 Date: 2025-05-07 22:24:50 +0000

07-05-2025