JDK-8356198 : Release Note: SunJCE and SunPKCS11 have different PBE key encodings
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Priority: P4
  • Status: New
  • Resolution: Unresolved
  • OS: generic
  • CPU: generic
  • Submitted: 2025-05-05
  • Updated: 2025-05-05
JDK 25: Unresolved
Description
Starting with JDK 21, the `SunPKCS11` provider added several password-based `SecretKeyFactory` implementations, e.g.

  • `SecretKeyFactory.PBEWithHmac[MD]AndAES_128`
  • `SecretKeyFactory.PBEWithHmac[MD]AndAES_256`
  • `SecretKeyFactory.HmacPBE[MD]`

where `[MD]` is one of the `SHA1`, `SHA224`, `SHA256`, `SHA384`, `SHA512` algorithms.

However, the key objects produced by these implementations use the `PBKDF2`-derived values as their key encodings, whereas their `SunJCE` counterparts use the password bytes. This can be very confusing and may cause interoperability issues, since both keys have the same algorithm and format but different encodings. Thus, for consistency's sake, these `SunPKCS11` password-based `SecretKeyFactory` implementations are removed.
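The following check is an added example, not code from the JDK or from this issue. It lists which installed providers offer the factory names above and shows the `SunJCE` encoding behaviour the note describes. The class name, the choice of `SHA256` for `[MD]`, and the sample password are assumptions made for the demonstration.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PbeKeyEncodingCheck {
    // Factory names from the release note, with [MD] = SHA256 picked for this demo.
    static final String[] NAMES = {
        "PBEWithHmacSHA256AndAES_128", "PBEWithHmacSHA256AndAES_256", "HmacPBESHA256"
    };

    public static void main(String[] args) throws Exception {
        // Which installed providers would answer an unpinned getInstance(name)?
        for (String name : NAMES) {
            Provider[] ps = Security.getProviders("SecretKeyFactory." + name);
            String who = (ps == null) ? "(none)"
                    : String.join(", ", Arrays.stream(ps).map(Provider::getName).toList());
            System.out.println(name + " -> " + who);
        }

        char[] password = "constructed-demo-pw".toCharArray(); // constructed, ASCII only
        PBEKeySpec spec = new PBEKeySpec(password);
        byte[] encoded = null;
        try {
            // Pin the provider so the meaning of getEncoded() is known.
            SecretKeyFactory skf = SecretKeyFactory.getInstance(NAMES[0], "SunJCE");
            SecretKey key = skf.generateSecret(spec);
            encoded = key.getEncoded();
            byte[] pwBytes = new byte[password.length];
            for (int i = 0; i < password.length; i++) pwBytes[i] = (byte) password[i];
            System.out.println("algorithm = " + key.getAlgorithm());
            System.out.println("format    = " + key.getFormat());
            // Per the release note, SunJCE encodes the password bytes themselves,
            // so this value is as sensitive as the password: never log or persist it.
            System.out.println("encoding == password bytes: "
                    + Arrays.equals(encoded, pwBytes));
            Arrays.fill(pwBytes, (byte) 0);
        } finally {
            // Wipe every copy of the secret this code controls.
            if (encoded != null) Arrays.fill(encoded, (byte) 0);
            spec.clearPassword();
            Arrays.fill(password, '\0');
        }
    }
}
```

On a JDK where `SunPKCS11` is configured and still registers these factories, the first loop prints it next to `SunJCE`; that is the case in which an unpinned `getInstance` call can return keys with a different encoding.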

Lastly, the password-based `SecretKeyFactory` implementations from the `SunJCE` provider are enhanced with Unicode support.