8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key

Reviewed-by: fferrari, valeriep, djelinski

Author: martinuy

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11HKDF.java

@@ -38,6 +38,7 @@
 import static sun.security.pkcs11.TemplateManager.*;
 import sun.security.pkcs11.wrapper.*;
 import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+import static sun.security.pkcs11.wrapper.PKCS11Exception.RV.CKR_KEY_SIZE_RANGE;
 
 final class P11HKDF extends KDFSpi {
     private final Token token;
@@ -157,6 +158,15 @@ private <T> T derive(String alg, AlgorithmParameterSpec derivationSpec,
                     " instance, instead of " + derivationSpec.getClass());
         }
 
+        P11SecretKeyFactory.KeyInfo ki = P11SecretKeyFactory.getKeyInfo(alg);
+        if (ki == null) {
+            throw new InvalidAlgorithmParameterException("A PKCS #11 key " +
+                    "type (CKK_*) was not found for a key of the algorithm '" +
+                    alg + "'.");
+        }
+        checkDerivedKeyType(ki, alg);
+        P11KeyGenerator.checkKeySize(ki.keyGenMech, outLen * 8, token);
+
         P11Key p11BaseKey = convertKey(baseKey, (isExtract ? "IKM" : "PRK") +
                 " could not be converted to a token key for HKDF derivation.");
 
@@ -174,17 +184,10 @@ private <T> T derive(String alg, AlgorithmParameterSpec derivationSpec,
                     "token as service.";
         }
 
-        P11SecretKeyFactory.KeyInfo ki = P11SecretKeyFactory.getKeyInfo(alg);
-        if (ki == null) {
-            throw new InvalidAlgorithmParameterException("A PKCS #11 key " +
-                    "type (CKK_*) was not found for a key of the algorithm '" +
-                    alg + "'.");
-        }
-        long derivedKeyType = ki.keyType;
         long derivedKeyClass = isData ? CKO_DATA : CKO_SECRET_KEY;
         CK_ATTRIBUTE[] attrs = new CK_ATTRIBUTE[] {
                 new CK_ATTRIBUTE(CKA_CLASS, derivedKeyClass),
-                new CK_ATTRIBUTE(CKA_KEY_TYPE, derivedKeyType),
+                new CK_ATTRIBUTE(CKA_KEY_TYPE, ki.keyType),
                 new CK_ATTRIBUTE(CKA_VALUE_LEN, outLen)
         };
         Session session = null;
@@ -195,7 +198,7 @@ private <T> T derive(String alg, AlgorithmParameterSpec derivationSpec,
                     svcKi.hmacMech, saltType, saltBytes, p11SaltKey != null ?
                     p11SaltKey.getKeyID() : 0L, info);
             attrs = token.getAttributes(O_GENERATE, derivedKeyClass,
-                    derivedKeyType, attrs);
+                    ki.keyType, attrs);
             long derivedObjectID = token.p11.C_DeriveKey(session.id(),
                     new CK_MECHANISM(mechanism, params), baseKeyID, attrs);
             Object ret;
@@ -216,6 +219,11 @@ private <T> T derive(String alg, AlgorithmParameterSpec derivationSpec,
             }
             return retType.cast(ret);
         } catch (PKCS11Exception e) {
+            if (e.match(CKR_KEY_SIZE_RANGE)) {
+                throw new InvalidAlgorithmParameterException("Invalid key " +
+                        "size (" + outLen + " bytes) for algorithm '" + alg +
+                        "'.", e);
+            }
             throw new ProviderException("HKDF derivation for algorithm '" +
                     alg + "' failed.", e);
         } finally {
@@ -227,6 +235,23 @@ private <T> T derive(String alg, AlgorithmParameterSpec derivationSpec,
         }
     }
 
+    private static boolean canDeriveKeyInfoType(long t) {
+        return (t == CKK_DES || t == CKK_DES3 || t == CKK_AES ||
+                t == CKK_RC4 || t == CKK_BLOWFISH || t == CKK_CHACHA20 ||
+                t == CKK_GENERIC_SECRET);
+    }
+
+    private void checkDerivedKeyType(P11SecretKeyFactory.KeyInfo ki, String alg)
+            throws InvalidAlgorithmParameterException {
+        Class<?> kiClass = ki.getClass();
+        if (!kiClass.equals(P11SecretKeyFactory.TLSKeyInfo.class) &&
+                !(kiClass.equals(P11SecretKeyFactory.KeyInfo.class) &&
+                        canDeriveKeyInfoType(ki.keyType))) {
+            throw new InvalidAlgorithmParameterException("A key of algorithm " +
+                    "'" + alg + "' is not valid for derivation.");
+        }
+    }
+
     private P11Key.P11SecretKey convertKey(SecretKey key, String errorMessage) {
         try {
             return (P11Key.P11SecretKey) P11SecretKeyFactory.convertKey(token,

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyGenerator.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -75,9 +75,10 @@ final class P11KeyGenerator extends KeyGeneratorSpi {
     // java-specific lower limit; returned values are in bits
     private static CK_MECHANISM_INFO getSupportedRange(Token token,
         long mech) throws ProviderException {
-        // No need to query for fix-length algorithms
-        if (mech == CKM_DES_KEY_GEN || mech == CKM_DES2_KEY_GEN ||
-            mech == CKM_DES3_KEY_GEN) {
+        // No need to query if the mechanism is not available or for
+        // fix-length algorithms
+        if (mech == CK_UNAVAILABLE_INFORMATION || mech == CKM_DES_KEY_GEN ||
+                mech == CKM_DES2_KEY_GEN || mech == CKM_DES3_KEY_GEN) {
             return null;
         }
 
@@ -115,15 +116,15 @@ private static CK_MECHANISM_INFO getSupportedRange(Token token,
      * and within the supported range. Return the significant key size
      * upon successful validation.
      * @param keyGenMech the PKCS#11 key generation mechanism.
-     * @param keySize the to-be-checked key size for this mechanism.
+     * @param keySize the to-be-checked key size (in bits) for this mechanism.
      * @param token token which provides this mechanism.
      * @return the significant key size (in bits) corresponding to the
      * specified key size.
      * @throws InvalidParameterException if the specified key size is invalid.
      * @throws ProviderException if this mechanism isn't supported by SunPKCS11
      * or underlying native impl.
      */
-    // called by P11SecretKeyFactory to check key size
+    // called by P11SecretKeyFactory and P11HKDF to check key size
     static int checkKeySize(long keyGenMech, int keySize, Token token)
         throws InvalidAlgorithmParameterException, ProviderException {
         CK_MECHANISM_INFO range = getSupportedRange(token, keyGenMech);
@@ -136,8 +137,8 @@ private static int checkKeySize(long keyGenMech, int keySize,
         switch ((int)keyGenMech) {
             case (int)CKM_DES_KEY_GEN:
                 if ((keySize != 64) && (keySize != 56)) {
-                    throw new InvalidAlgorithmParameterException
-                            ("DES key length must be 56 bits");
+                    throw new InvalidAlgorithmParameterException("DES key " +
+                            "length was " + keySize + " but must be 56 bits");
                 }
                 sigKeySize = 56;
                 break;
@@ -148,23 +149,26 @@ private static int checkKeySize(long keyGenMech, int keySize,
                 } else if ((keySize == 168) || (keySize == 192)) {
                     sigKeySize = 168;
                 } else {
-                    throw new InvalidAlgorithmParameterException
-                            ("DESede key length must be 112, or 168 bits");
+                    throw new InvalidAlgorithmParameterException("DESede key " +
+                            "length was " + keySize + " but must be 112, or " +
+                            "168 bits");
                 }
                 break;
             default:
                 // Handle all variable-key-length algorithms here
-                if (range != null && keySize < range.iMinKeySize
-                    || keySize > range.iMaxKeySize) {
-                    throw new InvalidAlgorithmParameterException
-                        ("Key length must be between " + range.iMinKeySize +
-                        " and " + range.iMaxKeySize + " bits");
+                if (range != null && (keySize < range.iMinKeySize
+                    || keySize > range.iMaxKeySize)) {
+                    throw new InvalidAlgorithmParameterException("Key length " +
+                            "was " + keySize + " but must be between " +
+                            range.iMinKeySize + " and " + range.iMaxKeySize +
+                            " bits");
                 }
                 if (keyGenMech == CKM_AES_KEY_GEN) {
                     if ((keySize != 128) && (keySize != 192) &&
                         (keySize != 256)) {
-                        throw new InvalidAlgorithmParameterException
-                            ("AES key length must be 128, 192, or 256 bits");
+                        throw new InvalidAlgorithmParameterException("AES key" +
+                                " length was " + keySize + " but must be 128," +
+                                " 192, or 256 bits");
                     }
                 }
                 sigKeySize = keySize;

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11SecretKeyFactory.java

@@ -103,13 +103,37 @@ private static void putKeyInfo(KeyInfo ki) {
         keyInfo.put(ki.algo.toUpperCase(Locale.ENGLISH), ki);
     }
 
-    static sealed class KeyInfo permits PBEKeyInfo, HMACKeyInfo, HKDFKeyInfo {
+    /*
+     * The KeyInfo class represents information about a symmetric PKCS #11 key
+     * type or about the output of a key-based computation (e.g. HMAC). A
+     * KeyInfo instance may describe the key/output itself, or the type of
+     * key/output that a service accepts/produces. Used by P11SecretKeyFactory,
+     * P11PBECipher, P11Mac, and P11HKDF.
+     */
+    static sealed class KeyInfo permits PBEKeyInfo, HMACKeyInfo, HKDFKeyInfo,
+            TLSKeyInfo {
+        // Java Standard Algorithm Name.
         public final String algo;
+
+        // Key type (CKK_*).
         public final long keyType;
 
+        // Mechanism for C_GenerateKey to generate a key of this type (CKM_*).
+        // While keys may be generated with other APIs and mechanisms (e.g. AES
+        // key generated with C_DeriveKey and CKM_HKDF_DERIVE instead of
+        // C_GenerateKey and CKM_AES_KEY_GEN), this information is used by
+        // P11KeyGenerator::checkKeySize in a best-effort attempt to validate
+        // that the key size is within a valid range (see CK_MECHANISM_INFO).
+        public final long keyGenMech;
+
         KeyInfo(String algo, long keyType) {
+            this(algo, keyType, CK_UNAVAILABLE_INFORMATION);
+        }
+
+        KeyInfo(String algo, long keyType, long keyGenMech) {
             this.algo = algo;
             this.keyType = keyType;
+            this.keyGenMech = keyGenMech;
         }
 
         // The P11SecretKeyFactory::convertKey method needs to know if a service
@@ -134,8 +158,26 @@ static boolean checkUse(KeyInfo ki, KeyInfo si) {
         }
     }
 
+    /*
+     * KeyInfo specialization for keys that are either input or result of a TLS
+     * key derivation. Keys of this type are typically handled by JSSE and their
+     * algorithm name start with "Tls". Used by P11HKDF.
+     */
+    static final class TLSKeyInfo extends KeyInfo {
+        TLSKeyInfo(String algo) {
+            super(algo, CKK_GENERIC_SECRET);
+        }
+    }
+
+    /*
+     * KeyInfo specialization for outputs of a HMAC computation. Used by
+     * P11SecretKeyFactory and P11Mac.
+     */
     static final class HMACKeyInfo extends KeyInfo {
+        // HMAC mechanism (CKM_*) to generate the output.
         public final long mech;
+
+        // HMAC output length (in bits).
         public final int keyLen;
 
         HMACKeyInfo(String algo, long mech, int keyLen) {
@@ -145,6 +187,10 @@ static final class HMACKeyInfo extends KeyInfo {
         }
     }
 
+    /*
+     * KeyInfo specialization for HKDF key derivation. Used by
+     * P11SecretKeyFactory and P11HKDF.
+     */
     static final class HKDFKeyInfo extends KeyInfo {
         public static final long UNKNOWN_KEY_TYPE = -1;
         public final long hmacMech;
@@ -157,6 +203,10 @@ static final class HKDFKeyInfo extends KeyInfo {
         }
     }
 
+    /*
+     * KeyInfo specialization for PBE key derivation. Used by
+     * P11SecretKeyFactory, P11PBECipher and P11Mac.
+     */
     abstract static sealed class PBEKeyInfo extends KeyInfo
             permits AESPBEKeyInfo, PBKDF2KeyInfo, P12MacPBEKeyInfo {
         public static final long INVALID_PRF = -1;
@@ -204,24 +254,39 @@ static final class P12MacPBEKeyInfo extends PBEKeyInfo {
     }
 
     static {
-        putKeyInfo(new KeyInfo("RC4", CKK_RC4));
-        putKeyInfo(new KeyInfo("ARCFOUR", CKK_RC4));
-        putKeyInfo(new KeyInfo("DES", CKK_DES));
-        putKeyInfo(new KeyInfo("DESede", CKK_DES3));
-        putKeyInfo(new KeyInfo("AES", CKK_AES));
-        putKeyInfo(new KeyInfo("Blowfish", CKK_BLOWFISH));
-        putKeyInfo(new KeyInfo("ChaCha20", CKK_CHACHA20));
-        putKeyInfo(new KeyInfo("ChaCha20-Poly1305", CKK_CHACHA20));
+        putKeyInfo(new KeyInfo("RC4", CKK_RC4, CKM_RC4_KEY_GEN));
+        putKeyInfo(new KeyInfo("ARCFOUR", CKK_RC4, CKM_RC4_KEY_GEN));
+        putKeyInfo(new KeyInfo("DES", CKK_DES, CKM_DES_KEY_GEN));
+        putKeyInfo(new KeyInfo("DESede", CKK_DES3, CKM_DES3_KEY_GEN));
+        putKeyInfo(new KeyInfo("AES", CKK_AES, CKM_AES_KEY_GEN));
+        putKeyInfo(new KeyInfo("Blowfish", CKK_BLOWFISH, CKM_BLOWFISH_KEY_GEN));
+        putKeyInfo(new KeyInfo("ChaCha20", CKK_CHACHA20, CKM_CHACHA20_KEY_GEN));
+        putKeyInfo(new KeyInfo("ChaCha20-Poly1305", CKK_CHACHA20,
+                CKM_CHACHA20_KEY_GEN));
 
         // we don't implement RC2 or IDEA, but we want to be able to generate
         // keys for those SSL/TLS ciphersuites.
-        putKeyInfo(new KeyInfo("RC2", CKK_RC2));
-        putKeyInfo(new KeyInfo("IDEA", CKK_IDEA));
-
-        putKeyInfo(new KeyInfo("TlsPremasterSecret", PCKK_TLSPREMASTER));
-        putKeyInfo(new KeyInfo("TlsRsaPremasterSecret", PCKK_TLSRSAPREMASTER));
-        putKeyInfo(new KeyInfo("TlsMasterSecret", PCKK_TLSMASTER));
-        putKeyInfo(new KeyInfo("Generic", CKK_GENERIC_SECRET));
+        putKeyInfo(new KeyInfo("RC2", CKK_RC2, CKM_RC2_KEY_GEN));
+        putKeyInfo(new KeyInfo("IDEA", CKK_IDEA, CKM_IDEA_KEY_GEN));
+
+        putKeyInfo(new TLSKeyInfo("TlsPremasterSecret"));
+        putKeyInfo(new TLSKeyInfo("TlsRsaPremasterSecret"));
+        putKeyInfo(new TLSKeyInfo("TlsMasterSecret"));
+        putKeyInfo(new TLSKeyInfo("TlsBinderKey"));
+        putKeyInfo(new TLSKeyInfo("TlsClientAppTrafficSecret"));
+        putKeyInfo(new TLSKeyInfo("TlsClientHandshakeTrafficSecret"));
+        putKeyInfo(new TLSKeyInfo("TlsEarlySecret"));
+        putKeyInfo(new TLSKeyInfo("TlsFinishedSecret"));
+        putKeyInfo(new TLSKeyInfo("TlsHandshakeSecret"));
+        putKeyInfo(new TLSKeyInfo("TlsKey"));
+        putKeyInfo(new TLSKeyInfo("TlsResumptionMasterSecret"));
+        putKeyInfo(new TLSKeyInfo("TlsSaltSecret"));
+        putKeyInfo(new TLSKeyInfo("TlsServerAppTrafficSecret"));
+        putKeyInfo(new TLSKeyInfo("TlsServerHandshakeTrafficSecret"));
+        putKeyInfo(new TLSKeyInfo("TlsUpdateNplus1"));
+
+        putKeyInfo(new KeyInfo("Generic", CKK_GENERIC_SECRET,
+                CKM_GENERIC_SECRET_KEY_GEN));
 
         HMACKeyInfo hmacSHA1 =
                 new HMACKeyInfo("HmacSHA1", CKM_SHA_1_HMAC, 160);
@@ -549,34 +614,23 @@ private static P11Key createKey(Token token, byte[] encoded,
         long keyType = ki.keyType;
         try {
             switch ((int) keyType) {
-                case (int) CKK_DES -> {
-                    keyLength =
-                            P11KeyGenerator.checkKeySize(CKM_DES_KEY_GEN, n, token);
-                    fixDESParity(encoded, 0);
-                }
-                case (int) CKK_DES3 -> {
-                    keyLength =
-                            P11KeyGenerator.checkKeySize(CKM_DES3_KEY_GEN, n, token);
-                    fixDESParity(encoded, 0);
-                    fixDESParity(encoded, 8);
-                    if (keyLength == 112) {
-                        keyType = CKK_DES2;
-                    } else {
-                        keyType = CKK_DES3;
-                        fixDESParity(encoded, 16);
+                case (int) CKK_DES, (int) CKK_DES3, (int) CKK_AES, (int) CKK_RC4,
+                        (int) CKK_BLOWFISH, (int) CKK_CHACHA20 -> {
+                    keyLength = P11KeyGenerator.checkKeySize(ki.keyGenMech, n,
+                            token);
+                    if (keyType == CKK_DES || keyType == CKK_DES3) {
+                        fixDESParity(encoded, 0);
+                        if (keyType == CKK_DES3) {
+                            fixDESParity(encoded, 8);
+                            if (keyLength == 112) {
+                                keyType = CKK_DES2;
+                            } else {
+                                fixDESParity(encoded, 16);
+                            }
+                        }
                     }
                 }
-                case (int) CKK_AES -> keyLength =
-                        P11KeyGenerator.checkKeySize(CKM_AES_KEY_GEN, n, token);
-                case (int) CKK_RC4 -> keyLength =
-                        P11KeyGenerator.checkKeySize(CKM_RC4_KEY_GEN, n, token);
-                case (int) CKK_BLOWFISH -> keyLength =
-                        P11KeyGenerator.checkKeySize(CKM_BLOWFISH_KEY_GEN, n,
-                                token);
-                case (int) CKK_CHACHA20 -> keyLength = P11KeyGenerator.checkKeySize(
-                        CKM_CHACHA20_KEY_GEN, n, token);
-                case (int) CKK_GENERIC_SECRET, (int) PCKK_TLSPREMASTER, (int) PCKK_TLSRSAPREMASTER, (int) PCKK_TLSMASTER ->
-                        keyType = CKK_GENERIC_SECRET;
+                case (int) CKK_GENERIC_SECRET -> {}
                 default -> throw new InvalidKeyException("Unknown algorithm " +
                         algorithm);
             }

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java

@@ -311,10 +311,6 @@ public interface PKCS11Constants {
     // pseudo key type ANY (for template manager)
     public static final long  PCKK_ANY                 = 0x7FFFFF22L;
 
-    public static final long  PCKK_TLSPREMASTER        = 0x7FFFFF25L;
-    public static final long  PCKK_TLSRSAPREMASTER     = 0x7FFFFF26L;
-    public static final long  PCKK_TLSMASTER           = 0x7FFFFF27L;
-
     /* Uncomment when actually used
     public static final long  CK_CERTIFICATE_CATEGORY_UNSPECIFIED   = 0L;
     public static final long  CK_CERTIFICATE_CATEGORY_TOKEN_USER    = 1L;