From 4ff3b95b96043edce8e89a42023e6671d86db06a Mon Sep 17 00:00:00 2001 From: Weijun Wang Date: Tue, 8 Apr 2025 14:13:24 -0400 Subject: [PATCH 1/7] the change --- src/java.base/share/classes/javax/crypto/KDF.java | 2 -- .../share/classes/javax/crypto/KDFParameters.java | 5 +---- src/java.base/share/classes/javax/crypto/KDFSpi.java | 3 --- .../classes/javax/crypto/spec/HKDFParameterSpec.java | 9 +-------- .../share/classes/jdk/internal/javac/PreviewFeature.java | 4 +--- src/java.base/share/classes/module-info.java | 1 - src/jdk.crypto.cryptoki/share/classes/module-info.java | 3 --- .../sun/crypto/provider/KDF/HKDFBasicFunctionsTest.java | 3 +-- test/jdk/com/sun/crypto/provider/KDF/HKDFDelayedPRK.java | 1 - .../com/sun/crypto/provider/KDF/HKDFExhaustiveTest.java | 3 +-- .../sun/crypto/provider/KDF/HKDFKnownAnswerTests.java | 3 +-- .../jdk/com/sun/crypto/provider/KDF/HKDFSaltIKMTest.java | 5 ++--- .../jdk/javax/crypto/KDF/KDFDelayedProviderSyncTest.java | 3 +-- test/jdk/javax/crypto/KDF/KDFDelayedProviderTest.java | 3 +-- .../crypto/KDF/KDFDelayedProviderThreadingTest.java | 5 ++--- test/jdk/sun/security/pkcs11/KDF/TestHKDF.java | 1 - 16 files changed, 12 insertions(+), 42 deletions(-) diff --git a/src/java.base/share/classes/javax/crypto/KDF.java b/src/java.base/share/classes/javax/crypto/KDF.java index 5c9c7e71ce4a8..048b058d97ec2 100644 --- a/src/java.base/share/classes/javax/crypto/KDF.java +++ b/src/java.base/share/classes/javax/crypto/KDF.java @@ -25,7 +25,6 @@ package javax.crypto; -import jdk.internal.javac.PreviewFeature; import sun.security.jca.GetInstance; import sun.security.jca.GetInstance.Instance; import sun.security.util.Debug; @@ -100,7 +99,6 @@ * @see SecretKey * @since 24 */ -@PreviewFeature(feature = PreviewFeature.Feature.KEY_DERIVATION) public final class KDF { private static final Debug pdebug = Debug.getInstance("provider", 
diff --git a/src/java.base/share/classes/javax/crypto/KDFParameters.java b/src/java.base/share/classes/javax/crypto/KDFParameters.java index 5f83204f3c481..8d443d9c4ec84 100644 --- a/src/java.base/share/classes/javax/crypto/KDFParameters.java +++ b/src/java.base/share/classes/javax/crypto/KDFParameters.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2024, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -24,8 +24,6 @@ */ package javax.crypto; -import jdk.internal.javac.PreviewFeature; - /** * A specification of Key Derivation Function ({@link KDF}) parameters. *

@@ -46,5 +44,4 @@ * @see KDF * @since 24 */ -@PreviewFeature(feature = PreviewFeature.Feature.KEY_DERIVATION) public interface KDFParameters {} diff --git a/src/java.base/share/classes/javax/crypto/KDFSpi.java b/src/java.base/share/classes/javax/crypto/KDFSpi.java index e2625a1930d64..30a93babf176f 100644 --- a/src/java.base/share/classes/javax/crypto/KDFSpi.java +++ b/src/java.base/share/classes/javax/crypto/KDFSpi.java @@ -25,8 +25,6 @@ package javax.crypto; -import jdk.internal.javac.PreviewFeature; - import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; import java.security.spec.AlgorithmParameterSpec; @@ -71,7 +69,6 @@ * @see SecretKey * @since 24 */ -@PreviewFeature(feature = PreviewFeature.Feature.KEY_DERIVATION) public abstract class KDFSpi { /** diff --git a/src/java.base/share/classes/javax/crypto/spec/HKDFParameterSpec.java b/src/java.base/share/classes/javax/crypto/spec/HKDFParameterSpec.java index 8f697d12e6014..f53bceb267b1b 100644 --- a/src/java.base/share/classes/javax/crypto/spec/HKDFParameterSpec.java +++ b/src/java.base/share/classes/javax/crypto/spec/HKDFParameterSpec.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2024, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,8 +25,6 @@ package javax.crypto.spec; -import jdk.internal.javac.PreviewFeature; - import javax.crypto.SecretKey; import java.security.spec.AlgorithmParameterSpec; import java.util.ArrayList; @@ -77,7 +75,6 @@ * @see javax.crypto.KDF * @since 24 */ -@PreviewFeature(feature = PreviewFeature.Feature.KEY_DERIVATION) public interface HKDFParameterSpec extends AlgorithmParameterSpec { /** 
@@ -92,7 +89,6 @@ public interface HKDFParameterSpec extends AlgorithmParameterSpec { * use-cases respectively. Note that the {@code Builder} is not * thread-safe. */ - @PreviewFeature(feature = PreviewFeature.Feature.KEY_DERIVATION) final class Builder { private List ikms = new ArrayList<>(); @@ -296,7 +292,6 @@ static Expand expandOnly(SecretKey prk, byte[] info, int length) { * Defines the input parameters of an Extract operation as defined in RFC 5869. */ - @PreviewFeature(feature = PreviewFeature.Feature.KEY_DERIVATION) final class Extract implements HKDFParameterSpec { // HKDF-Extract(salt, IKM) -> PRK @@ -350,7 +345,6 @@ public List salts() { * Defines the input parameters of an Expand operation as defined in RFC 5869. */ - @PreviewFeature(feature = PreviewFeature.Feature.KEY_DERIVATION) final class Expand implements HKDFParameterSpec { // HKDF-Expand(PRK, info, L) -> OKM @@ -419,7 +413,6 @@ public int length() { * Defines the input parameters of an Extract-then-Expand operation as * defined in RFC 5869. */ - @PreviewFeature(feature = PreviewFeature.Feature.KEY_DERIVATION) final class ExtractThenExpand implements HKDFParameterSpec { private final Extract ext; private final Expand exp; diff --git a/src/java.base/share/classes/jdk/internal/javac/PreviewFeature.java b/src/java.base/share/classes/jdk/internal/javac/PreviewFeature.java index deb786b42bd03..9427caf4400de 100644 --- a/src/java.base/share/classes/jdk/internal/javac/PreviewFeature.java +++ b/src/java.base/share/classes/jdk/internal/javac/PreviewFeature.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2019, 2024, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2019, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
@@ -78,8 +78,6 @@ public enum Feature { STREAM_GATHERERS, @JEP(number=494, title="Module Import Declarations", status="Second Preview") MODULE_IMPORTS, - @JEP(number=478, title="Key Derivation Function API", status="Preview") - KEY_DERIVATION, LANGUAGE_MODEL, /** * A key for testing. diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java index 22f40d9cead1d..66e6267367c26 100644 --- a/src/java.base/share/classes/module-info.java +++ b/src/java.base/share/classes/module-info.java @@ -156,7 +156,6 @@ java.compiler, java.desktop, // for ScopedValue jdk.compiler, - jdk.crypto.cryptoki, // participates in preview features jdk.incubator.vector, // participates in preview features jdk.jartool, // participates in preview features jdk.jdeps, // participates in preview features diff --git a/src/jdk.crypto.cryptoki/share/classes/module-info.java b/src/jdk.crypto.cryptoki/share/classes/module-info.java index 2899bd31f2c8c..b98005648049d 100644 --- a/src/jdk.crypto.cryptoki/share/classes/module-info.java +++ b/src/jdk.crypto.cryptoki/share/classes/module-info.java @@ -23,8 +23,6 @@ * questions. */ -import jdk.internal.javac.ParticipatesInPreview; - /** * Provides the implementation of the SunPKCS11 security provider. * @@ -33,7 +31,6 @@ * @moduleGraph * @since 9 */ -@ParticipatesInPreview module jdk.crypto.cryptoki { provides java.security.Provider with sun.security.pkcs11.SunPKCS11; } diff --git a/test/jdk/com/sun/crypto/provider/KDF/HKDFBasicFunctionsTest.java b/test/jdk/com/sun/crypto/provider/KDF/HKDFBasicFunctionsTest.java index b309d1ce8df22..172d4d451ae9e 100644 --- a/test/jdk/com/sun/crypto/provider/KDF/HKDFBasicFunctionsTest.java +++ b/test/jdk/com/sun/crypto/provider/KDF/HKDFBasicFunctionsTest.java 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2024, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,7 +26,6 @@ * @bug 8331008 * @summary basic HKDF operations * @library /test/lib - * @enablePreview */ import java.util.HexFormat; diff --git a/test/jdk/com/sun/crypto/provider/KDF/HKDFDelayedPRK.java b/test/jdk/com/sun/crypto/provider/KDF/HKDFDelayedPRK.java index 50157723416dc..f140d3c3f558e 100644 --- a/test/jdk/com/sun/crypto/provider/KDF/HKDFDelayedPRK.java +++ b/test/jdk/com/sun/crypto/provider/KDF/HKDFDelayedPRK.java @@ -27,7 +27,6 @@ * @summary make sure DPS works when non-extractable PRK is provided * @library /test/lib /test/jdk/security/unsignedjce * @build java.base/javax.crypto.ProviderVerifier - * @enablePreview * @run main/othervm HKDFDelayedPRK */ diff --git a/test/jdk/com/sun/crypto/provider/KDF/HKDFExhaustiveTest.java b/test/jdk/com/sun/crypto/provider/KDF/HKDFExhaustiveTest.java index fd33337a3c015..bf444e3cda48e 100644 --- a/test/jdk/com/sun/crypto/provider/KDF/HKDFExhaustiveTest.java +++ b/test/jdk/com/sun/crypto/provider/KDF/HKDFExhaustiveTest.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2024, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,6 @@ * @summary KDF API tests * @library /test/lib * @run main/othervm -Djava.security.egd=file:/dev/urandom -Djava.security.debug=provider,engine=kdf HKDFExhaustiveTest - * @enablePreview */ import java.security.InvalidAlgorithmParameterException; 
diff --git a/test/jdk/com/sun/crypto/provider/KDF/HKDFKnownAnswerTests.java b/test/jdk/com/sun/crypto/provider/KDF/HKDFKnownAnswerTests.java index 358ffa794fd58..bb6d4febe3153 100644 --- a/test/jdk/com/sun/crypto/provider/KDF/HKDFKnownAnswerTests.java +++ b/test/jdk/com/sun/crypto/provider/KDF/HKDFKnownAnswerTests.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2024, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,7 +26,6 @@ * @bug 8331008 * @run main HKDFKnownAnswerTests * @summary Tests for HKDF Expand and Extract Key Derivation Functions - * @enablePreview */ import javax.crypto.KDF; diff --git a/test/jdk/com/sun/crypto/provider/KDF/HKDFSaltIKMTest.java b/test/jdk/com/sun/crypto/provider/KDF/HKDFSaltIKMTest.java index 1cd0feab6141c..0ae0fa23ea762 100644 --- a/test/jdk/com/sun/crypto/provider/KDF/HKDFSaltIKMTest.java +++ b/test/jdk/com/sun/crypto/provider/KDF/HKDFSaltIKMTest.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2024, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,7 +26,6 @@ * @bug 8331008 * @summary addIKM and addSalt consistency checks * @library /test/lib - * @enablePreview */ import jdk.test.lib.Asserts; @@ -89,4 +88,4 @@ public static void main(String[] args) throws Exception { } System.out.println(atlast); } -} \ No newline at end of file +} diff --git a/test/jdk/javax/crypto/KDF/KDFDelayedProviderSyncTest.java b/test/jdk/javax/crypto/KDF/KDFDelayedProviderSyncTest.java index f4ddd726d0c6a..6858894d2e933 100644 --- a/test/jdk/javax/crypto/KDF/KDFDelayedProviderSyncTest.java 
+++ b/test/jdk/javax/crypto/KDF/KDFDelayedProviderSyncTest.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2024, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,6 @@ * @library /test/lib * @run testng KDFDelayedProviderSyncTest * @summary multi-threading test for KDF - * @enablePreview */ import org.testng.annotations.BeforeClass; diff --git a/test/jdk/javax/crypto/KDF/KDFDelayedProviderTest.java b/test/jdk/javax/crypto/KDF/KDFDelayedProviderTest.java index edebae217f2cf..5103a6e5df98b 100644 --- a/test/jdk/javax/crypto/KDF/KDFDelayedProviderTest.java +++ b/test/jdk/javax/crypto/KDF/KDFDelayedProviderTest.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2024, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,7 +28,6 @@ * @build java.base/javax.crypto.ProviderVerifier * @run main/othervm KDFDelayedProviderTest * @summary delayed provider selection - * @enablePreview */ import jdk.test.lib.Asserts; diff --git a/test/jdk/javax/crypto/KDF/KDFDelayedProviderThreadingTest.java b/test/jdk/javax/crypto/KDF/KDFDelayedProviderThreadingTest.java index 7b91badef95dd..8d7ad058c39fc 100644 --- a/test/jdk/javax/crypto/KDF/KDFDelayedProviderThreadingTest.java +++ b/test/jdk/javax/crypto/KDF/KDFDelayedProviderThreadingTest.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2024, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2024, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
@@ -28,7 +28,6 @@ * @build java.base/javax.crypto.ProviderVerifier * @run main/othervm KDFDelayedProviderThreadingTest * @summary delayed provider selection threading test - * @enablePreview */ import jdk.test.lib.Asserts; @@ -127,4 +126,4 @@ protected byte[] engineDeriveData(AlgorithmParameterSpec derivationSpec) throw new InvalidAlgorithmParameterException(); } } -} \ No newline at end of file +} diff --git a/test/jdk/sun/security/pkcs11/KDF/TestHKDF.java b/test/jdk/sun/security/pkcs11/KDF/TestHKDF.java index 5a3e816360058..00889df801095 100644 --- a/test/jdk/sun/security/pkcs11/KDF/TestHKDF.java +++ b/test/jdk/sun/security/pkcs11/KDF/TestHKDF.java @@ -43,7 +43,6 @@ * @bug 8328119 * @summary test HKDF key derivation in SunPKCS11 * @library /test/lib .. - * @enablePreview * @run main/othervm/timeout=30 TestHKDF */ From 66706a50d39b080e493eafb3a03e0f6f044bd652 Mon Sep 17 00:00:00 2001 From: Weijun Wang Date: Tue, 8 Apr 2025 19:34:39 -0400 Subject: [PATCH 2/7] add enum back --- .../share/classes/jdk/internal/javac/PreviewFeature.java | 1 + 1 file changed, 1 insertion(+) diff --git a/src/java.base/share/classes/jdk/internal/javac/PreviewFeature.java b/src/java.base/share/classes/jdk/internal/javac/PreviewFeature.java index 9427caf4400de..cb5abdd26d73d 100644 --- a/src/java.base/share/classes/jdk/internal/javac/PreviewFeature.java +++ b/src/java.base/share/classes/jdk/internal/javac/PreviewFeature.java @@ -78,6 +78,7 @@ public enum Feature { STREAM_GATHERERS, @JEP(number=494, title="Module Import Declarations", status="Second Preview") MODULE_IMPORTS, + KEY_DERIVATION, LANGUAGE_MODEL, /** * A key for testing. From a55c50697ceeec3b698f2c2373e858a3150b4534 Mon Sep 17 00:00:00 2001 
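Review bot: `KEY_DERIVATION` is restored in `Feature` as a bare constant, without the `@JEP` annotation it carried before and without a comment, so nothing tells a later maintainer why a constant for a finalized API stays in the enum. If it is kept because some build step still refers to the old constant (an assumption; the patch does not say), a one-line comment would record that, for example `// Retained after the KDF API became final; no @PreviewFeature use refers to it any more.` The enum body continues outside the hunk.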
From: Weijun Wang Date: Wed, 9 Apr 2025 14:10:45 -0400 Subject: [PATCH 3/7] update @since tags as required by JEP 12 --- src/java.base/share/classes/javax/crypto/KDF.java | 2 +- src/java.base/share/classes/javax/crypto/KDFParameters.java | 2 +- src/java.base/share/classes/javax/crypto/KDFSpi.java | 2 +- .../share/classes/javax/crypto/spec/HKDFParameterSpec.java | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/java.base/share/classes/javax/crypto/KDF.java b/src/java.base/share/classes/javax/crypto/KDF.java index 048b058d97ec2..9b4a51a326d9b 100644 --- a/src/java.base/share/classes/javax/crypto/KDF.java +++ b/src/java.base/share/classes/javax/crypto/KDF.java @@ -97,7 +97,7 @@ * * @see KDFParameters * @see SecretKey - * @since 24 + * @since 25 */ public final class KDF { diff --git a/src/java.base/share/classes/javax/crypto/KDFParameters.java b/src/java.base/share/classes/javax/crypto/KDFParameters.java index 8d443d9c4ec84..b9bd2765883d9 100644 --- a/src/java.base/share/classes/javax/crypto/KDFParameters.java +++ b/src/java.base/share/classes/javax/crypto/KDFParameters.java @@ -42,6 +42,6 @@ * @see KDF#getInstance(String, KDFParameters) * @see KDF#getParameters() * @see KDF - * @since 24 + * @since 25 */ public interface KDFParameters {} diff --git a/src/java.base/share/classes/javax/crypto/KDFSpi.java b/src/java.base/share/classes/javax/crypto/KDFSpi.java index 30a93babf176f..6d0eb90b3974b 100644 --- a/src/java.base/share/classes/javax/crypto/KDFSpi.java +++ b/src/java.base/share/classes/javax/crypto/KDFSpi.java @@ -67,7 +67,7 @@ * @see KDFParameters * @see KDF#getParameters() * @see SecretKey - * @since 24 + * @since 25 */ public abstract class KDFSpi { diff --git a/src/java.base/share/classes/javax/crypto/spec/HKDFParameterSpec.java b/src/java.base/share/classes/javax/crypto/spec/HKDFParameterSpec.java index f53bceb267b1b..c4ca9e1e183f2 100644 --- a/src/java.base/share/classes/javax/crypto/spec/HKDFParameterSpec.java 
+++ b/src/java.base/share/classes/javax/crypto/spec/HKDFParameterSpec.java @@ -73,7 +73,7 @@ * @spec https://www.rfc-editor.org/info/rfc5869 * RFC 5869: HMAC-based Extract-and-Expand Key Derivation Function (HKDF) * @see javax.crypto.KDF - * @since 24 + * @since 25 */ public interface HKDFParameterSpec extends AlgorithmParameterSpec { From 2f4be1847aea30b0f469c9090abd9f4ee2080e6b Mon Sep 17 00:00:00 2001 From: Weijun Wang Date: Tue, 29 Apr 2025 21:59:41 -0400 Subject: [PATCH 4/7] enhancing exception messages and debug outputs --- .../share/classes/javax/crypto/KDF.java | 35 ++++- .../KDF/KDFDelayedProviderException.java | 124 ++++++++++++++++++ 2 files changed, 156 insertions(+), 3 deletions(-) create mode 100644 test/jdk/javax/crypto/KDF/KDFDelayedProviderException.java diff --git a/src/java.base/share/classes/javax/crypto/KDF.java b/src/java.base/share/classes/javax/crypto/KDF.java index 9b4a51a326d9b..5ce067c3e6fad 100644 --- a/src/java.base/share/classes/javax/crypto/KDF.java +++ b/src/java.base/share/classes/javax/crypto/KDF.java @@ -477,6 +477,24 @@ private static KDF handleException(NoSuchAlgorithmException e) throw e; } + // Rethrows the IAPE thrown by an implementation, adding an explanation + // on in which situation it fails. + private void rethrow(InvalidAlgorithmParameterException e) + throws InvalidAlgorithmParameterException { + var source = serviceIterator == null + ? "specified" : "selected"; + if (!skipDebug && pdebug != null) { + pdebug.println("A " + this.getAlgorithm() + + " derivation cannot be performed " + + "using the supplied derivation " + + "inputs, using the " + source + " " + + theOne.provider().getName() + + "."); + } + throw new InvalidAlgorithmParameterException("The " + source + " provider " + + theOne.provider.getName() + " does not support this input", e); + } + /** * Derives a key, returned as a {@code SecretKey} object. * 
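Review bot: In `rethrow`, the new top-level message says the provider "does not support this input" for every InvalidAlgorithmParameterException the implementation throws, so a caller that logs only `getMessage()` no longer sees the provider's own reason, which now survives only as the cause. A comment on the method would make that contract explicit, for example `// The provider's original message is kept as the cause; callers that need the reason must inspect getCause().` Both the debug line and the exception text are built only from the algorithm name and the provider name. The same comment should say that derivation inputs must stay out of these strings, since a derivation spec such as the HKDF one carries input keying material and salts.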
@@ -521,7 +539,12 @@ public SecretKey deriveKey(String alg, } Objects.requireNonNull(derivationSpec); if (checkSpiNonNull(theOne)) { - return theOne.spi().engineDeriveKey(alg, derivationSpec); + try { + return theOne.spi().engineDeriveKey(alg, derivationSpec); + } catch (InvalidAlgorithmParameterException e) { + rethrow(e); + return null; // will not be called + } } else { return (SecretKey) chooseProvider(alg, derivationSpec); } @@ -552,7 +575,12 @@ public byte[] deriveData(AlgorithmParameterSpec derivationSpec) Objects.requireNonNull(derivationSpec); if (checkSpiNonNull(theOne)) { - return theOne.spi().engineDeriveData(derivationSpec); + try { + return theOne.spi().engineDeriveData(derivationSpec); + } catch (InvalidAlgorithmParameterException e) { + rethrow(e); + return null; // will not be called + } } else { try { return (byte[]) chooseProvider(null, derivationSpec); @@ -647,7 +675,8 @@ private Object chooseProvider(String algorithm, e.printStackTrace(pdebug.getPrintStream()); } // getNext reached end without finding an implementation - throw new InvalidAlgorithmParameterException(lastException); + throw new InvalidAlgorithmParameterException( + "No provider supports this input", lastException); } } } diff --git a/test/jdk/javax/crypto/KDF/KDFDelayedProviderException.java b/test/jdk/javax/crypto/KDF/KDFDelayedProviderException.java new file mode 100644 index 0000000000000..309c9157d501f --- /dev/null +++ b/test/jdk/javax/crypto/KDF/KDFDelayedProviderException.java 
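Review bot: The `rethrow(e); return null; // will not be called` pair in the new catch block of `deriveKey` needs a dead statement and a comment only to satisfy the compiler's flow analysis, and the same pair is repeated in the `deriveData` hunk that follows. Having the helper build and return the wrapped exception lets each call site read `throw rethrow(e);`, which removes the unreachable `return null` and makes the control flow visible at the call. The helper could then take a name that says it wraps rather than throws. Both method bodies start and end outside their hunks.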
@@ -0,0 +1,124 @@ +/* + * Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. 
+ */ + +/* + * @test + * @bug 8353888 + * @library /test/lib /test/jdk/security/unsignedjce + * @build java.base/javax.crypto.ProviderVerifier + * @run main/othervm KDFDelayedProviderException + * @summary check delayed provider selection exception messages + */ + +import jdk.test.lib.Asserts; + +import javax.crypto.KDF; +import javax.crypto.KDFParameters; +import javax.crypto.KDFSpi; +import javax.crypto.SecretKey; +import java.security.InvalidAlgorithmParameterException; +import java.security.Provider; +import java.security.Security; +import java.security.spec.AlgorithmParameterSpec; +import java.security.spec.NamedParameterSpec; + +public class KDFDelayedProviderException { + public static void main(String[] args) throws Exception { + + Security.addProvider(new P1()); // only accepts NamedParameterSpec.ED25519 + Security.addProvider(new P2()); // only accepts NamedParameterSpec.ED448 + + checkMessage("No provider supports this input", + () -> KDF.getInstance("K").deriveData(NamedParameterSpec.X25519)); + + checkMessage("The specified provider P1 does not support this input", + () -> KDF.getInstance("K", "P1").deriveData(NamedParameterSpec.ED448)); + + // ED448 is supported by one provider + KDF.getInstance("K").deriveData(NamedParameterSpec.ED448); + + // After P1 has been selected, ED448 is no longer supported + var k = KDF.getInstance("K"); + k.deriveData(NamedParameterSpec.ED25519); + checkMessage("The selected provider P1 does not support this input", + () -> k.deriveData(NamedParameterSpec.ED448)); + + } + + public static void checkMessage(String msg, Asserts.TestMethod testMethod) { + var exc = Asserts.assertThrows(InvalidAlgorithmParameterException.class, testMethod); + Asserts.assertEquals(msg, exc.getMessage()); + } + + public static class P1 extends Provider { + public P1() { + super("P1", "1", ""); + put("KDF.K", K1.class.getName()); + } + } + + public static class P2 extends Provider { + public P2() { + super("P2", "1", ""); + put("KDF.K", 
K2.class.getName()); + } + } + + public static class K1 extends KDFSpi { + public K1(KDFParameters p) throws InvalidAlgorithmParameterException { + super(p); + } + protected byte[] engineDeriveData(AlgorithmParameterSpec derivationSpec) + throws InvalidAlgorithmParameterException { + if (derivationSpec != NamedParameterSpec.ED25519) { + throw new InvalidAlgorithmParameterException("Not Ed25519"); + } + return new byte[0]; + } + protected KDFParameters engineGetParameters() { + return null; + } + protected SecretKey engineDeriveKey(String alg, AlgorithmParameterSpec derivationSpec) { + return null; + } + } + + public static class K2 extends KDFSpi { + public K2(KDFParameters p) throws InvalidAlgorithmParameterException { + super(p); + } + protected byte[] engineDeriveData(AlgorithmParameterSpec derivationSpec) + throws InvalidAlgorithmParameterException { + if (derivationSpec != NamedParameterSpec.ED448) { + throw new InvalidAlgorithmParameterException("Not Ed448"); + } + return new byte[0]; + } + protected KDFParameters engineGetParameters() { + return null; + } + protected SecretKey engineDeriveKey(String alg, AlgorithmParameterSpec derivationSpec) { + return null; + } + } +} From 6587d9911977fe0d2e0da0a797a420fe440d7f38 Mon Sep 17 00:00:00 2001 From: Weijun Wang Date: Wed, 30 Apr 2025 19:27:45 -0400 Subject: [PATCH 5/7] add a positive debug log and update exception message --- src/java.base/share/classes/javax/crypto/KDF.java | 7 ++++++- test/jdk/javax/crypto/KDF/KDFDelayedProviderException.java | 2 +- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/src/java.base/share/classes/javax/crypto/KDF.java b/src/java.base/share/classes/javax/crypto/KDF.java index 5ce067c3e6fad..ef9148cdc7c12 100644 --- a/src/java.base/share/classes/javax/crypto/KDF.java +++ b/src/java.base/share/classes/javax/crypto/KDF.java 
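Review bot: Only the `deriveData` path is exercised by this test: `K1` and `K2` implement `engineDeriveKey` as `return null`, so the catch block this patch adds to `KDF.deriveKey` never runs. Letting `engineDeriveKey` throw InvalidAlgorithmParameterException for the unsupported spec, as `engineDeriveData` already does, and adding one assertion would cover it, for example `checkMessage("The specified provider P1 does not support this input", () -> KDF.getInstance("K", "P1").deriveKey("Generic", NamedParameterSpec.ED448));`. The algorithm name in that call is a constructed sample value.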
@@ -482,7 +482,7 @@ private static KDF handleException(NoSuchAlgorithmException e) private void rethrow(InvalidAlgorithmParameterException e) throws InvalidAlgorithmParameterException { var source = serviceIterator == null - ? "specified" : "selected"; + ? "specified" : "previously selected"; if (!skipDebug && pdebug != null) { pdebug.println("A " + this.getAlgorithm() + " derivation cannot be performed " @@ -639,6 +639,11 @@ private Object chooseProvider(String algorithm, derivationSpec); // found a working KDFSpi this.theOne = currOne; + if (!skipDebug && pdebug != null) { + pdebug.println("The provider " + + currOne.provider().getName() + + " is selected"); + } return result; } catch (Exception e) { if (!skipDebug && pdebug != null) { diff --git a/test/jdk/javax/crypto/KDF/KDFDelayedProviderException.java b/test/jdk/javax/crypto/KDF/KDFDelayedProviderException.java index 309c9157d501f..bff45c02cfa5b 100644 --- a/test/jdk/javax/crypto/KDF/KDFDelayedProviderException.java +++ b/test/jdk/javax/crypto/KDF/KDFDelayedProviderException.java @@ -60,7 +60,7 @@ public static void main(String[] args) throws Exception { // After P1 has been selected, ED448 is no longer supported var k = KDF.getInstance("K"); k.deriveData(NamedParameterSpec.ED25519); - checkMessage("The selected provider P1 does not support this input", + checkMessage("The previously selected provider P1 does not support this input", () -> k.deriveData(NamedParameterSpec.ED448)); } From f44dc9bde2cf47cf7223dc6449377d6414514aa9 Mon Sep 17 00:00:00 2001 From: Weijun Wang Date: Fri, 2 May 2025 14:44:34 -0400 Subject: [PATCH 6/7] fine tuning debug log and exception message --- src/java.base/share/classes/javax/crypto/KDF.java | 11 ++++++----- .../javax/crypto/KDF/KDFDelayedProviderException.java | 4 ++-- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/src/java.base/share/classes/javax/crypto/KDF.java b/src/java.base/share/classes/javax/crypto/KDF.java index ef9148cdc7c12..ec7bcfa199cb3 100644 
--- a/src/java.base/share/classes/javax/crypto/KDF.java +++ b/src/java.base/share/classes/javax/crypto/KDF.java @@ -478,7 +478,7 @@ private static KDF handleException(NoSuchAlgorithmException e) } // Rethrows the IAPE thrown by an implementation, adding an explanation - // on in which situation it fails. + // for the situation in which it fails. private void rethrow(InvalidAlgorithmParameterException e) throws InvalidAlgorithmParameterException { var source = serviceIterator == null @@ -487,12 +487,13 @@ private void rethrow(InvalidAlgorithmParameterException e) pdebug.println("A " + this.getAlgorithm() + " derivation cannot be performed " + "using the supplied derivation " - + "inputs, using the " + source + " " + + "inputs with the " + source + " " + theOne.provider().getName() - + "."); + + " provider."); } - throw new InvalidAlgorithmParameterException("The " + source + " provider " - + theOne.provider.getName() + " does not support this input", e); + throw new InvalidAlgorithmParameterException( + "The " + source + " " + theOne.provider.getName() + + " provider does not support this input", e); } /** diff --git a/test/jdk/javax/crypto/KDF/KDFDelayedProviderException.java b/test/jdk/javax/crypto/KDF/KDFDelayedProviderException.java index bff45c02cfa5b..24ee820826aad 100644 --- a/test/jdk/javax/crypto/KDF/KDFDelayedProviderException.java +++ b/test/jdk/javax/crypto/KDF/KDFDelayedProviderException.java @@ -51,7 +51,7 @@ public static void main(String[] args) throws Exception { checkMessage("No provider supports this input", () -> KDF.getInstance("K").deriveData(NamedParameterSpec.X25519)); - checkMessage("The specified provider P1 does not support this input", + checkMessage("The specified P1 provider does not support this input", () -> KDF.getInstance("K", "P1").deriveData(NamedParameterSpec.ED448)); // ED448 is supported by one provider 
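Review bot: The two strings in `rethrow` reach the provider name in different ways, `theOne.provider().getName()` in the debug line and `theOne.provider.getName()` in the exception message. The method had this mix before, and this rewrite of both statements keeps it. Using the accessor in the throw as well, `"The " + source + " " + theOne.provider().getName()`, keeps the method uniform with the `theOne.spi()` and `currOne.provider()` calls visible in the other hunks of this file. The method's opening lines are in the preceding hunk.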
@@ -60,7 +60,7 @@ public static void main(String[] args) throws Exception { // After P1 has been selected, ED448 is no longer supported var k = KDF.getInstance("K"); k.deriveData(NamedParameterSpec.ED25519); - checkMessage("The previously selected provider P1 does not support this input", + checkMessage("The previously selected P1 provider does not support this input", () -> k.deriveData(NamedParameterSpec.ED448)); } From aeb82ccfabacc91d93c6e1bd1d84ad0b96f86b35 Mon Sep 17 00:00:00 2001 From: Weijun Wang Date: Fri, 9 May 2025 16:00:23 -0400 Subject: [PATCH 7/7] new algorithms in SunJCE --- .../share/classes/com/sun/crypto/provider/SunJCE.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java index 4e5bd1313117d..cc99464dff38c 100644 --- a/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java +++ b/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java @@ -78,6 +78,7 @@ * * - ML-KEM * + * - HKDF-SHA256, HKDF-SHA384, and HKDF-SHA512 */ public final class SunJCE extends Provider { @@ -87,7 +88,7 @@ public final class SunJCE extends Provider { private static final String info = "SunJCE Provider " + "(implements RSA, DES, Triple DES, AES, Blowfish, ARCFOUR, RC2, PBE, " - + "Diffie-Hellman, HMAC, ChaCha20, DHKEM, and ML-KEM)"; + + "Diffie-Hellman, HMAC, ChaCha20, DHKEM, ML-KEM, and HKDF)"; /* Are we debugging? -- for developers */ static final boolean debug = false;