InputKeyingMaterial should be provided as SecretKey, not (only) as byte array #4
Comments
tititin42
changed the title
|
Never thought about this, but the refactor should be easy enough. I will look into this. |
patrickfav
added a commit
that referenced
this issue
Jun 13, 2019
This is to make the lib compatible to security framework that require the use of the JCE to work properly (e.g. HSM front ends). Breaks the hkdfMacFactory interface. refs #4
Merged
|
Released in v1.1.0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In order to provide compatibility with HSM, the input keying material should be directly provided as SecretKey.
At the moment, you recreate a SecretKey from a byte array, and provide it to the mac instance.
Whereas you should also provide a signature where we can provide a SecretKey which already contain the keying material.
This is preferred to keep compatibility with HSM, the input keying material is not always "readable" depending of the source of the keying material.
This also mean that the keying material should comes from the same source as the mac instance you are generating, but this is already covered by the fact you allow to provide the mac provider.
The text was updated successfully, but these errors were encountered: