From de75770ce95cced5e6c223bc07f29ae110f1fa4b Mon Sep 17 00:00:00 2001
From: Jamil Nimeh <jnimeh@openjdk.org>
Date: Mon, 18 Mar 2019 15:26:59 -0700
Subject: [PATCH] 8218723: Use SunJCE Mac in SecretKeyFactory PBKDF2
 implementation

Reviewed-by: apetcher
---
 .../sun/crypto/provider/PBKDF2KeyImpl.java    |  11 +--
 .../SecretKeyFactory/SecKeyFacSunJCEPrf.java  |  76 +++++++++++++++
 .../crypto/SecretKeyFactory/evilprov.jar      | Bin 0 -> 5127 bytes
 .../crypto/SecretKeyFactory/evilprov/Makefile |  55 +++++++++++
 .../crypto/SecretKeyFactory/evilprov/README   |  15 +++
 .../com/evilprovider/EvilHmacSHA1.java        |  90 ++++++++++++++++++
 .../com/evilprovider/EvilProvider.java        |  40 ++++++++
 .../evilprov/module-info.java                 |  35 +++++++
 8 files changed, 314 insertions(+), 8 deletions(-)
 create mode 100644 test/jdk/javax/crypto/SecretKeyFactory/SecKeyFacSunJCEPrf.java
 create mode 100644 test/jdk/javax/crypto/SecretKeyFactory/evilprov.jar
 create mode 100644 test/jdk/javax/crypto/SecretKeyFactory/evilprov/Makefile
 create mode 100644 test/jdk/javax/crypto/SecretKeyFactory/evilprov/README
 create mode 100644 test/jdk/javax/crypto/SecretKeyFactory/evilprov/com/evilprovider/EvilHmacSHA1.java
 create mode 100644 test/jdk/javax/crypto/SecretKeyFactory/evilprov/com/evilprovider/EvilProvider.java
 create mode 100644 test/jdk/javax/crypto/SecretKeyFactory/evilprov/module-info.java

diff --git a/src/java.base/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java b/src/java.base/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java
index 64d474d102d..6ea08796d8b 100644
--- a/src/java.base/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java
+++ b/src/java.base/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -113,12 +113,7 @@ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey {
             } else if (keyLength < 0) {
                 throw new InvalidKeySpecException("Key length is negative");
             }
-            this.prf = Mac.getInstance(prfAlgo);
-            // SunPKCS11 requires a non-empty PBE password
-            if (passwdBytes.length == 0 &&
-                    this.prf.getProvider().getName().startsWith("SunPKCS11")) {
-                this.prf = Mac.getInstance(prfAlgo, SunJCE.getInstance());
-            }
+            this.prf = Mac.getInstance(prfAlgo, SunJCE.getInstance());
             this.key = deriveKey(prf, passwdBytes, salt, iterCount, keyLength);
         } catch (NoSuchAlgorithmException nsae) {
             // not gonna happen; re-throw just in case
@@ -207,7 +202,7 @@ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey {
                 }
             }
         } catch (GeneralSecurityException gse) {
-            throw new RuntimeException("Error deriving PBKDF2 keys");
+            throw new RuntimeException("Error deriving PBKDF2 keys", gse);
         }
         return key;
     }
diff --git a/test/jdk/javax/crypto/SecretKeyFactory/SecKeyFacSunJCEPrf.java b/test/jdk/javax/crypto/SecretKeyFactory/SecKeyFacSunJCEPrf.java
new file mode 100644
index 00000000000..356beb31a53
--- /dev/null
+++ b/test/jdk/javax/crypto/SecretKeyFactory/SecKeyFacSunJCEPrf.java
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8218723
+ * @summary Use SunJCE Mac in SecretKeyFactory PBKDF2 implementation
+ * @library evilprov.jar
+ * @library /test/lib
+ * @build jdk.test.lib.Convert
+ * @run main/othervm SecKeyFacSunJCEPrf
+ */
+
+import java.util.Arrays;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.PBEKeySpec;
+import java.security.Provider;
+import java.security.Security;
+import com.evilprovider.*;
+import jdk.test.lib.Convert;
+
+public class SecKeyFacSunJCEPrf {
+
+    // One of the PBKDF2 HMAC-SHA1 test vectors from RFC 6070
+    private static final byte[] SALT = "salt".getBytes();
+    private static final char[] PASS = "password".toCharArray();
+    private static final int ITER = 4096;
+    private static final byte[] EXP_OUT = Convert.hexStringToByteArray(
+            "4B007901B765489ABEAD49D926F721D065A429C1");
+
+    public static void main(String[] args) throws Exception {
+        // Instantiate the Evil Provider and insert it in the
+        // most-preferred position.
+        Provider evilProv = new EvilProvider();
+        System.out.println("3rd Party Provider: " + evilProv);
+        Security.insertProviderAt(evilProv, 1);
+
+        SecretKeyFactory pbkdf2 =
+                SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1", "SunJCE");
+        PBEKeySpec pbks = new PBEKeySpec(PASS, SALT, ITER, 160);
+
+        SecretKey secKey1 = pbkdf2.generateSecret(pbks);
+        System.out.println("PBKDF2WithHmacSHA1:\n" +
+                    Convert.byteArrayToHexString(secKey1.getEncoded()));
+        if (Arrays.equals(secKey1.getEncoded(), EXP_OUT)) {
+            System.out.println("Test Vector Passed");
+        } else {
+            System.out.println("Test Vector Failed");
+            System.out.println("Expected Output:\n" +
+                    Convert.byteArrayToHexString(EXP_OUT));
+            throw new RuntimeException();
+        }
+    }
+}
+
diff --git a/test/jdk/javax/crypto/SecretKeyFactory/evilprov.jar b/test/jdk/javax/crypto/SecretKeyFactory/evilprov.jar
new file mode 100644
index 0000000000000000000000000000000000000000..5d73de23ee3b0c9c23c91ee6fbd4db62c53d6400
GIT binary patch
literal 5127
zcmaJ_1yqz<*B*K(0SPH#K)M^G8M<Q#CB%`ImXt<9x+SDUQjqS3p`^PJ0clVgWT+pm
z_kN<^{r){`)|$0u?|shu?Dy>F*+)$g37G%@1Ofq-PL?WwTSjpGTUlCDf>mBchFw`g
zMP5c4qRFN#6A;;I^Gcl9e}|?4sf!PrIw*^G@98k=vk)IvHCxQ{O*+i_Z8i*1Pk!at
zG^I%H?mqs52we|ks(!4RmI?#nW8-{FQ8bziK0{d(2D4|$HE&w<q{3d`mnB4K%S};_
z$Wjp5d|M=)=Nq6t-1!QVE^HLD$XAbycFB<Q1Mn_*^0>9faW$>BlfL5#vA_68<20km
zQ9tXQwWA~40O6o$ZcH%;m%$X+R&{|ZeZdN4euk5(IJVG;d&i(UnNa-pE0wtQzVmMl
zL9^`YSqq_z*d{S_^Q=x}0<U|$MUk=dH5)x~cth>r?PXquupzT<P+dY<24&^SGEJIW
z@(bWWtmV;H1~0WQYKmw;?McFPR0IIP?fR?sKXJsrjiZ8u21H&~g$;5Iqq6N!7|+on
ztg$e3)#csPh+5fkrKN0um_-2w^(??kcudagoZt;>)BV*Xmt%$wDrQCk5jjk$5~fcE
z!D~DilBh=Z6BQE4jwXv8InX!>i3f)==AUN1>ZHvkLrTRorF=9VaoFQOi>m+=R-7Z%
zwsug&I%p~E!Gls|wD;=-Kb~lJo{z61IHQWclbuh0rt4cGU=sG;q5EkD27oLF0(Bry
z!C@nIM0`4aud1(SByr0na?QWg5s~}CdiY1kSj@`-42L`nyl(dr@N{?#Mn}}~;e?g9
z5`Pcu{g1Oiru8*P#7a{KhvfOWs*marJkLbG*hMWba)Hj{&0Y$TDGhi56TN+s1m2>*
zFcPH@L6bFl)AMx2fWw5)rKY;cZbVAv-QCyK-CtkytoNmKC13F+z9g=6J$+0lC@&LE
z_kjod7&2|(8zB_DIZ!$j3ltPMMtkCOlqwSRekY&(rbblmWF<z|^}$E{|7!HxyZ%p&
zG$0ZkZ(gd6$`f@RoYCSA*h$CvgI*&=_Zouc7!p7rDG=hF%@={(cd<?~G<>oB5Tm)@
zgA&A%$!SssK%kRP*`H_`uwK=ZNR1hwAd~YYRX%sJ%&)3?9(kF&b#&HLH2HaF6z5qG
z#a*It;~8##8U&h0J-Awd#P35u0NgB)JXD=BM?~EBfw(vjHTX&r7{?W520~3i;%q6%
zw!;NT;2k7m3vH0WRgt0TPCf!+eXo522>chn13A&B@f{7lnWU!!Wg_1VduD>o7m<18
zq!$PhS_I&oKbT@IeAP>v9DV70-YeZf$G}0yp=JOR`vTdh*36C0-Y8CYVra}T%X9dL
zfh0vd-*ZN<SL$d`Qm=2|zxxt6c?Cj3eFtADJ*`GD188tu))9XK03MO9hO;^8e+E0t
zP)|>H6c&W0fIa9G^9dV87B2Hyt}4&A74+*Qk-h58LqFngJ-6`ZXHDs}<9&pnyx^v?
zJK%!!wz?xx#3U;BgyWt}5RH4C9cKiwjni;yQdQx@Emz07*o@X!lQk~$y;up6Z6pJl
zbH&P?UJ4BTBlnnXQ1aVj>B>!|?=!Q*1i+Tlz>Pkv&*5Ha+L^UxiGAc?uKuK4B_hH-
zQRlB`Gb_oZ9GOor;>UeGT-du5)tw>^_V3y3vCoJ^mJf|_P52AgLw8B6HW?<jwdaI&
zuK12S4rr@ZYQQebhaA>VKTuxCz1Up~fdx;m^zefWGIRLv0u}*Sc|d<e5cw66J%hh6
z;>9<bC^#}tZ^g6O(kuOq5UX4!ONlbXYI49fwG;??iHyi$-uzS<yA&rz_3{D~Ck~<o
zf_D|8PgPNX_k?`{=CU_z6w^k`g&~40xlTe>WxbN%P97)X!SBQ@4B2!vFS;(qnrfW@
zV9ujX@Pxjd1CP#>CY@kok=G=Pi{Y%sbZU_4f$R3$=L#zwY5|IAS{DPdAxYf_^k+}s
zoD3u-(0A|~aJMil%*1QC#z4H{x42}Lri;y-+rTV=I0UD%^<|>{UnXQSz2}@?me*eu
zRSrCPhB8A}TwiSVx!a@NhbFR%U2~cT+eDnxDLGeC2*{D5+>n6!oKC(wK*=qS;-ih$
zIm9s6-Tzyl*+Ci~BCFT2T`w*E8T>p`_@&6u<@es1c^59iCZ;?zd}+Lk;ldNi%59IU
zD1LKt#FNdXa@{U7-W~1&hF;Y)=SHopE6RdSWF*8aTbP+v<Zb}^=@lB+)Ro?wJ?^Nh
zhBkQx<G3;qneQv`RYFY}HRI~ESr`!*GHM@*6WTFzxv=A$Us`UxUXko<)54e)GR2zf
zW#mFe$xhI)n^LSHeF&*X*!Q_~#dNE67;I{M`ea~%xkj#P_2~rBiD(?Hp@E0?n(73n
z@|as+w2dXWEZZbjvKDHy5xiA!oP$}vv*tcKQ1`YYga}X70+-jFO%$oJ!hyF*+4f7U
zUA1u`a`$r&&xY0yc6+<ixV@YShP5G_9bDL@*bRQYsW18bb}8MugWVeB;cSDufxv<}
zzvSR%B&BdAKP6qQRNmD-QTXgW>8lPyh>Y2HJEKO+XrV9ax(PS|qkB{ECd{(=$+mOH
zBQExQvEncbnIJvhtNW9npna60T+`^?&S7CXvzgB;>@_xrwMOGzSIRum-BBqmm#9<-
z!RVpp=ty9&oWS{stB7xZv!Z^VqM=31=4qac9?kX>Q8B3o3b^s?TF8$?_@0)xtM{{s
z*DlNNU;-m_rr+@fVM9HeDPa|v>qWY2W06}Hqq*JcN%Aii?eCzQu&!YS=7%%##j@Pz
zZ6IZ#8viD4`}l|HE=9OZICCLtf@RIBQ$)EUb*F?5sd_XcXTxU8YM}%ayL?d$_NbGt
z{j@!uV*)aWSFzpsx}-Wrg+6z)le~B&TZBn!YUE!2%$z_%n{kOjm%!bcg|ocf;K#*$
zr*CTKP6XlTrbJeIfjF%xM&KMh-hKWl`u8O<IH9&txSqqM#c+IXuy@4lqx}*sgT{#q
z&Toy5OXIAW9#%m_z6d3!D~Y|f?YKwHkt>s8umt5ROC?+^z-slL_8rqy0&_u<Q&43U
zXhwUy8X){AsUPYwrO%B1g*@C_v_{aLz>)W{eNFtBiozi511VgAm-dt~ipLO@9gm3f
z4o?Itk*d_v#DT>m>f70b6M8lCh7~{41Ipx`t!~7i*6%S*Cr7hPp${_YRP67!&lheV
zZ_7D5GcS|dhT+Jmf25lZiz^R*XiEV!q#%^{1W5>z^J=(JWj5?X%)UT4lIliX%9o;7
zjTPTXk7u^T#CQ3R1{kq?@GBhYE%15>3E2y+vpU1ua}VgBAkpBpm6i0+_akzyqIDwi
zRn06cooqIQrtNgM<+z!Xm(|NECx@Lz<=nS-FkfYQddPo6qhzh3P!u!(fE)cbjaK|2
z8PNgAza-;j4*-C4t&7lrH=^>Ie*dyxI_b|~yzBq1ZH=9*Ojs>!Ol{eWte_4K29feM
zFmYUIZ)giNkht{KgRF3!hZ0j%R4d5g2En9Q_bW?jol`<l&=%Cxd$16*vq+Dg3tmyE
z0_O2>b;**K8Jm;7B^*ikUqU1b9W$~k6edD2V=o2t68#N)m|8=};)YTUcLO3O;mO>-
zM)m0Fi&Rg5;V)uzH^Y#4&>Q96YSAb<Z&wM@hADvh1O`&4zqNG~PRqXLI2GeMk6QLU
z1oo>Y*C(3MnSd|cMiKHB*eFmL9B_)4y7GbxB`@#gdm1g14U2jN7u@B&{0j@5i&OXh
z>nCOWTQgz+0N41G`~f8LwTF?d^|gXQLjLJd_J_v}S~ngh&K6d7FKnGHj7?tr<^EI5
z|C#W?zqw0a$I4kljUaLooIl~V*8B`1(;~PskSj|zX2i`>)8iP5U-fgAU@gq5QU;0Z
zwru8etE96f&z96p_gmQ{?z{Y0PW~FoF1j9;<JG6>d1R~6<zTBpWAS7_WNmxLrRjU^
z*<^Eb6S5r|WzH_DO;U;S$Lx}b>e$3qAq97x;8|2YtT|45{s5YJ#kTgG;25~0YVgUM
zn&NgOS_)DIvOJEgM)44ag-Zk%60WoK1N_T5=giS~EbIL@#CJ~`T4GN~Ivq|`NuKFJ
z4LFp(yZZ`k^F&G=a*FMD$L5Q=NGrNQhxkf5IH+EsLaW;DM=s%WCU`55aEqK2MG<(V
zW4-(+ImrOtfrO86#yQjx*R#&4EO$fBN(ET4YiC#&XH1&$Vw~nYU=QXA#v&xY$K*S~
zqUSD_e5xITQLC^uvA5M`8<i-7tKMm955lvw)->|K%pq3GY1+?uv-?jJ(Hn+}QWVrT
zgx%?=Q>j+`Q$G<3rM+!&JZe8Uc{}HH+_P0p&;cV~CF#>qd7CqePGPN1SWk4UR?ZO`
zN<;x2h8Y=?u-%#Sc`zp@x0wQcoUm~44m#;!$Wvn&L7JKaT%MjISp~kecAnvKrzsP5
zm(g+B))Q!<Zi4}2Og&rW4Zl3<rFdCpy@=aOB-+vtK>vwZUG2S`6u;HXD_tw;#bBL#
z(Vk6)fk}%i_PP{pJqvHXg@{YdxxkNWXS&9mS+L(*wxXXj3Tk=Wso}eO04Gh!RKiY>
zVIIOQBdVaq(XXqkzhIs?a57#-2_M-?JI_0Tju~3lj1xcFoW|ok8o>QXT5}k-Sz(nn
zf9yJ@*C8d#P9-u-;<f{5yjMw;m6SEg1;tAEq}wJi-J-dO@`#E%p5%(8G#&R!!eO4~
zr7vy^&ocsO%zFbmW|=QVQTi>^7ECJfDui7u=RvObf_Dagpnpq$aHvPhi)ih^@2_2&
zP%>A%r<f0tFsuAQ-&Y*Pc8PGXtEY4xxNMd*hMDEve2U2u*gus$)ysI``aqN{y>s%*
zAs#+P#$7_4`kHs7WTPLn*U`}Q1AHyVrZBR5AR~y~)Zx~Iw4?)k7CPgu9HOWEF{pjs
zB~r*aT~Y7kCWA@Zuu08}D=qyBl`q9U5oGwz#@YH2KkOMb(x-2R$7qK28Yp2y_%;R<
z-fFBvY@!G=xeI6O%7!`)IW`bdad<xnFsYV?_Hmdb?`w9K=gT@Ch~4x|zE3v2fk@X4
z7xi|-{j&@F&tt9jcT4zrtiv@7RPohuMMgE8>)9$k0z>v64~@Jo^5h77%9HcFg}_L|
z9QM_umTJ;!$L9O@_#fr2zEb$!K4Lu_dIlPqG!1=SNl6ZLv8Sh7vp4|u;j+D<&Ie?Q
zcl3p;cH2Ai!+FWJ?l4W++2LSgCKFWwkEBRxVZJ=UA&0}4LWrI;eU1-Ov%tAXc&25D
z0_>z~M~NI43Knmg=;D%Rkzktqf^YnFRV_{#$<pK;7*xPADPD0&;$CVmxlX*YV1sm|
zA0QSphV62=bMj#ug5TCylKm`EHeqcLn1bj6J=do&g=V<4Q#pIT9Ey_dXQ}T^6C;k2
z(KKAp5hOg^?Zyls+}&2le+5KZMQhpK!BzWIeefu)*8JI-ORm`T##Q4E>?(nJo5%gD
z2E$>}7uE0)vw9baealX7)2oa|{5EU3`23-r4>YNLI8ws#j!P_!4-LQaT`Wxqzq->L
z*&8YI2!>@kJt@GPF@U#+vQwUFwv3%mj!?iF*$|`C1k>CSV(MbGohcViUdI?$6u4)U
zk7i}2ZmQ?!_wXZ!GCHQwlJvk2gxUfatT*oo(oN}YeYDW>ujyg)uaOl2kpS@Pg68&>
z!_Cn8yZzgBjhf=`8Ey~6H&+wCOzwKk|77@Q2!_b~nc%h*_<al8*Bkz?1lLpa?F|30
z{y%!)Ml$>|?rXC9Plg)-@n`65`n;jQUuJh5`d{+lCL9CslR^Ka#M|ov03MkCFz&C2
zKTq553#R=Y@dpF{Li=XH+sF9ku>P|Ce+&O_M!pTe&3<mb9KR>b!uc0PaFg)&UZAFk
Ua@|q@0QBpR#&s3a|9Yzb1IfdNZU6uP

literal 0
HcmV?d00001

diff --git a/test/jdk/javax/crypto/SecretKeyFactory/evilprov/Makefile b/test/jdk/javax/crypto/SecretKeyFactory/evilprov/Makefile
new file mode 100644
index 00000000000..918c31f0947
--- /dev/null
+++ b/test/jdk/javax/crypto/SecretKeyFactory/evilprov/Makefile
@@ -0,0 +1,55 @@
+#
+# Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+# Java paths
+#JAVA_BASE=PATH_TO_JAVA_IMG_DIR
+JAVABIN=$(JAVA_BASE)/bin
+JAVAC=$(JAVABIN)/javac
+JAVA=$(JAVABIN)/java
+JAR=$(JAVABIN)/jar 
+JARSIGNER=$(JAVABIN)/jarsigner
+
+# Compile-time flags and paths
+JFLAGS=-Xlint:all
+SRCPATH=com/evilprovider
+CLASSDST=classes
+
+PROVJAR=evilprov.jar
+KSTORE=PATH_TO_KEYSTORE
+KALIAS=PLACE_SIGNING_ALIAS_HERE
+MODVER=1.0
+
+all: $(PROVJAR)
+
+%.class: %.java
+	mkdir -p $(CLASSDST)
+	$(JAVAC) -d $(CLASSDST) $(JFLAGS) $<
+
+$(PROVJAR): $(SRCPATH)/EvilHmacSHA1.class $(SRCPATH)/EvilProvider.class module-info.class
+	$(JAR) --create --file $(PROVJAR) --module-version $(MODVER) -C $(CLASSDST) .
+
+signed: $(PROVJAR)
+	jarsigner -keystore $(KSTORE) $(PROVJAR).jar $(KALIAS)
+
+clean:
+	rm -rf $(CLASSDST) $(PROVJAR)
diff --git a/test/jdk/javax/crypto/SecretKeyFactory/evilprov/README b/test/jdk/javax/crypto/SecretKeyFactory/evilprov/README
new file mode 100644
index 00000000000..3bc33a4529e
--- /dev/null
+++ b/test/jdk/javax/crypto/SecretKeyFactory/evilprov/README
@@ -0,0 +1,15 @@
+Everything in this directory is dedicated to building the EvilProvider
+used with the SecKeyFacSunJCEPRF test (JDK-8218723).
+
+The makefile does require a JDK image path to be provided through the
+JAVA_BASE makefile variable.  As an example:
+
+make JAVA_BASE=/usr/java/jdk-11.0.1 evilprov
+
+Since the EvilProvider is a modular jar, JDK 9 or later should be used.
+
+For OpenJDK, no signing is required.  If signing is required (for use
+with Oracle JDK, for instance), you must obtain a JCE signing certificate
+and place it in a keystore, then run the "signed" makefile target (it will
+build the jar file if it does not already exist).
+
diff --git a/test/jdk/javax/crypto/SecretKeyFactory/evilprov/com/evilprovider/EvilHmacSHA1.java b/test/jdk/javax/crypto/SecretKeyFactory/evilprov/com/evilprovider/EvilHmacSHA1.java
new file mode 100644
index 00000000000..017535a8bc4
--- /dev/null
+++ b/test/jdk/javax/crypto/SecretKeyFactory/evilprov/com/evilprovider/EvilHmacSHA1.java
@@ -0,0 +1,90 @@
+/*
+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package com.evilprovider;
+
+import java.security.*;
+import java.security.spec.*;
+import java.nio.ByteBuffer;
+
+import javax.crypto.*;
+
+public final class EvilHmacSHA1 extends MacSpi {
+    private final Mac internalMac;
+
+    public EvilHmacSHA1() throws GeneralSecurityException {
+        internalMac = Mac.getInstance("HmacSHA1", "SunJCE");
+    }
+
+    @Override
+    protected byte[] engineDoFinal() {
+        return internalMac.doFinal();
+    }
+
+    @Override
+    protected int engineGetMacLength() {
+        return internalMac.getMacLength();
+    }
+
+    @Override
+    protected void engineInit(Key key, AlgorithmParameterSpec spec)
+            throws InvalidKeyException, InvalidAlgorithmParameterException {
+        SecretKey sKey;
+        if (key instanceof SecretKey) {
+            sKey = (SecretKey)key;
+        } else {
+            throw new IllegalArgumentException("Key must be a SecretKey");
+        }
+
+        byte[] sKeyEnc = sKey.getEncoded();
+        int keyBits = sKeyEnc.length * 8;
+        if (keyBits < 160) {
+            throw new IllegalArgumentException("Key must be at least 160 bits");
+        }
+
+        // Pass through to init
+        internalMac.init(key, spec);
+    }
+
+    @Override
+    protected void engineReset() {
+        internalMac.reset();
+    }
+
+    @Override
+    protected void engineUpdate(byte input) {
+        internalMac.update(input);
+    }
+
+    @Override
+    protected void engineUpdate(byte[] input, int offset, int len) {
+        internalMac.update(input, offset, len);
+    }
+
+    @Override
+    protected void engineUpdate(ByteBuffer input) {
+        internalMac.update(input);
+    }
+}
diff --git a/test/jdk/javax/crypto/SecretKeyFactory/evilprov/com/evilprovider/EvilProvider.java b/test/jdk/javax/crypto/SecretKeyFactory/evilprov/com/evilprovider/EvilProvider.java
new file mode 100644
index 00000000000..2976e8db206
--- /dev/null
+++ b/test/jdk/javax/crypto/SecretKeyFactory/evilprov/com/evilprovider/EvilProvider.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package com.evilprovider;
+
+import java.security.*;
+
+public final class EvilProvider extends Provider {
+
+    private static final long serialVersionUID = 11223344550000L;
+
+    public EvilProvider() {
+        super("EvilProvider", "1.0", "Evil Provider");
+        putService(new Provider.Service(this, "Mac", "HmacSHA1",
+                    "com.evilprovider.EvilHmacSHA1", null, null));
+    }
+}
+
diff --git a/test/jdk/javax/crypto/SecretKeyFactory/evilprov/module-info.java b/test/jdk/javax/crypto/SecretKeyFactory/evilprov/module-info.java
new file mode 100644
index 00000000000..d971726946c
--- /dev/null
+++ b/test/jdk/javax/crypto/SecretKeyFactory/evilprov/module-info.java
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * Provides the evil provider
+ *
+ * @provides java.security.Provider
+ *
+ * @moduleGraph
+ */
+module jdk.evilprovider {
+    provides java.security.Provider with com.evilprovider.EvilProvider;
+}