RFR: 8328119: Support HKDF in SunPKCS11 (Preview) [v7]
Martin Balao
mbalao at openjdk.org
Thu Dec 19 03:55:38 UTC 2024
On Thu, 19 Dec 2024 02:29:07 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> Just curious, if I disable the `CKM_CONCATENATE_DATA_AND_BASE` mechanism in the config file, then `addIKM(data).addIKM(key)` still works. I guess that's because the config only applies to JCA/JCE algorithms but not internal implementations. This is designed so, right?
Yes, you're right. The mechanism, by design, can be used to avoid registering services for which there is no support in the token or which have been disabled in the configuration. However, we decided not to make `CKM_CONCATENATE_DATA_AND_BASE` a requirement for HKDF services in SunPKCS11. The reason is that there might be a token that does not implement `CKM_CONCATENATE_DATA_AND_BASE` but is still usable for HKDF. By being less strict we can support more tokens and use cases that don't require concatenation. There will still be an error if the token does not support it and it's used.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/22215#issuecomment-2552718591