RFR: 8350661: PKCS11 HKDF throws ProviderException when requesting a 31-byte AES key [v2]

[Martin Balao]

On Fri, 11 Apr 2025 21:32:47 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> Martin Balao has updated the pull request incrementally with two additional commits since the last revision:
>> 
>>  - Algorithm and key size checking before derivation. Mechanism normalization for TLS.
>>  - Minor import adjustment.
>
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11HKDF.java line 251:
> 
>> 249:                     (int) PCKK_TLSMASTER -> {
>> 250:                 return CKK_GENERIC_SECRET;
>> 251:             }
> 
> It's easier to troubleshoot to add a default case and not let it fall through to the exception on line 253? It's possible that P11SecretKeyFactory is enhanced with more KeyInfo, but the newly added keyType is not added here. Lumping different causes into the same exception may be harder to debug.

The exception informs the algorithm, and we know that the algorithm was found in the map because, otherwise, we would have not been able to get the `KeyInfo ki` received by parameter. I can add two separate exceptions if you want, but should not make much of a difference because the reason for the exception is the same: the algorithm is not valid for derivation, regardless if its underlying mechanism is CKK_GENERIC_SECRET or something else.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/24526#discussion_r2040431816