RFR: 8328119: Support HKDF in SunPKCS11 (Preview) [v8]

Martin Balao mbalao at openjdk.org
Tue Jan 7 16:42:56 UTC 2025


On Sat, 4 Jan 2025 00:57:45 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> Martin Balao has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   Check disabled PKCS #11 mechanisms when concatenating keys and data.
>>   
>>   Co-authored-by: Martin Balao Alonso <mbalao at redhat.com>
>>   Co-authored-by: Francisco Ferrari Bihurriet <fferrari at redhat.com>
>
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java line 1525:
> 
>> 1523:             } else if (type == KDF) {
>> 1524:                 try {
>> 1525:                     return new P11KDF(token, algorithm, (KDFParameters) param,
> 
> I'd expect `mechanism` before `param` as mechanism is needed for all services but `param` may not. Can we adjust the ordering here?

Yes, we can swap them.

> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_HKDF_PARAMS.java line 30:
> 
>> 28: /**
>> 29:  * class CK_HKDF_PARAMS provides the parameters to the CKM_HKDF_DERIVE,
>> 30:  * CKM_HKDF_DATA and CKM_HKDF_KEY_GEN mechanisms.<p>
> 
> CKM_HKDF_KEY_GEN mechanism does not take CK_HKDF_PARAMS, does it?

That's right. I'll fix the doc.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/22215#discussion_r1905760535
PR Review Comment: https://git.openjdk.org/jdk/pull/22215#discussion_r1905756627

