RFR: 8328119: Support HKDF in SunPKCS11 (Preview) [v11]

[Martin Balao]

On Fri, 17 Jan 2025 19:26:36 GMT, Kevin Driver <kdriver at openjdk.org> wrote:

>> Martin Balao has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   Improve TestContext note about expectedOpOut
>>   
>>   Co-authored-by: Martin Balao Alonso <mbalao at redhat.com>
>>   Co-authored-by: Francisco Ferrari Bihurriet <fferrari at redhat.com>
>
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11HKDF.java line 117:
> 
>> 115:         boolean isExtract = false, isExpand = false;
>> 116:         boolean isData = retType == byte[].class;
>> 117:         assert isData || retType == SecretKey.class : "Invalid return type.";
> 
> Style comment: 
> 
> I don't see why passing the return-type is preferable here, making this `assert` check necessary. It's only internal code that is passing a `retType` argument anyway. Why not do something similar to what the software implementation does and just return a byte[] from this method?

In some cases we need to return a `SecretKey` (a `P11SecretKey` instance, internally) that represents a key inside the token. In some cases, we can extract its bytes and create a key again with key translation, but it's costly. In some others (e.g. the key is not extractable or is sensitive), we cannot do that.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/22215#discussion_r1920668314