RFR: 8328119: Support HKDF in SunPKCS11 (Preview) [v11]
Kevin Driver
kdriver at openjdk.org
Fri Jan 17 20:13:43 UTC 2025
On Fri, 17 Jan 2025 19:45:08 GMT, Martin Balao <mbalao at openjdk.org> wrote:
>> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11HKDF.java line 117:
>>
>>> 115: boolean isExtract = false, isExpand = false;
>>> 116: boolean isData = retType == byte[].class;
>>> 117: assert isData || retType == SecretKey.class : "Invalid return type.";
>>
>> Style comment:
>>
>> I don't see why passing the return-type is preferable here, making this `assert` check necessary. It's only internal code that is passing a `retType` argument anyway. Why not do something similar to what the software implementation does and just return a byte[] from this method?
>
> In some cases we need to return a `SecretKey` (a `P11SecretKey` instance, internally) that represents a key inside the token. In some cases, we can extract its bytes and create a key again with key translation, but it's costly. In some others (e.g. the key is not extractable or is sensitive), we cannot do that.
I see, so you are attempting to cover three cases then:
1) raw bytes
2) present `SecretKey`
3) token `SecretKey`
In case three, the data would never have been available to the provider, so you do not have bytes to return -- and it would not make sense to represent the token as a byte[] I suppose.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/22215#discussion_r1920690305
More information about the security-dev
mailing list