RFR: 8328119: Support HKDF in SunPKCS11 (Preview) [v11]

Martin Balao mbalao at openjdk.org
Fri Jan 17 20:22:40 UTC 2025


On Fri, 17 Jan 2025 20:10:53 GMT, Kevin Driver <kdriver at openjdk.org> wrote:

>> In some cases we need to return a `SecretKey` (a `P11SecretKey` instance, internally) that represents a key inside the token. In some cases, we can extract its bytes and create a key again with key translation, but it's costly. In some others (e.g. the key is not extractable or is sensitive), we cannot do that.
>
> I see, so you are attempting to cover three cases then: 
> 
> 1) raw bytes
> 2) present `SecretKey`
> 3) token `SecretKey`
> 
> In case three, the data would never have been available to the provider, so you do not have bytes to return -- and it would not make sense to represent the token as a byte[] I suppose.

Yes, that's right for case three: `deriveKey` may return a `SecretKey` for which key bytes are opaque from the point of view of OpenJDK.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/22215#discussion_r1920695601
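Case three above, as an added example that is not part of the thread or of the PR under review: a caller derives an AES key through the preview `javax.crypto.KDF` API (JEP 478), checks whether the resulting `SecretKey` exposes its bytes, and uses the key object directly so that the same code works whether the provider returns extractable material or a token-resident key. It assumes a JDK with the HKDF preview API enabled; the provider selection and PKCS#11 configuration are left to the runtime.

```java
import javax.crypto.Cipher;
import javax.crypto.KDF;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.HKDFParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

public class OpaqueDerivedKeyDemo {

    // Derive a 256-bit AES key with HKDF-SHA256 through whichever provider is
    // selected; a SunPKCS11 provider may hand back a token-resident key.
    static SecretKey deriveAesKey(byte[] ikm, byte[] salt, byte[] info) throws Exception {
        KDF hkdf = KDF.getInstance("HKDF-SHA256");
        HKDFParameterSpec spec = HKDFParameterSpec.ofExtract()
                .addIKM(ikm)
                .addSalt(salt)
                .thenExpand(info, 32);   // 32 bytes of output keying material
        return hkdf.deriveKey("AES", spec);
    }

    // Case three from the thread: the key bytes can be opaque to OpenJDK.
    // getEncoded() returns null for such a key, so callers must not assume
    // that raw bytes are available.
    static boolean isOpaque(SecretKey key) {
        return key.getEncoded() == null;
    }

    // Use the key object itself; this path works for extractable and opaque keys alike.
    static byte[] encryptGcm(SecretKey key, byte[] iv, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return c.doFinal(plaintext);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs for the demo; not real secrets.
        byte[] ikm = "constructed-input-keying-material".getBytes(StandardCharsets.UTF_8);
        byte[] salt = "constructed-salt".getBytes(StandardCharsets.UTF_8);
        byte[] info = "constructed-context-label".getBytes(StandardCharsets.UTF_8);
        SecretKey key = deriveAesKey(ikm, salt, info);
        System.out.println("Derived key is opaque: " + isOpaque(key));

        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);   // fresh nonce per encryption
        byte[] ct = encryptGcm(key, iv, "hello".getBytes(StandardCharsets.UTF_8));
        System.out.println("Ciphertext length: " + ct.length);
    }
}
```

Compile and run with `--enable-preview` on a JDK that ships the KDF preview API; with the default software providers `isOpaque` reports `false`, while a token key from a PKCS#11 provider that marks it non-extractable or sensitive reports `true`.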
