RFR: 8328119: Support HKDF in SunPKCS11 (Preview) [v11]

Kevin Driver kdriver at openjdk.org
Fri Jan 17 20:29:39 UTC 2025


On Fri, 17 Jan 2025 20:17:23 GMT, Martin Balao <mbalao at openjdk.org> wrote:

>> I see, so you are attempting to cover three cases then: 
>> 
>> 1) raw bytes
>> 2) present `SecretKey`
>> 3) token `SecretKey`
>> 
>> In case three, the data would never have been available to the provider, so you do not have bytes to return -- and it would not make sense to represent the token as a byte[] I suppose.
>
> Yes, that's right for case three: `deriveKey` may return a `SecretKey` for which key bytes are opaque from the point of view of OpenJDK.

I guess I was envisioning "partitioning" the calculations where there was indeed access to the values separately from calculations via tokens where things would be opaque. This handles everything together. My original comment was composed before finishing reading the implementation. :)

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/22215#discussion_r1920702004

