On Wed, 22 Dec 2021 00:46:32 GMT, Weijun Wang <wei...@openjdk.org> wrote:
> Since the return error code is PKCS11 CKR_ATTRIBUTE_SENSITIVE, does it make > sense to assign `sensitive = true` right at the beginning? I'm not a PKCS11 > expert and not sure if this has any negative effect on > > https://github.com/openjdk/jdk/blob/ea8d3c92c69c393cdbc6c62398f1e9c6adc708d3/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java#L1394 > (where the `sensitive` flag is used). I debated about it, my current thought is to reflect the same value returned by underlying PKCS11 library. Otherwise, it may look confusing to users - why C returns false but Java shows it to be true. This consistency comes with a cost of extra maintenance/code to check and special handle vendor-specific behavior like this NSS token key, i.e. queried to be non-sensitive and extractable , but yet errors out if trying to retrieve the key values. ------------- PR: https://git.openjdk.java.net/jdk/pull/6837
