On Sat, 4 Jan 2025 00:57:45 GMT, Valerie Peng <valer...@openjdk.org> wrote:
>> Martin Balao has updated the pull request incrementally with one additional
>> commit since the last revision:
>>
>> Check disabled PKCS #11 mechanisms when concatenating keys and data.
>>
>> Co-authored-by: Martin Balao Alonso <mba...@redhat.com>
>> Co-authored-by: Francisco Ferrari Bihurriet <fferr...@redhat.com>
>
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java line 1525:
>
>> 1523: } else if (type == KDF) {
>> 1524: try {
>> 1525: return new P11KDF(token, algorithm, (KDFParameters) param,
>
> I'd expect `mechanism` before `param` as mechanism is needed for all services
> but `param` may not. Can we adjust the ordering here?

Yes, we can swap them.

> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_HKDF_PARAMS.java line 30:
>
>> 28: /**
>> 29: * class CK_HKDF_PARAMS provides the parameters to the CKM_HKDF_DERIVE,
>> 30: * CKM_HKDF_DATA and CKM_HKDF_KEY_GEN mechanisms.<p>
>
> CKM_HKDF_KEY_GEN mechanism does not take CK_HKDF_PARAMS, does it?

That's right. I'll fix the doc.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/22215#discussion_r1905760535
PR Review Comment: https://git.openjdk.org/jdk/pull/22215#discussion_r1905756627