On Fri, 17 Jan 2025 19:26:36 GMT, Kevin Driver <kdri...@openjdk.org> wrote:
>> Martin Balao has updated the pull request incrementally with one additional commit since the last revision:
>>
>>   Improve TestContext note about expectedOpOut
>>
>>   Co-authored-by: Martin Balao Alonso <mba...@redhat.com>
>>   Co-authored-by: Francisco Ferrari Bihurriet <fferr...@redhat.com>
>
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11HKDF.java line 117:
>
>> 115:         boolean isExtract = false, isExpand = false;
>> 116:         boolean isData = retType == byte[].class;
>> 117:         assert isData || retType == SecretKey.class : "Invalid return type.";
>
> Style comment:
>
> I don't see why passing the return-type is preferable here, making this `assert` check necessary. It's only internal code that is passing a `retType` argument anyway. Why not do something similar to what the software implementation does and just return a byte[] from this method?

In some cases we need to return a `SecretKey` (a `P11SecretKey` instance, internally) that represents a key inside the token. In some cases, we can extract its bytes and create a key again with key translation, but it's costly. In some others (e.g. the key is not extractable or is sensitive), we cannot do that.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/22215#discussion_r1920668314