On Fri, 17 Jan 2025 20:10:53 GMT, Kevin Driver <kdri...@openjdk.org> wrote:
>> In some cases we need to return a `SecretKey` (a `P11SecretKey` instance,
>> internally) that represents a key inside the token. In some cases, we can
>> extract its bytes and create a key again with key translation, but it's
>> costly. In some others (e.g. the key is not extractable or is sensitive), we
>> cannot do that.
>
> I see, so you are attempting to cover three cases then:
>
> 1) raw bytes
> 2) present `SecretKey`
> 3) token `SecretKey`
>
> In case three, the data would never have been available to the provider, so
> you do not have bytes to return -- and it would not make sense to represent
> the token as a byte[] I suppose.

Yes, that's right for case three: `deriveKey` may return a `SecretKey` for which key bytes are opaque from the point of view of OpenJDK.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/22215#discussion_r1920695601
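The case-three situation discussed above, as an added example that is not code from the PR or from the SunPKCS11 provider: `OpaqueTokenKey` is a constructed stand-in for a token-resident `P11SecretKey` whose bytes never reach the JDK, and the software HMAC provider's refusal of it shows why a caller of `deriveKey` has to treat a null `getEncoded()` as a normal outcome rather than something to work around.

```java
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;

// Constructed stand-in for a token-resident key (case 3): the key material
// stays inside the token, so getEncoded() returns null, as it does for a
// non-extractable or sensitive PKCS#11 key. This is not the real P11SecretKey.
final class OpaqueTokenKey implements SecretKey {
    private final String algorithm;
    OpaqueTokenKey(String algorithm) { this.algorithm = algorithm; }
    @Override public String getAlgorithm() { return algorithm; }
    @Override public String getFormat() { return null; }   // no encoding exists
    @Override public byte[] getEncoded() { return null; }  // bytes never leave the token
}

public class OpaqueKeyDemo {
    // Cases 1 and 2 carry bytes; case 3 does not. A null here means the key can
    // only be used through the provider that owns it, never copied elsewhere.
    static boolean hasExtractableBytes(SecretKey key) {
        return key.getEncoded() != null;
    }

    public static void main(String[] args) throws Exception {
        byte[] sample = "constructed-sample-key-bytes".getBytes(StandardCharsets.US_ASCII);
        SecretKey present = new SecretKeySpec(sample, "HmacSHA256"); // case 2: bytes in hand
        SecretKey opaque = new OpaqueTokenKey("HmacSHA256");         // case 3: bytes in token

        // A software HMAC implementation consumes the key whose bytes are available...
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(present);
        System.out.println("present key: HMAC ok, tag length " + mac.doFinal(new byte[0]).length);

        // ...but rejects the opaque key, since it needs raw bytes and there are none.
        try {
            mac.init(opaque);
            System.out.println("unexpected: software provider accepted an opaque key");
        } catch (InvalidKeyException e) {
            System.out.println("opaque key rejected by software provider: " + e.getMessage());
        }

        System.out.println("extractable: present=" + hasExtractableBytes(present)
                + ", opaque=" + hasExtractableBytes(opaque));
    }
}
```

Run as-is it uses only the default JCE providers; with a configured SunPKCS11 provider the same opaque key would be usable through a `Mac` obtained from that provider, which is the point of returning the `SecretKey` instead of a `byte[]`.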