On Fri, 17 Jan 2025 20:17:23 GMT, Martin Balao <mba...@openjdk.org> wrote:
>> I see, so you are attempting to cover three cases then: >> >> 1) raw bytes >> 2) present `SecretKey` >> 3) token `SecretKey` >> >> In case three, the data would never have been available to the provider, so >> you do not have bytes to return -- and it would not make sense to represent >> the token as a byte[] I suppose. > > Yes, that's right for case three: `deriveKey` may return a `SecretKey` for > which key bytes are opaque from the point of view of OpenJDK. I guess I was envisioning "partitioning" the calculations where there was indeed access to the values separately from calculations via tokens where things would be opaque. This handles everything together. My original comment was composed before finishing reading the implementation. :) ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/22215#discussion_r1920702004
