On Wed, 9 Apr 2025 06:45:14 GMT, Daniel Jeliński <djelin...@openjdk.org> wrote:
> I think the usual way to handle this is by calling > `P11KeyGenerator.checkKeySize` We discussed calling `P11KeyGenerator::checkKeySize` with @franferrax but were not sure of taking this approach. We found that for DES(3) cases some fixed values are considered valid but wondered if, in theory, the PKCS 11 library can be configured to be more restrictive and reject some of them. Given that this is an error-path and should be exceptional, we thought that the cost of passing the operation to the token and handling the error was affordable. Perhaps we can do both: check beforehand and handle the error afterwards. I'll give it some more thinking. ------------- PR Comment: https://git.openjdk.org/jdk/pull/24526#issuecomment-2789680355
