On Thu, 10 Apr 2025 23:54:03 GMT, Martin Balao <mba...@openjdk.org> wrote:
>> Hi, >> >> I would like to request a review for the fix of JDK-8350661. In this fix, we >> translate the native PKCS 11 error code into an >> `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` >> API. With that said, different PKCS 11 libraries may throw different errors >> and may even (in theory) delay the error until the key is used, as _SunJCE_ >> does. I believe that this is an improvement but further adjustments may be >> needed in the future. >> >> No regressions observed in `test/jdk/sun/security/pkcs11/KDF/TestHKDF.java`. >> >> Thanks, >> Martin.- > > Martin Balao has updated the pull request incrementally with two additional > commits since the last revision: > > - Algorithm and key size checking before derivation. Mechanism normalization > for TLS. > - Minor import adjustment. What I have found with Tls* keys is that they are in the map but we need to translate their pseudo-mechanism to a valid one (`CKK_GENERIC_SECRET`). Is that enough for #24393? ------------- PR Comment: https://git.openjdk.org/jdk/pull/24526#issuecomment-2795454937
