On Thu, 10 Apr 2025 23:54:03 GMT, Martin Balao <mba...@openjdk.org> wrote:

>> Hi,
>> 
>> I would like to request a review for the fix of JDK-8350661. In this fix, we 
>> translate the native PKCS 11 error code into an 
>> `InvalidAlgorithmParameterException`, as documented in the `KDF::deriveKey` 
>> API. With that said, different PKCS 11 libraries may throw different errors 
>> and may even (in theory) delay the error until the key is used, as _SunJCE_ 
>> does. I believe that this is an improvement but further adjustments may be 
>> needed in the future.
>> 
>> No regressions observed in `test/jdk/sun/security/pkcs11/KDF/TestHKDF.java`.
>> 
>> Thanks,
>> Martin.-
>
> Martin Balao has updated the pull request incrementally with two additional 
> commits since the last revision:
> 
>  - Algorithm and key size checking before derivation. Mechanism normalization 
> for TLS.
>  - Minor import adjustment.

src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11HKDF.java line 246:

> 244:                         alg.equalsIgnoreCase("Generic")) {
> 245:                     return ki.keyType;
> 246:                 }

What is this check for? It's not immediately clear to me why do we look up the 
keyInfo using `alg` but then again to check to error out when the found keyType 
is CKK_GENERIC_SECRET && alg not equals "Generic". This seems to directly 
contradicts the special workaround for "TlsXXX" in my other PR?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/24526#discussion_r2040315149

Reply via email to