On Tue, 15 Apr 2025 13:23:06 GMT, Martin Balao <mba...@openjdk.org> wrote:
>> I like this idea but the downside I see is that we would need string
>> comparison in `P11KDF::getDerivedKeyType` to allow TLS keys. What if we
>> merge all `PCKK_TLSPREMASTER`, `PCKK_TLSRSAPREMASTER` and `PCKK_TLSMASTER`
>> into `PCKK_TLSKEY` and then do the translation to `CKK_GENERIC_SECRET` as
>> needed? This will also help with the new Tls* keys that I am planning to add
>> to the map.
>
> BTW, I don't like the partial "Tls" string comparison much because it's
> making an assumption about the algorithm name.

A new `PCKK_TLSKEY` pseudo key type looks good to me.

Alternatively, and just thinking out loud, how about introducing a new `TlsKeyInfo` and using `ki instanceof TlsKeyInfo` in `P11KDF::getDerivedKeyType`? Perhaps we could also add a new `KeyInfo.supportsHKDF` boolean field and store that information in the map, replacing the whole `P11KDF::getDerivedKeyType` call by a `ki.supportsHKDF` check. This would also solve the `PBEWithHmacSHA224AndAES_256` case.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/24526#discussion_r2044984104