On Wed, 18 Dec 2024 16:38:39 GMT, Weijun Wang <wei...@openjdk.org> wrote:
> I have never been a PKCS11 expert, but the code looks fine to me. The > `import` line at the beginning of `CK_HKDF_PARAMS.java` is useless. Thanks for your review. Unused import removed. > src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java line > 1092: > >> 1090: m(CKM_HKDF_DERIVE, CKM_HKDF_DATA)); >> 1091: d(KDF, "HKDF-SHA512", P11KDF, m(CKM_SHA512_HMAC), >> 1092: m(CKM_HKDF_DERIVE, CKM_HKDF_DATA)); > > We only defined HKDF-SHA256 and later in the Java Security Standard Names doc. We included SHA1 because there could be a legacy use case to support and it's part of the test vectors for RFC 5869 (HMAC-based Extract-and-Expand Key Derivation Function (HKDF)). We don't recommend using it, and will probably filter it out once we have the Filter integrated, but would you be okay with keeping it? ------------- PR Comment: https://git.openjdk.org/jdk/pull/22215#issuecomment-2552150153 PR Review Comment: https://git.openjdk.org/jdk/pull/22215#discussion_r1890761291
