On Thu, 19 Dec 2024 02:29:07 GMT, Weijun Wang <wei...@openjdk.org> wrote:
> Just curious, if I disable the `CKM_CONCATENATE_DATA_AND_BASE` mechanism in
> the config file, then `addIKM(data).addIKM(key)` still works. I guess that's
> because the config only applies to JCA/JCE algorithms but not internal
> implementations. This is designed so, right?

Yes, you're right. The mechanism, by design, can be used to avoid registering services for which there is no support in the token or has been disabled in the configuration. However, we decided not to make `CKM_CONCATENATE_DATA_AND_BASE` a requirement for HKDF services in SunPKCS11. The reason is that there might be a token that does not implement `CKM_CONCATENATE_DATA_AND_BASE` but still be usable for HKDF. By being less strict we can support more tokens and use cases that don't require concatenation. There will still be an error if the token does not support it and it's used.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/22215#issuecomment-2552718591