On Mon, 22 Sep 2025 23:57:20 GMT, Valerie Peng <[email protected]> wrote:

>> Enable HKDF to work with providers that do not allow secret keys to be 
>> created from arbitrary data.
>> 
>> This permits the TLS 1.3 handshake to complete with SunPKCS11 provider 
>> backed by NSS in FIPS mode.
>> 
>> I added a TLS 1.3 test case to an existing test. The new test passes with 
>> the HKDF changes, fails without them. Other tier1-3 tests continue to pass.
>
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11HKDF.java line 
> 268:
> 
>> 266:     }
>> 267: 
>> 268:     private long convertKeyToData(byte[] keyBytes) {
> 
> Check `keyBytes` being non-null?

Consider using `SecretKey` argument instead of `byte[]` so it's clear that 
`keyBytes` is entirely internal, then add a `finally` block to the `try` block 
to erase the key encoding, i.e. 

+        } finally {
+            Arrays.fill(keyBytes, (byte)0);
+        }
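
Review bot: `Arrays.fill(keyBytes, (byte)0)` in the `finally` block throws a NullPointerException when `keyBytes` is null, which is the case the quoted comment on line 268 asks about, and an exception thrown from `finally` replaces whatever the `try` body threw. Guard the fill with `if (keyBytes != null)`, or reject null before entering the `try`.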

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/27384#discussion_r2370671871
