InputKeyingMaterial should be provided as SecretKey, not (only) as byte array #4

@tititin42

In order to provide compatibility with HSM, the input keying material should be directly provided as SecretKey.

At the moment, you recreate a SecretKey from a byte array, and provide it to the mac instance.

Whereas you should also provide a signature where we can provide a SecretKey which already contains the keying material.

This is preferred to keep compatibility with HSM: the input keying material is not always "readable", depending on the source of the keying material.

This also means that the keying material should come from the same source as the mac instance you are generating, but this is already covered by the fact that you allow providing the mac provider.
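
One way the requested overload could look, as an added example that is not part of the original post and not the project's code: HKDF-Expand (RFC 5869) keyed by a `SecretKey` handed straight to `Mac.init()`, so the key bytes are never read. The class and method names, the `macAlgorithm` parameter and the all-zero sample key are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Provider;

// Hypothetical class for illustration; not the library's API.
final class SecretKeyHkdfExpand {

    // HKDF-Expand keyed with a SecretKey handle. The key is only passed to
    // Mac.init(); getEncoded() is never called, so a non-extractable key can be
    // used as long as `provider` is the provider that owns it (null = default).
    static byte[] expand(SecretKey prk, String macAlgorithm, Provider provider,
                         byte[] info, int length) throws GeneralSecurityException {
        Mac mac = (provider == null)
                ? Mac.getInstance(macAlgorithm)
                : Mac.getInstance(macAlgorithm, provider);
        mac.init(prk);
        int hashLen = mac.getMacLength();
        if (length <= 0 || length > 255 * hashLen) {
            throw new IllegalArgumentException("length must be in 1.." + 255 * hashLen);
        }
        byte[] context = (info == null) ? new byte[0] : info;
        byte[] okm = new byte[length];
        byte[] block = new byte[0];          // T(0) is the empty string
        int written = 0;
        for (int counter = 1; written < length; counter++) {
            mac.update(block);               // T(n-1)
            mac.update(context);
            mac.update((byte) counter);      // single-octet block counter
            block = mac.doFinal();           // T(n); Mac resets, same key stays loaded
            int n = Math.min(hashLen, length - written);
            System.arraycopy(block, 0, okm, written, n);
            written += n;
        }
        return okm;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample: a software key stands in for an HSM-held key handle.
        SecretKey prk = new SecretKeySpec(new byte[32], "HmacSHA256");
        byte[] info = "example context".getBytes(StandardCharsets.UTF_8);
        byte[] okm = expand(prk, "HmacSHA256", null, info, 42);
        System.out.println("derived " + okm.length + " bytes");
    }
}
```

The derived output is still returned as a byte array; only the keying input stays behind the `SecretKey` handle.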
