RFR: 8328119: Support HKDF in SunPKCS11 (Preview) [v5]
Martin Balao
mbalao at openjdk.org
Wed Dec 18 19:56:02 UTC 2024
On Wed, 18 Dec 2024 16:38:39 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> I have never been a PKCS11 expert, but the code looks fine to me. The `import` line at the beginning of `CK_HKDF_PARAMS.java` is useless.
Thanks for your review. Unused import removed.
> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java line 1092:
>
>> 1090: m(CKM_HKDF_DERIVE, CKM_HKDF_DATA));
>> 1091: d(KDF, "HKDF-SHA512", P11KDF, m(CKM_SHA512_HMAC),
>> 1092: m(CKM_HKDF_DERIVE, CKM_HKDF_DATA));
>
> We only defined HKDF-SHA256 and later in the Java Security Standard Names doc.
We included SHA1 because there could be a legacy use case to support and it's part of the test vectors for RFC 5869 (HMAC-based Extract-and-Expand Key Derivation Function (HKDF)). We don't recommend using it, and will probably filter it out once we have the Filter integrated, but would you be okay with keeping it?
-------------
PR Comment: https://git.openjdk.org/jdk/pull/22215#issuecomment-2552150153
PR Review Comment: https://git.openjdk.org/jdk/pull/22215#discussion_r1890761291
More information about the core-libs-dev
mailing list