RFR: 8341346: Add support for exporting TLS Keying Material [v10]
Sean Mullan
mullan at openjdk.org
Mon May 12 15:09:56 UTC 2025
On Fri, 9 May 2025 21:38:07 GMT, Bradford Wetmore <wetmore at openjdk.org> wrote:
>> Adds the RFC 5705/8446 TLS Key Exporters API/implementation to JSSE/SunJSSE respectively.
>>
>> CSR is underway.
>>
>> Tests include new unit tests for TLSv1-1.3. Will run tier1-2, plus the JCK API (jck:api/java_security jck:api/javax_crypto jck:api/javax_net jck:api/javax_security jck:api/org_ietf jck:api/javax_xml/crypto)
>
> Bradford Wetmore has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains 13 commits:
>
> - Merge branch 'master' into JDK-8341346
> - Adjustments made for JDK-8350830
> - Merge branch 'master' into JDK-8341346
> - Rework to avoid PKCS11 data extraction problems, and enhanced input verification and unit testing
> - More Codereview comments
> - Updated to use the upcoming KDF (still in preview) + bits of JDK-8353578 for compilation)
> - Add in the SharedSecrets SecretKeySpec clearing mechanism
> - More codereview/CSR comments
> - Merge branch 'master' into JDK-8341346
> - Codereview comments.
> - ... and 3 more: https://git.openjdk.org/jdk/compare/68a11850...bd227aa8
src/java.base/share/classes/javax/net/ssl/ExtendedSSLSession.java line 172:
> 170: * algorithms defined in RFCs 5705/8446.
> 171: * <P>
> 172: * Note RFC 5705 (for (D)TLSv1.2 and earlier) calculates different EKM
s/Note/Note that/
(or just remove "Note" - don't think it is really necessary).
src/java.base/share/classes/javax/net/ssl/ExtendedSSLSession.java line 187:
> 185: *
> 186: * @implSpec The default implementation throws
> 187: * {@code UnsupportedOperationException}
Missing period at end of sentence.
src/java.base/share/classes/javax/net/ssl/ExtendedSSLSession.java line 192:
> 190: * {@code label} will be converted to a {@code byte[]}
> 191: * before the operation begins
> 192: * @param context the context bytes used in the EKM calculation
Add something that says `null` is acceptable. i.e. ", or `null` ..."
src/java.base/share/classes/javax/net/ssl/ExtendedSSLSession.java line 195:
> 193: * @param length the number of bytes of EKM material needed
> 194: *
> 195: * @throws SSLKeyException if the key could not be generated
I prefer "cannot" (present tense).
src/java.base/share/classes/javax/net/ssl/ExtendedSSLSession.java line 204:
> 202: *
> 203: * @return a {@code SecretKey} that contains {@code length} bytes of the
> 204: * EKM material.
no period necessary.
src/java.base/share/classes/javax/net/ssl/ExtendedSSLSession.java line 225:
> 223: * character encoding.
> 224: * <P>
> 225: * Depending on the chosen underlying key derivation mechanism, the
This reads like it should maybe be an `@apiNote`.
src/java.base/share/classes/javax/net/ssl/ExtendedSSLSession.java line 254:
> 252: *
> 253: * @return a byte array of size {@code length} that contains the EKM
> 254: * material, or null if the derived key material does not support
For "or null if the derived key material does not support encoding" why wouldn't an implementation throw UOE instead?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24976#discussion_r2084853417
PR Review Comment: https://git.openjdk.org/jdk/pull/24976#discussion_r2084889527
PR Review Comment: https://git.openjdk.org/jdk/pull/24976#discussion_r2084879618
PR Review Comment: https://git.openjdk.org/jdk/pull/24976#discussion_r2084887858
PR Review Comment: https://git.openjdk.org/jdk/pull/24976#discussion_r2084891743
PR Review Comment: https://git.openjdk.org/jdk/pull/24976#discussion_r2084895438
PR Review Comment: https://git.openjdk.org/jdk/pull/24976#discussion_r2084899365
More information about the net-dev
mailing list