RFR: 8341346: Add support for exporting TLS Keying Material [v12]
Weijun Wang
weijun at openjdk.org
Tue May 13 13:27:54 UTC 2025
On Tue, 13 May 2025 05:32:34 GMT, Bradford Wetmore <wetmore at openjdk.org> wrote:
>> Adds the RFC 5705/8446 TLS Key Exporters API/implementation to JSSE/SunJSSE respectively.
>>
>> CSR is underway.
>>
>> Tests include new unit tests for TLSv1-1.3. Will run tier1-2, plus the JCK API (jck:api/java_security jck:api/javax_crypto jck:api/javax_net jck:api/javax_security jck:api/org_ietf jck:api/javax_xml/crypto)
>
> Bradford Wetmore has updated the pull request incrementally with one additional commit since the last revision:
>
> Missed one review comment
src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java line 1598:
> 1596: // L length of output keying material in octets
> 1597: // (<= 255*HashLen)
> 1598: if (length >= (255 * cipherSuite.hashAlg.hashLength )) {
The opposite of `<=` is `>`.
src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java line 1650:
> 1648: emptyHash = md.digest();
> 1649: } catch (NoSuchAlgorithmException nsae) {
> 1650: throw new RuntimeException(
We usually throw a `ProviderException` here, when some weird configuration removes a basic hash algorithm.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24976#discussion_r2086821812
PR Review Comment: https://git.openjdk.org/jdk/pull/24976#discussion_r2086826499
More information about the net-dev
mailing list