RFR: 8331008: Implement JEP 478: Key Derivation Function API (Preview) [v11]

Valerie Peng valeriep at openjdk.org
Fri Aug 16 17:56:56 UTC 2024


On Thu, 15 Aug 2024 21:04:56 GMT, Kevin Driver <kdriver at openjdk.org> wrote:

>> src/java.base/share/classes/com/sun/crypto/provider/HkdfKeyDerivation.java line 124:
>> 
>>> 122:         List<SecretKey> salts;
>>> 123:         SecretKey inputKeyMaterial;
>>> 124:         SecretKey salt;
>> 
>> Looking at the implementation, it seems you can just use byte[] for `inputKeyMaterial` and `salt`. Why bother packaging the bytes into a `SecretKey` object and later calling `getEncoded()` to retrieve it again?
>
> We use SecretKey, because sometimes the raw bytes may not be available to us, for example if it's a hardware key.

Well, you can't handle this case and throw InvalidKeyException when there are such keys. When concatenating key objects, you access the raw bytes one by one and then use the resulting bytes to create a SecretKey object, which is unnecessary...
I've tried making the "SecretKey" to "byte[]" change for `inputKeyMaterial` and `salt` in my local workspace and it simplifies the code.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/20301#discussion_r1720141343
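The point under discussion, as an added example that is not code from the PR or from the JDK: the IKM and salt can live as byte[] inside the implementation, the only place a SecretKey object is actually required is Mac.init(), and a key whose getEncoded() returns null (a hardware-backed, non-extractable key) has to be rejected with InvalidKeyException either way. The helper names, the "Generic" algorithm label and the anonymous non-extractable key are assumptions made for this example; the input and expected PRK are the RFC 5869 Appendix A.1 test case with the IKM split into two chunks to exercise the concatenation.

```java
import java.io.ByteArrayOutputStream;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HexFormat;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class HkdfExtractBytesExample {

    // Flatten a list of SecretKey objects into one byte[] of key material.
    // A key that cannot expose its encoding (hardware-backed) is rejected here,
    // so wrapping the concatenated bytes back into a SecretKey buys nothing.
    // (Hypothetical helper, not the JDK's own code.)
    static byte[] concatKeyMaterial(List<SecretKey> keys) throws InvalidKeyException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (SecretKey k : keys) {
            byte[] enc = k.getEncoded();
            if (enc == null) {
                throw new InvalidKeyException(
                        "key material of a " + k.getAlgorithm() + " key is not extractable");
            }
            out.write(enc, 0, enc.length);
        }
        return out.toByteArray();
    }

    // HKDF-Extract (RFC 5869 section 2.2): PRK = HMAC-Hash(salt, IKM).
    // Both inputs are plain byte[]; the SecretKeySpec exists only because
    // Mac.init() demands a Key object for the HMAC key (the salt).
    static byte[] hkdfExtract(String hmacAlg, byte[] salt, byte[] ikm)
            throws NoSuchAlgorithmException, InvalidKeyException {
        Mac mac = Mac.getInstance(hmacAlg);
        if (salt == null || salt.length == 0) {
            // RFC 5869: a missing salt is HashLen zero bytes
            salt = new byte[mac.getMacLength()];
        }
        mac.init(new SecretKeySpec(salt, hmacAlg));
        return mac.doFinal(ikm);
    }

    public static void main(String[] args) throws Exception {
        HexFormat hex = HexFormat.of();

        // Constructed input: RFC 5869 A.1 (IKM = 22 bytes of 0x0b, salt = 00..0c),
        // with the IKM delivered as two 11-byte SecretKey chunks.
        byte[] chunk = new byte[11];
        Arrays.fill(chunk, (byte) 0x0b);
        List<SecretKey> ikms = List.of(
                new SecretKeySpec(chunk, "Generic"),
                new SecretKeySpec(chunk, "Generic"));
        byte[] salt = hex.parseHex("000102030405060708090a0b0c");

        byte[] prk = hkdfExtract("HmacSHA256", salt, concatKeyMaterial(ikms));
        byte[] expected = hex.parseHex(
                "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5");
        System.out.println("PRK = " + hex.formatHex(prk));
        System.out.println("matches RFC 5869 A.1: " + MessageDigest.isEqual(prk, expected));

        // A non-extractable key: getEncoded() returns null, as a hardware-backed
        // key object would. The concatenation step rejects it before any HMAC runs.
        SecretKey hardwareBacked = new SecretKey() {
            @Override public String getAlgorithm() { return "Generic"; }
            @Override public String getFormat() { return null; }
            @Override public byte[] getEncoded() { return null; }
        };
        try {
            concatKeyMaterial(List.of(hardwareBacked));
            System.out.println("unexpected: non-extractable key was accepted");
        } catch (InvalidKeyException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac HkdfExtractBytesExample.java && java HkdfExtractBytesExample`. The comparison uses MessageDigest.isEqual so the check on the derived PRK is constant-time, which is the habit to keep when a KDF output is ever compared against a stored value.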
