RFR: 8331008: Implement JEP 478: Key Derivation Function API (Preview) [v10]

Valerie Peng valeriep at openjdk.org
Fri Aug 16 18:21:57 UTC 2024 

On Tue, 13 Aug 2024 00:13:38 GMT, Anthony Scarpino <ascarpino at openjdk.org> wrote:

>> Kevin Driver has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 16 additional commits since the last revision:
>> 
>>  - update test to include Spi updates
>>  - Update with latest from master
>>    
>>    Merge remote-tracking branch 'origin/master' into kdf-jep-wip
>>    # Please enter a commit message to explain why this merge is necessary,
>>    # especially if it merges an updated upstream into a topic branch.
>>    #
>>    # Lines starting with '#' will be ignored, and an empty message aborts
>>    # the commit.
>>  - add engineGetKDFParameters to the KDFSpi
>>  - code review comment fix for javadoc specification
>>  - change course on null return values from derive methods
>>  - code review comments
>>  - threading refactor + code review comments
>>  - review comments
>>  - review comments
>>  - update code snippet type in KDF
>>  - ... and 6 more: https://git.openjdk.org/jdk/compare/ea293934...dd2ee48f
>
> src/java.base/share/classes/com/sun/crypto/provider/HkdfKeyDerivation.java line 258:
> 
>> 256:                 byte[] workItemBytes = CipherCore.getKeyBytes(checkIt);
>> 257:                 return new SecretKeySpec(workItemBytes, "Generic");
>> 258:             } else {
> 
> I think this is less error prone and easier to read than what you have below:
> 
>                 ByteArrayOutputStream os = new ByteArrayOutputStream();
>                 for (SecretKey workItem : localKeys) {
>                     try {
>                         os.write(CipherCore.getKeyBytes(workItem));
>                     } catch (IOException e) {
>                         // won't happen
>                     }
>                 }
>                 return new SecretKeySpec(os.toByteArray(), "Generic");
> 
> And if your concerned about the extra copy from `toByteArray()`, you could consider using an internal class `AEADBufferedStream` which extends ByteArrayOutputStream but will return the internal copy to avoid extra mem allocation.

+1.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/20301#discussion_r1720165489

More information about the security-dev mailing list