RFR: 8331008: Implement JEP 478: Key Derivation Function API (Preview) [v20]

Kevin Driver kdriver at openjdk.org
Fri Aug 30 21:48:21 UTC 2024 

On Thu, 29 Aug 2024 00:45:30 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Kevin Driver has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   review comments
>
> src/java.base/share/classes/javax/crypto/spec/HKDFParameterSpec.java line 163:
> 
>> 161:          *
>> 162:          * @implNote An implementation should concatenate the input keying
>> 163:          * materials into a single value once all components are available.
> 
> I'm not sure what "once all components are available" means. Technically, it's "...into a single value and pass it to the HKDF-Extract step".
> 
> Also, this method is for end users. The `@implNote` should be added to `ikms` which is called by an implementation. There you can tell the implementation to do the concatenation.

Addressed in https://github.com/openjdk/jdk/pull/20301/commits/e4400b6edaf69d08726a63e2a705784c731648db. Please confirm if resolved.

> src/java.base/share/classes/javax/crypto/spec/HKDFParameterSpec.java line 322:
> 
>> 320:          * Returns an unmodifiable {@code List} of input keying material values
>> 321:          * in the order they were added. Returns an empty list if there are no
>> 322:          * input keying material values.
> 
> Sean asked about where do the byte array IKMs go. Here you should mention that an IKM added by `{@link #addIKM(byte[])}` is converted to a `SecretKeySpec` object. Same for `salts`. Same as in `ExtractThenExpand`.

Addressed in https://github.com/openjdk/jdk/pull/20301/commits/e4400b6edaf69d08726a63e2a705784c731648db. Please confirm if resolved.

> src/java.base/share/classes/javax/crypto/spec/HKDFParameterSpec.java line 431:
> 
>> 429:          *     modification
>> 430:          * @param length
>> 431:          *     the length of the output keying material (must be > 0 and < 255 *
> 
> Maybe you don't need to talk about the length restriction here. The rule is at input.

Addressed in https://github.com/openjdk/jdk/pull/20301/commits/e4400b6edaf69d08726a63e2a705784c731648db. Please confirm if resolved.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/20301#discussion_r1739436294
PR Review Comment: https://git.openjdk.org/jdk/pull/20301#discussion_r1739436470
PR Review Comment: https://git.openjdk.org/jdk/pull/20301#discussion_r1739436411

More information about the security-dev mailing list