RFR: 8325513: Export method for Cipher [v3]
Anthony Scarpino
ascarpino at openjdk.org
Sat May 11 03:36:09 UTC 2024
On Fri, 10 May 2024 22:40:30 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> One use case for this method is HPKE key export. Obviously, the exported key won't have algorithm name being "HPKE".
If `Cipher::init` is passed an AES SecretKey, wouldn't the `Cipher::export` return an AES SecretKey? I don't see the case where it is anything but the original key's algorithm.
This concern comes from the lack of a requirements on value being an algorithm name, and our provider usage is inconsistent with it to. If my memory is correct, SunJCE requires "AES", but other algorithms we don't. So having the user define this value leaves a grey area where users may enter anything. Or in the worse case, the developer not knowing what the key algorithm is (AES or CC20) and needs to keep track of it.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/18409#issuecomment-2105512786
More information about the security-dev
mailing list