RFR: 8331008: Implement JEP 478: Key Derivation Function API (Preview) [v65]
Weijun Wang
weijun at openjdk.org
Tue May 14 23:30:13 UTC 2024
On Tue, 14 May 2024 22:14:47 GMT, Kevin Driver <kdriver at openjdk.org> wrote:
>> Introduce an API for Key Derivation Functions (KDFs), which are cryptographic algorithms for deriving additional keys from a secret key and other data. See [JEP 478](https://openjdk.org/jeps/478).
>
> Kevin Driver has updated the pull request incrementally with one additional commit since the last revision:
>
> re-enable Delayed Provider test
Some more comments on `HkdfKeyDerivation.java`.
src/java.base/share/classes/com/sun/crypto/provider/HkdfKeyDerivation.java line 97:
> 95: throw new InvalidParameterSpecException(
> 96: "the algorithm for the resultant SecretKey may not be null or"
> 97: + " empty");
I think this should be an `IllegalArgumentException`.
src/java.base/share/classes/com/sun/crypto/provider/HkdfKeyDerivation.java line 136:
> 134: // we should be able to combine these Lists of keys into single
> 135: // SecretKey Objects,
> 136: // unless we were passed something bogus or an unexportable P11 key
There is a bug here. `consolidateKeyMaterial()` returns the key if it's the only one in `ikms`, without checking if it's "bogus". Then, it is passed into `hkdfExtract` and very unfortunately `hmacObj.doFinal(null)` doesn't make any noise.
Same in ExtractThenExpand.
src/java.base/share/classes/com/sun/crypto/provider/HkdfKeyDerivation.java line 156:
> 154: // This is bubbling up from the getInstance of the Mac/Hmac.
> 155: // Since we're defining these values internally, it should be
> 156: // safe to "eat" this NSAE.
This could happen if someone filters out the required algorithms. In this case, we usually throw a `ProviderException`.
There are similar cases below.
src/java.base/share/classes/com/sun/crypto/provider/HkdfKeyDerivation.java line 364:
> 362: }
> 363:
> 364: return kdfOutput;
Since `deriveKey` is now calling `deriveData`, I suggest checking if `outLen` is the same as the length `kdfOutput` here and call `copyOf` if not. There is no need to call it in `deriveData`.
src/java.base/share/classes/com/sun/crypto/provider/HkdfKeyDerivation.java line 370:
> 368: public HkdfSHA256(AlgorithmParameterSpec algParameterSpec)
> 369: throws InvalidAlgorithmParameterException,
> 370: NoSuchAlgorithmException {
You should not throw `NoSuchAlgorithmException` here. This constructor will be directly called by JCA framework and must conform to the spec described in `KDFSpi` that it can only throw `InvalidAlgorithmParameterException`.
-------------
PR Review: https://git.openjdk.org/jdk/pull/18924#pullrequestreview-2056627780
PR Review Comment: https://git.openjdk.org/jdk/pull/18924#discussion_r1600771294
PR Review Comment: https://git.openjdk.org/jdk/pull/18924#discussion_r1600771763
PR Review Comment: https://git.openjdk.org/jdk/pull/18924#discussion_r1600772561
PR Review Comment: https://git.openjdk.org/jdk/pull/18924#discussion_r1600774835
PR Review Comment: https://git.openjdk.org/jdk/pull/18924#discussion_r1600775715
More information about the security-dev
mailing list