RFR: 8331008: Implement JEP 478: Key Derivation Function API (Preview) [v26]
Kevin Driver
kdriver at openjdk.org
Wed May 15 15:47:16 UTC 2024
On Tue, 14 May 2024 21:26:02 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> First, very wrong parameters (say, null info, negative length) should not be create-able at all.
>>
>> Then, in some cases, "correct" parameters could still be "invalid". For example, HKDF expand key length cannot exceed HashLen * 255, but HashLen is determined by the KDF algorithm. In this case, maybe an `InvalidAlgorithmParameterException` should be thrown because it does not conform to the spec.
>>
>> Sometimes the implementation just does not support some parameters. For example, in PKCS #11 you cannot provide an arbitrary string as the algorithm name. Also, only if HKDF expand "info" is a well-known value that's recognized by the underlying implementation, `deriveData` is able to return a byte array. See 7a in https://docs.oasis-open.org/pkcs11/pkcs11-profiles/v3.1/os/pkcs11-profiles-v3.1-os.html#_Toc142307348. In these cases, maybe an `UnsupportedOperationException` should be thrown because the implementation does not support them.
>
> Let's leave it as is for now, but make a note to revisit this later.
Ack.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/18924#discussion_r1601879243
More information about the security-dev
mailing list