RFR: 8331008: Implement JEP 478: Key Derivation Function API (Preview) [v22]
Viktor Klang
vklang at openjdk.org
Thu Sep 5 15:18:07 UTC 2024
On Fri, 30 Aug 2024 23:26:12 GMT, Kevin Driver <kdriver at openjdk.org> wrote:
>> Introduce an API for Key Derivation Functions (KDFs), which are cryptographic algorithms for deriving additional keys from a secret key and other data. See [JEP 478](https://openjdk.org/jeps/478).
>>
>> Work was begun in [another PR](https://github.com/openjdk/jdk/pull/18924).
>
> Kevin Driver has updated the pull request incrementally with one additional commit since the last revision:
>
> change impl class to use byte arrays rather than SecretKey objects where possible
src/java.base/share/classes/com/sun/crypto/provider/HkdfKeyDerivation.java line 167:
> 165: // Since we're defining these values internally, it is unlikely.
> 166: throw new ProviderException(
> 167: "could not instantiate a Mac with the provided algorithm",
There's a bit of inconsistency in using capitalization on abbreviations, examples are: "HKDF" vs "Mac"/"Hmac" vs "ikm". I'd suggest aligning with prior art and use that consistently.
src/java.base/share/classes/com/sun/crypto/provider/HkdfKeyDerivation.java line 354:
> 352: // sized the buffers to their largest possible size up-front,
> 353: // but just in case...
> 354: throw new RuntimeException(sbe);
If this is truly something which should not be possible, it might be better to throw an InternalError.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/20301#discussion_r1745737456
PR Review Comment: https://git.openjdk.org/jdk/pull/20301#discussion_r1745742211
More information about the security-dev
mailing list