RFR: 8331008: Implement JEP 478: Key Derivation Function API (Preview) [v22]
Sean Mullan
mullan at openjdk.org
Thu Sep 5 19:26:05 UTC 2024
On Fri, 30 Aug 2024 23:26:12 GMT, Kevin Driver <kdriver at openjdk.org> wrote:
>> Introduce an API for Key Derivation Functions (KDFs), which are cryptographic algorithms for deriving additional keys from a secret key and other data. See [JEP 478](https://openjdk.org/jeps/478).
>>
>> Work was begun in [another PR](https://github.com/openjdk/jdk/pull/18924).
>
> Kevin Driver has updated the pull request incrementally with one additional commit since the last revision:
>
> change impl class to use byte arrays rather than SecretKey objects where possible
src/java.base/share/classes/javax/crypto/KDF.java line 89:
> 87: * the {@code deriveKey} or {@code deriveData} method is called, and a provider
> 88: * is chosen that supports the parameters passed to the {@code deriveKey} or
> 89: * {@code deriveData} method. However, if {@code getProviderName} or
This sentence is repeating what you said in the first sentence of the previous paragraph, so I don't think it is needed.
Some suggested re-wordings (and a typo fix on `getKDFParameters` method name), starting this paragraph as:
"If the {@code getProviderName} or {@code getParameters} method is called before the {@code deriveKey} or {@code deriveData} methods, the first provider supporting the KDF algorithm and optional {@code KDFParameters} is chosen. This provider may not support the key material that is subsequently passed to the deriveKey or deriveData methods. Therefore, it is recommended not to call the {@code getProviderName} or {@code getParameters} methods until after a key derivation operation. Once a provider is selected, it cannot be changed."
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/20301#discussion_r1746055279
More information about the security-dev
mailing list