RFR: 8331008: Implement JEP 478: Key Derivation Function API (Preview) [v30]

Sean Mullan mullan at openjdk.org
Thu Sep 12 20:53:29 UTC 2024 

On Wed, 11 Sep 2024 23:06:40 GMT, Kevin Driver <kdriver at openjdk.org> wrote:

>> Introduce an API for Key Derivation Functions (KDFs), which are cryptographic algorithms for deriving additional keys from a secret key and other data. See [JEP 478](https://openjdk.org/jeps/478).
>> 
>> Work was begun in [another PR](https://github.com/openjdk/jdk/pull/18924).
>
> Kevin Driver has updated the pull request incrementally with one additional commit since the last revision:
> 
>   further review comment changes

src/java.base/share/classes/javax/crypto/KDF.java line 82:

> 80:  * ensure that the selected provider can handle the key material that is passed
> 81:  * to those methods - for example, the key material may reside on a
> 82:  * hardware device that only a specific {@code KDF} provider can utilize.

I think we should also add this sentence. This is similar to the provider search algorithm that is documented in all current JCE/JCA getInstance APIs so it is important to repeat it here.

"Once initiated, the selection process traverses the list of registered security providers, starting with the most preferred `Provider`. A new `KDF` object encapsulating the `KDFSpi` implementation from the first provider that supports the specified algorithm and optional parameters is returned."

src/java.base/share/classes/javax/crypto/KDF.java line 281:

> 279:      * Returns a {@code KDF} object that implements the specified algorithm from
> 280:      * the specified security provider. The specified provider must be
> 281:      * registered in the security provider list.

The second sentence should be removed. The Provider is passed in so does not need to be registered.

src/java.base/share/classes/javax/crypto/KDF.java line 461:

> 459:      * Returns a {@code KDF} object that implements the specified algorithm from
> 460:      * the specified provider and is initialized with the specified parameters.
> 461:      * The specified provider must be registered in the security provider list.

The second sentence should be removed. The Provider is passed in so does not need to be registered.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/20301#discussion_r1757561670
PR Review Comment: https://git.openjdk.org/jdk/pull/20301#discussion_r1757565061
PR Review Comment: https://git.openjdk.org/jdk/pull/20301#discussion_r1757565494

More information about the security-dev mailing list