New JEP Draft: Key Derivation Function API
Wei-Jun Wang
weijun.wang at oracle.com
Wed Apr 2 19:00:22 UTC 2025
Hi all,
JEP 478: Key Derivation Function API (Preview) [1] was included in JDK 24. We propose to finalize it in JDK 25 without modification. The new JEP is available at https://openjdk.org/jeps/8353275.
Since JDK 24, a PKCS #11 implementation of HKDF [2] has been integrated into an early build of JDK 25, and several in-progress efforts are using the preview API as-is:
1. A refactoring of the DH-Based Key Encapsulation Mechanism (DHKEM) [3] in its ExtractAndExpand step.
2. An implementation of Hybrid Public Key Encryption (HPKE) [4] in its key schedule setup and secret export.
3. A TLS 1.3 refactoring [5] in its key derivation process.
There has been no feedback suggesting changes to the API. The current set of integrations and refactorings demonstrates that the API is capable and flexible enough to support a variety of use cases as designed.
We welcome your feedback on the proposal.
Thanks,
Weijun
[1] https://openjdk.org/jeps/478
[2] https://bugs.openjdk.org/browse/JDK-8328119
[3] https://github.com/openjdk/jdk/pull/18411/files#diff-f92a5f15c7a2657b5b7e07d3b129ac7e483a25e35982a803fb137e31b4f9211f
[4] https://github.com/openjdk/jdk/pull/18411
[5] https://github.com/openjdk/jdk/pull/23974
More information about the security-dev
mailing list