RFR: 8353578: Refactor existing usage of internal HKDF impl to use the KDF API
Bradford Wetmore
wetmore at openjdk.org
Fri Apr 4 23:07:49 UTC 2025
On Wed, 2 Apr 2025 21:43:19 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
> This PR removes the internal JSSE HKDF impl and changes to use the KDF API for the HKDF support from JCA/JCE providers.
>
> This is just code refactoring. Known-answer regression test for the internal JSSE HKDF impl is removed as the test vectors are already covered by the HKDF impl in SunJCE provider.
>
> Thanks in advance for the review~
The rest looks good.
Nice to get this done finally!
src/java.base/share/classes/sun/security/ssl/Utilities.java line 150:
> 148: String sanitizedAlg = digestAlg.replace("-", "");
> 149: return switch (sanitizedAlg) {
> 150: case "SHA256", "SHA384", "SHA512" -> "HKDF-" + sanitizedAlg;
This is a nit, but currently we don't have SHA512 in `CipherSuite.HashAlg`. You can leave it for any future enhancements.
-------------
Marked as reviewed by wetmore (Reviewer).
PR Review: https://git.openjdk.org/jdk/pull/24393#pullrequestreview-2744199375
PR Review Comment: https://git.openjdk.org/jdk/pull/24393#discussion_r2029495768
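
The KDF API path that the PR description refers to, as an added example that is not part of the original message or the PR's code. It assumes a JDK where `javax.crypto.KDF` is available (final in JDK 25); the class name, helper names, the `default` branch and the sample inputs are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.KDF;
import javax.crypto.SecretKey;
import javax.crypto.spec.HKDFParameterSpec;

public class HkdfViaKdfApi {
    // Hypothetical helper modelled on the mapping quoted in the review; the
    // default branch is an assumption, the quoted excerpt does not show one.
    static String hkdfAlgFor(String digestAlg) {
        String sanitizedAlg = digestAlg.replace("-", "");
        return switch (sanitizedAlg) {
            case "SHA256", "SHA384", "SHA512" -> "HKDF-" + sanitizedAlg;
            default -> throw new IllegalArgumentException("No HKDF for " + digestAlg);
        };
    }

    // One-shot HKDF: Extract then Expand inside the provider.
    static byte[] oneShot(KDF hkdf, byte[] ikm, byte[] salt, byte[] info, int len)
            throws GeneralSecurityException {
        return hkdf.deriveData(HKDFParameterSpec.ofExtract()
                .addIKM(ikm).addSalt(salt).thenExpand(info, len));
    }

    // Two-step HKDF: keep the PRK as a SecretKey, then expand from it.
    static byte[] twoStep(KDF hkdf, byte[] ikm, byte[] salt, byte[] info, int len)
            throws GeneralSecurityException {
        SecretKey prk = hkdf.deriveKey("Generic", HKDFParameterSpec.ofExtract()
                .addIKM(ikm).addSalt(salt).extractOnly());
        return hkdf.deriveData(HKDFParameterSpec.expandOnly(prk, info, len));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample inputs, not real key material.
        byte[] ikm = new byte[32];
        Arrays.fill(ikm, (byte) 0x0b);
        byte[] salt = {0, 1, 2, 3, 4, 5, 6, 7};
        byte[] info = "example context".getBytes(StandardCharsets.US_ASCII);
        for (String digest : new String[] {"SHA-256", "SHA-384"}) {
            KDF hkdf = KDF.getInstance(hkdfAlgFor(digest));
            byte[] a = oneShot(hkdf, ikm, salt, info, 42);
            byte[] b = twoStep(hkdf, ikm, salt, info, 42);
            if (!MessageDigest.isEqual(a, b)) throw new AssertionError(digest + ": outputs differ");
            System.out.println(hkdf.getAlgorithm() + " ok, " + a.length + " bytes derived");
        }
    }
}
```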