RFR: 8353578: Refactor existing usage of internal HKDF impl to use the KDF API
Bradford Wetmore
wetmore at openjdk.org
Fri Apr 4 23:07:51 UTC 2025
On Thu, 3 Apr 2025 00:51:44 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/ssl/KAKeyDerivation.java line 120:
>>
>>> 118: SecretKey earlySecret = hkdf.deriveKey("TlsEarlySecret",
>>> 119: HKDFParameterSpec.ofExtract().addSalt(zeros)
>>> 120: .addIKM(ikm).extractOnly());
>>
>> Maybe no need for `addSalt(zeros)`. I remember salt is by default zeros for HKDF.
>
> Yes, I am on the fence about this. Given the specified value is the same as the default, it can be removed. I kept it there so the new code matches the original code completely. Not much difference either way I think.
I like having it there to communicate that is really the intent.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24393#discussion_r2029534765
More information about the security-dev
mailing list