RFR: 8353578: Refactor existing usage of internal HKDF impl to use the KDF API [v4]
Daniel Jeliński
djelinski at openjdk.org
Fri Apr 25 10:43:57 UTC 2025
On Thu, 17 Apr 2025 21:35:36 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
>> This PR removes the internal JSSE HKDF impl and changes to use the KDF API for the HKDF support from JCA/JCE providers.
>>
>> This is just code refactoring. Known-answer regression test for the internal JSSE HKDF impl is removed as the test vectors are already covered by the HKDF impl in SunJCE provider.
>>
>> Thanks in advance for the review~
>
> Valerie Peng has updated the pull request incrementally with one additional commit since the last revision:
>
> Undo the special workaround for JSSE in PKCS11 HKDF impl.
still LGTM.
src/java.base/share/classes/com/sun/crypto/provider/DHKEM.java line 260:
> 258: if (eae_prk instanceof SecretKeySpec s) {
> 259: SharedSecrets.getJavaxCryptoSpecAccess()
> 260: .clearSecretKeySpec(s);
I wish we could use `s.destroy()` here instead.
-------------
Marked as reviewed by djelinski (Reviewer).
PR Review: https://git.openjdk.org/jdk/pull/24393#pullrequestreview-2793711649
PR Review Comment: https://git.openjdk.org/jdk/pull/24393#discussion_r2059999631
More information about the security-dev
mailing list