RFR: 8353578: Refactor existing usage of internal HKDF impl to use the KDF API [v4]
Valerie Peng
valeriep at openjdk.org
Fri Apr 25 19:10:55 UTC 2025
On Fri, 25 Apr 2025 15:41:09 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Valerie Peng has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Undo the special workaround for JSSE in PKCS11 HKDF impl.
>
> src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java line 851:
>
>> 849: return hkdf.deriveKey("TlsBinderKey",
>> 850: HKDFParameterSpec.expandOnly(earlySecret, hkdfInfo,
>> 851: hashAlg.hashLength));
>
> Is it possible to combine the 2 `deriveKey` calls above into a single Extract-Then-Expand call? Then you don't need to clean up `earlySecret`.
Should be possible, let me give it a try. Thanks~
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24393#discussion_r2060758979
More information about the security-dev
mailing list