RFR: 8353578: Refactor existing usage of internal HKDF impl to use the KDF API [v6]
Sean Mullan
mullan at openjdk.org
Wed Apr 30 15:59:55 UTC 2025
On Tue, 29 Apr 2025 21:44:26 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
>> This PR removes the internal JSSE HKDF impl and changes to use the KDF API for the HKDF support from JCA/JCE providers.
>>
>> This is just code refactoring. Known-answer regression test for the internal JSSE HKDF impl is removed as the test vectors are already covered by the HKDF impl in SunJCE provider.
>>
>> Thanks in advance for the review~
>
> Valerie Peng has updated the pull request incrementally with one additional commit since the last revision:
>
> Add comment about not using the same HKDF instance.
src/java.base/share/classes/sun/security/ssl/ServerHello.java line 624:
> 622:
> 623: SSLKeyDerivation handshakeKD = ke.createKeyDerivation(shc);
> 624: SecretKey handshakeSecret = handshakeKD.deriveKey(
It looks like this can be cleared after it is used to derive the key. Similar comment on line 1310.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24393#discussion_r2068969063
More information about the security-dev
mailing list