RFR: 8314323: Implement JEP 527: TLS 1.3 Hybrid Key Exchange [v16]
Weijun Wang
weijun at openjdk.org
Sat Dec 6 18:10:15 UTC 2025
On Sat, 6 Dec 2025 17:24:55 GMT, Hai-May Chao <hchao at openjdk.org> wrote:
>> Implement hybrid key exchange support for TLS 1.3 by adding three post-quantum hybrid named groups: X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1MLKEM1024.
>> Please see [JEP 527](https://openjdk.org/jeps/527) for details about this change.
>
> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>
> Updates with Brad's comments
src/java.base/share/classes/sun/security/ssl/DHasKEM.java line 38:
> 36: import javax.crypto.KeyAgreement;
> 37: import javax.crypto.SecretKey;
> 38: import javax.crypto.spec.SecretKeySpec;
Useless import.
src/java.base/share/classes/sun/security/ssl/Hybrid.java line 41:
> 39: import java.security.InvalidAlgorithmParameterException;
> 40: import java.security.InvalidKeyException;
> 41: import java.security.InvalidParameterException;
Useless import.
src/java.base/share/classes/sun/security/ssl/Hybrid.java line 144:
> 142: throw new ProviderException("Failed to initialize hybrid " +
> 143: "keypair generator", e);
> 144: }
No need to catch either of the exceptions.
src/java.base/share/classes/sun/security/ssl/Hybrid.java line 363:
> 361: @Override
> 362: public SecretKey engineDecapsulate(byte[] encapsulation, int from,
> 363: int to, String algorithm) throws DecapsulateException {
You might want to check the length of `encapsulation`.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27614#discussion_r2595183964
PR Review Comment: https://git.openjdk.org/jdk/pull/27614#discussion_r2595195602
PR Review Comment: https://git.openjdk.org/jdk/pull/27614#discussion_r2595182671
PR Review Comment: https://git.openjdk.org/jdk/pull/27614#discussion_r2595203845
More information about the security-dev
mailing list