RFR: 8189441: Define algorithm names for keys derived from KeyAgreement [v12]
Sean Mullan
mullan at openjdk.org
Wed Jan 8 17:55:56 UTC 2025
On Tue, 7 Jan 2025 19:55:34 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Allow `Generic` as an algorithm in the `KeyAgreement::generateSecret(alg)` method.
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>
> address Sean's comments
A few more minor comments.
src/java.base/share/classes/javax/crypto/KeyAgreement.java line 675:
> 673: * regardless of whether the key is extractable. If {@code algorithm}
> 674: * is specified as "Generic" and it is supported by the implementation,
> 675: * the full shared secret will be returned.
s/will be/is/
src/java.base/share/classes/javax/crypto/KeyAgreementSpi.java line 221:
> 219: * regardless of whether the key is extractable. If {@code algorithm}
> 220: * is specified as "Generic" and it is supported by the implementation,
> 221: * the full shared secret will be returned.
s/will be/is/
src/java.base/share/classes/sun/security/ec/XDHKeyAgreement.java line 214:
> 212: if (!KeyUtil.isSupportedKeyAgreementOutputAlgorithm(algorithm)) {
> 213: throw new NoSuchAlgorithmException(
> 214: "Unsupported secret key algorithm " + algorithm);
Might be clearer to add a `:` after algorithm, also more consistent with DHKeyAgreement.
src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11KeyAgreement.java line 273:
> 271: if (KeyUtil.isSupportedKeyAgreementOutputAlgorithm(algorithm)) {
> 272: // For now, only perform native derivation for TlsPremasterSecret
> 273: // as that is required for FIPS compliance and Generic for KDF.
Suggest breaking into two sentences: "For now, only perform native derivation for TlsPremasterSecret and Generic algorithms. TlsPremasterSecret is required for FIPS compliance and Generic is required for input to KDF."
-------------
PR Review: https://git.openjdk.org/jdk/pull/22650#pullrequestreview-2537785380
PR Review Comment: https://git.openjdk.org/jdk/pull/22650#discussion_r1907571511
PR Review Comment: https://git.openjdk.org/jdk/pull/22650#discussion_r1907571698
PR Review Comment: https://git.openjdk.org/jdk/pull/22650#discussion_r1907558770
PR Review Comment: https://git.openjdk.org/jdk/pull/22650#discussion_r1907564666
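
The behaviour under review, as an added example that is not part of the original message or of the JDK change: two X25519 parties request the full shared secret with `generateSecret("Generic")` and pass it through a KDF instead of using it directly as a cipher key. Assumptions: the JDK in use includes this change and a software provider whose key is extractable (`getEncoded()` returns the bytes); the class name, the `agree` and `hkdf` helpers, the info label and the hand-written single-block HKDF-SHA256 are illustrative.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.SecretKeySpec;

public class GenericSecretDemo {
    // One side of an X25519 agreement; asks for the full shared secret as a key.
    static SecretKey agree(PrivateKey mine, PublicKey theirs) throws GeneralSecurityException {
        KeyAgreement ka = KeyAgreement.getInstance("X25519");
        ka.init(mine);
        ka.doPhase(theirs, true);
        return ka.generateSecret("Generic");
    }

    // HKDF-SHA256 (RFC 5869), one output block: extract with an all-zero salt,
    // then expand to 32 bytes bound to the given info label.
    static SecretKey hkdf(SecretKey ikm, byte[] info, String alg) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(new byte[32], "HmacSHA256"));
        byte[] prk = mac.doFinal(ikm.getEncoded());   // assumes an extractable key
        mac.init(new SecretKeySpec(prk, "HmacSHA256"));
        mac.update(info);
        byte[] okm = mac.doFinal(new byte[] {1});     // T(1) = HMAC(PRK, info || 0x01)
        Arrays.fill(prk, (byte) 0);
        return new SecretKeySpec(okm, alg);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("X25519");
        KeyPair a = kpg.generateKeyPair(), b = kpg.generateKeyPair();
        try {
            SecretKey sa = agree(a.getPrivate(), b.getPublic());
            SecretKey sb = agree(b.getPrivate(), a.getPublic());
            byte[] info = "demo session key".getBytes(StandardCharsets.UTF_8); // constructed label
            SecretKey ka = hkdf(sa, info, "AES"), kb = hkdf(sb, info, "AES");
            System.out.println("secret algorithm: " + sa.getAlgorithm());
            System.out.println("derived keys match: "
                    + MessageDigest.isEqual(ka.getEncoded(), kb.getEncoded()));
        } catch (NoSuchAlgorithmException e) {
            // Implementations without "Generic" support reject the algorithm name.
            System.out.println("\"Generic\" not supported here: " + e.getMessage());
        }
    }
}
```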