RFR: 8325448: Hybrid Public Key Encryption [v18]

Sean Mullan mullan at openjdk.org
Thu May 1 15:18:53 UTC 2025 

On Thu, 24 Apr 2025 21:24:49 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Implement HPKE as defined in https://datatracker.ietf.org/doc/rfc9180/.
>> ![HPKEParameterSpec · 11 54 · 04-21](https://github.com/user-attachments/assets/da309585-db51-40d6-b291-3d38040d6292)
>
> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
> 
>   engineGetBlockSize and engineGetOutputSize returns 0 when not initialized

src/java.base/share/classes/javax/crypto/spec/snippet-files/PackageSnippets.java line 46:

> 44:         senderCipher.init(Cipher.ENCRYPT_MODE, kp.getPublic(), ps);
> 45: 
> 46:         // Retrieve the actual parameters used from the sender.

"from the sender" sound like it is being retrieved from the sender side over the network. Suggest replacing this with "from the senderCipher".

src/java.base/share/classes/javax/crypto/spec/snippet-files/PackageSnippets.java line 50:

> 48:                 .getParameterSpec(HPKEParameterSpec.class);
> 49: 
> 50:         // Retrieve the key encapsulation message (the KEM output) from the sender.

Same comment as above about "from the sender".

src/java.base/share/classes/javax/crypto/spec/snippet-files/PackageSnippets.java line 51:

> 49: 
> 50:         // Retrieve the key encapsulation message (the KEM output) from the sender.
> 51:         // It can also be retrieved using sender.getIV().

s/sender/senderCipher/

src/java.base/share/classes/javax/crypto/spec/snippet-files/PackageSnippets.java line 54:

> 52:         byte[] kemEncap = actual.encapsulation();
> 53: 
> 54:         // The HPKE recipient side is initialized with its own private key,

This is a question, not a comment. How does the recipient know what algorithm identifiers to use? Would these be exchanged as part of a protocol that used HPKE?

src/java.base/share/classes/javax/crypto/spec/snippet-files/PackageSnippets.java line 60:

> 58:         HPKEParameterSpec pr = HPKEParameterSpec
> 59:                 .of(actual.kem_id(), actual.kdf_id(), actual.aead_id())
> 60:                 .info("app_info".getBytes(StandardCharsets.UTF_8))

Question, not necessarily a comment. Why is info also needed for decryption? Isn't it only needed on the encryption side when deriving the key?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/18411#discussion_r2070378295
PR Review Comment: https://git.openjdk.org/jdk/pull/18411#discussion_r2070378786
PR Review Comment: https://git.openjdk.org/jdk/pull/18411#discussion_r2070381394
PR Review Comment: https://git.openjdk.org/jdk/pull/18411#discussion_r2070382844
PR Review Comment: https://git.openjdk.org/jdk/pull/18411#discussion_r2070394105

More information about the security-dev mailing list