RFR: 8341346: Add support for exporting TLS Keying Material [v3]
Artur Barashev
abarashev at openjdk.org
Thu May 1 18:28:47 UTC 2025
On Wed, 30 Apr 2025 23:38:03 GMT, Bradford Wetmore <wetmore at openjdk.org> wrote:
>> Adds the RFC 5705/8446 TLS Key Exporters API/implementation to JSSE/SunJSSE respectively.
>>
>> CSR is underway.
>>
>> Tests include new unit tests for TLSv1-1.3. Will run tier1-2, plus the JCK API (jck:api/java_security jck:api/javax_crypto jck:api/javax_net jck:api/javax_security jck:api/org_ietf jck:api/javax_xml/crypto)
>
> Bradford Wetmore has updated the pull request incrementally with one additional commit since the last revision:
>
> Moved too fast
test/jdk/javax/net/ssl/ExtendedSSLSession/TLSKeyExporters.java line 277:
> 275: private static void runExporterTests(
> 276: ExtendedSSLSession cessls,
> 277: ExtendedSSLSession sessls) throws Exception {
Replace with `clientSession` and `serverSession` for readability?
test/jdk/javax/net/ssl/ExtendedSSLSession/TLSKeyExporters.java line 296:
> 294: // Inputs exactly equal. Use exportKeyMaterialKey()
> 295: clientBytes = cessls.exportKeyMaterialKey("hello",
> 296: bytes, 128).getEncoded();
Should we add tests with EKM material length other than 128?
test/jdk/javax/net/ssl/ExtendedSSLSession/TLSKeyExporters.java line 324:
> 322: serverBytes = sessls.exportKeyMaterialData("goodbye",
> 323: bytes, 128);
> 324: if (Arrays.equals(clientBytes, serverBytes)) {
Replace with `assertEquals/assertNotEquals` this and other test cases?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24976#discussion_r2070621428
PR Review Comment: https://git.openjdk.org/jdk/pull/24976#discussion_r2070623132
PR Review Comment: https://git.openjdk.org/jdk/pull/24976#discussion_r2070624936
More information about the security-dev
mailing list