RFR: 8341346: Add support for exporting TLS Keying Material [v7]
Weijun Wang
weijun at openjdk.org
Wed May 7 16:31:14 UTC 2025
On Wed, 7 May 2025 05:47:30 GMT, Bradford Wetmore <wetmore at openjdk.org> wrote:
>> Adds the RFC 5705/8446 TLS Key Exporters API/implementation to JSSE/SunJSSE respectively.
>>
>> CSR is underway.
>>
>> Tests include new unit tests for TLSv1-1.3. Will run tier1-2, plus the JCK API (jck:api/java_security jck:api/javax_crypto jck:api/javax_net jck:api/javax_security jck:api/org_ietf jck:api/javax_xml/crypto)
>
> Bradford Wetmore has updated the pull request incrementally with one additional commit since the last revision:
>
> Updated to use the upcoming KDF (still in preview) + bits of JDK-8353578 for compilation)
src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java line 1694:
> 1692:
> 1693: // ...now the final expand.
> 1694: SecretKey key = hkdf.deriveKey(label,
PKCS #11 is picky about key algorithm names and I'm not sure if `label` is always accepted. The KDF API has the algorithm in the method arguments so it's left to user to specify one. I'm not sure how the export keying material will be used. If it is used in encryption, the algorithm may need to be something like "AES".
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24976#discussion_r2078033799
More information about the security-dev
mailing list