JEP 510: HKDFParameterSpec.expandOnly(byte[] prk)
Daniel Jeliński
djelinski1 at gmail.com
Mon May 19 14:06:30 UTC 2025
Hi Sebastian,
The PRK argument always comes from a LabeledExtract output in the RFC
you cite. You can use extract + thenExpand, or generate key material
for expand with deriveKey. Is there any case where you need the prk as
a byte array?
Note that certain providers (PKCS11) may or may not support
externally-supplied byte arrays as PRK, and should always be used with
a SecretKey.
Regards,
Daniel
pon., 19 maj 2025 o 12:22 Sebastian Stenzel
<sebastian.stenzel at gmail.com> napisał(a):
>
> Hi,
>
> I’m using the HKDF extract and expand steps separately for this step [1] in HPKE.
>
> In this case I need to pass a byte[] prk to expandOnly(…), however the API only accepts a SecretKey, forcing me to wrap the bytes just for them to be unwrapped by the expand operation again. Probably this has already been discussed, so please feel free to point me to any existing rationale.
>
> Otherwise, is it too late to ask you to add a `expandOnly(byte[] prk)` function?
>
> Cheers,
> Sebastian
>
> [1] https://www.rfc-editor.org/rfc/rfc9180#section-4-10
More information about the security-dev
mailing list