On Wed, 2 Apr 2025 23:22:40 GMT, Weijun Wang <[email protected]> wrote:
>> This PR removes the internal JSSE HKDF impl and changes to use the KDF API
>> for the HKDF support from JCA/JCE providers.
>>
>> This is just code refactoring. Known-answer regression test for the internal
>> JSSE HKDF impl is removed as the test vectors are already covered by the
>> HKDF impl in SunJCE provider.
>>
>> Thanks in advance for the review~
>
> src/java.base/share/classes/sun/security/ssl/KAKeyDerivation.java line 120:
>
>> 118: SecretKey earlySecret = hkdf.deriveKey("TlsEarlySecret",
>> 119: HKDFParameterSpec.ofExtract().addSalt(zeros)
>> 120: .addIKM(ikm).extractOnly());
>
> Maybe no need for `addSalt(zeros)`. I remember salt is by default zeros for
> HKDF.
Yes, I am on the fence about this. Given the specified value is the same as the
default, it can be removed. I kept it there so the new code matches the
original code completely. Not much difference either way I think.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24393#discussion_r2025829592
