On Fri, 25 Apr 2025 18:40:17 GMT, Valerie Peng <valer...@openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/ssl/KAKeyDerivation.java line 131: >> >>> 129: >>> 130: // derive handshake secret >>> 131: return hkdf.deriveKey(type, HKDFParameterSpec.ofExtract() >> >> The line above may fail because the `hkdf` object has been used once on line >> 121 with zero-valued salt and IKM, which selected the software-based HKDF >> from SunJCE. At this point, however, `sharedSecret` is the result of ECDH >> and may be non-extractable if produced by an HSM, making it incompatible >> with the SunJCE implementation. To avoid this issue, get a new `hkdf` by >> calling `hkdf = KDF.getInstance(hashAlg.hkdfAlgorithm)` before this line. > > Hmm, ok, interesting scenario. I add another `KDF.getInstance()` call as you > suggested just to be safe. I think that deserves a code comment; it's far from obvious why we do that. Also, we will make P11 work with zero-valued salt soon. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/24393#discussion_r2060870152
