On Tue, 29 Apr 2025 21:44:26 GMT, Valerie Peng <valer...@openjdk.org> wrote:
>> This PR removes the internal JSSE HKDF impl and changes to use the KDF API >> for the HKDF support from JCA/JCE providers. >> >> This is just code refactoring. Known-answer regression test for the internal >> JSSE HKDF impl is removed as the test vectors are already covered by the >> HKDF impl in SunJCE provider. >> >> Thanks in advance for the review~ > > Valerie Peng has updated the pull request incrementally with one additional > commit since the last revision: > > Add comment about not using the same HKDF instance. src/java.base/share/classes/sun/security/ssl/ServerHello.java line 624: > 622: > 623: SSLKeyDerivation handshakeKD = ke.createKeyDerivation(shc); > 624: SecretKey handshakeSecret = handshakeKD.deriveKey( It looks like this can be cleared after it is used to derive the key. Similar comment on line 1310. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/24393#discussion_r2068969063
