On Thu, 24 Apr 2025 21:24:49 GMT, Weijun Wang <wei...@openjdk.org> wrote:

>> Implement HPKE as defined in https://datatracker.ietf.org/doc/rfc9180/.
>> ![HPKEParameterSpec · 11 54 · 
>> 04-21](https://github.com/user-attachments/assets/da309585-db51-40d6-b291-3d38040d6292)
>
> Weijun Wang has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   engineGetBlockSize and engineGetOutputSize returns 0 when not initialized

src/java.base/share/classes/javax/crypto/spec/snippet-files/PackageSnippets.java line 46:

> 44:         senderCipher.init(Cipher.ENCRYPT_MODE, kp.getPublic(), ps);
> 45: 
> 46:         // Retrieve the actual parameters used from the sender.

"from the sender" sounds like it is being retrieved from the sender side over 
the network. Suggest replacing this with "from the senderCipher".

src/java.base/share/classes/javax/crypto/spec/snippet-files/PackageSnippets.java line 50:

> 48:                 .getParameterSpec(HPKEParameterSpec.class);
> 49: 
> 50:         // Retrieve the key encapsulation message (the KEM output) from the sender.

Same comment as above about "from the sender".

src/java.base/share/classes/javax/crypto/spec/snippet-files/PackageSnippets.java line 51:

> 49: 
> 50:         // Retrieve the key encapsulation message (the KEM output) from the sender.
> 51:         // It can also be retrieved using sender.getIV().

s/sender/senderCipher/

src/java.base/share/classes/javax/crypto/spec/snippet-files/PackageSnippets.java line 54:

> 52:         byte[] kemEncap = actual.encapsulation();
> 53: 
> 54:         // The HPKE recipient side is initialized with its own private key,

This is a question, not a comment. How does the recipient know what algorithm 
identifiers to use? Would these be exchanged as part of a protocol that used 
HPKE?

src/java.base/share/classes/javax/crypto/spec/snippet-files/PackageSnippets.java line 60:

> 58:         HPKEParameterSpec pr = HPKEParameterSpec
> 59:                 .of(actual.kem_id(), actual.kdf_id(), actual.aead_id())
> 60:                 .info("app_info".getBytes(StandardCharsets.UTF_8))

Question, not necessarily a comment. Why is info also needed for decryption? 
Isn't it only needed on the encryption side when deriving the key?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/18411#discussion_r2070378295
PR Review Comment: https://git.openjdk.org/jdk/pull/18411#discussion_r2070378786
PR Review Comment: https://git.openjdk.org/jdk/pull/18411#discussion_r2070381394
PR Review Comment: https://git.openjdk.org/jdk/pull/18411#discussion_r2070382844
PR Review Comment: https://git.openjdk.org/jdk/pull/18411#discussion_r2070394105
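
An added illustration for the two questions in the message above (not part of the original message and not JDK code): a minimal Python sketch of the RFC 9180 section 5.1 key schedule for mode_base with HKDF-SHA256, showing that `info` and the three algorithm identifiers are inputs to the derived key and base nonce on both the sender and the recipient side. The shared secret is a constructed placeholder for the KEM output, and the function names are assumptions made for this example.

```python
import hashlib
import hmac

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def key_schedule(shared_secret, info, kem_id=0x0020, kdf_id=0x0001,
                 aead_id=0x0001, nk=16, nn=12):
    """RFC 9180 KeySchedule, mode_base, empty psk/psk_id -> (key, base_nonce).

    The hash is fixed to SHA-256 here, so only kdf_id 0x0001 matches the RFC;
    the ids are parameters to show that suite_id binds them into the output.
    """
    suite_id = b"HPKE" + b"".join(i.to_bytes(2, "big")
                                  for i in (kem_id, kdf_id, aead_id))

    def labeled_extract(salt, label, ikm):
        return hkdf_extract(salt, b"HPKE-v1" + suite_id + label + ikm)

    def labeled_expand(prk, label, ctx, length):
        labeled = length.to_bytes(2, "big") + b"HPKE-v1" + suite_id + label + ctx
        return hkdf_expand(prk, labeled, length)

    psk_id_hash = labeled_extract(b"", b"psk_id_hash", b"")
    info_hash = labeled_extract(b"", b"info_hash", info)   # info enters here
    context = b"\x00" + psk_id_hash + info_hash            # 0x00 = mode_base
    secret = labeled_extract(shared_secret, b"secret", b"")
    return (labeled_expand(secret, b"key", context, nk),
            labeled_expand(secret, b"base_nonce", context, nn))

# Constructed placeholder; in HPKE this comes from KEM Encap()/Decap().
SHARED_SECRET = bytes(range(32))

def demo():
    sender = key_schedule(SHARED_SECRET, b"app_info")
    same = key_schedule(SHARED_SECRET, b"app_info")
    no_info = key_schedule(SHARED_SECRET, b"")
    other_aead = key_schedule(SHARED_SECRET, b"app_info", aead_id=0x0002)
    return sender == same, sender == no_info, sender == other_aead

if __name__ == "__main__":
    print(demo())
```

A recipient that omits `info` or uses a different identifier derives a different AEAD key and nonce, so decryption of the sender's ciphertext fails authentication.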
