On Fri, 9 May 2025 21:38:07 GMT, Bradford Wetmore <wetm...@openjdk.org> wrote:
>> Adds the RFC 5705/8446 TLS Key Exporters API/implementation to JSSE/SunJSSE >> respectively. >> >> CSR is underway. >> >> Tests include new unit tests for TLSv1-1.3. Will run tier1-2, plus the JCK >> API (jck:api/java_security jck:api/javax_crypto jck:api/javax_net >> jck:api/javax_security jck:api/org_ietf jck:api/javax_xml/crypto) > > Bradford Wetmore has updated the pull request with a new target base due to a > merge or a rebase. The pull request now contains 13 commits: > > - Merge branch 'master' into JDK-8341346 > - Adjustments made for JDK-8350830 > - Merge branch 'master' into JDK-8341346 > - Rework to avoid PKCS11 data extraction problems, and enhanced input > verification and unit testing > - More Codereview comments > - Updated to use the upcoming KDF (still in preview) + bits of JDK-8353578 > for compilation) > - Add in the SharedSecrets SecretKeySpec clearing mechanism > - More codereview/CSR comments > - Merge branch 'master' into JDK-8341346 > - Codereview comments. > - ... and 3 more: https://git.openjdk.org/jdk/compare/68a11850...bd227aa8 src/java.base/share/classes/javax/net/ssl/ExtendedSSLSession.java line 172: > 170: * algorithms defined in RFCs 5705/8446. > 171: * <P> > 172: * Note RFC 5705 (for (D)TLSv1.2 and earlier) calculates different > EKM s/Note/Note that/ (or just remove "Note" - don't think it is really necessary). src/java.base/share/classes/javax/net/ssl/ExtendedSSLSession.java line 187: > 185: * > 186: * @implSpec The default implementation throws > 187: * {@code UnsupportedOperationException} Missing period at end of sentence. src/java.base/share/classes/javax/net/ssl/ExtendedSSLSession.java line 192: > 190: * {@code label} will be converted to a {@code byte[]} > 191: * before the operation begins > 192: * @param context the context bytes used in the EKM calculation Add something that says `null` is acceptable. i.e. ", or `null` ..." src/java.base/share/classes/javax/net/ssl/ExtendedSSLSession.java line 195: > 193: * @param length the number of bytes of EKM material needed > 194: * > 195: * @throws SSLKeyException if the key could not be generated I prefer "cannot" (present tense). src/java.base/share/classes/javax/net/ssl/ExtendedSSLSession.java line 204: > 202: * > 203: * @return a {@code SecretKey} that contains {@code length} bytes of > the > 204: * EKM material. no period necessary. src/java.base/share/classes/javax/net/ssl/ExtendedSSLSession.java line 225: > 223: * character encoding. > 224: * <P> > 225: * Depending on the chosen underlying key derivation mechanism, the This reads like it should maybe be an `@apiNote`. src/java.base/share/classes/javax/net/ssl/ExtendedSSLSession.java line 254: > 252: * > 253: * @return a byte array of size {@code length} that contains the EKM > 254: * material, or null if the derived key material does not > support For "or null if the derived key material does not support encoding" why wouldn't an implementation throw UOE instead? ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/24976#discussion_r2084853417 PR Review Comment: https://git.openjdk.org/jdk/pull/24976#discussion_r2084889527 PR Review Comment: https://git.openjdk.org/jdk/pull/24976#discussion_r2084879618 PR Review Comment: https://git.openjdk.org/jdk/pull/24976#discussion_r2084887858 PR Review Comment: https://git.openjdk.org/jdk/pull/24976#discussion_r2084891743 PR Review Comment: https://git.openjdk.org/jdk/pull/24976#discussion_r2084895438 PR Review Comment: https://git.openjdk.org/jdk/pull/24976#discussion_r2084899365
