On Thu, 4 Dec 2025 14:50:32 GMT, Weijun Wang <[email protected]> wrote:
>> Hai-May Chao has updated the pull request incrementally with one additional
>> commit since the last revision:
>>
>> Remove null check to not assume key is returned
>
> src/java.base/share/classes/sun/security/ssl/Hybrid.java line 459:
>
>> 457:
>> 458: static boolean isXDH(String name) {
>> 459: return name != null && name.equals("X25519");
>
> Can `name` in the two methods above be null? This might be hiding a bug.
>
> Also, I think it's not worth putting them into a separate class `APS`.
Removed class `APS` (and checking null name).
> src/java.base/share/classes/sun/security/ssl/KAKeyDerivation.java line 184:
>
>> 182: KEM.getInstance(algorithmName, provider) :
>> 183: KEM.getInstance(algorithmName);
>> 184: KEM.Encapsulator e = kem.newEncapsulator(pk);
>
> `newEncapsulator` is called without an `SecureRandom` argument. Is this
> intended? Otherwise, we had a chance to pass in a user-provided random when
> `KEMSenderPossession` is created and it can be passed here.
Fixed. Creating a `KEMSenderPossession` should have started with a
`SecureRandom`.
> src/java.base/share/classes/sun/security/ssl/KEMKeyExchange.java line 116:
>
>> 114: private final PublicKey publicKey;
>> 115:
>> 116: KEMReceiverPossession(NamedGroup namedGroup, SecureRandom
>> random) {
>
> `random` is ignored. Is this intended?
Fixed. `random` should be used in `kpg.initialize()`.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27614#discussion_r2593270703
PR Review Comment: https://git.openjdk.org/jdk/pull/27614#discussion_r2593271507
PR Review Comment: https://git.openjdk.org/jdk/pull/27614#discussion_r2593271045
