8347289: HKDF delayed provider selection failed with non-extractable PRK #22976
👋 Welcome back weijun! A progress list of the required criteria for merging this PR into
@wangweij This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 55 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the
@@ -180,8 +180,8 @@ protected byte[] engineDeriveData(AlgorithmParameterSpec derivationSpec) | |||
} else if (derivationSpec instanceof HKDFParameterSpec.Expand anExpand) { | |||
// set this value in the "if" | |||
if ((pseudoRandomKey = anExpand.prk().getEncoded()) == null) { | |||
throw new AssertionError( | |||
"PRK is required for HKDFParameterSpec.Expand"); | |||
throw new InvalidAlgorithmParameterException( |
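Review bot: The test in if ((pseudoRandomKey = anExpand.prk().getEncoded()) == null) only catches a key that returns no encoding; a key that returns bytes in a format other than RAW would pass this check and have those bytes used as the PRK. Consider also checking anExpand.prk().getFormat() before accepting the bytes and reporting that case with the same InvalidAlgorithmParameterException. As a style point, the assignment inside the condition only reads clearly because of the "set this value in the if" comment; assigning on one line and testing for null on the next would make that comment unnecessary.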
My only question here is whether the Expand could be created without a PRK for any other reason besides it being non-extractable. If we think so (even if it's just user-error), then perhaps the wording of the message for the IAPE should be revised from the currently proposed text.
In the creation of the Expand object, we've already guaranteed that the PRK object must be non-null. The only problem here is its encoding.
I don't want to explicitly mention the null encoding so the wording is a little vague. What do you suggest?
Ah, you're right. I wondered if it was just the encoding that was null in this case, rather than the object itself. I didn't double-check but just read through the delta.
I think your wording should suffice, upon further reflection. It would be overly verbose to say something like "Cannot retrieve PRK bytes ..." or even "Cannot retrieve encoded PRK bytes ...".
This is probably fine to leave as-is.
Looks good to me.
/integrate
Going to push as commit db7fa6a.
Your commit was automatically rebased without conflicts.
/backport :jdk24
@wangweij the backport was successfully created on the branch backport-wangweij-db7fa6a2-jdk24 in my personal fork of openjdk/jdk. To create a pull request with this backport targeting openjdk/jdk:jdk24, just click the following link: The title of the pull request is automatically filled in correctly and below you find a suggestion for the pull request body:
If you need to update the source branch of the pull then run the following commands in a local clone of your personal fork of openjdk/jdk:
A non-extractable PRK in HKDF Expand-Only is an invalid input, not an internal error.
Reviewing
Using git
Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/22976/head:pull/22976
$ git checkout pull/22976
Update a local copy of the PR:
$ git checkout pull/22976
$ git pull https://git.openjdk.org/jdk.git pull/22976/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 22976
View PR using the GUI difftool:
$ git pr show -t 22976
Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/22976.diff
Using Webrev
Link to Webrev Comment