On Thu, 15 May 2025 04:26:30 GMT, Bradford Wetmore <[email protected]> wrote:
>> src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java line 1682:
>>
>>> 1680: // ...now the final expand.
>>> 1681: return (deriveKey ?
>>> 1682:
>>> hkdf.deriveKey("TlsExporterKeyingMaterial",
>>
>> Using a registered algorithm will make this method work, but I'm not sure if
>> the resulting key can be used further. Do you know any typical use cases for
>> the EKM?
>
> From a previous comment:
>
> IIUC, the exported keying material can be used for any purpose or algorithm,
> so we really can't make an good educated guess what it might be. They could
> be Keys (Ciphers), byte array/value challenges, or even just data that will
> be signed. This is just doing a quick read of some of the IANA definitions
> which link to some of the known use cases:
>
>
> https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels
Personally, I would like to give user the chance to specify the algorithm
themselves. A "TlsExporterKeyingMaterial" key will not be accepted by an AES
cipher. If you are not ready for this, I'd rather only provide the
`exportKeyingMaterialData` method now.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/24976#discussion_r2091851924
