# HG changeset patch # User jnimeh # Date 1527867359 25200 # Node ID 0c13b82d3274ef725fcaba9222bdd06f5daae431 # Parent 6a168579df31e885bd50c49a875a5e67fad62e8d Address TLS 1.3 rollup comments in HKDF, CertificateStatus and CertStatusExtension Summary: Address TLS 1.3 rollup comments in HKDF, CertificateStatus and CertStatusExtension diff -r 6a168579df31 -r 0c13b82d3274 src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java --- a/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java Fri Jun 01 08:11:45 2018 -0700 +++ b/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java Fri Jun 01 08:35:59 2018 -0700 @@ -323,7 +323,6 @@ final List responderIds; final List extensions; - private final int encodedLen; private final int ridListLen; private final int extListLen; @@ -356,7 +355,6 @@ throw new SSLProtocolException( "Invalid OCSP status request: insufficient data"); } - this.encodedLen = encoded.length; List rids = new ArrayList<>(); List exts = new ArrayList<>(); @@ -424,7 +422,6 @@ String ridStr = ""; if (!responderIds.isEmpty()) { ridStr = responderIds.toString(); - } String extsStr = ""; diff -r 6a168579df31 -r 0c13b82d3274 src/java.base/share/classes/sun/security/ssl/CertificateStatus.java --- a/src/java.base/share/classes/sun/security/ssl/CertificateStatus.java Fri Jun 01 08:11:45 2018 -0700 +++ b/src/java.base/share/classes/sun/security/ssl/CertificateStatus.java Fri Jun 01 08:35:59 2018 -0700 @@ -39,7 +39,37 @@ import static sun.security.ssl.CertificateMessage.*; /** - * Pack of the CertificateStatus handshake message. + * Consumers and producers for the CertificateStatus handshake message. + * This message takes one of two related but slightly different forms, + * depending on the type of stapling selected by the server. The message + * data will be of the form(s): + * + * [status_request, RFC 6066] + * + * struct { + * CertificateStatusType status_type; + * select (status_type) { + * case ocsp: OCSPResponse; + * } response; + * } CertificateStatus; + * + * opaque OCSPResponse<1..2^24-1>; + * + * [status_request_v2, RFC 6961] + * + * struct { + * CertificateStatusType status_type; + * select (status_type) { + * case ocsp: OCSPResponse; + * case ocsp_multi: OCSPResponseList; + * } response; + * } CertificateStatus; + * + * opaque OCSPResponse<0..2^24-1>; + * + * struct { + * OCSPResponse ocsp_response_list<1..2^24-1>; + * } OCSPResponseList; */ final class CertificateStatus { static final SSLConsumer handshakeConsumer = diff -r 6a168579df31 -r 0c13b82d3274 src/java.base/share/classes/sun/security/ssl/HKDF.java --- a/src/java.base/share/classes/sun/security/ssl/HKDF.java Fri Jun 01 08:11:45 2018 -0700 +++ b/src/java.base/share/classes/sun/security/ssl/HKDF.java Fri Jun 01 08:35:59 2018 -0700 @@ -43,7 +43,7 @@ * digest algorithm will be used by the HMAC function as part of the HKDF * derivation process. */ -class HKDF { +final class HKDF { private final String hmacAlg; private final Mac hmacObj; private final int hmacLen; @@ -182,57 +182,4 @@ return new SecretKeySpec(kdfOutput, 0, outLen, keyAlg); } - - /** - * Perform the HKDF Extract-then-Expand operation. - * - * @param inputKey the input keying material provided as a - * {@code SecretKey}. - * @param salt a salt value, implemented as a {@code SecretKey}. A - * {@code null} value is allowed, which will internally use an array of - * zero bytes the same size as the underlying hash output length. - * @param info optional context-specific info. A {@code null} value is - * allowed in which case a zero-length byte array will be used. - * @param outLen the length of the resulting {@code SecretKey} - * @param keyAlg the algorithm name applied to the resulting - * {@code SecretKey} - * - * @return the resulting derivation stored in a {@code SecretKey} object. - * - * @throws InvalidKeyException if initialization of the underlying HMAC - * process fails with the salt during the extract phase, or with the - * resulting PRK during the expand phase. - */ - SecretKey extractExpand(SecretKey inputKey, SecretKey salt, byte[] info, - int outLen, String keyAlg) throws InvalidKeyException { - SecretKey prk = extract(salt, inputKey, "HKDF-PRK"); - return expand(prk, info, outLen, keyAlg); - } - - /** - * Perform the HKDF Extract-then-Expand operation. - * - * @param inputKey the input keying material provided as a - * {@code SecretKey}. - * @param salt a salt value as cleartext bytes. A {@code null} value is - * allowed, which will internally use an array of zero bytes the same - * size as the underlying hash output length. - * @param info optional context-specific info. A {@code null} value is - * allowed in which case a zero-length byte array will be used. - * @param outLen the length of the resulting {@code SecretKey} - * @param keyAlg the algorithm name applied to the resulting - * {@code SecretKey} - * - * @return the resulting derivation stored in a {@code SecretKey} object. - * - * @throws InvalidKeyException if initialization of the underlying HMAC - * process fails with the salt during the extract phase, or with the - * resulting PRK during the expand phase. - */ - SecretKey extractExpand(SecretKey inputKey, byte[] salt, byte[] info, - int outLen, String keyAlg) throws InvalidKeyException { - byte[] saltBytes = (salt != null) ? salt : new byte[hmacLen]; - return extractExpand(inputKey, - new SecretKeySpec(saltBytes, "HKDF-PRK"), info, outLen, keyAlg); - } }