Address TLS 1.3 rollup comments in HKDF, CertificateStatus and CertStatusExtension
Summary: Address TLS 1.3 rollup comments in HKDF, CertificateStatus and CertStatusExtension
--- a/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java Fri Jun 01 08:11:45 2018 -0700
+++ b/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java Fri Jun 01 08:35:59 2018 -0700
@@ -323,7 +323,6 @@
final List<ResponderId> responderIds;
final List<Extension> extensions;
- private final int encodedLen;
private final int ridListLen;
private final int extListLen;
@@ -356,7 +355,6 @@
throw new SSLProtocolException(
"Invalid OCSP status request: insufficient data");
}
- this.encodedLen = encoded.length;
List<ResponderId> rids = new ArrayList<>();
List<Extension> exts = new ArrayList<>();
@@ -424,7 +422,6 @@
String ridStr = "<empty>";
if (!responderIds.isEmpty()) {
ridStr = responderIds.toString();
-
}
String extsStr = "<empty>";
--- a/src/java.base/share/classes/sun/security/ssl/CertificateStatus.java Fri Jun 01 08:11:45 2018 -0700
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateStatus.java Fri Jun 01 08:35:59 2018 -0700
@@ -39,7 +39,37 @@
import static sun.security.ssl.CertificateMessage.*;
/**
- * Pack of the CertificateStatus handshake message.
+ * Consumers and producers for the CertificateStatus handshake message.
+ * This message takes one of two related but slightly different forms,
+ * depending on the type of stapling selected by the server. The message
+ * data will be of the form(s):
+ *
+ * [status_request, RFC 6066]
+ *
+ * struct {
+ * CertificateStatusType status_type;
+ * select (status_type) {
+ * case ocsp: OCSPResponse;
+ * } response;
+ * } CertificateStatus;
+ *
+ * opaque OCSPResponse<1..2^24-1>;
+ *
+ * [status_request_v2, RFC 6961]
+ *
+ * struct {
+ * CertificateStatusType status_type;
+ * select (status_type) {
+ * case ocsp: OCSPResponse;
+ * case ocsp_multi: OCSPResponseList;
+ * } response;
+ * } CertificateStatus;
+ *
+ * opaque OCSPResponse<0..2^24-1>;
+ *
+ * struct {
+ * OCSPResponse ocsp_response_list<1..2^24-1>;
+ * } OCSPResponseList;
*/
final class CertificateStatus {
static final SSLConsumer handshakeConsumer =
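Review bot: The new class Javadoc embeds the raw TLS presentation-language listings, so the angle brackets in `opaque OCSPResponse<1..2^24-1>;` and `OCSPResponse ocsp_response_list<1..2^24-1>;` will be read as HTML tags by the Javadoc tool (and flagged by doclint where it is enabled), and the struct line breaks collapse in rendered output. Wrapping each of the two listings in a `<pre>{@code ... }</pre>` block keeps them readable and avoids the malformed-HTML warning; the braces inside the structs are balanced, so `{@code}` handles them. Separately, the doc now records that the RFC 6961 form allows a zero-length OCSPResponse (`<0..2^24-1>`) while the RFC 6066 form does not, but it does not say what the consumer does with an empty element in an ocsp_multi list; a one-line note such as `A zero-length OCSPResponse in an OCSPResponseList carries no status for the corresponding certificate (RFC 6961).` would make the distinction actionable, assuming that matches the consumer's handling, which is outside this hunk. The class body continues past the end of the hunk.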
--- a/src/java.base/share/classes/sun/security/ssl/HKDF.java Fri Jun 01 08:11:45 2018 -0700
+++ b/src/java.base/share/classes/sun/security/ssl/HKDF.java Fri Jun 01 08:35:59 2018 -0700
@@ -43,7 +43,7 @@
* digest algorithm will be used by the HMAC function as part of the HKDF
* derivation process.
*/
-class HKDF {
+final class HKDF {
private final String hmacAlg;
private final Mac hmacObj;
private final int hmacLen;
@@ -182,57 +182,4 @@
return new SecretKeySpec(kdfOutput, 0, outLen, keyAlg);
}
-
- /**
- * Perform the HKDF Extract-then-Expand operation.
- *
- * @param inputKey the input keying material provided as a
- * {@code SecretKey}.
- * @param salt a salt value, implemented as a {@code SecretKey}. A
- * {@code null} value is allowed, which will internally use an array of
- * zero bytes the same size as the underlying hash output length.
- * @param info optional context-specific info. A {@code null} value is
- * allowed in which case a zero-length byte array will be used.
- * @param outLen the length of the resulting {@code SecretKey}
- * @param keyAlg the algorithm name applied to the resulting
- * {@code SecretKey}
- *
- * @return the resulting derivation stored in a {@code SecretKey} object.
- *
- * @throws InvalidKeyException if initialization of the underlying HMAC
- * process fails with the salt during the extract phase, or with the
- * resulting PRK during the expand phase.
- */
- SecretKey extractExpand(SecretKey inputKey, SecretKey salt, byte[] info,
- int outLen, String keyAlg) throws InvalidKeyException {
- SecretKey prk = extract(salt, inputKey, "HKDF-PRK");
- return expand(prk, info, outLen, keyAlg);
- }
-
- /**
- * Perform the HKDF Extract-then-Expand operation.
- *
- * @param inputKey the input keying material provided as a
- * {@code SecretKey}.
- * @param salt a salt value as cleartext bytes. A {@code null} value is
- * allowed, which will internally use an array of zero bytes the same
- * size as the underlying hash output length.
- * @param info optional context-specific info. A {@code null} value is
- * allowed in which case a zero-length byte array will be used.
- * @param outLen the length of the resulting {@code SecretKey}
- * @param keyAlg the algorithm name applied to the resulting
- * {@code SecretKey}
- *
- * @return the resulting derivation stored in a {@code SecretKey} object.
- *
- * @throws InvalidKeyException if initialization of the underlying HMAC
- * process fails with the salt during the extract phase, or with the
- * resulting PRK during the expand phase.
- */
- SecretKey extractExpand(SecretKey inputKey, byte[] salt, byte[] info,
- int outLen, String keyAlg) throws InvalidKeyException {
- byte[] saltBytes = (salt != null) ? salt : new byte[hmacLen];
- return extractExpand(inputKey,
- new SecretKeySpec(saltBytes, "HKDF-PRK"), info, outLen, keyAlg);
- }
}