8325448: Hybrid Public Key Encryption

[wangweij]

Implement HPKE as defined in https://datatracker.ietf.org/doc/rfc9180/.

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change requires CSR request JDK-8366437 to be approved
• Change must not contain extraneous whitespace
• Commit message must refer to an issue

Issues

• JDK-8325448: Hybrid Public Key Encryption (Enhancement - P3)
• JDK-8366437: Hybrid Public Key Encryption (CSR)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/18411/head:pull/18411
$ git checkout pull/18411

Update a local copy of the PR:
$ git checkout pull/18411
$ git pull https://git.openjdk.org/jdk.git pull/18411/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 18411

View PR using the GUI difftool:
$ git pr show -t 18411

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/18411.diff

Using Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back weijun! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.

[openjdk]

@wangweij The following label will be automatically applied to this pull request:

• security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[bridgekeeper]

@wangweij This pull request has been inactive for more than 8 weeks and will be automatically closed if another 8 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

[wangweij]

/csr

[openjdk]

@wangweij has indicated that a compatibility and specification (CSR) request is needed for this pull request.

@wangweij please create a CSR request for issue JDK-8325448 with the correct fix version. This pull request cannot be integrated until the CSR request is approved.

[bridgekeeper]

@wangweij This pull request has been inactive for more than 8 weeks and will be automatically closed if another 8 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

[bridgekeeper]

@wangweij This pull request has been inactive for more than 16 weeks and will now be automatically closed. If you would like to continue working on this pull request in the future, feel free to reopen it! This can be done using the /open pull request command.

[wangweij]

/open

[openjdk]

@wangweij This pull request is now open

[bridgekeeper]

@wangweij This pull request has been inactive for more than 8 weeks and will be automatically closed if another 8 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

[mlbridge]

Webrevs

• 47: Full - Incremental (52c4d84b)
• 46: Full - Incremental (4d5b15f7)
• 45: Full (b5112151)
• 44: Full (8c6cffa4)
• 43: Full - Incremental (b86797a6)
• 42: Full (1ec31cf5)
• 41: Full - Incremental (a6949f51)
• 40: Full - Incremental (cef55578)
• 39: Full - Incremental (bdd00bd8)
• 38: Full - Incremental (d4c237f3)
• 37: Full - Incremental (cbce8305)
• 36: Full - Incremental (8dbc0502)
• 35: Full - Incremental (29cb2541)
• 34: Full - Incremental (4772004a)
• 33: Full - Incremental (b42a855f)
• 32: Full - Incremental (fba0da9a)
• 31: Full - Incremental (31c3f698)
• 30: Full - Incremental (2d7631e4)
• 29: Full - Incremental (008a5a6f)
• 28: Full - Incremental (5b4767b1)
• 27: Full - Incremental (04a45d4b)
• 26: Full - Incremental (56730ee8)
• 25: Full - Incremental (a67d06d1)
• 24: Full - Incremental (2c86d905)
• 23: Full (5a84603e)
• 22: Full - Incremental (e83a4a1b)
• 21: Full - Incremental (653b56c5)
• 20: Full - Incremental (787702da)
• 19: Full - Incremental (30c79948)
• 18: Full (f819de2e)
• 17: Full - Incremental (a4f59e38)
• 16: Full - Incremental (15d0b85f)
• 15: Full - Incremental (fff8e324)
• 14: Full - Incremental (17dceaa9)
• 13: Full - Incremental (0796a423)
• 12: Full - Incremental (c578ef5d)
• 11: Full - Incremental (25d2fb17)
• 10: Full - Incremental (18e05389)
• 09: Full - Incremental (4bb17504)
• 08: Full - Incremental (9360dfd2)
• 07: Full - Incremental (5b0f319c)
• 06: Full - Incremental (1839c739)
• 05: Full - Incremental (8342e7d4)
• 04: Full - Incremental (92712652)
• 03: Full - Incremental (8ae9a521)
• 02: Full - Incremental (7e525f12)
• 01: Full - Incremental (58773645)
• 00: Full (412efec2)

[seanjmullan]

Ok.

[seanjmullan]

Hi Sebastian, the API you suggested is only the KEM step, and it should be made internal inside HPKE.

At the end of the day, HPKE is still a cipher. I understand the key encapsulation message (aka, KEM ciphertext) is different from a traditional IV, but they share some key characteristics: 1) generated by the sender after initialization, 2) cryptographically random, 3) then made public, 4) has critical impact on encryption result.

To avoid some of this potential confusion, I think it could help to expand on the description of Cipher.getIV() to describe this new use case for IV, something like changing this sentence:

"This is useful in the case where a random IV was created, or in the context of password-based encryption or decryption, where the IV is derived from a user-supplied password."

to:

"This is useful in the case where a random IV was created, or in the context of password-based encryption or decryption, where the IV is derived from a user-supplied password, or in the case of HPKE (Hybrid Public Key Encryption) where IV contains the encapsulation of the KEM shared secret."

[wangweij]

Hi Sebastian, the API you suggested is only the KEM step, and it should be made internal inside HPKE.
At the end of the day, HPKE is still a cipher. I understand the key encapsulation message (aka, KEM ciphertext) is different from a traditional IV, but they share some key characteristics: 1) generated by the sender after initialization, 2) cryptographically random, 3) then made public, 4) has critical impact on encryption result.

To avoid some of this potential confusion, I think it could help to expand on the description of Cipher.getIV() to describe this new use case for IV, something like changing this sentence:

"This is useful in the case where a random IV was created, or in the context of password-based encryption or decryption, where the IV is derived from a user-supplied password."

to:

"This is useful in the case where a random IV was created, or in the context of password-based encryption or decryption, where the IV is derived from a user-supplied password, or in the case of HPKE (Hybrid Public Key Encryption) where IV contains the encapsulation of the KEM shared secret."

Good idea. Somehow I hesitate to update the base spec directly. Shall we put the whole paragraph into an @apiNote? A similar paragraph also appears in CipherSpi::engineGetIV.

[seanjmullan]

Hi Sebastian, the API you suggested is only the KEM step, and it should be made internal inside HPKE.
At the end of the day, HPKE is still a cipher. I understand the key encapsulation message (aka, KEM ciphertext) is different from a traditional IV, but they share some key characteristics: 1) generated by the sender after initialization, 2) cryptographically random, 3) then made public, 4) has critical impact on encryption result.

To avoid some of this potential confusion, I think it could help to expand on the description of Cipher.getIV() to describe this new use case for IV, something like changing this sentence:
"This is useful in the case where a random IV was created, or in the context of password-based encryption or decryption, where the IV is derived from a user-supplied password."
to:
"This is useful in the case where a random IV was created, or in the context of password-based encryption or decryption, where the IV is derived from a user-supplied password, or in the case of HPKE (Hybrid Public Key Encryption) where IV contains the encapsulation of the KEM shared secret."

Good idea. Somehow I hesitate to update the base spec directly. Shall we put the whole paragraph into an @apiNote? A similar paragraph also appears in CipherSpi::engineGetIV.

Yes, making this text an API note, which is what it really is, is a really good idea.

[wangweij]

New commit pushed. The with methods can no longer be used to "reset" a field to its default value, for example, calling withInfo(new byte[0]) to remove the non-default info or withAuthKey(null) to revert to mode_base.

Reasons:

1. Allowing a default value might hide unintended empty user input.
2. It's hard to manage all the fields in an HPKEParameterSpec object and reuse it back and forth.

[ascarpino]

Is a null check needed for key and params? It appears Cipher leaves that to the SPI to accept or reject.

[wangweij]

If key is null, you will see "InvalidKeyException: Not an asymmetric key". I assume that's also OK?

I'll deal with params, there is a similar exception but unfortunately I called params.getClass() there.

[ascarpino]

Why are the methods in this class capitalized?

[wangweij]

I like using the original function names from the RFC. If you don't like, I can modify them to Java-style.

[ascarpino]

Is key_sechedule_context worth zero'ing?

[wangweij]

Maybe not? psk_id does not sound like a secret thing. I understand psk is.