JDK-8341346

Add support for exporting TLS Keying Material

    • Enhancement
    • Resolution: Unresolved
    • P3
    • 25
    • 21, 24
    • security-libs

      RFC 5705 defines and RFC 8446 updates keying material exporters for TLS:
      - https://www.rfc-editor.org/rfc/rfc5705.html
      - https://www.rfc-editor.org/rfc/rfc8446#section-7.5

      There are a number of new exporter mechanisms registered, including those from RFCs 5216/6347/5281, 5764, 6083, 8471, 9431, 9190, 9261, 9427, and several M2M entries.

      Many other TLS implementations already support it:
      - https://pkg.go.dev/crypto/tls#ConnectionState.ExportKeyingMaterial
      - https://docs.openssl.org/1.1.1/man3/SSL_export_keying_material
      - https://downloads.bouncycastle.org/java/docs/bctls-jdk18on-javadoc/org/bouncycastle/tls/TlsContext.html#exportKeyingMaterial-java.lang.String-byte:A-int-

      5G mobile specs mandate the use of TLS session at app level for JWE:
      - https://www.tech-invite.com/3m33/toc/tinv-3gpp-33-501_zk.html#e-13-2-4-4-1

      Things to do:
      - Define the scope of support for this feature considering all the security implications.
      - Add support for this feature to the OpenJDK TLS implementation.

            wetmore Bradford Wetmore
            abarashev Artur Barashev