JDK-8353889: Implement Key Derivation Function API


    • CSR
    • Resolution: Unresolved
    • P3
    • None
    • security-libs
    • None
    • minimal
    • Moving from preview to final with no API change.
    • Java API
    • SE

      Summary

      Move the Key Derivation Function (KDF) API to final. The KDF API was introduced in JDK 24 as a preview feature.

      Problem

      There has been no request for any change to the KDF API preview feature. Since JDK 24, a PKCS #11 implementation of HKDF has been integrated into an early build of JDK 25, and several in-progress efforts are using the preview API as-is:

      1. An implementation of Hybrid Public Key Encryption (HPKE), which uses the API in its key schedule setup and secret export.
      2. A refactoring of the existing uses of the internal HKDF implementation in the TLS 1.3 and DHKEM key derivation processes.

      The current set of integrations and refactorings demonstrates that the API is capable and flexible enough to support a variety of use cases as designed. It is therefore ready to be finalized unmodified.

      Solution

      Move the Key Derivation Function API to final.

      Specification

      1. Remove the annotation of the following entry in the Feature enum in jdk/internal/javac/PreviewFeature.java. The enum field is kept to make sure the boot cycle build runs correctly:

        @JEP(number=478, title="Key Derivation Function API", status="Preview")
        KEY_DERIVATION,
      2. For the javax.crypto.KDF, javax.crypto.KDFParameters, javax.crypto.KDFSpi, javax.crypto.spec.HKDFParameterSpec, javax.crypto.spec.HKDFParameterSpec$Builder, javax.crypto.spec.HKDFParameterSpec$Extract, javax.crypto.spec.HKDFParameterSpec$Expand, and javax.crypto.spec.HKDFParameterSpec$ExtractThenExpand classes, modify the @since 24 tags to @since 25, and remove the following annotation:

        @PreviewFeature(feature = PreviewFeature.Feature.KEY_DERIVATION)
      3. Remove the @ParticipatesInPreview annotation from the module-info.java file of the jdk.crypto.cryptoki module. The PKCS11 HKDF implementation no longer requires it.
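
      The three HKDFParameterSpec modes listed in item 2 can be checked against the published RFC 5869 Appendix A.1 test vector. This is an added example, not code from this CSR or from the JDK project; it assumes JDK 25 (or JDK 24 with --enable-preview), and the class name HkdfVectorCheck and the "demo enc" / "demo mac" info labels are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HexFormat;
import javax.crypto.KDF;
import javax.crypto.SecretKey;
import javax.crypto.spec.HKDFParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class HkdfVectorCheck {
    static final HexFormat HEX = HexFormat.of();

    public static void main(String[] args) throws Exception {
        // Inputs and expected outputs: RFC 5869, Appendix A.1 (SHA-256, L = 42).
        byte[] ikm  = HEX.parseHex("0b".repeat(22));
        byte[] salt = HEX.parseHex("000102030405060708090a0b0c");
        byte[] info = HEX.parseHex("f0f1f2f3f4f5f6f7f8f9");
        byte[] wantPrk = HEX.parseHex(
            "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5");
        byte[] wantOkm = HEX.parseHex(
            "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
            + "34007208d5b887185865");
        KDF hkdf = KDF.getInstance("HKDF-SHA256");

        // HKDFParameterSpec.ExtractThenExpand: both phases in one call.
        byte[] okm = hkdf.deriveData(HKDFParameterSpec.ofExtract()
                .addIKM(ikm).addSalt(salt).thenExpand(info, 42));
        // HKDFParameterSpec.Extract, then HKDFParameterSpec.Expand on the PRK.
        byte[] prk = hkdf.deriveData(HKDFParameterSpec.ofExtract()
                .addIKM(ikm).addSalt(salt).extractOnly());
        SecretKey prkKey = new SecretKeySpec(prk, "Generic");
        byte[] okm2 = hkdf.deriveData(HKDFParameterSpec.expandOnly(prkKey, info, 42));
        require("PRK", wantPrk, prk);
        require("OKM (extract-then-expand)", wantOkm, okm);
        require("OKM (extract, then expand)", wantOkm, okm2);

        // Distinct info values (constructed labels) yield separate keys from one PRK.
        SecretKey enc = hkdf.deriveKey("AES", HKDFParameterSpec.expandOnly(
                prkKey, "demo enc".getBytes(StandardCharsets.UTF_8), 32));
        SecretKey mac = hkdf.deriveKey("HmacSHA256", HKDFParameterSpec.expandOnly(
                prkKey, "demo mac".getBytes(StandardCharsets.UTF_8), 32));
        if (MessageDigest.isEqual(enc.getEncoded(), mac.getEncoded()))
            throw new AssertionError("info did not separate the derived keys");
        System.out.println("HKDF-SHA256 matches RFC 5869 A.1 in all three modes");
    }

    static void require(String what, byte[] want, byte[] got) {
        if (!MessageDigest.isEqual(want, got))
            throw new AssertionError(what + " mismatch: " + HEX.formatHex(got));
    }
}
```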

            weijun Weijun Wang