Class Hkdf

java.lang.Object
cloud.opencode.base.crypto.kdf.Hkdf
All Implemented Interfaces:
KdfEngine

public final class Hkdf extends Object implements KdfEngine
HMAC-based Key Derivation Function (HKDF) implementation: an RFC 5869 compliant KDF using HMAC.

Features:

  • HKDF-SHA256 and HKDF-SHA512
  • Extract-then-expand key derivation

Usage Examples:

Hkdf hkdf = Hkdf.sha256();
byte[] key = hkdf.deriveKey(ikm, salt, info, 32);

Security:

  • Thread-safe: Yes
  • Null-safe: Yes
Since:
JDK 25, opencode-base-crypto V1.0.0
Author:
Leon Soo www.LeonSoo.com
See Also:
  • Method Summary

    Modifier and Type
    Method
    Description
    byte[]
    derive(byte[] inputKeyMaterial, byte[] salt, byte[] info, int length)
    Derives a key from input key material with salt and info parameters
    byte[]
    derive(byte[] inputKeyMaterial, int length)
    Derives a key from input key material with default parameters
    byte[]
    deriveKey(byte[] ikm, byte[] salt, byte[] info, int length)
    Derives key material from input keying material (IKM) with optional salt
    byte[]
    deriveKey(byte[] ikm, byte[] info, int length)
    Derives key material from input keying material (IKM)
    byte[][]
    deriveKeys(byte[] salt, byte[] ikm, byte[][] infos, int[] lengths)
    Derives multiple keys from the same input key material with different info contexts
    byte[]
    expand(byte[] prk, byte[] info, int length)
    HKDF-Expand: Expands a pseudorandom key to desired length
    byte[]
    extract(byte[] salt, byte[] ikm)
    HKDF-Extract: Extracts a pseudorandom key from input key material
    byte[]
    extractAndExpand(byte[] salt, byte[] ikm, byte[] info, int length)
    HKDF-Extract-and-Expand: Combines extract and expand in one call
    String
    getAlgorithm()
    Gets the algorithm name
    int
    getHashLength()
    Gets the hash output length
    static Hkdf
    sha256()
    Creates an HKDF instance with SHA-256
    static Hkdf
    sha384()
    Creates an HKDF instance with SHA-384
    static Hkdf
    sha512()
    Creates an HKDF instance with SHA-512

    Methods inherited from class Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Method Details

    • sha256

      public static Hkdf sha256()
      Creates an HKDF instance with SHA-256
      Returns:
      new HKDF instance using HmacSHA256
    • sha384

      public static Hkdf sha384()
      Creates an HKDF instance with SHA-384
      Returns:
      new HKDF instance using HmacSHA384
    • sha512

      public static Hkdf sha512()
      Creates an HKDF instance with SHA-512
      Returns:
      new HKDF instance using HmacSHA512
    • deriveKey

      public byte[] deriveKey(byte[] ikm, byte[] info, int length)
      Derives key material from input keying material (IKM)
      Parameters:
      ikm - input keying material
      info - optional context and application specific information (can be null)
      length - desired output length in bytes (max 255 * hashLength)
      Returns:
      derived key material
      Throws:
      NullPointerException - if ikm is null
      IllegalArgumentException - if length is invalid
    • deriveKey

      public byte[] deriveKey(byte[] ikm, byte[] salt, byte[] info, int length)
      Derives key material from input keying material (IKM) with optional salt
      Parameters:
      ikm - input keying material
      salt - optional salt value (can be null, defaults to hashLength zeros)
      info - optional context and application specific information (can be null)
      length - desired output length in bytes (max 255 * hashLength)
      Returns:
      derived key material
      Throws:
      NullPointerException - if ikm is null
      IllegalArgumentException - if length is invalid
    • extract

      public byte[] extract(byte[] salt, byte[] ikm)
      HKDF-Extract: Extracts a pseudorandom key from input key material
      Parameters:
      salt - the salt value (if null or empty, a string of zeros is used)
      ikm - the input key material
      Returns:
      the pseudorandom key (PRK)
      Throws:
      NullPointerException - if ikm is null
      OpenCryptoException - if extraction fails
    • expand

      public byte[] expand(byte[] prk, byte[] info, int length)
      HKDF-Expand: Expands a pseudorandom key to desired length
      Parameters:
      prk - the pseudorandom key from extract phase
      info - the context and application specific information (can be null)
      length - the desired output key length in bytes
      Returns:
      the output key material (OKM)
      Throws:
      NullPointerException - if prk is null
      IllegalArgumentException - if length is invalid
      OpenCryptoException - if expansion fails
    • getAlgorithm

      public String getAlgorithm()
      Gets the algorithm name
      Specified by:
      getAlgorithm in interface KdfEngine
      Returns:
      the HMAC algorithm name
    • getHashLength

      public int getHashLength()
      Gets the hash output length
      Returns:
      hash length in bytes
    • extractAndExpand

      public byte[] extractAndExpand(byte[] salt, byte[] ikm, byte[] info, int length)
      HKDF-Extract-and-Expand: Combines extract and expand in one call
      Parameters:
      salt - the salt value (can be null)
      ikm - the input key material
      info - the context and application specific information (can be null)
      length - the desired output key length in bytes
      Returns:
      the output key material (OKM)
      Throws:
      NullPointerException - if ikm is null
      IllegalArgumentException - if length is invalid
      OpenCryptoException - if derivation fails
    • deriveKeys

      public byte[][] deriveKeys(byte[] salt, byte[] ikm, byte[][] infos, int[] lengths)
      Derives multiple keys from the same input key material with different info contexts
      Parameters:
      salt - the salt value (can be null)
      ikm - the input key material
      infos - array of context information for each derived key
      lengths - array of desired lengths for each derived key
      Returns:
      array of derived keys
      Throws:
      NullPointerException - if ikm, infos, or lengths is null
      IllegalArgumentException - if infos and lengths arrays have different lengths
      OpenCryptoException - if derivation fails
    • derive

      public byte[] derive(byte[] inputKeyMaterial, byte[] salt, byte[] info, int length)
      Description copied from interface: KdfEngine
      Derives a key from input key material with salt and info parameters
      Specified by:
      derive in interface KdfEngine
      Parameters:
      inputKeyMaterial - the input key material (IKM)
      salt - the salt value (can be null or empty for some algorithms)
      info - the context and application specific information (can be null)
      length - the desired output key length in bytes
      Returns:
      the derived key
    • derive

      public byte[] derive(byte[] inputKeyMaterial, int length)
      Description copied from interface: KdfEngine
      Derives a key from input key material with default parameters
      Specified by:
      derive in interface KdfEngine
      Parameters:
      inputKeyMaterial - the input key material (IKM)
      length - the desired output key length in bytes
      Returns:
      the derived key
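
Added example (not part of the opencode-base-crypto documentation or source): a stand-alone RFC 5869 extract and expand written against the plain JDK Mac API, mirroring the semantics documented above for a null salt, a null info and the 255 * hashLength bound. It checks itself against the RFC 5869 Appendix A.1 test vector; the class name HkdfSketch and the "enc"/"mac" info labels are assumptions made for the illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HexFormat;

// Added illustration of RFC 5869 with HmacSHA256; not the opencode-base-crypto source.
public class HkdfSketch {
    static final String ALG = "HmacSHA256";
    static final int HASH_LEN = 32;
    static byte[] hmac(byte[] key, byte[]... parts) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(key, ALG));
        for (byte[] p : parts) mac.update(p);
        return mac.doFinal();
    }
    // HKDF-Extract: PRK = HMAC(salt, IKM); a null or empty salt becomes HASH_LEN zero bytes.
    static byte[] extract(byte[] salt, byte[] ikm) throws Exception {
        byte[] s = (salt == null || salt.length == 0) ? new byte[HASH_LEN] : salt;
        return hmac(s, ikm);
    }
    // HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated and truncated to length.
    static byte[] expand(byte[] prk, byte[] info, int length) throws Exception {
        if (length <= 0 || length > 255 * HASH_LEN) throw new IllegalArgumentException("length");
        byte[] ctx = info == null ? new byte[0] : info;
        byte[] okm = new byte[length];
        byte[] t = new byte[0];
        for (int off = 0, i = 1; off < length; off += t.length, i++) {
            t = hmac(prk, t, ctx, new byte[] {(byte) i});
            System.arraycopy(t, 0, okm, off, Math.min(t.length, length - off));
        }
        return okm;
    }
    public static void main(String[] args) throws Exception {
        HexFormat hex = HexFormat.of();
        // RFC 5869 Appendix A.1 inputs and expected OKM (L = 42).
        byte[] ikm = hex.parseHex("0b".repeat(22));
        byte[] salt = hex.parseHex("000102030405060708090a0b0c");
        byte[] info = hex.parseHex("f0f1f2f3f4f5f6f7f8f9");
        String want = "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865";
        byte[] prk = extract(salt, ikm);
        if (!hex.formatHex(expand(prk, info, 42)).equals(want)) throw new AssertionError("A.1 mismatch");
        // Domain separation: same PRK, different info labels (labels are constructed).
        byte[] encKey = expand(prk, "enc".getBytes(StandardCharsets.UTF_8), 32);
        byte[] macKey = expand(prk, "mac".getBytes(StandardCharsets.UTF_8), 32);
        System.out.println("keys differ: " + !Arrays.equals(encKey, macKey));
        boolean same = Arrays.equals(extract(null, ikm), extract(new byte[HASH_LEN], ikm));
        System.out.println("null salt == zero salt: " + same);
    }
}
```

Giving each derived key its own info value, which is what the infos array of deriveKeys is for, keeps keys for different purposes independent even though they share one IKM.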