Merge branch 'main' into nano-base-key

mkleene · web-flow · commit 7336d2b902ff · 2025-07-28T21:45:46.000+02:00
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -4,8 +4,6 @@ on:
   schedule:
     - cron: '0 13 * * 1' # At 1:00 PM UTC every Monday
   pull_request:
-    paths:
-      - '.github/workflows/codeql.yaml'
 
 jobs:
   analyze:
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/ECKeyPair.java b/sdk/src/main/java/io/opentdf/platform/sdk/ECKeyPair.java
@@ -29,6 +29,8 @@
 
 public class ECKeyPair {
 
+    private static final int SHA256_BYTES = 32;
+
     static {
         Security.addProvider(new BouncyCastleProvider());
     }
@@ -232,8 +234,12 @@ public static byte[] computeECDHKey(ECPublicKey publicKey, ECPrivateKey privateK
         }
     }
 
+    /**
+     * Returns a HKDF key derived from the provided salt and secret
+     * that is 32 bytes (256 bits) long.
+     */
     public static byte[] calculateHKDF(byte[] salt, byte[] secret) {
-        byte[] key = new byte[secret.length];
+        byte[] key = new byte[SHA256_BYTES];
         HKDFParameters params = new HKDFParameters(secret, salt, null);
 
         HKDFBytesGenerator hkdf = new HKDFBytesGenerator(SHA256Digest.newInstance());
diff --git a/sdk/src/test/java/io/opentdf/platform/sdk/ECKeyPairTest.java b/sdk/src/test/java/io/opentdf/platform/sdk/ECKeyPairTest.java
@@ -13,6 +13,7 @@
 import java.util.Base64;
 
 import static io.opentdf.platform.sdk.NanoTDFType.ECCurve.SECP256R1;
+import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 
@@ -117,6 +118,19 @@ void extractPemPubKeyFromX509() throws CertificateException, IOException, NoSuch
         byte[] key = ECKeyPair.calculateHKDF(ECKeys.salt.getBytes(StandardCharsets.UTF_8), symmetricKey);
         System.out.println(Arrays.toString(key));
         System.out.println(key.length);
+
+        assertThat(key.length).isEqualTo(32); // SHA-256 produces a 32-byte key
+    }
+
+    @Test
+    void createSymmetricKeysWithOtherCurves() {
+        ECKeyPair pubPair = new ECKeyPair(NanoTDFType.ECCurve.SECP384R1, ECKeyPair.ECAlgorithm.ECDH);
+        ECKeyPair keyPair = new ECKeyPair(NanoTDFType.ECCurve.SECP384R1, ECKeyPair.ECAlgorithm.ECDH);
+
+        byte[] sharedSecret = ECKeyPair.computeECDHKey(pubPair.getPublicKey(), keyPair.getPrivateKey());
+        byte[] encryptionKey = ECKeyPair.calculateHKDF(ECKeys.salt.getBytes(StandardCharsets.UTF_8), sharedSecret);
+
+        assertThat(encryptionKey).hasSize(32); // SHA-256 produces a 32-byte key
     }
 
     @Test

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,8 @@`
`29`	`29`
`30`	`30`	`public class ECKeyPair {`
`31`	`31`
	`32`	`+ private static final int SHA256_BYTES = 32;`
	`33`	`+`
`32`	`34`	`static {`
`33`	`35`	`Security.addProvider(new BouncyCastleProvider());`
`34`	`36`	`}`
`@@ -232,8 +234,12 @@ public static byte[] computeECDHKey(ECPublicKey publicKey, ECPrivateKey privateK`
`232`	`234`	`}`
`233`	`235`	`}`
`234`	`236`
	`237`	`+ /**`
	`238`	`+ * Returns a HKDF key derived from the provided salt and secret`
	`239`	`+ * that is 32 bytes (256 bits) long.`
	`240`	`+ */`
`235`	`241`	`public static byte[] calculateHKDF(byte[] salt, byte[] secret) {`
`236`		`- byte[] key = new byte[secret.length];`
	`242`	`+ byte[] key = new byte[SHA256_BYTES];`
`237`	`243`	`HKDFParameters params = new HKDFParameters(secret, salt, null);`
`238`	`244`
`239`	`245`	`HKDFBytesGenerator hkdf = new HKDFBytesGenerator(SHA256Digest.newInstance());`