AlgorithmParameterSpecHKDFParameterSpec.Expand, HKDFParameterSpec.Extract, HKDFParameterSpec.ExtractThenExpandpublic interface HKDFParameterSpec extends AlgorithmParameterSpec
In the Extract and Extract-then-Expand cases, users may call the
addIKM and/or addSalt methods repeatedly (and chain these calls). This provides for use-cases where a portion of the input keying material (IKM) resides in a non-extractable SecretKey and the whole IKM cannot be provided as a single object. The same feature is available for salts.
The above feature is particularly useful for "labeled" HKDF Extract used in TLS 1.3 and HPKE, where the IKM consists of concatenated components, which may include both byte arrays and (possibly non-extractable) secret keys.
Examples:
// this usage depicts the initialization of an HKDF-Extract AlgorithmParameterSpec
AlgorithmParameterSpec derivationSpec =
HKDFParameterSpec.ofExtract()
.addIKM(label)
.addIKM(ikm)
.addSalt(salt).extractOnly();
// this usage depicts the initialization of an HKDF-Expand AlgorithmParameterSpec
AlgorithmParameterSpec derivationSpec =
HKDFParameterSpec.expandOnly(prk, info, 32);
// this usage depicts the initialization of an HKDF-ExtractExpand AlgorithmParameterSpec
AlgorithmParameterSpec derivationSpec =
HKDFParameterSpec.ofExtract()
.addIKM(ikm)
.addSalt(salt).thenExpand(info, 32);
| Modifier and Type | Interface | Description |
|---|---|---|
static final class |
HKDFParameterSpec.Builder |
This Builder builds Extract and ExtractThenExpand objects. |
static final class |
HKDFParameterSpec.Expand |
Defines the input parameters of an Expand operation as defined in RFC 5869. |
static final class |
HKDFParameterSpec.Extract |
Defines the input parameters of an Extract operation as defined in RFC 5869. |
static final class |
HKDFParameterSpec.ExtractThenExpand |
Defines the input parameters of an Extract-then-Expand operation as defined in RFC 5869. |
| Modifier and Type | Method | Description |
|---|---|---|
static HKDFParameterSpec.Expand |
expandOnly |
Creates an Expand object. |
static HKDFParameterSpec.Builder |
ofExtract() |
Returns a Builder for building Extract and ExtractThenExpand objects. |
static HKDFParameterSpec.Builder ofExtract()
Builder for building Extract and ExtractThenExpand objects.Builder
static HKDFParameterSpec.Expand expandOnly(SecretKey prk, byte[] info, int length)
Expand object.prk - the pseudorandom key (PRK); must not be null
info - the optional context and application specific information (may be null); the byte array is cloned to prevent subsequent modificationlength - the length of the output keying material (must be greater than 0)Expand objectNullPointerException - if the prk argument is null
IllegalArgumentException - if length is not greater than 0
© 1993, 2025, Oracle and/or its affiliates. All rights reserved.
Documentation extracted from Debian's OpenJDK Development Kit package.
Licensed under the GNU General Public License, version 2, with the Classpath Exception.
Various third party code in OpenJDK is licensed under different licenses (see Debian package).
Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.
https://docs.oracle.com/en/java/javase/25/docs/api/java.base/javax/crypto/spec/HKDFParameterSpec.html