jrihtarsic commented on code in PR #271:
URL:
https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1598354663
##########
src/main/java/org/apache/xml/security/utils/KeyUtils.java:
##########
@@ -247,34 +245,76 @@
}
}
-
/**
- * Derive a key encryption key from a shared secret and
keyDerivationParameter. Currently only the ConcatKDF is supported.
+ * Derive a key encryption key from a shared secret and
keyDerivationParameter.
+ * Currently only the ConcatKDF and HMAC-base Extract-and-Expand Key
Derivation
+ * Function (HKDF) are supported.
+ *
* @param sharedSecret the shared secret
* @param keyDerivationParameter the key derivation parameters
* @return the derived key encryption key
+ * @throws IllegalArgumentException if the keyDerivationParameter is null
* @throws XMLSecurityException if the key derivation algorithm is not
supported
*/
public static byte[] deriveKeyEncryptionKey(byte[] sharedSecret,
KeyDerivationParameters keyDerivationParameter)
throws XMLSecurityException {
- int iKeySize = keyDerivationParameter.getKeyBitLength()/8;
+
+ if (keyDerivationParameter == null) {
+ throw new
IllegalArgumentException(I18n.translate("KeyDerivation.MissingParameters"));
+ }
+
String keyDerivationAlgorithm = keyDerivationParameter.getAlgorithm();
- if
(!EncryptionConstants.ALGO_ID_KEYDERIVATION_CONCATKDF.equals(keyDerivationAlgorithm))
{
- throw new XMLEncryptionException( "unknownAlgorithm",
- keyDerivationAlgorithm);
+ if (keyDerivationParameter instanceof HKDFParams) {
+ return deriveKeyEncryptionKey(sharedSecret, (HKDFParams)
keyDerivationParameter);
+ } else if (keyDerivationParameter instanceof ConcatKDFParams) {
+ return deriveKeyEncryptionKey(sharedSecret, (ConcatKDFParams)
keyDerivationParameter);
+ }
+
+ throw new XMLEncryptionException("KeyDerivation.UnsupportedAlgorithm",
keyDerivationAlgorithm,
+ keyDerivationParameter.getClass().getName());
+ }
+
+ /**
+ * Derive a key using the HMAC-based Extract-and-Expand Key Derivation
+ * Function (HKDF) with implementation instance {@link HKDFParams}.
+ *
+ * @param sharedSecret the shared secret
+ * @param hkdfParameter the HKDF parameters
+ * @return the derived key encryption key.
+ * @throws XMLSecurityException if the key derivation parameters are
invalid or
+ * the hmac algorithm is not supported.
+ */
+ public static byte[] deriveKeyEncryptionKey(byte[] sharedSecret,
HKDFParams hkdfParameter)
Review Comment:
Method renamed
##########
src/main/java/org/apache/xml/security/utils/KeyUtils.java:
##########
@@ -247,34 +245,76 @@
}
}
-
/**
- * Derive a key encryption key from a shared secret and
keyDerivationParameter. Currently only the ConcatKDF is supported.
+ * Derive a key encryption key from a shared secret and
keyDerivationParameter.
+ * Currently only the ConcatKDF and HMAC-base Extract-and-Expand Key
Derivation
+ * Function (HKDF) are supported.
+ *
* @param sharedSecret the shared secret
* @param keyDerivationParameter the key derivation parameters
* @return the derived key encryption key
+ * @throws IllegalArgumentException if the keyDerivationParameter is null
* @throws XMLSecurityException if the key derivation algorithm is not
supported
*/
public static byte[] deriveKeyEncryptionKey(byte[] sharedSecret,
KeyDerivationParameters keyDerivationParameter)
throws XMLSecurityException {
- int iKeySize = keyDerivationParameter.getKeyBitLength()/8;
+
+ if (keyDerivationParameter == null) {
+ throw new
IllegalArgumentException(I18n.translate("KeyDerivation.MissingParameters"));
+ }
+
String keyDerivationAlgorithm = keyDerivationParameter.getAlgorithm();
- if
(!EncryptionConstants.ALGO_ID_KEYDERIVATION_CONCATKDF.equals(keyDerivationAlgorithm))
{
- throw new XMLEncryptionException( "unknownAlgorithm",
- keyDerivationAlgorithm);
+ if (keyDerivationParameter instanceof HKDFParams) {
+ return deriveKeyEncryptionKey(sharedSecret, (HKDFParams)
keyDerivationParameter);
+ } else if (keyDerivationParameter instanceof ConcatKDFParams) {
+ return deriveKeyEncryptionKey(sharedSecret, (ConcatKDFParams)
keyDerivationParameter);
+ }
+
+ throw new XMLEncryptionException("KeyDerivation.UnsupportedAlgorithm",
keyDerivationAlgorithm,
+ keyDerivationParameter.getClass().getName());
+ }
+
+ /**
+ * Derive a key using the HMAC-based Extract-and-Expand Key Derivation
+ * Function (HKDF) with implementation instance {@link HKDFParams}.
+ *
+ * @param sharedSecret the shared secret
+ * @param hkdfParameter the HKDF parameters
+ * @return the derived key encryption key.
+ * @throws XMLSecurityException if the key derivation parameters are
invalid or
+ * the hmac algorithm is not supported.
+ */
+ public static byte[] deriveKeyEncryptionKey(byte[] sharedSecret,
HKDFParams hkdfParameter)
+ throws XMLSecurityException {
+
+ if
(!EncryptionConstants.ALGO_ID_KEYDERIVATION_HKDF.equals(hkdfParameter.getAlgorithm())){
+ throw new
XMLEncryptionException("KeyDerivation.UnsupportedAlgorithm",
hkdfParameter.getAlgorithm(),
+ HKDFParams.class.getName());
}
- ConcatKDFParams ckdfParameter = (ConcatKDFParams)
keyDerivationParameter;
- // get parameters
- String digestAlgorithm = ckdfParameter.getDigestAlgorithm();
+ HKDF kdf = new HKDF();
+ return kdf.deriveKey(sharedSecret, hkdfParameter);
+ }
- String algorithmID = ckdfParameter.getAlgorithmID();
- String partyUInfo = ckdfParameter.getPartyUInfo();
- String partyVInfo = ckdfParameter.getPartyVInfo();
- String suppPubInfo = ckdfParameter.getSuppPubInfo();
- String suppPrivInfo = ckdfParameter.getSuppPrivInfo();
+ /**
+ * Derive a key using the Concatenation Key Derivation Function (ConcatKDF)
+ * with implementation instance {@link ConcatKDFParams}.
+ *
+ * @param sharedSecret the shared secret/ input keying material
+ * @param ckdfParameter the ConcatKDF parameters
+ * @return the derived key
+ * @throws XMLSecurityException if the key derivation parameters are
invalid or
+ * the hash algorithm is not supported.
+ */
+ public static byte[] deriveKeyEncryptionKey(byte[] sharedSecret,
ConcatKDFParams ckdfParameter)
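Review bot: The public HKDF overload calls `hkdfParameter.getAlgorithm()` with no null guard, so a direct caller passing null gets a bare NullPointerException, while the generic dispatcher above it rejects null with `KeyDerivation.MissingParameters`. I would open the overload with the same check, `if (hkdfParameter == null) { throw new IllegalArgumentException(I18n.translate("KeyDerivation.MissingParameters")); }`, and add a matching `@throws IllegalArgumentException` line to its Javadoc. `sharedSecret` is also handed to `kdf.deriveKey` unchecked; whether `HKDF` rejects a null or empty secret is not visible here, so it is worth confirming that a key-encryption key can never be derived from empty input. The ConcatKDF overload's body lies outside this quoted hunk, so the same guard could not be checked there.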
Review Comment:
Method renamed