[
https://issues.apache.org/jira/browse/WSS-710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17828206#comment-17828206
]
Joze Rihtarsic commented on WSS-710:
------------------------------------
[~coheigea]
Before I provide the PR I would need your advice/confirmation on how to
implement this.
I want to make two configuration options:
The first is quick one: to just set key derivation algorithm and key
derivation is then configured with default values which are
* for ConcatKDF
** DigestMethod: MessMessageDigestAlgorithm.ALGO_ID_DIGEST_SHA256
** AlgorithmId: "0000"
** PartyUInfo: ""
** PartyVInfo: ""
** SuppPubInfo: null
** SuppPrivInfo: null
** Key size depends on ENC_KEY_TRANSPORT
* And for HKDF
** PRF: XMLSignature.ALGO_ID_MAC_HMAC_SHA256
** Info: null
** Salt: pseudorandom value in size of key
** Key size depends on ENC_KEY_TRANSPORT
The configuration can be done like this:
Map<String, Object> outProperties = new HashMap<>();
outProperties.put(ConfigurationConstants.ACTION,ConfigurationConstants.ENCRYPTION);
outProperties.put(ConfigurationConstants.ENC_PROP_FILE, "wss-ecdh.properties");
outProperties.put(ConfigurationConstants.ENCRYPTION_USER, encAlias);
outProperties.put(ConfigurationConstants.ENC_SYM_ALGO,
WSS4JConstants.AES_256_GCM);
outProperties.put(ConfigurationConstants.ENC_KEY_TRANSPORT,
WSS4JConstants.KEYWRAP_AES128);
outProperties.put(ConfigurationConstants.ENC_KEY_AGREEMENT_METHOD,
"http://www.w3.org/2021/04/xmldsig-more#x25519";);
*outProperties.put(ConfigurationConstants.ENC_KEY_DERIVATION_FUNCTION,
"http://www.w3.org/2009/xmlenc11#ConcatKDF";);*
another is more configurable approach where users/developers can pass the
org.apache.xml.security.encryption.params.KeyDerivationParameters
For example
*KeyDerivationParameters kdfParams = new ConcatKDFParams(keyBitLen,
MessageDigestAlgorithm.ALGO_ID_DIGEST_SHA256);*
*kdfParams.setAlgorithmId(00363532534541);*
*kdfParams.setPartyUInfo("00DFC9DB773C588F8F");*
*kdfParams.setPartyVInfo("00DFDA76F7AB09B7C9");*
*kdfParams.setSuppPubInfo(null);*
*kdfParams.setSuppPrivInfo(null);*
....
Map<String, Object> outProperties = new HashMap<>();
outProperties.put(ConfigurationConstants.ACTION,ConfigurationConstants.ENCRYPTION);
outProperties.put(ConfigurationConstants.ENC_PROP_FILE, "wss-ecdh.properties");
outProperties.put(ConfigurationConstants.ENCRYPTION_USER, encAlias);
outProperties.put(ConfigurationConstants.ENC_SYM_ALGO,
WSS4JConstants.AES_256_GCM);
outProperties.put(ConfigurationConstants.ENC_KEY_TRANSPORT,
WSS4JConstants.KEYWRAP_AES128);
outProperties.put(ConfigurationConstants.ENC_KEY_AGREEMENT_METHOD,
"http://www.w3.org/2021/04/xmldsig-more#x25519";);
*outProperties.put(ConfigurationConstants.ENC_KEY_DERIVATION_PARAMETERS,
kdfParams);*
Are these two approaches acceptable for WSS4J?
> Implementation of the configuration options to set KeyDerivation parameters
> ----------------------------------------------------------------------------
>
> Key: WSS-710
> URL: https://issues.apache.org/jira/browse/WSS-710
> Project: WSS4J
> Issue Type: New Feature
> Components: WSS4J Core
> Affects Versions: 4.0.0, 3.0.3
> Reporter: Joze Rihtarsic
> Assignee: Colm O hEigeartaigh
> Priority: Major
>
> The santuarion/xmlsec library has (will have)
> [https://github.com/apache/santuario-xml-security-java/pull/271]
> two options for key agreement to set key derivation methods
> The existing ConcatKDF (see the scheme:
> [xmlenc-core1|https://www.w3.org/TR/xmlenc-core1/#sec-ConcatKDF]
> The HKDF (see the scheme from upcoming standard
> [draft-eastlake-rfc9231bis|https://www.ietf.org/archive/id/draft-eastlake-rfc9231bis-xmlsec-uris-03.html]
> )
> The purpose of this task is to enable configurations for the key agreement
> method , to be able to configure one of the two options
> * ConcatKDF with parameter :
> {{{}AlgorithmID{}}}, {{{}PartyUInfo{}}}, {{{}PartyVInfo{}}}, {{SuppPubInfo}}
> and {{SuppPrivInfo}} amd digest
> * HKDF with parameter : PRF, Salt and Info
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@ws.apache.org
For additional commands, e-mail: dev-h...@ws.apache.org
