Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implementation of the HKDF derivation function #271

Merged
merged 16 commits into from
May 27, 2024

Conversation

jrihtarsic
Copy link
Contributor

@jrihtarsic jrihtarsic commented Jan 19, 2024

Purpose of the PR is to implement support for the HMAC-based Extract-and-Expand Key Derivation Function (HKDF [RFC5869]) used by the KeyAgreement method.
The details of the PR are in the ticket SANTUARIO-607

The code is contributed on behalf of the European Commission’s edelivery project to support eDelivery AS4 2.0 profile.

@jrihtarsic
Copy link
Contributor Author

jrihtarsic commented Jan 19, 2024

@coheigea please note that we did not yet receive final feedback from IETF regarding the
HKDF scheme. For now we are using the one defined bellow
src/main/resources/bindings/schemas/dsig-more_2021_04.xsd

I will let you know when this PR will be finalized for the review.

@jrihtarsic
Copy link
Contributor Author

Hi @coheigea I want to inform you that the update for HKDF xsd scheme for RFC9231
https://datatracker.ietf.org/doc/draft-eastlake-rfc9231bis-xmlsec-uris/
was accepted and the PR can be reviewed now.

Copy link
Contributor

@coheigea coheigea left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@seanjmullan Can you have a look as well please?

@coheigea
Copy link
Contributor

@jrihtarsic I'm going to call a vote on 4.0.2/3.0.4 to get the Key Agreement feature released and unblock the next CXF release. The HKDF will have to wait until the next release.

@jrihtarsic jrihtarsic requested a review from coheigea February 16, 2024 08:54
@jrihtarsic
Copy link
Contributor Author

@coheigea understand and thanks for the info. I look forward to the first version of the key agreement option as part of the cxf.

@seanjmullan
Copy link
Member

@seanjmullan Can you have a look as well please?

I can try to look at this over the next couple of weeks. I was off work for a while so I am still catching up with things.

@coheigea
Copy link
Contributor

@seanjmullan Just a reminder please, as this PR blocks another Pr in WSS4J

@coheigea
Copy link
Contributor

@jrihtarsic Can you remove the whitespace changes in this PR? It makes it difficult to get to the actual changes

@jrihtarsic
Copy link
Contributor Author

I reverted the "cleaning of the code" (empty lines) from commit PR updates (docs and clean empty lines)

Copy link
Member

@seanjmullan seanjmullan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I reviewed some of it, so far just a few minor comments. Will need another day or two to finish reviewing.

@jrihtarsic
Copy link
Contributor Author

@seanjmullan Thank you for checking it. And no worries about time. I'd rather see my code thoroughly vetted by a security expert than to skip/miss some security issues or bugs. So take as much time as you need.

Copy link
Member

@seanjmullan seanjmullan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still reviewing, but here are some more comments.

@jrihtarsic jrihtarsic requested a review from seanjmullan May 2, 2024 06:07
Copy link
Member

@seanjmullan seanjmullan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updates looks good.

@coheigea
Copy link
Contributor

coheigea commented May 8, 2024

@seanjmullan Is it ready to be merged from your PoV?

@coheigea
Copy link
Contributor

coheigea commented May 8, 2024

@jrihtarsic There is a build error:

[INFO] -------------------------------------------------------------
Error:  COMPILATION ERROR : 
[INFO] -------------------------------------------------------------
Error:  /home/runner/work/santuario-xml-security-java/santuario-xml-security-java/src/test/java/org/apache/xml/security/test/dom/encryption/XMLCipherTest.java:[581,58] ConcatKDFParams(int,java.lang.String) has protected access in org.apache.xml.security.encryption.params.ConcatKDFParams
Error:  /home/runner/work/santuario-xml-security-java/santuario-xml-security-java/src/test/java/org/apache/xml/security/test/dom/encryption/XMLEncryption11BrainpoolTest.java:[123,58] ConcatKDFParams(int,java.lang.String) has protected access in org.apache.xml.security.encryption.params.ConcatKDFParams

@jrihtarsic
Copy link
Contributor Author

The branch is now updated with latest changes from the main, the build after the merge should pass now.

@seanjmullan
Copy link
Member

@seanjmullan Is it ready to be merged from your PoV?

Yes, although I think we should try to add the secureValidation mode support before we post the next release.

@jrihtarsic
Copy link
Contributor Author

jrihtarsic commented May 15, 2024

Yes, although I think we should try to add the secureValidation mode support before we post the next release.
@seanjmullan I can make the PR for this by the end of the next week.
The scope is shortly described here: SANTUARIO-620, please let me know if I should implement anything else.

@coheigea
Copy link
Contributor

@jrihtarsic Do you need this merged to 3.0.x as well?

@jrihtarsic
Copy link
Contributor Author

@jrihtarsic Do you need this merged to 3.0.x as well?

@coheigea, yes indeed we would need it in 3.0.x so that we can use the latest feature with current apache/cxf

@coheigea coheigea merged commit d8c9e86 into apache:main May 27, 2024
3 checks passed
coheigea pushed a commit that referenced this pull request May 27, 2024
* HKDF derivation function

* HKDF derivation function updates

* PR updates (docs and clean empty lines)

* Revert cleaning the code: empty lines from commit 491a7d3

* PR: Update comments

* Fix PR comments

* Fix PR comments

* change XMLSecurityException with XMLEncryptionException for XMLCipherUtils.constructKeyDerivationParameter

* fx the type in the documentation

* Update branch with changes on main 'main' to fix build after merge

* Rename the confusing overloading of methods KeyUtils.deriveKeyEncryptionKey

* Remove XMLChipper.getJCEMacHashForUri URI/JCE name mapping and reuse JCEMapper.translateURItoJCEID

---------

Co-authored-by: RIHTARSIC Joze <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants