Implementation of the HKDF derivation function #271

Merged
merged 16 commits into from
May 27, 2024

Contributor

@jrihtarsic jrihtarsic commented Jan 19, 2024

Purpose of the PR is to implement support for the HMAC-based Extract-and-Expand Key Derivation Function (HKDF [RFC5869]) used by the KeyAgreement method.
The details of the PR are in the ticket SANTUARIO-607

The code is contributed on behalf of the European Commission’s edelivery project to support eDelivery AS4 2.0 profile.

@jrihtarsic
Contributor Author

jrihtarsic commented Jan 19, 2024

@coheigea please note that we did not yet receive final feedback from IETF regarding the HKDF scheme. For now we are using the one defined below:
src/main/resources/bindings/schemas/dsig-more_2021_04.xsd

I will let you know when this PR will be finalized for the review.

@jrihtarsic
Contributor Author

Hi @coheigea I want to inform you that the update for HKDF xsd scheme for RFC9231
https://datatracker.ietf.org/doc/draft-eastlake-rfc9231bis-xmlsec-uris/
was accepted and the PR can be reviewed now.

Contributor

@coheigea coheigea left a comment

@seanjmullan Can you have a look as well please?

@coheigea
Contributor

@jrihtarsic I'm going to call a vote on 4.0.2/3.0.4 to get the Key Agreement feature released and unblock the next CXF release. The HKDF will have to wait until the next release.

@jrihtarsic jrihtarsic requested a review from coheigea February 16, 2024 08:54
@jrihtarsic
Contributor Author

@coheigea understand and thanks for the info. I look forward to the first version of the key agreement option as part of the cxf.

@seanjmullan
Member

> @seanjmullan Can you have a look as well please?

I can try to look at this over the next couple of weeks. I was off work for a while so I am still catching up with things.

@coheigea
Contributor

@seanjmullan Just a reminder please, as this PR blocks another PR in WSS4J

@coheigea
Contributor

@jrihtarsic Can you remove the whitespace changes in this PR? It makes it difficult to get to the actual changes

@jrihtarsic
Contributor Author

I reverted the "cleaning of the code" (empty lines) from commit PR updates (docs and clean empty lines)

Member

@seanjmullan seanjmullan left a comment

I reviewed some of it, so far just a few minor comments. Will need another day or two to finish reviewing.

@jrihtarsic
Contributor Author

@seanjmullan Thank you for checking it. And no worries about time. I'd rather see my code thoroughly vetted by a security expert than to skip/miss some security issues or bugs. So take as much time as you need.

Member

@seanjmullan seanjmullan left a comment

Still reviewing, but here are some more comments.

@jrihtarsic jrihtarsic requested a review from seanjmullan May 2, 2024 06:07
Member

@seanjmullan seanjmullan left a comment

Updates look good.

@coheigea
Contributor

coheigea commented May 8, 2024

@seanjmullan Is it ready to be merged from your PoV?

@coheigea
Contributor

coheigea commented May 8, 2024

@jrihtarsic There is a build error:

[INFO] -------------------------------------------------------------
Error:  COMPILATION ERROR : 
[INFO] -------------------------------------------------------------
Error:  /home/runner/work/santuario-xml-security-java/santuario-xml-security-java/src/test/java/org/apache/xml/security/test/dom/encryption/XMLCipherTest.java:[581,58] ConcatKDFParams(int,java.lang.String) has protected access in org.apache.xml.security.encryption.params.ConcatKDFParams
Error:  /home/runner/work/santuario-xml-security-java/santuario-xml-security-java/src/test/java/org/apache/xml/security/test/dom/encryption/XMLEncryption11BrainpoolTest.java:[123,58] ConcatKDFParams(int,java.lang.String) has protected access in org.apache.xml.security.encryption.params.ConcatKDFParams

@jrihtarsic
Contributor Author

The branch is now updated with latest changes from the main, the build after the merge should pass now.

@seanjmullan
Member

> @seanjmullan Is it ready to be merged from your PoV?

Yes, although I think we should try to add the secureValidation mode support before we post the next release.

@jrihtarsic
Contributor Author

jrihtarsic commented May 15, 2024

> Yes, although I think we should try to add the secureValidation mode support before we post the next release.

@seanjmullan I can make the PR for this by the end of the next week.
The scope is shortly described here: SANTUARIO-620, please let me know if I should implement anything else.

@coheigea
Contributor

@jrihtarsic Do you need this merged to 3.0.x as well?

@jrihtarsic
Contributor Author

> @jrihtarsic Do you need this merged to 3.0.x as well?

@coheigea, yes indeed we would need it in 3.0.x so that we can use the latest feature with current apache/cxf

@coheigea coheigea merged commit d8c9e86 into apache:main May 27, 2024
3 checks passed
coheigea pushed a commit that referenced this pull request May 27, 2024
* HKDF derivation function

* HKDF derivation function updates

* PR updates (docs and clean empty lines)

* Revert cleaning the code: empty lines from commit 491a7d3

* PR: Update comments

* Fix PR comments

* Fix PR comments

* change XMLSecurityException with XMLEncryptionException for XMLCipherUtils.constructKeyDerivationParameter

* fx the type in the documentation

* Update branch with changes on main 'main' to fix build after merge

* Rename the confusing overloading of methods KeyUtils.deriveKeyEncryptionKey

* Remove XMLChipper.getJCEMacHashForUri URI/JCE name mapping and reuse JCEMapper.translateURItoJCEID

---------

Co-authored-by: RIHTARSIC Joze <joze.rihtarsic@ext.ec.europa.eu>