[jira] [Updated] (CXF-8126) Support for Key Agreement using ECDH-ES

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jira] [Updated] (CXF-8126) Support for Key Agreement using ECDH-ES

Colm O hEigeartaigh (Jira)

     [ https://issues.apache.org/jira/browse/CXF-8126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Cosmin Baciu updated CXF-8126:
------------------------------
    Description:
Hi,

We are using CXF 3.2.6 and WS-Security for encryption.

We would like to use ECDH-ES for the Key Agreement. We did an investigation to check if CXF/WSS4J supports it and the result was negative. We could only find references to ECDH in the Jose modue.

Would it be possible to confirm the result of our investigation?

If indeed it's not yet supported would it be possible to give us some hints how to support it? 

Please find below an example of the <ds:KeyInfo> section(extracted from [https://www.w3.org/TR/xmlenc-core1/#sec-ECDH-ES]) using ECDH-ES for the Key Agreement.

 
{code:java}
<ds:KeyInfo>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes128"/>
      <!-- describes the key encryption key -->
      <ds:KeyInfo>
        <xenc:AgreementMethod Algorithm="http://www.w3.org/2009/xmlenc11#ECDH-ES">
          <xenc11:KeyDerivationMethod Algorithm="http://www.w3.org/2009/xmlenc11#ConcatKDF">
            <xenc11:ConcatKDFParams AlgorithmID="00" PartyUInfo="" PartyVInfo="">
              <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            </xenc11:ConcatKDFParams>
          </xenc11:KeyDerivationMethod>
          <xenc:OriginatorKeyInfo>
            <ds:KeyValue>
              <dsig11:ECKeyValue>
                <!-- ephemeral ECC public key of the originator -->
              </dsig11:ECKeyValue>
            </ds:KeyValue>
          </xenc:OriginatorKeyInfo>
          <xenc:RecipientKeyInfo>
            <ds:X509Data>
              <ds:X509SKI></ds:X509SKI>
              <!-- hint for the recipient's private key -->
            </ds:X509Data>
          </xenc:RecipientKeyInfo>
        </xenc:AgreementMethod>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue><!-- encrypted AES content encryption key --></xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedKey>
  </ds:KeyInfo>{code}

  was:
Hi,

We are using CXF 3.2.6 and WS-Security for encryption.

We would like to use ECDH-ES for the Key Agreement. We did an investigation to check if CXF/WSS4J supports it and the result was negative. We could only find references to ECDH in the Jose modue.

Would it be possible to confirm the result of our investigation?

If indeed it's not yet supported would it be possible to give us some hints how to support it? 

Please find below an example of the <ds:KeyInfo> section(extracted from [https://www.w3.org/TR/xmlenc-core1/#sec-ECDH-ES]) using ECDH-ES for the Key Agreement.

 
<ds:KeyInfo><xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes128"/><!-- describes the key encryption key --><ds:KeyInfo><xenc:AgreementMethod Algorithm="http://www.w3.org/2009/xmlenc11#ECDH-ES"><xenc11:KeyDerivationMethod Algorithm="http://www.w3.org/2009/xmlenc11#ConcatKDF"><xenc11:ConcatKDFParams AlgorithmID="00" PartyUInfo="" PartyVInfo=""><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></xenc11:ConcatKDFParams></xenc11:KeyDerivationMethod><xenc:OriginatorKeyInfo><ds:KeyValue><dsig11:ECKeyValue><!-- ephemeral ECC public key of the originator --></dsig11:ECKeyValue></ds:KeyValue></xenc:OriginatorKeyInfo><xenc:RecipientKeyInfo><ds:X509Data><ds:X509SKI></ds:X509SKI><!-- hint for the recipient's private key --></ds:X509Data></xenc:RecipientKeyInfo></xenc:AgreementMethod></ds:KeyInfo><xenc:CipherData><xenc:CipherValue><!-- encrypted AES content encryption key --></xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey></ds:KeyInfo>


> Support for Key Agreement using ECDH-ES
> ---------------------------------------
>
>                 Key: CXF-8126
>                 URL: https://issues.apache.org/jira/browse/CXF-8126
>             Project: CXF
>          Issue Type: New Feature
>          Components: WS-* Components
>    Affects Versions: 3.2.6
>            Reporter: Cosmin Baciu
>            Priority: Major
>
> Hi,
> We are using CXF 3.2.6 and WS-Security for encryption.
> We would like to use ECDH-ES for the Key Agreement. We did an investigation to check if CXF/WSS4J supports it and the result was negative. We could only find references to ECDH in the Jose modue.
> Would it be possible to confirm the result of our investigation?
> If indeed it's not yet supported would it be possible to give us some hints how to support it? 
> Please find below an example of the <ds:KeyInfo> section(extracted from [https://www.w3.org/TR/xmlenc-core1/#sec-ECDH-ES]) using ECDH-ES for the Key Agreement.
>  
> {code:java}
> <ds:KeyInfo>
>     <xenc:EncryptedKey>
>       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes128"/>
>       <!-- describes the key encryption key -->
>       <ds:KeyInfo>
>         <xenc:AgreementMethod Algorithm="http://www.w3.org/2009/xmlenc11#ECDH-ES">
>           <xenc11:KeyDerivationMethod Algorithm="http://www.w3.org/2009/xmlenc11#ConcatKDF">
>             <xenc11:ConcatKDFParams AlgorithmID="00" PartyUInfo="" PartyVInfo="">
>               <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>             </xenc11:ConcatKDFParams>
>           </xenc11:KeyDerivationMethod>
>           <xenc:OriginatorKeyInfo>
>             <ds:KeyValue>
>               <dsig11:ECKeyValue>
>                 <!-- ephemeral ECC public key of the originator -->
>               </dsig11:ECKeyValue>
>             </ds:KeyValue>
>           </xenc:OriginatorKeyInfo>
>           <xenc:RecipientKeyInfo>
>             <ds:X509Data>
>               <ds:X509SKI></ds:X509SKI>
>               <!-- hint for the recipient's private key -->
>             </ds:X509Data>
>           </xenc:RecipientKeyInfo>
>         </xenc:AgreementMethod>
>       </ds:KeyInfo>
>       <xenc:CipherData>
>         <xenc:CipherValue><!-- encrypted AES content encryption key --></xenc:CipherValue>
>       </xenc:CipherData>
>     </xenc:EncryptedKey>
>   </ds:KeyInfo>{code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)