You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2019/10/08 08:50:00 UTC

[jira] [Commented] (CXF-8126) Support for Key Agreement using ECDH-ES

    [ https://issues.apache.org/jira/browse/CXF-8126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16946636#comment-16946636 ] 

Colm O hEigeartaigh commented on CXF-8126:
------------------------------------------

Hi,

It's correct that CXF / WSS4J do not support Key Agreement. The underlying reason is that it is not supported in Apache Santuario, which provides the XML Encryption implementation:

[https://github.com/apache/santuario-java]

If you are interested, please consider creating a pull request for this feature there and I will review it.

Colm.

> Support for Key Agreement using ECDH-ES
> ---------------------------------------
>
>                 Key: CXF-8126
>                 URL: https://issues.apache.org/jira/browse/CXF-8126
>             Project: CXF
>          Issue Type: New Feature
>          Components: WS-* Components
>    Affects Versions: 3.2.6
>            Reporter: Cosmin Baciu
>            Priority: Major
>
> Hi,
> We are using CXF 3.2.6 and WS-Security for encryption.
> We would like to use ECDH-ES for the Key Agreement. We did an investigation to check if CXF/WSS4J supports it and the result was negative. We could only find references to ECDH in the Jose modue.
> Would it be possible to confirm the result of our investigation?
> If indeed it's not yet supported would it be possible to give us some hints how to support it? 
> Please find below an example of the <ds:KeyInfo> section(extracted from [https://www.w3.org/TR/xmlenc-core1/#sec-ECDH-ES]) using ECDH-ES for the Key Agreement.
>  
> {code:java}
> <ds:KeyInfo>
>     <xenc:EncryptedKey>
>       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes128"/>
>       <!-- describes the key encryption key -->
>       <ds:KeyInfo>
>         <xenc:AgreementMethod Algorithm="http://www.w3.org/2009/xmlenc11#ECDH-ES">
>           <xenc11:KeyDerivationMethod Algorithm="http://www.w3.org/2009/xmlenc11#ConcatKDF">
>             <xenc11:ConcatKDFParams AlgorithmID="00" PartyUInfo="" PartyVInfo=""> 
>               <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
>             </xenc11:ConcatKDFParams>
>           </xenc11:KeyDerivationMethod>
>           <xenc:OriginatorKeyInfo>
>             <ds:KeyValue>
>               <dsig11:ECKeyValue>
>                 <!-- ephemeral ECC public key of the originator -->
>               </dsig11:ECKeyValue>
>             </ds:KeyValue>
>           </xenc:OriginatorKeyInfo>
>           <xenc:RecipientKeyInfo>
>             <ds:X509Data>
>               <ds:X509SKI></ds:X509SKI>
>               <!-- hint for the recipient's private key -->
>             </ds:X509Data>
>           </xenc:RecipientKeyInfo>
>         </xenc:AgreementMethod>
>       </ds:KeyInfo>
>       <xenc:CipherData>
>         <xenc:CipherValue><!-- encrypted AES content encryption key --></xenc:CipherValue>
>       </xenc:CipherData>
>     </xenc:EncryptedKey>
>   </ds:KeyInfo>{code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)