Allow for pluggable Concatenation Key Derivation Function
While the actual benefit of doing so seems somewhat dubious to a dilettante like myself, there has been interest expressed in allowing for the pluggable use of a different implementation of the Concatenation Key Derivation Function (using SHA-256) used by the ECDH JWE algorithms. This would, for example, permit using a FIPS-validated implementation, such as the one provided by the Bouncy Castle FIPS Java API, rather than the default implementation in jose4j.
In order to do this, as of v0.7.7, one needs to implement ConcatenationKeyDerivationFunctionWithSha256 and provide the fully-qualified name of the implementation class as the value of the system property org.jose4j.jwe.kdf.ConcatenationKeyDerivationFunctionWithSha256.

So, for example, this is an implementation using bc-fips 1.0.2:
```java
package com.somecompany.stuff;

import org.bouncycastle.crypto.KDFCalculator;
import org.bouncycastle.crypto.fips.FipsKDF;
import org.jose4j.jwe.kdf.ConcatenationKeyDerivationFunctionWithSha256;

public class BcFipsConcatKeyDerivationFunctionWithSha256 implements ConcatenationKeyDerivationFunctionWithSha256
{
    public byte[] kdf(byte[] sharedSecret, int keydatalen, byte[] otherInfo)
    {
        // Concatenation KDF with SHA-256: the ECDH shared secret is the
        // input secret and the encoded OtherInfo is passed as the IV.
        FipsKDF.AgreementKDFParameters kdfParams = FipsKDF
                .CONCATENATION
                .withPRF(FipsKDF.AgreementKDFPRF.SHA256)
                .using(sharedSecret)
                .withIV(otherInfo);

        FipsKDF.AgreementOperatorFactory agreementOperatorFactory = new FipsKDF.AgreementOperatorFactory();
        KDFCalculator<FipsKDF.AgreementKDFParameters> kdfCalculator = agreementOperatorFactory.createKDFCalculator(kdfParams);

        // keydatalen is given in bits, the output buffer is sized in bytes.
        byte[] derivedKeyMaterial = new byte[keydatalen / 8];
        kdfCalculator.generateBytes(derivedKeyMaterial);
        return derivedKeyMaterial;
    }
}
```
And setting the following system property before first use will tell jose4j’s KdfUtil to use it rather than its normal ConcatKeyDerivationFunction:

```
org.jose4j.jwe.kdf.ConcatenationKeyDerivationFunctionWithSha256=com.somecompany.stuff.BcFipsConcatKeyDerivationFunctionWithSha256
```
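A plugged-in KDF has to produce byte-for-byte the same output as the default one, otherwise ECDH-ES content cannot be decrypted by the other party. The following is an added example, not code from the issue or from jose4j: a JDK-only reference Concat KDF checked against the RFC 7518 Appendix C vector and used to compare a candidate at several key lengths. The `Kdf` interface and the class name `ConcatKdfCheck` are hypothetical stand-ins that mirror the `kdf(...)` signature shown above.

```java
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;

public class ConcatKdfCheck {
    // Hypothetical local mirror of the kdf(...) signature shown in the issue.
    interface Kdf { byte[] kdf(byte[] sharedSecret, int keydatalen, byte[] otherInfo); }

    // JDK-only single-step Concat KDF (NIST SP 800-56A) with SHA-256; keydatalen is in bits.
    static byte[] reference(byte[] z, int keydatalen, byte[] otherInfo) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            int rounds = (keydatalen + 255) / 256;
            ByteBuffer out = ByteBuffer.allocate(rounds * 32);
            for (int counter = 1; counter <= rounds; counter++) {
                sha256.update(ByteBuffer.allocate(4).putInt(counter).array()); // 32-bit big-endian counter
                sha256.update(z);
                sha256.update(otherInfo);
                out.put(sha256.digest()); // digest() also resets the MessageDigest
            }
            return Arrays.copyOf(out.array(), keydatalen / 8);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    static byte[] bytes(int... v) {
        byte[] b = new byte[v.length];
        for (int i = 0; i < v.length; i++) b[i] = (byte) v[i];
        return b;
    }

    // Throws if the candidate disagrees with the RFC 7518 Appendix C vector or with the reference.
    static void check(Kdf candidate) {
        byte[] z = bytes(158, 86, 217, 29, 129, 113, 53, 211, 114, 131, 66, 131, 191, 132, 38, 156,
                251, 49, 110, 163, 218, 128, 106, 72, 246, 218, 167, 121, 140, 254, 144, 196);
        byte[] otherInfo = bytes(0, 0, 0, 7, 65, 49, 50, 56, 71, 67, 77, 0, 0, 0, 5, 65, 108, 105, 99, 101,
                0, 0, 0, 3, 66, 111, 98, 0, 0, 0, 128); // "A128GCM", "Alice", "Bob", keydatalen 128
        String kat = Base64.getUrlEncoder().withoutPadding().encodeToString(candidate.kdf(z, 128, otherInfo));
        if (!kat.equals("VqqN6vgjbSBcIijNcacQGg")) throw new AssertionError("RFC 7518 vector mismatch: " + kat);
        // Constructed comparison inputs: 384 and 512 bits need a second hash round.
        for (int bits : new int[] {128, 192, 256, 384, 512})
            if (!Arrays.equals(candidate.kdf(z, bits, otherInfo), reference(z, bits, otherInfo)))
                throw new AssertionError("mismatch at keydatalen=" + bits);
    }

    public static void main(String[] args) {
        check(ConcatKdfCheck::reference); // pass the replacement's kdf method here instead
        System.out.println("Concat KDF output matches");
    }
}
```

To test the Bouncy Castle class above, put bc-fips and jose4j on the classpath and call `check(new BcFipsConcatKeyDerivationFunctionWithSha256()::kdf)`.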
Comments (6)
-
reporter - changed status to resolved
done with 988ef6d
-
reporter - changed status to closed
released with jose4j-0.7.7 - April 20, 2021