jrihtarsic commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1576234627
########## src/main/java/org/apache/xml/security/encryption/keys/content/derivedKey/HKDF.java: ########## @@ -0,0 +1,177 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * <p> + * http://www.apache.org/licenses/LICENSE-2.0 + * <p> + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.xml.security.encryption.keys.content.derivedKey; + +import org.apache.xml.security.encryption.XMLCipherUtil; +import org.apache.xml.security.exceptions.XMLSecurityException; + +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; +import java.nio.ByteBuffer; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; + +import static java.lang.System.Logger.Level.DEBUG; + +/** + * The implementation of the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) as defined in RFC 5869. + * <p> + * The HKDF algorithm is defined as follows: + * <pre> + * N = ceil(L/HashLen) + * T = T(1) | T(2) | T(3) | ... | T(N) + * OKM = first L bytes of T + * where: + * T(0) = empty string (zero length) + * T(1) = HMAC-Hash(PRK, T(0) | info | 0x01) + * T(2) = HMAC-Hash(PRK, T(1) | info | 0x02) + * T(3) = HMAC-Hash(PRK, T(2) | info | 0x03) + * ... + * </pre> + */ +public class HKDF implements DerivationAlgorithm { + + private static final System.Logger LOG = System.getLogger(HKDF.class.getName()); + private final String hmacHashAlgorithmURI; + private final Mac hmac; + + /** + * Constructor HKDF initializes the Mac object with the given algorithmURI and salt. + * + * @param hmacHashAlgorithmURI the Hash algorithm + * @param salt the salt value to initialize the MAC algorithm. + * @throws XMLSecurityException if the key derivation initialization fails for any reason + */ + public HKDF(String hmacHashAlgorithmURI, byte[] salt) throws XMLSecurityException { + this.hmacHashAlgorithmURI = hmacHashAlgorithmURI; + LOG.log(DEBUG, "Init HmacHash AlgorithmURI: [{}]", hmacHashAlgorithmURI); + hmac = initHMac(salt, true); + } + + /** + * Derives a key from the given secret and info. Method extracts the key and then expands it to the keyLength. + * + * @param secret The "shared" secret to use for key derivation + * @param info The "info" parameter for key derivation describing purpose or derivation key context + * @param offset the starting position in derived keying material of size: offset + keyLength + * @param keyLength The length of the key to derive + * @return the derived key using HKDF for the given parameters. + * @throws XMLSecurityException if the key derivation fails for any reason + */ + @Override + public byte[] deriveKey(byte[] secret, byte[] info, int offset, long keyLength) throws XMLSecurityException { Review Comment: Indeed it is hard to imagine key size to need long type. But the interface for DerivationAlgorithm was taken from ws-wss4 project https://github.com/apache/ws-wss4j/blob/master/ws-security-common/src/main/java/org/apache/wss4j/common/derivedKey/DerivationAlgorithm.java The idea behind was to reduce duplication of the code there (wss4j) and use methods from xmlsec .. to make wss4j slimmer/cleaner Anyhow will change to int. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@santuario.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
