From 5222180ea4b884b843b792dc4d64cfab9553765e Mon Sep 17 00:00:00 2001 From: Miguel Company Date: Fri, 22 Nov 2024 12:26:06 +0100 Subject: [PATCH 1/6] Refs #19921. Add new `preferred_key_agreement` property to auth plugin section. Signed-off-by: Miguel Company --- docs/fastdds/security/auth_plugin/auth_plugin.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/fastdds/security/auth_plugin/auth_plugin.rst b/docs/fastdds/security/auth_plugin/auth_plugin.rst index 3bbb6045d..b3b081dc4 100644 --- a/docs/fastdds/security/auth_plugin/auth_plugin.rst +++ b/docs/fastdds/security/auth_plugin/auth_plugin.rst @@ -56,6 +56,12 @@ The following table outlines the properties used for the DDS:\Auth\:PKI-DH plugi If the *password* property is not present, then the value supplied in the |br| *private_key* property must contain the decrypted private key. |br| The *password* property is ignored if the *private_key* is given in PKCS#11 scheme. + * - preferred_key_agreement *(optional)* + - The preferred algorithm to use for generating the session's shared secret |br| + at the end of the authentication phase. Supported values are: |br| + a) ``DH``, ``DH+MODP-2048-256`` for Diffie-Hellman Ephemeral with 2048-bit MODP Group parameters. |br| + b) ``ECDH``, ``ECDH+prime256v1-CEUM`` for Elliptic Curve Diffie-Hellman Ephemeral with the NIST P-256 curve. |br| + Will default to ``ECDH`` if the property is not present. .. note:: All listed properties have "dds.sec.auth.builtin.PKI-DH." prefix. From c26746747f7e60305035414035898f2cede3c9e5 Mon Sep 17 00:00:00 2001 From: Miguel Company Date: Fri, 22 Nov 2024 12:50:45 +0100 Subject: [PATCH 2/6] Refs #19921. Add new `preferred_key_agreement` property to property policies section. Signed-off-by: Miguel Company --- docs/fastdds/property_policies/security.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/fastdds/property_policies/security.rst b/docs/fastdds/property_policies/security.rst index 7c593a978..a7092e932 100644 
--- a/docs/fastdds/property_policies/security.rst +++ b/docs/fastdds/property_policies/security.rst @@ -42,6 +42,12 @@ The following table outlines the properties used for the :ref:`DDS\:Auth\:PKI-DH If the *password* property is not present, then the value supplied in the |br| *private_key* property must contain the decrypted private key. |br| The *password* property is ignored if the *private_key* is given in PKCS#11 scheme. + * - preferred_key_agreement *(optional)* + - The preferred algorithm to use for generating the session's shared secret |br| + at the end of the authentication phase. Supported values are: |br| + a) ``DH``, ``DH+MODP-2048-256`` for Diffie-Hellman Ephemeral with 2048-bit MODP Group parameters. |br| + b) ``ECDH``, ``ECDH+prime256v1-CEUM`` for Elliptic Curve Diffie-Hellman Ephemeral with the NIST P-256 curve. |br| + Will default to ``ECDH`` if the property is not present. .. note:: All properties listed above have the ``dds.sec.auth.builtin.PKI-DH."`` prefix. From 48887abf7b27a235fcc8ba397ebbc42279723d30 Mon Sep 17 00:00:00 2001 From: Miguel Company Date: Fri, 22 Nov 2024 13:00:37 +0100 Subject: [PATCH 3/6] Refs #19921. Add new `preferred_key_agreement` property to snippets. Signed-off-by: Miguel Company --- code/DDSCodeTester.cpp | 3 +++ code/XMLTester.xml | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/code/DDSCodeTester.cpp b/code/DDSCodeTester.cpp index 08b229b9c..58dda0b94 100644 --- a/code/DDSCodeTester.cpp +++ b/code/DDSCodeTester.cpp @@ -642,6 +642,9 @@ void dds_domain_examples() pqos.properties().properties().emplace_back( "dds.sec.auth.builtin.PKI-DH.password", "domainParticipantPassword"); + pqos.properties().properties().emplace_back( + "dds.sec.auth.builtin.PKI-DH.preferred_key_agreement", + "ECDH"); //!-- } { diff --git a/code/XMLTester.xml b/code/XMLTester.xml index ea249964c..40fab6886 100644 --- a/code/XMLTester.xml +++ b/code/XMLTester.xml 
@@ -3050,6 +3050,10 @@ dds.sec.auth.builtin.PKI-DH.password domainParticipantPassword + + dds.sec.auth.builtin.PKI-DH.preferred_key_agreement + ECDH + From 28d33348468ff26cf36421f13be64f0feb4067f4 Mon Sep 17 00:00:00 2001 From: Miguel Company Date: Mon, 25 Nov 2024 08:41:04 +0100 Subject: [PATCH 4/6] Refs #19921. Fix doc8. Signed-off-by: Miguel Company --- docs/fastdds/property_policies/security.rst | 8 ++++---- docs/fastdds/security/auth_plugin/auth_plugin.rst | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/fastdds/property_policies/security.rst b/docs/fastdds/property_policies/security.rst index a7092e932..52db37303 100644 --- a/docs/fastdds/property_policies/security.rst +++ b/docs/fastdds/property_policies/security.rst @@ -42,12 +42,12 @@ The following table outlines the properties used for the :ref:`DDS\:Auth\:PKI-DH If the *password* property is not present, then the value supplied in the |br| *private_key* property must contain the decrypted private key. |br| The *password* property is ignored if the *private_key* is given in PKCS#11 scheme. - * - preferred_key_agreement *(optional)* + * - ``preferred_key_agreement`` *(optional)* - The preferred algorithm to use for generating the session's shared secret |br| at the end of the authentication phase. Supported values are: |br| - a) ``DH``, ``DH+MODP-2048-256`` for Diffie-Hellman Ephemeral with 2048-bit MODP Group parameters. |br| - b) ``ECDH``, ``ECDH+prime256v1-CEUM`` for Elliptic Curve Diffie-Hellman Ephemeral with the NIST P-256 curve. |br| - Will default to ``ECDH`` if the property is not present. + a) ``DH``, ``DH+MODP-2048-256`` for Diffie-Hellman Ephemeral with 2048-bit MODP Group parameters. |br| + b) ``ECDH``, ``ECDH+prime256v1-CEUM`` for Elliptic Curve Diffie-Hellman Ephemeral with the NIST P-256 curve. |br| + Will default to ``ECDH`` if the property is not present. .. note:: All properties listed above have the ``dds.sec.auth.builtin.PKI-DH."`` prefix. 
diff --git a/docs/fastdds/security/auth_plugin/auth_plugin.rst b/docs/fastdds/security/auth_plugin/auth_plugin.rst index b3b081dc4..f818bddd3 100644 --- a/docs/fastdds/security/auth_plugin/auth_plugin.rst +++ b/docs/fastdds/security/auth_plugin/auth_plugin.rst @@ -59,9 +59,9 @@ The following table outlines the properties used for the DDS:\Auth\:PKI-DH plugi * - preferred_key_agreement *(optional)* - The preferred algorithm to use for generating the session's shared secret |br| at the end of the authentication phase. Supported values are: |br| - a) ``DH``, ``DH+MODP-2048-256`` for Diffie-Hellman Ephemeral with 2048-bit MODP Group parameters. |br| - b) ``ECDH``, ``ECDH+prime256v1-CEUM`` for Elliptic Curve Diffie-Hellman Ephemeral with the NIST P-256 curve. |br| - Will default to ``ECDH`` if the property is not present. + a) ``DH``, ``DH+MODP-2048-256`` for Diffie-Hellman Ephemeral with 2048-bit MODP Group parameters. |br| + b) ``ECDH``, ``ECDH+prime256v1-CEUM`` for Elliptic Curve Diffie-Hellman Ephemeral with the NIST P-256 curve. |br| + Will default to ``ECDH`` if the property is not present. .. note:: All listed properties have "dds.sec.auth.builtin.PKI-DH." prefix. From c43e0bd276834fa7a1be4bfa9119ec029e369e8c Mon Sep 17 00:00:00 2001 From: Miguel Company Date: Wed, 27 Nov 2024 09:42:37 +0100 Subject: [PATCH 5/6] Refs #22280. Apply suggestion. Signed-off-by: Miguel Company --- docs/fastdds/library_overview/includes/functionalities.rst | 3 ++- docs/fastdds/security/auth_plugin/auth_plugin.rst | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/fastdds/library_overview/includes/functionalities.rst b/docs/fastdds/library_overview/includes/functionalities.rst index b12f5897f..af7f07b34 100644 --- a/docs/fastdds/library_overview/includes/functionalities.rst +++ b/docs/fastdds/library_overview/includes/functionalities.rst 
@@ -40,7 +40,8 @@ Security * Authentication of remote DomainParticipants. The **DDS:Auth:PKI-DH** plugin provides authentication using a trusted Certificate Authority (CA) and ECDSA Digital Signature Algorithms to perform the mutual authentication. - It also establishes a shared secret using Elliptic Curve Diffie-Hellman (ECDH) Key Agreement protocol. + It also establishes a shared secret using either Elliptic Curve Diffie-Hellman (ECDH) or MODP-2048 Diffie-Hellman (DH) + as Key Agreement protocol. * Access control of entities. The **DDS:Access:Permissions** plugin provides access control to DomainParticipants at the DDS Domain and Topic level. * Encryption of data. diff --git a/docs/fastdds/security/auth_plugin/auth_plugin.rst b/docs/fastdds/security/auth_plugin/auth_plugin.rst index f818bddd3..1b7d4af7c 100644 --- a/docs/fastdds/security/auth_plugin/auth_plugin.rst +++ b/docs/fastdds/security/auth_plugin/auth_plugin.rst @@ -24,7 +24,8 @@ The authentication plugin implemented in Fast DDS is referred to as "DDS:\Auth\: `DDS Security `_ specification. The DDS:\Auth\:PKI-DH plugin uses a trusted *Certificate Authority* (CA) and the ECDSA Digital Signature Algorithms to perform the mutual authentication. -It also establishes a shared secret using Elliptic Curve Diffie-Hellman (ECDH) Key Agreement Methods. +It also establishes a shared secret using either Elliptic Curve Diffie-Hellman (ECDH) or MODP-2048 Diffie-Hellman (DH) +as Key Agreement protocol. This shared secret can be used by other security plugins as :ref:`crypto-aes-gcm-gmac`. The DDS:\Auth\:PKI-DH authentication plugin, can be activated setting the |DomainParticipantQos| From 59be02f5a85cae742ec13e8611b120f095a95af8 Mon Sep 17 00:00:00 2001 From: Miguel Company Date: Wed, 27 Nov 2024 10:15:08 +0100 Subject: [PATCH 6/6] Refs #19921. Add `AUTO` value to new option. 
Signed-off-by: Miguel Company --- docs/fastdds/property_policies/security.rst | 3 ++- docs/fastdds/security/auth_plugin/auth_plugin.rst | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/fastdds/property_policies/security.rst b/docs/fastdds/property_policies/security.rst index 52db37303..81b97b6fd 100644 --- a/docs/fastdds/property_policies/security.rst +++ b/docs/fastdds/property_policies/security.rst @@ -47,7 +47,8 @@ The following table outlines the properties used for the :ref:`DDS\:Auth\:PKI-DH at the end of the authentication phase. Supported values are: |br| a) ``DH``, ``DH+MODP-2048-256`` for Diffie-Hellman Ephemeral with 2048-bit MODP Group parameters. |br| b) ``ECDH``, ``ECDH+prime256v1-CEUM`` for Elliptic Curve Diffie-Hellman Ephemeral with the NIST P-256 curve. |br| - Will default to ``ECDH`` if the property is not present. + c) ``AUTO`` for selecting the key agreement based on the signature algorithm in the Identity CA's certificate. |br| + Will default to ``AUTO`` if the property is not present. .. note:: All properties listed above have the ``dds.sec.auth.builtin.PKI-DH."`` prefix. diff --git a/docs/fastdds/security/auth_plugin/auth_plugin.rst b/docs/fastdds/security/auth_plugin/auth_plugin.rst index 1b7d4af7c..96de66885 100644 --- a/docs/fastdds/security/auth_plugin/auth_plugin.rst +++ b/docs/fastdds/security/auth_plugin/auth_plugin.rst 
@@ -62,7 +62,8 @@ The following table outlines the properties used for the DDS:\Auth\:PKI-DH plugi at the end of the authentication phase. Supported values are: |br| a) ``DH``, ``DH+MODP-2048-256`` for Diffie-Hellman Ephemeral with 2048-bit MODP Group parameters. |br| b) ``ECDH``, ``ECDH+prime256v1-CEUM`` for Elliptic Curve Diffie-Hellman Ephemeral with the NIST P-256 curve. |br| - Will default to ``ECDH`` if the property is not present. + c) ``AUTO`` for selecting the key agreement based on the signature algorithm in the Identity CA's certificate. |br| + Will default to ``AUTO`` if the property is not present. .. note:: All listed properties have "dds.sec.auth.builtin.PKI-DH." prefix.
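Review bot: In the PATCH 1/6 hunk for docs/fastdds/security/auth_plugin/auth_plugin.rst, the new row lists ``DH`` next to ``DH+MODP-2048-256`` and ``ECDH`` next to ``ECDH+prime256v1-CEUM`` without saying how the two forms relate, so a reader cannot tell whether the short names are aliases or a separate, looser setting. State it explicitly, e.g. "``DH`` (alias of ``DH+MODP-2048-256``)", and, since the property is called *preferred*, add one sentence on what happens when two participants configure different values (whether the choice is negotiated during the handshake or must match on both sides), because that is what an operator rolling this out across a mixed fleet needs to know.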
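Review bot: In the PATCH 2/6 hunk for docs/fastdds/property_policies/security.rst, the unchanged ``.. note::`` context renders the prefix as ``dds.sec.auth.builtin.PKI-DH."`` with a stray trailing ``"`` inside the literal, while the auth_plugin.rst note in PATCH 1/6 writes the same prefix in plain quotes as "dds.sec.auth.builtin.PKI-DH.". Since this series touches both tables, drop the stray quote and use the same literal formatting in both notes so the documented property prefix is copy-pasteable.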
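Review bot: In the PATCH 3/6 hunk for code/DDSCodeTester.cpp, the snippet sets ``dds.sec.auth.builtin.PKI-DH.preferred_key_agreement`` to ``"ECDH"`` with no comment, and PATCH 6/6 later makes ``AUTO`` the default, so a reader of the rendered example may assume ``ECDH`` must be set. A one-line comment above the ``emplace_back`` saying that the property is optional and that this value overrides the automatic selection would make the tested snippet self-explanatory.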
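Review bot: In the PATCH 4/6 hunk for docs/fastdds/security/auth_plugin/auth_plugin.rst, the doc8 fix re-indents the three continuation lines but leaves the row header as plain ``* - preferred_key_agreement *(optional)*``, whereas the companion hunk for security.rst in the same patch changes it to ``* - ``preferred_key_agreement`` *(optional)*``. Apply the same double-backtick literal here so the two tables format the property name identically.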
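Review bot: In the PATCH 5/6 hunk for docs/fastdds/library_overview/includes/functionalities.rst, the new line "either Elliptic Curve Diffie-Hellman (ECDH) or MODP-2048 Diffie-Hellman (DH) as Key Agreement protocol" reads awkwardly and names the group differently from the table (``DH+MODP-2048-256``). Suggest "as the key agreement protocol" and "2048-bit MODP Diffie-Hellman (DH)" so the overview and the property table use one name for the same group.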
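Review bot: In the PATCH 5/6 hunk for docs/fastdds/security/auth_plugin/auth_plugin.rst, the rewritten sentence says the plugin uses either ECDH or DH but does not say what decides between them, even though this same file gains the ``preferred_key_agreement`` property earlier in the series. Add a short cross-reference after "as Key Agreement protocol." pointing at that property (and the ``AUTO`` behaviour from PATCH 6/6) so the overview paragraph and the property table tell one story.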
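Review bot: In the PATCH 6/6 hunk for docs/fastdds/property_policies/security.rst, the ``AUTO`` entry says the key agreement is chosen "based on the signature algorithm in the Identity CA's certificate" but never states the mapping, so a reader cannot predict which algorithm a given CA certificate produces; spell out which signature algorithm selects ``DH`` and which selects ``ECDH``. This hunk also silently moves the default from ``ECDH`` (as introduced in PATCH 1/6) to ``AUTO``; say so explicitly in the row so deployments that depend on ECDH know to pin ``ECDH`` rather than rely on the default.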
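Review bot: In the PATCH 6/6 hunk for docs/fastdds/security/auth_plugin/auth_plugin.rst, "c) ``AUTO`` for selecting the key agreement based on ..." does not parallel items a) and b), which name the algorithm the value maps to. Rephrase as "c) ``AUTO`` selects ``DH`` or ``ECDH`` according to the signature algorithm of the Identity CA's certificate" and keep the wording identical in the security.rst table, which currently carries the same sentence.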