Updates to Group OSCORE after recent interoperability testing

Interop testing was done during the IETF 116 Hackathon. Main changes: - Changed logic for selection of HKDF to use for derivation of pairwise keys & keystream - Support for empty credential for Group Manager (if no GM is used) Signed-off-by: Rikard Höglund <rikard.hoglund@ri.se>
rikard-sics · Apr 16, 2023 · 49a78a6 · 49a78a6
1 parent 2e9adfe
commit 49a78a6
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 16 deletions.
diff --git a/californium-extended/cf-oscore/src/main/java/org/eclipse/californium/oscore/Decryptor.java b/californium-extended/cf-oscore/src/main/java/org/eclipse/californium/oscore/Decryptor.java
@@ -33,6 +33,7 @@
 
 import com.upokecenter.cbor.CBORObject;
 
+import org.eclipse.californium.cose.AlgorithmID;
 import org.eclipse.californium.cose.Attribute;
 import org.eclipse.californium.cose.CoseException;
 import org.eclipse.californium.cose.CounterSign1;
@@ -83,6 +84,7 @@ protected static byte[] decryptAndDecode(Encrypt0Message enc, Message message, O
 		byte[] partialIV = null;
 		byte[] aad = null;
 
+		AlgorithmID decryptionAlg = ctx.getAlg();
 		CBORObject piv = enc.findAttribute(HeaderKeys.PARTIAL_IV);
 
 		if (isRequest) {
@@ -164,6 +166,7 @@ protected static byte[] decryptAndDecode(Encrypt0Message enc, Message message, O
 
 			// If group mode is used prepare the signature checking
 			if (groupModeMessage) {
+				decryptionAlg = ((GroupRecipientCtx) ctx).getAlgSignEnc();
 				// Decrypt the signature.
 				if (isRequest || piv != null) {
 					byte[] pivFromMessage = enc.findAttribute(HeaderKeys.PARTIAL_IV).GetByteString();
@@ -192,7 +195,7 @@ protected static byte[] decryptAndDecode(Encrypt0Message enc, Message message, O
 
 		try {
 			// TODO: Get and set Recipient ID (KID) here too?
-			enc.addAttribute(HeaderKeys.Algorithm, ctx.getAlg().AsCBOR(), Attribute.DO_NOT_SEND);
+			enc.addAttribute(HeaderKeys.Algorithm, decryptionAlg.AsCBOR(), Attribute.DO_NOT_SEND);
 			enc.addAttribute(HeaderKeys.IV, CBORObject.FromObject(nonce), Attribute.DO_NOT_SEND);
 			plaintext = enc.decrypt(key);
 
@@ -430,9 +433,9 @@ private static void decryptSignature(Encrypt0Message enc, CounterSign1 sign, Gro
 
 		// Derive the keystream
 		String digest = "";
-		if (ctx.getAlgKeyAgreement().toString().contains("HKDF_256")) {
+		if (ctx.getKdf().toString().contains("SHA_256")) {
 			digest = "SHA256";
-		} else if (ctx.getAlgKeyAgreement().toString().contains("HKDF_512")) {
+		} else if (ctx.getKdf().toString().contains("SHA_512")) {
 			digest = "SHA512";
 		}
 

diff --git a/californium-extended/cf-oscore/src/main/java/org/eclipse/californium/oscore/Encryptor.java b/californium-extended/cf-oscore/src/main/java/org/eclipse/californium/oscore/Encryptor.java
@@ -77,6 +77,8 @@ protected static byte[] encryptAndEncode(Encrypt0Message enc, OSCoreCtx ctx, Mes
 			throws OSException {
 		boolean isRequest = message instanceof Request;
 
+		AlgorithmID encryptionAlg = ctx.getAlg();
+
 		try {
 			byte[] key = ctx.getSenderKey();
 			byte[] partialIV = null;
@@ -161,6 +163,7 @@ protected static byte[] encryptAndEncode(Encrypt0Message enc, OSCoreCtx ctx, Mes
 					key = ((GroupSenderCtx) ctx).getPairwiseSenderKey(recipientRID);
 				} else {
 					// If group mode is used prepare adding the signature
+					encryptionAlg = ((GroupSenderCtx) ctx).getAlgSignEnc();
 					prepareSignature(enc, ctx, aad, message);
 				}
 
@@ -169,7 +172,7 @@ protected static byte[] encryptAndEncode(Encrypt0Message enc, OSCoreCtx ctx, Mes
 			enc.setExternal(aad);
 
 			enc.addAttribute(HeaderKeys.IV, CBORObject.FromObject(nonce), Attribute.DO_NOT_SEND);
-			enc.addAttribute(HeaderKeys.Algorithm, ctx.getAlg().AsCBOR(), Attribute.DO_NOT_SEND);
+			enc.addAttribute(HeaderKeys.Algorithm, encryptionAlg.AsCBOR(), Attribute.DO_NOT_SEND);
 
 			enc.encrypt(key);
 
@@ -411,9 +414,9 @@ private static void encryptSignature(Encrypt0Message enc, GroupSenderCtx ctx, by
 
 		// Derive the keystream
 		String digest = "";
-		if (ctx.getAlgKeyAgreement().toString().contains("HKDF_256")) {
+		if (ctx.getKdf().toString().contains("SHA_256")) {
 			digest = "SHA256";
-		} else if (ctx.getAlgKeyAgreement().toString().contains("HKDF_512")) {
+		} else if (ctx.getKdf().toString().contains("SHA_512")) {
 			digest = "SHA512";
 		}
 

diff --git a/...fornium-extended/cf-oscore/src/main/java/org/eclipse/californium/oscore/OSSerializer.java b/...fornium-extended/cf-oscore/src/main/java/org/eclipse/californium/oscore/OSSerializer.java
@@ -347,9 +347,12 @@ public static byte[] updateAADForGroup(OSCoreCtx ctx, byte[] aadBytes, Message m
 		groupAadEnc.Add(CBORObject.FromObject(senderPublicKey));
 
 		// Add the Group Manager's public key
-		// System.out.println("Sender public key: " +
-		// Utils.bytesToHex(senderPublicKey));
-		groupAadEnc.Add(CBORObject.FromObject(gmPublicKey));
+		// System.out.println("gmPublicKey: " + Utils.bytesToHex(gmPublicKey));
+		if (gmPublicKey == null || gmPublicKey.length == 0) {
+			groupAadEnc.Add(CBORObject.Null);
+		} else {
+			groupAadEnc.Add(gmPublicKey);
+		}
 
 		return groupAadEnc.EncodeToBytes();
 	}

diff --git a/...rnium-extended/cf-oscore/src/main/java/org/eclipse/californium/oscore/group/GroupCtx.java b/...rnium-extended/cf-oscore/src/main/java/org/eclipse/californium/oscore/group/GroupCtx.java
@@ -363,9 +363,9 @@ public void addToDb(String uri, HashMapCtxDB db) throws OSException {
 	byte[] deriveGroupEncryptionKey() {
 
 		String digest = "";
-		if (algKeyAgreement.toString().contains("HKDF_256")) {
+		if (senderCtx.getKdf().toString().contains("SHA_256")) {
 			digest = "SHA256";
-		} else if (algKeyAgreement.toString().contains("HKDF_512")) {
+		} else if (senderCtx.getKdf().toString().contains("SHA_512")) {
 			digest = "SHA512";
 		}
 
@@ -402,9 +402,9 @@ byte[] derivePairwiseSenderKey(byte[] recipientId, byte[] recipientKey, OneKey r
 		}
 
 		String digest = "";
-		if (algKeyAgreement.toString().contains("HKDF_256")) {
+		if (senderCtx.getKdf().toString().contains("SHA_256")) {
 			digest = "SHA256";
-		} else if (algKeyAgreement.toString().contains("HKDF_512")) {
+		} else if (senderCtx.getKdf().toString().contains("SHA_512")) {
 			digest = "SHA512";
 		}
 
@@ -453,9 +453,9 @@ byte[] derivePairwiseRecipientKey(byte[] recipientId, byte[] recipientKey, OneKe
 		}
 
 		String digest = "";
-		if (algKeyAgreement.toString().contains("HKDF_256")) {
+		if (senderCtx.getKdf().toString().contains("SHA_256")) {
 			digest = "SHA256";
-		} else if (algKeyAgreement.toString().contains("HKDF_512")) {
+		} else if (senderCtx.getKdf().toString().contains("SHA_512")) {
 			digest = "SHA512";
 		}
 

diff --git a/...nded/cf-oscore/src/test/java/org/eclipse/californium/oscore/group/GroupOscoreCtxTest.java b/...nded/cf-oscore/src/test/java/org/eclipse/californium/oscore/group/GroupOscoreCtxTest.java
@@ -168,7 +168,8 @@ public void testContextDerivationSha512() throws OSException {
 		assertArrayEquals("Incorrect GM public key", gmPublicKey, commonCtx.getGmPublicKey());
 		assertArrayEquals("Incorrect master secret", master_secret, commonCtx.getSenderCtx().getMasterSecret());
 
-		byte[] correctGroupEncryptionKey = StringUtil.hex2ByteArray("b2a2df8dca9627613f8a2a9ec7a256c6");
+		byte[] correctGroupEncryptionKey = StringUtil.hex2ByteArray("eaedbbcd9dd887cbe2294fd05b08b43c");
+
 		assertArrayEquals("Incorrect group encryption key", correctGroupEncryptionKey,
 				commonCtx.getGroupEncryptionKey());