New property to select preferred key agreement algorithm (#5413) (#5442) (#5444)

mergify[bot] · MiguelCompany · web-flow · commit fd74fc534498 · 2025-07-24T12:57:17.000+02:00
* New property to select preferred key agreement algorithm (#5413) * Refs #19921. Implement selection of key agreement. * Refs #19921. Change default to ECDH. * Refs #19921. Add unit test. * Refs #19921. Factor out duplicated publisher code on BB test. * Refs #19921. Factor out duplicated subscriber code on BB test. * Refs #19921. Add new parameter to BB test. * Refs #19921. Apply new parameter on publisher properties. * Refs #19921. Apply new parameter on subscriber properties. * Refs #19921. Improve emplace_back calls. * Refs #19921. Uncrustify. * Refs #22280. Use `DH` alias instead of `RSA`. * Refs #22280. Add new property to communication tests XML profiles. * Refs #22280. Fix unit test. * Refs #22280. Configure key agreement on BB test depending on process id. * Refs #19921. Add `AUTO` value to new option. * Refs #19921. Add `AUTO` value to blackbox test. * Refs #22280. Remove unused lambda capture. * Refs #22280. Fix failing blackbox tests. * Update versions.md --------- (cherry picked from commit 8a99a07) * Fix conflicts. * Change default value to `DH`. --------- Signed-off-by: Miguel Company <miguelcompany@eprosima.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> Co-authored-by: Miguel Company <miguelcompany@eprosima.com>
diff --git a/src/cpp/security/authentication/PKIDH.cpp b/src/cpp/security/authentication/PKIDH.cpp
@@ -54,6 +54,7 @@
 
 #include <cassert>
 #include <algorithm>
+#include <utility>
 
 #define S1(x) #x
 #define S2(x) S1(x)
@@ -1117,6 +1118,37 @@ ValidationResult_t PKIDH::validate_local_identity(
         password = &empty_password;
     }
 
+    std::string key_agreement_algorithm = DH_2048_256;
+    std::string* key_agreement_property =
+            PropertyPolicyHelper::find_property(auth_properties, "preferred_key_agreement");
+    if (nullptr != key_agreement_property)
+    {
+        const std::pair<std::string, std::string> key_agreement_allowed_values[] = {
+            {DH_2048_256, DH_2048_256},
+            {ECDH_prime256v1, ECDH_prime256v1},
+            {"ECDH", ECDH_prime256v1},
+            {"DH", DH_2048_256},
+            {"AUTO", "AUTO"}
+        };
+
+        key_agreement_algorithm = "";
+        for (const auto& allowed_value : key_agreement_allowed_values)
+        {
+            if (key_agreement_property->compare(allowed_value.first) == 0)
+            {
+                key_agreement_algorithm = allowed_value.second;
+                break;
+            }
+        }
+
+        if (key_agreement_algorithm.empty())
+        {
+            exception = _SecurityException_("Invalid key agreement algorithm '" + *key_agreement_property + "'");
+            EMERGENCY_SECURITY_LOGGING("PKIDH", exception.what());
+            return ValidationResult_t::VALIDATION_FAILED;
+        }
+    }
+
     PKIIdentityHandle* ih = &PKIIdentityHandle::narrow(*get_identity_handle(exception));
 
     (*ih)->store_ = load_identity_ca(*identity_ca, (*ih)->there_are_crls_, (*ih)->sn, (*ih)->algo,
@@ -1126,6 +1158,20 @@ ValidationResult_t PKIDH::validate_local_identity(
     {
         ERR_clear_error();
 
+        if (key_agreement_algorithm == "AUTO")
+        {
+            if ((*ih)->algo == RSA_SHA256)
+            {
+                key_agreement_algorithm = DH_2048_256;
+            }
+            else
+            {
+                key_agreement_algorithm = ECDH_prime256v1;
+            }
+        }
+
+        (*ih)->kagree_alg_ = key_agreement_algorithm;
+
         if (identity_crl != nullptr)
         {
             X509_CRL* crl = load_crl(*identity_crl, exception);
@@ -1332,7 +1378,6 @@ ValidationResult_t PKIDH::begin_handshake_request(
     bproperty.propagate(true);
     (*handshake_handle_aux)->handshake_message_.binary_properties().push_back(std::move(bproperty));
 
-    // TODO(Ricardo) Only support right now DH+MODP-2048-256
     // c.kagree_algo.
     bproperty.name("c.kagree_algo");
     bproperty.value().assign(lih->kagree_alg_.begin(),
@@ -1702,7 +1747,6 @@ ValidationResult_t PKIDH::begin_handshake_reply(
     bproperty.propagate(true);
     (*handshake_handle_aux)->handshake_message_.binary_properties().push_back(std::move(bproperty));
 
-    // TODO(Ricardo) Only support right now DH+MODP-2048-256
     // c.kagree_algo.
     bproperty.name("c.kagree_algo");
     bproperty.value().assign((*handshake_handle_aux)->kagree_alg_.begin(),
diff --git a/test/blackbox/common/BlackboxTestsSecurity.cpp b/test/blackbox/common/BlackboxTestsSecurity.cpp
diff --git a/test/dds/communication/security/secure_msg_crypto_besteffort_pub_profile.xml b/test/dds/communication/security/secure_msg_crypto_besteffort_pub_profile.xml
@@ -34,6 +34,10 @@
                             <name>dds.sec.auth.builtin.PKI-DH.private_key</name>
                             <value>file://mainpubkey.pem</value>
                         </property>
+                        <property>
+                            <name>dds.sec.auth.builtin.PKI-DH.preferred_key_agreement</name>
+                            <value>ECDH</value>
+                        </property>
                         <!-- Activate DDS:Crypto:AES-GCM-GMAC plugin -->
                         <property>
                             <name>dds.sec.crypto.plugin</name>
diff --git a/test/dds/communication/security/secure_msg_submsg_crypto_besteffort_pub_profile.xml b/test/dds/communication/security/secure_msg_submsg_crypto_besteffort_pub_profile.xml
@@ -33,6 +33,10 @@
                             <name>dds.sec.auth.builtin.PKI-DH.private_key</name>
                             <value>file://mainpubkey.pem</value>
                         </property>
+                        <property>
+                            <name>dds.sec.auth.builtin.PKI-DH.preferred_key_agreement</name>
+                            <value>DH</value>
+                        </property>
                         <!-- Activate DDS:Crypto:AES-GCM-GMAC plugin -->
                         <property>
                             <name>dds.sec.crypto.plugin</name>
diff --git a/test/dds/communication/security/secure_msg_submsg_crypto_besteffort_sub_profile.xml b/test/dds/communication/security/secure_msg_submsg_crypto_besteffort_sub_profile.xml
@@ -33,6 +33,10 @@
                             <name>dds.sec.auth.builtin.PKI-DH.private_key</name>
                             <value>file://mainsubkey.pem</value>
                         </property>
+                        <property>
+                            <name>dds.sec.auth.builtin.PKI-DH.preferred_key_agreement</name>
+                            <value>ECDH</value>
+                        </property>
                         <!-- Activate DDS:Crypto:AES-GCM-GMAC plugin -->
                         <property>
                             <name>dds.sec.crypto.plugin</name>
diff --git a/test/dds/communication/security/secure_submsg_crypto_besteffort_pub_profile.xml b/test/dds/communication/security/secure_submsg_crypto_besteffort_pub_profile.xml
@@ -33,6 +33,10 @@
                             <name>dds.sec.auth.builtin.PKI-DH.private_key</name>
                             <value>file://mainpubkey.pem</value>
                         </property>
+                        <property>
+                            <name>dds.sec.auth.builtin.PKI-DH.preferred_key_agreement</name>
+                            <value>ECDH</value>
+                        </property>
                         <!-- Activate DDS:Crypto:AES-GCM-GMAC plugin -->
                         <property>
                             <name>dds.sec.crypto.plugin</name>
diff --git a/test/dds/communication/security/secure_submsg_crypto_besteffort_sub_profile.xml b/test/dds/communication/security/secure_submsg_crypto_besteffort_sub_profile.xml
@@ -33,6 +33,10 @@
                             <name>dds.sec.auth.builtin.PKI-DH.private_key</name>
                             <value>file://mainsubkey.pem</value>
                         </property>
+                        <property>
+                            <name>dds.sec.auth.builtin.PKI-DH.preferred_key_agreement</name>
+                            <value>DH</value>
+                        </property>
                         <!-- Activate DDS:Crypto:AES-GCM-GMAC plugin -->
                         <property>
                             <name>dds.sec.crypto.plugin</name>
diff --git a/test/dds/communication/security/simple_secure_besteffort_pub_profile.xml b/test/dds/communication/security/simple_secure_besteffort_pub_profile.xml
@@ -26,6 +26,10 @@
                             <name>dds.sec.auth.builtin.PKI-DH.private_key</name>
                             <value>file://mainpubkey.pem</value>
                         </property>
+                        <property>
+                            <name>dds.sec.auth.builtin.PKI-DH.preferred_key_agreement</name>
+                            <value>ECDH</value>
+                        </property>
                         <!-- Activate Access:Permissions plugin -->
                         <property>
                             <name>dds.sec.access.plugin</name>
diff --git a/test/dds/communication/security/simple_secure_besteffort_sub_profile.xml b/test/dds/communication/security/simple_secure_besteffort_sub_profile.xml
@@ -26,6 +26,10 @@
                             <name>dds.sec.auth.builtin.PKI-DH.private_key</name>
                             <value>file://mainsubkey.pem</value>
                         </property>
+                        <property>
+                            <name>dds.sec.auth.builtin.PKI-DH.preferred_key_agreement</name>
+                            <value>DH</value>
+                        </property>
                         <!-- Activate Access:Permissions plugin -->
                         <property>
                             <name>dds.sec.access.plugin</name>
diff --git a/test/unittest/security/authentication/AuthenticationPluginTests.hpp b/test/unittest/security/authentication/AuthenticationPluginTests.hpp
@@ -166,6 +166,7 @@ TEST_F(AuthenticationPluginTest, handshake_process_ok)
             ValidationResult_t::VALIDATION_FAILED;
 
     participant_attr.properties = get_valid_policy();
+    participant_attr.properties.properties().emplace_back("dds.sec.auth.builtin.PKI-DH.preferred_key_agreement", "DH");
 
     result = plugin.validate_local_identity(&local_identity_handle1,
                     adjusted_participant_key1,
diff --git a/test/unittest/security/authentication/BuiltinPKIDHTests.cpp b/test/unittest/security/authentication/BuiltinPKIDHTests.cpp
@@ -403,6 +403,75 @@ void AuthenticationPluginTest::check_shared_secrets(
     ASSERT_TRUE(*sharedsecret_1 == *sharedsecret_2);
 }
 
+TEST_F(AuthenticationPluginTest, validate_local_identity_kagree_algo)
+{
+    const std::string correct_values[] =
+    {
+        "DH",
+        "ECDH",
+        "DH+MODP-2048-256",
+        "ECDH+prime256v1-CEUM"
+    };
+
+    const std::string wrong_values[] =
+    {
+        "RSA+MODP-2048-256",
+        "ECDH+MODP-2048-256",
+        "RSA",
+        "ECDH+prime256v1",
+        "unknown",
+        ""
+    };
+
+    auto test_fn = [this](
+        const std::string& alg,
+        ValidationResult_t expected_result) -> void
+            {
+                IdentityHandle* local_identity_handle = nullptr;
+                GUID_t adjusted_participant_key;
+                uint32_t domain_id = 0;
+                RTPSParticipantAttributes participant_attr;
+                GUID_t candidate_participant_key;
+                SecurityException exception;
+                ValidationResult_t result = ValidationResult_t::VALIDATION_FAILED;
+
+                fill_candidate_participant_key(candidate_participant_key);
+                participant_attr.properties = get_valid_policy();
+                participant_attr.properties.properties().emplace_back(
+                    Property("dds.sec.auth.builtin.PKI-DH.preferred_key_agreement", alg));
+                result = plugin.validate_local_identity(&local_identity_handle,
+                                adjusted_participant_key,
+                                domain_id,
+                                participant_attr,
+                                candidate_participant_key,
+                                exception);
+
+                ASSERT_TRUE(result == expected_result);
+                if (ValidationResult_t::VALIDATION_OK == result)
+                {
+                    ASSERT_TRUE(local_identity_handle != nullptr);
+                    check_local_identity_handle(*local_identity_handle);
+                    ASSERT_TRUE(adjusted_participant_key != GUID_t::unknown());
+                    ASSERT_TRUE(plugin.return_identity_handle(local_identity_handle, exception));
+                }
+                else
+                {
+                    ASSERT_TRUE(local_identity_handle == nullptr);
+                    ASSERT_TRUE(adjusted_participant_key == GUID_t::unknown());
+                }
+            };
+
+    for (const std::string& value : correct_values)
+    {
+        test_fn(value, ValidationResult_t::VALIDATION_OK);
+    }
+
+    for (const std::string& value : wrong_values)
+    {
+        test_fn(value, ValidationResult_t::VALIDATION_FAILED);
+    }
+}
+
 TEST_F(AuthenticationPluginTest, validate_local_identity_validation_ok_with_pwd)
 {
     IdentityHandle* local_identity_handle = nullptr;
diff --git a/versions.md b/versions.md
@@ -1,6 +1,8 @@
 Forthcoming
 -----------
 
+* New property to configure the preferred key agreement algorithm.
+
 Version 2.14.3
 --------------
 
