bc-java icon indicating copy to clipboard operation
bc-java copied to clipboard

Published 20 hours ago verified publisher icon bcgit

PreShared Key support in Bouncy Castle JSSE Provider

Open sbernard31 opened this issue 1 year ago • 2 comments

I understand that Bouncy Castle have support of PSK over (D)TLS. But If I get it correctly this in not included in BouncyCastleJsseProvider Provider ?

Is there a way to get PSK available through JSSE API ? If no, Is there plan about that ? I see there is some side project which tries to achieve that but I don't really like the idea to rely on this kind of small project. (and they only support SSLSocketFactory not SSLEngine)

(Sorry If asked many question about what is supported in Bouncy Castle because I'm currently try to understand if I should try to use it in Leshan an open source java implementation of LWM2M)

sbernard31 avatar Mar 14 '24 16:03 sbernard31

@sbernard31 Likely this is an issue for OpenJDK; per https://bugs.openjdk.org/browse/JDK-8049402, it doesn't look like it supports point 4 ("Out-of-band PSK establishment") in the interfaces. Without interfaces from the JDK itself, it is (likely) impossible to implement this through the JSSE API... Unless perhaps we hack a fake, non-X509 (for PSK only) ~X509Certificate~ KeyManager class that we can detect in our underlying implementation. This is rather ugly and unlikely to be accepted, plus would make interoperability with any later JDK-provided PSK-in-JSSE harder, if they provide something different than our KeyManager in typing.

I'd suggest perhaps commenting on that issue if directly using the underlying BC TLS implementation isn't feasible.

Note that this is achieved by that project by creating a custom SSLSocket/... interface that wraps our direct TLS implementation. It doesn't really support general interfaces for PSK. My 2c

cipherboy avatar Mar 26 '24 12:03 cipherboy

@cipherboy Thx for your answer :pray:

I get your point. I understand that missing API for PSK in JSSE API is an issue. I try to discuss about that on security-dev mailing list of OpenJDK : https://mail.openjdk.org/pipermail/security-dev/2024-March/038906.html

But I also see there is project which deal with current API implementing KeyManager. See : PSKKeyManager from conscrypt project.

I know this is not ideal because we should have a common interface like X509KeyManager in OpenJDK but do you think this could be a way ? I mean Bouncy Castle could create it's own PSKKeyManager for JSSE. Then eventually we can try to push it in OpenJDK ?

sbernard31 avatar Apr 08 '24 14:04 sbernard31