PSK TLS implementation with Tomcat or Netty


PSK TLS implementation with Tomcat or Netty

Fabian Eriksson

Hello again!


Yesterday I wrote to this mailing list asking how to integrate an HSM with PSK TLS where I got an answer with the following solution:

I should create an alternative TlsKeyExchange implementation which returns my own implementation of TlsSecret, pseudocode below:

class MyTlsKeyExchange extends TlsPSKKeyExchange {
    // Return the HSM-backed secret instead of the default premaster secret
    public TlsSecret generatePreMasterSecret() { return new MyTlsSecret(...); }
}

public class MyTlsSecret extends AbstractTlsSecret {
    ...
    public TlsSecret deriveUsingPRF(final int prfAlgorithm, final byte[] labelSeed, final int length)
    {
        // call hsm()  (pseudocode: the PRF derivation is performed inside the HSM)
    }
}

Everything works fine! But the next step is how to wire the changes I made (see above) into Tomcat 8 or Netty.

As I see it, I have two roads I could take:

1. Is the easiest way to do it by implementing Tomcat's own ServerSocketFactory (https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/tomcat/util/net/ServerSocketFactory.html, or Netty's equivalent interface) and telling Tomcat that this is the SSL implementation I want to use?

2. Would it be easier to take my PSKTLSServer implementation and link it together with Bouncy Castle's JSSE provider (which is currently version 0.9)?

I would appreciate pointers to code examples :)


BR

Fabian Eriksson
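
An added example, not part of the original post and not Bouncy Castle code: a JDK-only software stand-in for the computation that an HSM-backed deriveUsingPRF(prfAlgorithm, labelSeed, length) has to perform for plain PSK. It assumes TLS 1.2 with the SHA-256 PRF (RFC 5246) and the RFC 4279 premaster secret layout; the class and method names are hypothetical, and in an HSM deployment both steps run inside the device so the PSK never reaches application memory.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/** Hypothetical software stand-in for the derivation an HSM-backed TlsSecret would delegate. */
public class PskPrfSketch {

    /** RFC 4279 plain-PSK premaster secret: uint16 N, N zero bytes, uint16 N, PSK (N = PSK length). */
    static byte[] pskPreMasterSecret(byte[] psk) {
        int n = psk.length;
        byte[] pms = new byte[4 + 2 * n];            // zero-filled by default
        pms[0] = (byte) (n >>> 8);
        pms[1] = (byte) n;
        pms[2 + n] = (byte) (n >>> 8);
        pms[3 + n] = (byte) n;
        System.arraycopy(psk, 0, pms, 4 + n, n);
        return pms;
    }

    /** TLS 1.2 PRF (RFC 5246, section 5) with HMAC-SHA256: P_hash(secret, label || seed). */
    static byte[] prfSha256(byte[] secret, byte[] labelSeed, int length) throws Exception {
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(secret, "HmacSHA256"));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] a = labelSeed;                        // A(0) = label || seed
        while (out.size() < length) {
            a = hmac.doFinal(a);                     // A(i) = HMAC(secret, A(i-1))
            hmac.update(a);
            out.write(hmac.doFinal(labelSeed));      // HMAC(secret, A(i) || label || seed)
        }
        return Arrays.copyOf(out.toByteArray(), length);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key and all-zero randoms, for demonstration only.
        byte[] psk = "constructed-sample-psk".getBytes(StandardCharsets.US_ASCII);
        byte[] randoms = new byte[64];               // client_random || server_random
        ByteArrayOutputStream labelSeed = new ByteArrayOutputStream();
        labelSeed.write("master secret".getBytes(StandardCharsets.US_ASCII));
        labelSeed.write(randoms);
        byte[] master = prfSha256(pskPreMasterSecret(psk), labelSeed.toByteArray(), 48);
        System.out.println("master secret length: " + master.length);
    }
}
```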


Re: [dev-crypto] PSK TLS implementation with Tomcat or Netty

Klas Eriksson

Hi


I believe the Tomcat interface is deprecated since I cannot find it in Tomcat 8.5 or Tomcat 9.0.

So, adding PSK support to the BcJSSE seems like your best option.

Would be interesting to know if PSK JSSE support is on some BC road-map...:)


br

klas




From: Fabian Eriksson <[hidden email]>
Sent: 23 May 2017 17:21
To: [hidden email]
Subject: [dev-crypto] PSK TLS implementation with Tomcat or Netty
 

Hello again!


Yesterday I wrote to this mailing list asking how to integrate an HSM with PSK TLS where I got an answer with the following solution:

I should create an alternative TlsKeyExchange implementation which returns my own implementation of TlsSecret, pseudocode below:

class MyTlsKeyExchange extends TlsPSKKeyExchange {
    // Return the HSM-backed secret instead of the default premaster secret
    public TlsSecret generatePreMasterSecret() { return new MyTlsSecret(...); }
}

public class MyTlsSecret extends AbstractTlsSecret {
    ...
    public TlsSecret deriveUsingPRF(final int prfAlgorithm, final byte[] labelSeed, final int length)
    {
        // call hsm()  (pseudocode: the PRF derivation is performed inside the HSM)
    }
}

Everything works fine! But the next step is how to wire the changes I made (see above) into Tomcat 8 or Netty.

As I see it, I have two roads I could take:

1. Is the easiest way to do it by implementing Tomcat's own ServerSocketFactory (https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/tomcat/util/net/ServerSocketFactory.html, or Netty's equivalent interface) and telling Tomcat that this is the SSL implementation I want to use?

2. Would it be easier to take my PSKTLSServer implementation and link it together with Bouncy Castle's JSSE provider (which is currently version 0.9)?

I would appreciate pointers to code examples :)


BR

Fabian Eriksson
