From 58b4d3098b678871f3ee0feffa64354332f47aa4 Mon Sep 17 00:00:00 2001
From: Miguel Company
Date: Wed, 11 Dec 2024 16:20:55 +0100
Subject: [PATCH] Document new `transmit_algorithms_as_legacy` on builtin security plugins (#974)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Refs #19925. Add documentation of new property in PKIDH.
Signed-off-by: Miguel Company
* Refs #19925. Add documentation of new property in Permissions.
Signed-off-by: Miguel Company
* Apply suggestions from code review
Co-authored-by: Mario Domínguez López <116071334+Mario-DL@users.noreply.github.com>
Signed-off-by: Miguel Company
---------
Signed-off-by: Miguel Company
Co-authored-by: Mario Domínguez López <116071334+Mario-DL@users.noreply.github.com>
(cherry picked from commit cc95496dc6ee088366f00dec5c4213d4e3b2c86d)
# Conflicts:
# code/DDSCodeTester.cpp
# code/XMLTester.xml
# docs/fastdds/property_policies/security.rst
# docs/fastdds/security/auth_plugin/auth_plugin.rst
---
code/DDSCodeTester.cpp | 12 ++++++++++++
code/XMLTester.xml | 15 +++++++++++++++
docs/fastdds/property_policies/security.rst | 13 +++++++++++++
.../access_control_plugin.rst | 3 +++
docs/fastdds/security/auth_plugin/auth_plugin.rst | 13 +++++++++++++
5 files changed, 56 insertions(+)
diff --git a/code/DDSCodeTester.cpp b/code/DDSCodeTester.cpp
index fe74f43b9..4992a6237 100644
--- a/code/DDSCodeTester.cpp
+++ b/code/DDSCodeTester.cpp
@@ -642,6 +642,15 @@ void dds_domain_examples()
 pqos.properties().properties().emplace_back(
 "dds.sec.auth.builtin.PKI-DH.password",
 "domainParticipantPassword");
+<<<<<<< HEAD
+=======
+ pqos.properties().properties().emplace_back(
+ "dds.sec.auth.builtin.PKI-DH.preferred_key_agreement",
+ "ECDH");
+ pqos.properties().properties().emplace_back(
+ "dds.sec.auth.builtin.PKI-DH.transmit_algorithms_as_legacy",
+ "true");
+>>>>>>> cc95496 (Document new `transmit_algorithms_as_legacy` on builtin security plugins (#974))
 //!--
 }
 {
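Review bot: The new side of this hunk commits unresolved cherry-pick conflict markers (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> cc95496 ...`) around the two new `emplace_back` calls, so DDSCodeTester.cpp will not compile as committed; the same markers are left in the first XMLTester.xml hunk and in the security.rst and auth_plugin.rst hunks, and the diffstat's 56 insertions counts them (12 lines for this file where the two hunks add 9 lines of real content). In every conflict the `HEAD` side is empty, so resolving is dropping the three marker lines and keeping the `preferred_key_agreement` and `transmit_algorithms_as_legacy` lines. The enclosing `dds_domain_examples()` starts and ends outside the hunk.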
@@ -677,6 +686,9 @@ void dds_domain_examples()
 pqos.properties().properties().emplace_back(
 "dds.sec.access.builtin.Access-Permissions.permissions",
 "file://certs/permissions.smime");
+ pqos.properties().properties().emplace_back(
+ "dds.sec.access.builtin.Access-Permissions.transmit_algorithms_as_legacy",
+ "true");
 //!--
 }
 {
diff --git a/code/XMLTester.xml b/code/XMLTester.xml
index ea249964c..f3e581522 100644
--- a/code/XMLTester.xml
+++ b/code/XMLTester.xml
@@ -3050,6 +3050,17 @@ dds.sec.auth.builtin.PKI-DH.password domainParticipantPassword
+<<<<<<< HEAD
+=======
+
+ dds.sec.auth.builtin.PKI-DH.preferred_key_agreement
+ ECDH
+
+
+ dds.sec.auth.builtin.PKI-DH.transmit_algorithms_as_legacy
+ true
+
+>>>>>>> cc95496 (Document new `transmit_algorithms_as_legacy` on builtin security plugins (#974))
@@ -3102,6 +3113,10 @@ dds.sec.access.builtin.Access-Permissions.permissions file://permissions.smime
+
+ dds.sec.access.builtin.Access-Permissions.transmit_algorithms_as_legacy
+ true
+
diff --git a/docs/fastdds/property_policies/security.rst b/docs/fastdds/property_policies/security.rst
index 7c593a978..eb041e20b 100644
--- a/docs/fastdds/property_policies/security.rst
+++ b/docs/fastdds/property_policies/security.rst
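Review bot: The Access-Permissions example sets `transmit_algorithms_as_legacy` to `"true"`, the opposite of the documented default (`false`) and the value that selects what this same commit describes as a non-standard legacy format, yet nothing in the snippet says why; since this file is the source of the documented examples, readers are likely to copy `"true"` as the recommended setting. A one-line comment above the call would make the intent explicit, e.g. `// Non-default: emits algorithm identifiers in the legacy (non-standard) format` — presumably only wanted when interoperating with peers that expect that format, which the commit does not state. The same applies to the `"true"` values in the PKI-DH hunk above and in both XMLTester.xml hunks. `dds_domain_examples()` starts and ends outside the hunk.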
@@ -42,6 +42,19 @@ The following table outlines the properties used for the :ref:`DDS\:Auth\:PKI-DH
 If the *password* property is not present, then the value supplied in the |br|
 *private_key* property must contain the decrypted private key. |br|
 The *password* property is ignored if the *private_key* is given in PKCS#11 scheme.
+<<<<<<< HEAD
+=======
+ * - ``preferred_key_agreement`` *(optional)*
+ - The preferred algorithm to use for generating the session's shared secret |br|
+ at the end of the authentication phase. Supported values are: |br|
+ a) ``DH``, ``DH+MODP-2048-256`` for Diffie-Hellman Ephemeral with 2048-bit MODP Group parameters. |br|
+ b) ``ECDH``, ``ECDH+prime256v1-CEUM`` for Elliptic Curve Diffie-Hellman Ephemeral with the NIST P-256 curve. |br|
+ c) ``AUTO`` for selecting the key agreement based on the signature algorithm in the Identity CA's certificate. |br|
+ Will default to ``AUTO`` if the property is not present.
+ * - ``transmit_algorithms_as_legacy`` *(optional)*
+ - Whether to transmit algorithm identifiers in non-standard legacy format. |br|
+ Will default to ``false`` if the property is not present.
+>>>>>>> cc95496 (Document new `transmit_algorithms_as_legacy` on builtin security plugins (#974))
 
 .. note::
 All properties listed above have the ``dds.sec.auth.builtin.PKI-DH."`` prefix.
diff --git a/docs/fastdds/security/access_control_plugin/access_control_plugin.rst b/docs/fastdds/security/access_control_plugin/access_control_plugin.rst
index ea094aea3..ba6abb077 100644
--- a/docs/fastdds/security/access_control_plugin/access_control_plugin.rst
+++ b/docs/fastdds/security/access_control_plugin/access_control_plugin.rst
@@ -55,6 +55,9 @@ The following table outlines the properties used for the DDS\:Access\:Permission
 * - permissions
 - URI to the Participant permissions document signed by the |br| Permissions CA in S/MIME format. |br| Supported URI schemes: file.
+ * - transmit_algorithms_as_legacy *(optional)*
+ - Whether to transmit algorithm identifiers in non-standard legacy format. |br|
+ Will default to ``false`` if the property is not present.
 
 .. note::
 All listed properties have "dds.sec.access.builtin.Access-Permissions." prefix.
diff --git a/docs/fastdds/security/auth_plugin/auth_plugin.rst b/docs/fastdds/security/auth_plugin/auth_plugin.rst
index 3bbb6045d..20af114bd 100644
--- a/docs/fastdds/security/auth_plugin/auth_plugin.rst
+++ b/docs/fastdds/security/auth_plugin/auth_plugin.rst
@@ -56,6 +56,19 @@ The following table outlines the properties used for the DDS:\Auth\:PKI-DH plugi
 If the *password* property is not present, then the value supplied in the |br|
 *private_key* property must contain the decrypted private key. |br|
 The *password* property is ignored if the *private_key* is given in PKCS#11 scheme.
+<<<<<<< HEAD
+=======
+ * - preferred_key_agreement *(optional)*
+ - The preferred algorithm to use for generating the session's shared secret |br|
+ at the end of the authentication phase. Supported values are: |br|
+ a) ``DH``, ``DH+MODP-2048-256`` for Diffie-Hellman Ephemeral with 2048-bit MODP Group parameters. |br|
+ b) ``ECDH``, ``ECDH+prime256v1-CEUM`` for Elliptic Curve Diffie-Hellman Ephemeral with the NIST P-256 curve. |br|
+ c) ``AUTO`` for selecting the key agreement based on the signature algorithm in the Identity CA's certificate. |br|
+ Will default to ``AUTO`` if the property is not present.
+ * - transmit_algorithms_as_legacy *(optional)*
+ - Whether to transmit algorithm identifiers in non-standard legacy format. |br|
+ Will default to ``false`` if the property is not present.
+>>>>>>> cc95496 (Document new `transmit_algorithms_as_legacy` on builtin security plugins (#974))
 
 .. note::
 All listed properties have "dds.sec.auth.builtin.PKI-DH." prefix.