apache · coheigea · Nov 15, 2024 · Aug 23, 2024
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
@@ -230,6 +230,7 @@ public void testEncryptionWithAgreementMethod(String alias, String keyElement) t
         outProperties.put(ConfigurationConstants.USER, alias);
         outProperties.put(ConfigurationConstants.ENC_KEY_TRANSPORT, WSS4JConstants.KEYWRAP_AES128);
         outProperties.put(ConfigurationConstants.ENC_KEY_AGREEMENT_METHOD, WSS4JConstants.AGREEMENT_METHOD_ECDH_ES);
+        outProperties.put(ConfigurationConstants.ENC_KEY_DERIVATION_FUNCTION, WSS4JConstants.KEYDERIVATION_CONCATKDF);
 
         Map<String, Object> inProperties = new HashMap<>();
         inProperties.put(ConfigurationConstants.ACTION, ConfigurationConstants.ENCRYPTION);

diff --git a/...ecurity/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutWithAttachmentsTest.java b/...ecurity/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutWithAttachmentsTest.java
@@ -86,14 +86,29 @@ public WSS4JInOutWithAttachmentsTest() {
      * @throws Exception if something goes wrong
      */
     @Test
-    public void testEncryptWithAgreementMethodWithXECAndEDKeys() throws Exception {
+    public void testEncryptWithAgreementConcatKDFWithXECAndEDKeys() throws Exception {
         Assume.assumeTrue(getJDKVersion() >= 16);
-        testEncryptWithAgreementMethod("ed25519", "x25519");
+        testEncryptWithAgreementMethod("ed25519", "x25519",
+                WSS4JConstants.AGREEMENT_METHOD_X25519, WSS4JConstants.KEYDERIVATION_CONCATKDF);
     }
 
     @Test
-    public void testEncryptWithAgreementMethodWithECKeys() throws Exception {
-        testEncryptWithAgreementMethod("secp256r1", "secp256r1");
+    public void testEncryptWithAgreementConcatKDFWithECKeys() throws Exception {
+        testEncryptWithAgreementMethod("secp256r1", "secp256r1",
+                WSS4JConstants.AGREEMENT_METHOD_ECDH_ES, WSS4JConstants.KEYDERIVATION_CONCATKDF);
+    }
+
+    @Test
+    public void testEncryptWithAgreementHKDFWithXECAndEDKeys() throws Exception {
+        Assume.assumeTrue(getJDKVersion() >= 16);
+        testEncryptWithAgreementMethod("ed25519", "x25519",
+                WSS4JConstants.AGREEMENT_METHOD_X25519, WSS4JConstants.KEYDERIVATION_HKDF);
+    }
+
+    @Test
+    public void testEncryptWithAgreementHKDFWithECKeys() throws Exception {
+        testEncryptWithAgreementMethod("secp256r1", "secp256r1",
+                WSS4JConstants.AGREEMENT_METHOD_ECDH_ES, WSS4JConstants.KEYDERIVATION_HKDF);
     }
 
     /**
@@ -102,9 +117,12 @@ public void testEncryptWithAgreementMethodWithECKeys() throws Exception {
      *
      * @param signAlias the alias of the signature key
      * @param encAlias the alias of the encryption key
+     * @param keyAgreementMethod the key agreement method, e.g., ECDH_ES, X25519, X448
+     * @param keyDerivationFunction the key derivation function, e.g., ConcatKDF, HKDF
      * @throws Exception if something goes wrong.
      */
-    public void testEncryptWithAgreementMethod(String signAlias, String encAlias) throws Exception {
+    public void testEncryptWithAgreementMethod(String signAlias, String encAlias, String keyAgreementMethod,
+                                               String keyDerivationFunction) throws Exception {
 
         Map<String, Object> outProperties = new HashMap<>();
         // Signature configuration (sign before encrypt)
@@ -127,6 +145,7 @@ public void testEncryptWithAgreementMethod(String signAlias, String encAlias) th
         outProperties.put(ConfigurationConstants.ENC_SYM_ALGO, WSS4JConstants.AES_256_GCM);
         outProperties.put(ConfigurationConstants.ENC_KEY_TRANSPORT, WSS4JConstants.KEYWRAP_AES128);
         outProperties.put(ConfigurationConstants.ENC_KEY_AGREEMENT_METHOD, WSS4JConstants.AGREEMENT_METHOD_ECDH_ES);
+        outProperties.put(ConfigurationConstants.ENC_KEY_DERIVATION_FUNCTION, keyDerivationFunction);
         outProperties.put(ConfigurationConstants.ENC_KEY_ID, "DirectReference");
         outProperties.put(ConfigurationConstants.ENCRYPTION_PARTS, "{}cid:Attachments;");
 
@@ -146,7 +165,12 @@ public void testEncryptWithAgreementMethod(String signAlias, String encAlias) th
         xpaths.add("//wsse:Security/xenc:EncryptedData");
         xpaths.add("//xenc:AgreementMethod");
         xpaths.add("//xenc11:KeyDerivationMethod");
-        xpaths.add("//xenc11:ConcatKDFParams");
+        if (WSS4JConstants.KEYDERIVATION_HKDF.equals(keyDerivationFunction)) {
+            xpaths.add("//rfc9231:HKDFParams");
+            this.testUtilities.addNamespace("rfc9231", "http://www.w3.org/2021/04/xmldsig-more#");
+        } else {
+            xpaths.add("//xenc11:ConcatKDFParams");
+        }
         xpaths.add("//wsse:Security/ds:Signature");
 
         SoapMessage inSoapMessage = makeInvocationWithAttachment(outProperties, xpaths, inProperties);