
Add support for exporting TLS Keying Material or master secret #3499

Closed
sanjerai opened this issue Nov 6, 2024 · 1 comment
Comments


sanjerai commented Nov 6, 2024

Motivation

RFC5705 defines and RFC8446 updates keying material exporters for TLS:

https://www.rfc-editor.org/rfc/rfc5705.html
https://www.rfc-editor.org/rfc/rfc8446#section-7.5

Many other TLS implementations already support it:

https://pkg.go.dev/crypto/tls#ConnectionState.ExportKeyingMaterial
https://docs.openssl.org/1.1.1/man3/SSL_export_keying_material
https://downloads.bouncycastle.org/java/docs/bctls-jdk18on-javadoc/org/bouncycastle/tls/TlsContext.html#exportKeyingMaterial-java.lang.String-byte:A-int-

5G mobile specs mandate the use of the TLS session at app level for JWE:
https://www.tech-invite.com/3m33/toc/tinv-3gpp-33-501_zk.html#e-13-2-4-4-1

We have a spring-boot-starter-webflux code base communicating over TLS 1.3 and HTTP/2 and using Reactor Netty as the base server. We have a use case to export the TLS keying material or the master secret. We need this information to further derive keys for JWE token ciphering.

Desired solution

Option to export the master secret after the TLS handshake is complete.

Considered alternatives

Additional context

@sanjerai sanjerai added status/need-triage A new issue that still needs to be evaluated as a whole type/enhancement A general enhancement labels Nov 6, 2024
@violetagg violetagg added for/stackoverflow Questions are best asked on SO or Gitter and removed type/enhancement A general enhancement status/need-triage A new issue that still needs to be evaluated as a whole labels Nov 10, 2024
@violetagg violetagg self-assigned this Nov 10, 2024
violetagg (Member) commented Nov 10, 2024

@sanjerai There is already such functionality provided by the Netty project: https://netty.io/4.1/api/io/netty/handler/ssl/SslMasterKeyHandler.html
You can use Reactor Netty callbacks to extend your channel pipeline:
https://projectreactor.io/docs/netty/release/reference/index.html#_lifecycle_callbacks_3
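As an added example (not code from this thread or from the Reactor Netty project), this is one way to wire the suggested `SslMasterKeyHandler` into a Reactor Netty `HttpServer`: a subclass parks the secret on the channel instead of logging it, `doOnChannelInit` places it behind Reactor Netty's own `SslHandler`, and a request-side helper reads it back. The class, attribute and method names are my own; it assumes Reactor Netty 1.x on Netty 4.1.

```java
import io.netty.channel.Channel;
import io.netty.handler.ssl.SslMasterKeyHandler;
import io.netty.util.AttributeKey;
import reactor.netty.NettyPipeline;
import reactor.netty.http.server.HttpServer;
import reactor.netty.http.server.HttpServerRequest;

import javax.crypto.SecretKey;
import javax.net.ssl.SSLSession;

public final class MasterSecretExport {

    // Channel attribute that holds the captured secret; the attribute name is our own choice.
    static final AttributeKey<byte[]> MASTER_SECRET = AttributeKey.valueOf("tls.masterSecret");

    static {
        // SslMasterKeyHandler.isEnabled() reads this property; without it the handler stays inert.
        System.setProperty(SslMasterKeyHandler.SYSTEM_PROP_KEY, "true");
        // With the JDK SSLEngine the secret is read reflectively from sun.security.ssl, which on
        // JDK 9+ needs --add-opens java.base/sun.security.ssl=ALL-UNNAMED on the command line.
    }

    // One instance per channel (the handler is not @Sharable). Netty calls accept() once
    // SslHandshakeCompletionEvent.SUCCESS reaches this handler, with the session's master secret.
    static final class CapturingMasterKeyHandler extends SslMasterKeyHandler {
        private final Channel channel;
        CapturingMasterKeyHandler(Channel channel) { this.channel = channel; }

        @Override
        protected void accept(SecretKey masterKey, SSLSession session) {
            // Guard the case where the engine exposes no secret for the negotiated session.
            if (masterKey != null && masterKey.getEncoded() != null) {
                channel.attr(MASTER_SECRET).set(masterKey.getEncoded());
            }
        }
    }

    // doOnChannelInit runs after Reactor Netty has added its SslHandler, so the capturing handler
    // can sit directly behind it and receive the handshake-completion event first.
    public static HttpServer withMasterSecretCapture(HttpServer server) {
        return server.doOnChannelInit((observer, channel, remoteAddress) ->
                channel.pipeline().addAfter(NettyPipeline.SslHandler, "tlsMasterSecretCapture",
                        new CapturingMasterKeyHandler(channel)));
    }

    // Request-side lookup: withConnection exposes the Channel the request arrived on.
    // Returns null before the handshake completed or when no secret was captured.
    public static byte[] masterSecretOf(HttpServerRequest request) {
        byte[][] holder = new byte[1][];
        request.withConnection(conn -> holder[0] = conn.channel().attr(MASTER_SECRET).get());
        return holder[0];
    }
}
```

Treat the captured bytes as a long-lived secret (keep them out of logs and responses), and verify what your SSLEngine (JDK or OpenSSL) actually hands back for the protocol version you negotiate before building key derivation on top of it.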

@violetagg violetagg closed this as not planned Nov 10, 2024