KeyName support in santuario


KeyName support in santuario

Hugo Trippaers
Hello,

I’m working on a project that uses KeyName to identify the key used to verify or sign the signature. I’m using the santuario library through the XmlSecIn/OutInterceptors in the CXF project. Currently the KeyName identifier is not supported for outgoing messages.

Caused by: org.apache.xml.security.exceptions.XMLSecurityException: KeyName not supported.
        at org.apache.xml.security.stax.impl.processor.output.XMLSignatureEndingOutputProcessor.createKeyInfoStructureForSignature(XMLSignatureEndingOutputProcessor.java:146) ~[xmlsec-2.0.7.jar!/:2.0.7]

So I’m looking to add some support for it. I’ve got a small proof-of-concept implementation ready, but I ran into the problem that there is no clear definition of what should be in the KeyName. The project that I’m working on defined the contents of the KeyName as the SHA1 fingerprint of the certificate, but I’ve also seen and/or read about solutions that use the CN or any other identifier.

So I’m thinking of extending org.apache.xml.security.stax.ext.XMLSecurityProperties with a field identifying the method to use to generate the KeyName content, and then using that info in XMLSignatureEndingOutputProcessor.createKeyInfoStructureForSignature() to build a KeyName KeyInfo token with the required contents.

I’m looking for some feedback if that would be an acceptable solution.

Cheers,

Hugo


Re: KeyName support in santuario

Colm O hEigeartaigh-2
Hi Hugo,

The JSR-105 API in Java just takes a String as parameter, so I think it would be simpler just to add a new String property in XMLSecurityProperties which is taken as the KeyName value:

https://docs.oracle.com/javase/7/docs/api/javax/xml/crypto/dsig/keyinfo/KeyInfoFactory.html#newKeyName(java.lang.String)

Colm.

On Mon, Oct 10, 2016 at 3:24 PM, Hugo Trippaers <[hidden email]> wrote:
--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
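To make the suggestion above concrete, here is an added example (not code from santuario, CXF or either poster) that uses the JSR-105 API directly: it signs a document with a KeyInfo holding only a KeyName built with KeyInfoFactory.newKeyName(String), and verifies it with a KeySelector that treats the KeyName purely as a lookup key into the verifier's own trust store. The naming convention (hex SHA-1 of the DER-encoded public key) is an assumption made here so the example runs with a generated key pair and no certificate; a deployment would substitute the certificate fingerprint or whatever identifier the parties agreed on. The defensive point the example shows is that the KeyName carried in the message is never used to fetch key material from the message itself: an unknown name fails closed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class KeyNameSignatureExample {

    // Assumed convention for this example: KeyName = lowercase hex SHA-1 of the
    // DER-encoded public key. Stands in for the certificate fingerprint discussed above.
    static String keyName(PublicKey pk) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(pk.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Enveloped signature over the whole document; KeyInfo carries only a KeyName.
    static void sign(Document doc, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
                Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyName(keyName(kp.getPublic()))));
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
    }

    // Resolves a KeyName against keys the verifier already trusts. Nothing in the
    // message (no KeyValue, no X509Data) is ever used as the verification key.
    static final class TrustStoreKeySelector extends KeySelector {
        private final Map<String, PublicKey> trusted;
        TrustStoreKeySelector(Map<String, PublicKey> trusted) { this.trusted = trusted; }

        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method,
                                        XMLCryptoContext ctx) throws KeySelectorException {
            if (keyInfo == null) throw new KeySelectorException("no KeyInfo in signature");
            for (Object o : keyInfo.getContent()) {
                if (o instanceof KeyName) {
                    final PublicKey pk = trusted.get(((KeyName) o).getName());
                    if (pk != null) return () -> pk;
                }
            }
            throw new KeySelectorException("KeyName does not match any trusted key");
        }
    }

    // Returns true only if exactly one Signature element is present and it validates
    // under a trusted key. An unresolvable KeyName surfaces as XMLSignatureException.
    static boolean verify(Document doc, Map<String, PublicKey> trusted) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() != 1) return false;
        DOMValidateContext vc = new DOMValidateContext(new TrustStoreKeySelector(trusted), nl.item(0));
        return XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(vc).validate(vc);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair signer = kpg.generateKeyPair();
        KeyPair stranger = kpg.generateKeyPair();   // a key the verifier does not trust

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Constructed sample message.
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(
                "<msg><body>hello</body></msg>".getBytes(StandardCharsets.UTF_8)));
        sign(doc, signer);

        Map<String, PublicKey> trusted = new HashMap<>();
        trusted.put(keyName(signer.getPublic()), signer.getPublic());
        System.out.println("trusted signer: " + verify(doc, trusted));

        Map<String, PublicKey> other = new HashMap<>();
        other.put(keyName(stranger.getPublic()), stranger.getPublic());
        try {
            System.out.println("unknown signer: " + verify(doc, other));
        } catch (XMLSignatureException e) {
            System.out.println("unknown signer rejected: " + e.getMessage());
        }
    }
}
```

The sender side is one line once the KeyName string is decided, which is why a plain String property on XMLSecurityProperties is enough; the convention for producing that string (fingerprint, CN, or anything else) belongs to the application, and the receiver's KeySelector is where the name is bound to a key the verifier already trusts.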
Re: KeyName support in santuario

Hugo Trippaers
Hi Colm,

Yeah, that sounds even easier. Thanks for the feedback, I’ll start working on the patch and submit it when finished.

Cheers,

Hugo

> On 10 Oct 2016, at 18:02, Colm O hEigeartaigh <[hidden email]> wrote: