  1. CXF
  2. CXF-8971

Introduce a customerizedAlgorithmSuite and make all parameters of it configurable


Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 4.0.4
    • 4.0.5
    • None
    • None
    • Unknown

    Description

      In ws-securitypolicy, we currently have a list of AlgorithmSuites by name. Some are defined in ws-securitypolicy; they are:

      Basic256
      Basic192
      Basic128
      TripleDes
      Basic256Rsa15
      Basic192Rsa15
      Basic128Rsa15
      TripleDesRsa15
      Basic256Sha256
      Basic192Sha256
      Basic128Sha256
      TripleDesSha256
      Basic256Sha256Rsa15
      Basic192Sha256Rsa15
      Basic128Sha256Rsa15
      TripleDesSha256Rsa15
      

      And some are from CXF itself, to address CVEs; they are:

      Basic128GCM
      Basic192GCM
      Basic256GCM
      

      So if users specify an AlgorithmSuite name like

                       <sp:AlgorithmSuite>
                           <wsp:Policy>
                              <sp:Basic256Sha256Rsa15 />
                           </wsp:Policy>
                       </sp:AlgorithmSuite>
      

      they will get an AlgorithmSuiteType instance with all parameters hardcoded for this AlgorithmSuite name.

      new AlgorithmSuiteType(
                      "Basic256Sha256Rsa15",
                      SPConstants.SHA256,
                      SPConstants.AES256,
                      SPConstants.KW_AES256,
                      SPConstants.KW_RSA15,
                      SPConstants.P_SHA1_L256,
                      SPConstants.P_SHA1_L192,
                      256, 192, 256,
                      MAX_SKL, MIN_AKL, MAX_AKL)
      

      However, security algorithms are evolving and some old-time algos may get cracked, or sometimes only a limited set of modern/strong security algorithms can be used in some scenarios, so the currently available AlgorithmSuiteTypes from either ws-securitypolicy or CXF may not meet the specific requirements.

      It would be great if we could introduce a fully configurable AlgorithmSuiteType, which could be named, say, customerizedAlgorithmSuite. It could have default values, but the parameters of the AlgorithmSuiteType could be configured via endpoint (client or server) properties. This flexibility can offer us more convenience.
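The idea of defaults overlaid by endpoint properties can be sketched as follows. This is an added example, not part of the original issue and not CXF code: the class name, the `suite.*` property keys and the deny-list are hypothetical, and the defaults use the W3C algorithm URIs that correspond to the Basic256Sha256Rsa15 parameters quoted above.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added illustration, not CXF code: the class name and "suite.*" keys are hypothetical.
public class ConfigurableSuiteDemo {
    // Defaults mirror the Basic256Sha256Rsa15 parameters quoted in the issue.
    static final Map<String, String> DEFAULTS = Map.of(
        "suite.digest", "http://www.w3.org/2001/04/xmlenc#sha256",
        "suite.encryption", "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
        "suite.symmetricKeyWrap", "http://www.w3.org/2001/04/xmlenc#kw-aes256",
        "suite.asymmetricKeyWrap", "http://www.w3.org/2001/04/xmlenc#rsa-1_5");

    // Algorithms an operator may want to refuse; constructed deny-list for the demo.
    static final List<String> DENIED = List.of(
        "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
        "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
        "http://www.w3.org/2000/09/xmldsig#sha1");

    // Overlay endpoint properties on the defaults. Unknown keys are rejected so a
    // typo cannot silently leave an unwanted default in place.
    static Map<String, String> resolve(Map<String, String> endpointProps) {
        Map<String, String> suite = new LinkedHashMap<>(DEFAULTS);
        for (Map.Entry<String, String> e : endpointProps.entrySet()) {
            if (!DEFAULTS.containsKey(e.getKey())) {
                throw new IllegalArgumentException("unknown suite property: " + e.getKey());
            }
            suite.put(e.getKey(), e.getValue());
        }
        return suite;
    }

    // Return the names of parameters whose resolved algorithm is on the deny-list.
    static List<String> weakParameters(Map<String, String> suite) {
        return suite.entrySet().stream()
            .filter(e -> DENIED.contains(e.getValue()))
            .map(Map.Entry::getKey)
            .sorted()
            .toList();
    }

    public static void main(String[] args) {
        // With no overrides, the hardcoded-style defaults are checked as they stand.
        System.out.println("defaults flagged: " + weakParameters(resolve(Map.of())));
        // Endpoint properties replace only the parameters that need to change.
        Map<String, String> hardened = resolve(Map.of(
            "suite.encryption", "http://www.w3.org/2009/xmlenc11#aes256-gcm",
            "suite.asymmetricKeyWrap", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"));
        System.out.println("hardened flagged: " + weakParameters(hardened));
    }
}
```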

            People

              Unassigned Unassigned
              ffang Freeman Yue Fang