Details
- Improvement
- Status: Resolved
- Major
- Resolution: Fixed
- 4.0.4
Description
In ws-securitypolicy we currently have a list of AlgorithmSuites by name. Some are defined in WS-SecurityPolicy itself:
Basic256 Basic192 Basic128 TripleDes Basic256Rsa15 Basic192Rsa15 Basic128Rsa15 TripleDesRsa15 Basic256Sha256 Basic192Sha256 Basic128Sha256 TripleDesSha256 Basic256Sha256Rsa15 Basic192Sha256Rsa15 Basic128Sha256Rsa15 TripleDesSha256Rsa15
Others were added by CXF itself to address CVEs:
Basic128GCM Basic192GCM Basic256GCM
So if users specify an AlgorithmSuite by name, e.g.
<sp:AlgorithmSuite> <wsp:Policy> <sp:Basic256Sha256Rsa15 /> </wsp:Policy> </sp:AlgorithmSuite>
they get an AlgorithmSuiteType instance whose parameters are all hardcoded for that AlgorithmSuite name:
new AlgorithmSuiteType( "Basic256Sha256Rsa15", SPConstants.SHA256, SPConstants.AES256, SPConstants.KW_AES256, SPConstants.KW_RSA15, SPConstants.P_SHA1_L256, SPConstants.P_SHA1_L192, 256, 192, 256, MAX_SKL, MIN_AKL, MAX_AKL)
However, security algorithms evolve: some older algorithms may get broken, and sometimes only a limited set of modern/strong algorithms may be used in a given scenario, so the AlgorithmSuiteTypes currently available from either WS-SecurityPolicy or CXF may not meet specific requirements.
It would be great if we could introduce a fully configurable AlgorithmSuiteType, named, say, customizedAlgorithmSuite, which has default values but whose parameters can be configured via endpoint (client or server) properties. This flexibility would offer more convenience.
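A sketch of how such a configurable suite could be assembled, added here as an illustration and not CXF's or WSS4J's own implementation: defaults are taken from the Basic256Sha256Rsa15 entry quoted above, and each constructor parameter can be overridden from an endpoint property map. The property key prefix and names, and the numeric values used for MAX_SKL, MIN_AKL and MAX_AKL, are assumptions.

```java
import java.util.Map;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.model.AlgorithmSuite.AlgorithmSuiteType;

/** Builds a "customized" AlgorithmSuiteType from endpoint properties, falling back to
 *  the Basic256Sha256Rsa15 defaults for every parameter that is not overridden. */
public final class CustomAlgorithmSuiteBuilder {
    // Hypothetical endpoint property prefix; not an existing CXF property name.
    public static final String PREFIX = "ws-security.custom.algorithm.suite.";
    // AlgorithmSuite keeps these limits private; the values here are assumed.
    private static final int MAX_SKL = 256, MIN_AKL = 1024, MAX_AKL = 4096;

    private CustomAlgorithmSuiteBuilder() { }

    public static AlgorithmSuiteType build(Map<String, Object> props) {
        return new AlgorithmSuiteType(
            "CustomizedAlgorithmSuite",
            str(props, "digest", SPConstants.SHA256),
            str(props, "encryption", SPConstants.AES256),
            str(props, "symmetric-key-wrap", SPConstants.KW_AES256),
            str(props, "asymmetric-key-wrap", SPConstants.KW_RSA15),
            str(props, "encryption-key-derivation", SPConstants.P_SHA1_L256),
            str(props, "signature-key-derivation", SPConstants.P_SHA1_L192),
            num(props, "encryption-derived-key-length", 256),
            num(props, "signature-derived-key-length", 192),
            num(props, "min-symmetric-key-length", 256),
            num(props, "max-symmetric-key-length", MAX_SKL),
            num(props, "min-asymmetric-key-length", MIN_AKL),
            num(props, "max-asymmetric-key-length", MAX_AKL));
    }

    private static String str(Map<String, Object> p, String key, String dflt) {
        Object v = p == null ? null : p.get(PREFIX + key);
        return v == null ? dflt : v.toString();
    }

    // Numeric overrides are parsed and rejected if non-positive, so a typo in a
    // property cannot silently produce a zero-length key.
    private static int num(Map<String, Object> p, String key, int dflt) {
        Object v = p == null ? null : p.get(PREFIX + key);
        if (v == null) return dflt;
        int n = Integer.parseInt(v.toString().trim());
        if (n <= 0) throw new IllegalArgumentException(PREFIX + key + " must be positive: " + n);
        return n;
    }

    public static void main(String[] args) {
        // Constructed sample: swap the asymmetric key wrap for RSA-OAEP, keep the rest at defaults.
        Map<String, Object> props = Map.of(PREFIX + "asymmetric-key-wrap", SPConstants.KW_RSA_OAEP);
        AlgorithmSuiteType suite = build(props);
        System.out.println(suite.getAsymmetricKeyWrap() + " " + suite.getEncryption());
    }
}
```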