Fixed certificate generation + algorithms to be compliant with FIPs -…

… santuario-xmlsec,ws-trust

docs/modules/ROOT/examples/calculator-client/pom.xml

@@ -125,7 +125,7 @@
                                 import java.nio.file.Path
                                 def srcPath = project.basedir.toPath().resolve('pom.xml')
                                 def newContent = srcPath.getText('UTF-8')
-                                newContent = newContent.replace('<version>${project.version}</version>', '<version>0.0.1-SNAPSHOT</version>')
+                                newContent = newContent.replace('<version>${project.version}</version>', '<version>0.0.1-SNAPSHOT</version>')
                                 def destPath = Path.of('${maven.multiModuleProjectDirectory}/docs/modules/ROOT/examples/calculator-client/pom.xml')
                                 if (!Files.exists(destPath) || !newContent.equals(destPath.getText('UTF-8'))) {
                                     destPath.setText(newContent.toString(), 'UTF-8')

docs/modules/ROOT/examples/ws-trust/asymmetric-saml2-policy.xml

@@ -62,7 +62,7 @@
                     <sp:OnlySignEntireHeadersAndBody />
                     <sp:AlgorithmSuite>
                         <wsp:Policy>
-                            <sp:Basic256 />
+                            <sp:CustomAlgorithmSuite/>
                         </wsp:Policy>
                     </sp:AlgorithmSuite>
                 </wsp:Policy>

integration-tests/santuario-xmlsec/pom.xml

@@ -48,6 +48,207 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>keytool-maven-plugin</artifactId>
+                <configuration>
+                    <validity>3650</validity>
+                    <keyalg>RSA</keyalg>
+                    <skip>${keytool.skip}</skip>
+                </configuration>
+                <executions>
+                    <!-- CA -->
+                    <execution>
+                        <id>generate-cxfca-keypair</id>
+                        <phase>generate-sources</phase>
+                        <goals>
+                            <goal>clean</goal>
+                            <goal>generateKeyPair</goal>
+                        </goals>
+                        <configuration>
+                            <alias>cxfca</alias>
+                            <dname>CN=cxfca, OU=eng, O=apache.org</dname>
+                            <exts>
+                                <ext>bc:c=ca:true,pathlen:2147483647</ext>
+                                <ext>IssuerAlternativeName=DNS:NOT-FOR-PRODUCTION-USE</ext>
+                            </exts>
+                            <keypass>cxfca-password</keypass>
+                            <storepass>cxfca-password</storepass>
+                            <keystore>${project.build.outputDirectory}/cxfca.jks</keystore>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>export-cxfca-certificate</id>
+                        <phase>generate-sources</phase>
+                        <goals>
+                            <goal>exportCertificate</goal>
+                        </goals>
+                        <configuration>
+                            <alias>cxfca</alias>
+                            <keystore>${project.build.outputDirectory}/cxfca.jks</keystore>
+                            <rfc>true</rfc>
+                            <storepass>cxfca-password</storepass>
+                            <file>${project.build.outputDirectory}/cxfca.pem</file>
+                        </configuration>
+                    </execution>
+                    <!-- Myclient -->
+                    <execution>
+                        <id>generate-myclient-keypair</id>
+                        <phase>generate-sources</phase>
+                        <goals>
+                            <goal>clean</goal>
+                            <goal>generateKeyPair</goal>
+                        </goals>
+                        <configuration>
+                            <alias>myclient</alias>
+                            <dname>CN=myclient, OU=eng, O=apache.org</dname>
+                            <exts>
+                                <ext>bc:c=ca:true,pathlen:2147483647</ext>
+                                <ext>IssuerAlternativeName=DNS:NOT-FOR-PRODUCTION-USE</ext>
+                            </exts>
+                            <keypass>myclient-keystore-password</keypass>
+                            <storepass>myclient-keystore-password</storepass>
+                            <keystore>${project.build.outputDirectory}/myclient-keystore.jks</keystore>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>generate-myclient-certificate-request</id>
+                        <phase>generate-sources</phase>
+                        <goals>
+                            <goal>generateCertificateRequest</goal>
+                        </goals>
+                        <configuration>
+                            <alias>myclient</alias>
+                            <storepass>myclient-keystore-password</storepass>
+                            <keystore>${project.build.outputDirectory}/myclient-keystore.jks</keystore>
+                            <file>${project.build.outputDirectory}/myclient.csr</file>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>sign-myclient-certificate</id>
+                        <phase>generate-sources</phase>
+                        <goals>
+                            <goal>generateCertificate</goal>
+                        </goals>
+                        <configuration>
+                            <alias>cxfca</alias>
+                            <storepass>cxfca-password</storepass>
+                            <keystore>${project.build.outputDirectory}/cxfca.jks</keystore>
+                            <rfc>true</rfc>
+                            <infile>${project.build.outputDirectory}/myclient.csr</infile>
+                            <outfile>${project.build.outputDirectory}/myclient.pem</outfile>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>import-cxfca-certificate-to-myclientkey-keystore</id>
+                        <phase>generate-sources</phase>
+                        <goals>
+                            <goal>importCertificate</goal>
+                        </goals>
+                        <configuration>
+                            <alias>cxfca</alias>
+                            <trustcacerts>true</trustcacerts>
+                            <noprompt>true</noprompt>
+                            <storepass>myclient-keystore-password</storepass>
+                            <keystore>${project.build.outputDirectory}/myclient-keystore.jks</keystore>
+                            <file>${project.build.outputDirectory}/cxfca.pem</file>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>import-signed-myclientkey-certificate-to-myclient-keystore</id>
+                        <phase>generate-sources</phase>
+                        <goals>
+                            <goal>importCertificate</goal>
+                        </goals>
+                        <configuration>
+                            <alias>myclient</alias>
+                            <trustcacerts>true</trustcacerts>
+                            <noprompt>true</noprompt>
+                            <storepass>myclient-keystore-password</storepass>
+                            <keystore>${project.build.outputDirectory}/myclient-keystore.jks</keystore>
+                            <file>${project.build.outputDirectory}/myclient.pem</file>
+                        </configuration>
+                    </execution>
+                    <!-- Myservice -->
+                    <execution>
+                        <id>generate-myservice-keypair</id>
+                        <phase>generate-sources</phase>
+                        <goals>
+                            <goal>clean</goal>
+                            <goal>generateKeyPair</goal>
+                        </goals>
+                        <configuration>
+                            <alias>myservice</alias>
+                            <dname>CN=myservice, OU=eng, O=apache.org</dname>
+                            <exts>
+                                <ext>bc:c=ca:true,pathlen:2147483647</ext>
+                                <ext>IssuerAlternativeName=DNS:NOT-FOR-PRODUCTION-USE</ext>
+                            </exts>
+                            <keypass>myservice-keystore-password</keypass>
+                            <storepass>myservice-keystore-password</storepass>
+                            <keystore>${project.build.outputDirectory}/myservice-keystore.jks</keystore>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>generate-myservice-certificate-request</id>
+                        <phase>generate-sources</phase>
+                        <goals>
+                            <goal>generateCertificateRequest</goal>
+                        </goals>
+                        <configuration>
+                            <alias>myservice</alias>
+                            <storepass>myservice-keystore-password</storepass>
+                            <keystore>${project.build.outputDirectory}/myservice-keystore.jks</keystore>
+                            <file>${project.build.outputDirectory}/myservice.csr</file>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>sign-myservice-certificate</id>
+                        <phase>generate-sources</phase>
+                        <goals>
+                            <goal>generateCertificate</goal>
+                        </goals>
+                        <configuration>
+                            <alias>cxfca</alias>
+                            <storepass>cxfca-password</storepass>
+                            <keystore>${project.build.outputDirectory}/cxfca.jks</keystore>
+                            <rfc>true</rfc>
+                            <infile>${project.build.outputDirectory}/myservice.csr</infile>
+                            <outfile>${project.build.outputDirectory}/myservice.pem</outfile>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>import-cxfca-certificate-to-myservice-keystore</id>
+                        <phase>generate-sources</phase>
+                        <goals>
+                            <goal>importCertificate</goal>
+                        </goals>
+                        <configuration>
+                            <alias>cxfca</alias>
+                            <trustcacerts>true</trustcacerts>
+                            <noprompt>true</noprompt>
+                            <storepass>myservice-keystore-password</storepass>
+                            <keystore>${project.build.outputDirectory}/myservice-keystore.jks</keystore>
+                            <file>${project.build.outputDirectory}/cxfca.pem</file>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>import-signed-myservice-certificate-to-myservice-keystore</id>
+                        <phase>generate-sources</phase>
+                        <goals>
+                            <goal>importCertificate</goal>
+                        </goals>
+                        <configuration>
+                            <alias>myservice</alias>
+                            <trustcacerts>true</trustcacerts>
+                            <noprompt>true</noprompt>
+                            <storepass>myservice-keystore-password</storepass>
+                            <keystore>${project.build.outputDirectory}/myservice-keystore.jks</keystore>
+                            <file>${project.build.outputDirectory}/myservice.pem</file>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
         </plugins>
     </build>
     <profiles>

integration-tests/santuario-xmlsec/src/main/java/io/quarkiverse/xmlsec/it/XmlsecResource.java

@@ -46,8 +46,8 @@ public XmlsecResource() throws KeyStoreException, NoSuchAlgorithmException, Cert
         // Set up the Key
         keyStore = KeyStore.getInstance("jks");
         keyStore.load(
-                this.getClass().getClassLoader().getResource("servicestore.jks").openStream(),
-                "sspass".toCharArray());
+                this.getClass().getClassLoader().getResource("myservice-keystore.jks").openStream(),
+                "myservice-keystore-password".toCharArray());
     }
 
     /**
@@ -62,16 +62,16 @@ public XmlsecResource() throws KeyStoreException, NoSuchAlgorithmException, Cert
     @POST
     @Path("/{encryption}/encrypt")
     public byte[] encrypt(byte[] plaintext, @PathParam("encryption") Encryption encryption) throws Exception {
-        X509Certificate cert = (X509Certificate) keyStore.getCertificate("myservicekey");
+        X509Certificate cert = (X509Certificate) keyStore.getCertificate("myservice");
 
         // Set up the secret Key
         KeyGenerator keygen = KeyGenerator.getInstance("AES");
         keygen.init(128);
         SecretKey secretKey = keygen.generateKey();
 
         // Encrypt using DOM
-        return encryption.encrypt(plaintext, PAYMENT_INFO, "http://www.w3.org/2001/04/xmlenc#aes128-cbc", secretKey,
-                "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p", cert.getPublicKey(), false);
+        return encryption.encrypt(plaintext, PAYMENT_INFO, "http://www.w3.org/2009/xmlenc11#aes256-gcm", secretKey,
+                "http://www.w3.org/2001/04/xmlenc#rsa-1_5", cert.getPublicKey(), false);
     }
 
     /**
@@ -86,8 +86,8 @@ public byte[] encrypt(byte[] plaintext, @PathParam("encryption") Encryption encr
     @POST
     @Path("/{encryption}/decrypt")
     public byte[] decrypt(byte[] encrypted, @PathParam("encryption") Encryption encryption) throws Exception {
-        Key privateKey = keyStore.getKey("myservicekey", "skpass".toCharArray());
-        return encryption.decrypt(encrypted, "http://www.w3.org/2001/04/xmlenc#aes128-cbc", privateKey);
+        Key privateKey = keyStore.getKey("myservice", "myservice-keystore-password".toCharArray());
+        return encryption.decrypt(encrypted, "http://www.w3.org/2009/xmlenc11#aes256-gcm", privateKey);
     }
 
     /**
@@ -106,10 +106,10 @@ public byte[] signEnveloped(byte[] plaintext, @PathParam("signature") Signing si
         // Set up the Key
         KeyStore keyStore = KeyStore.getInstance("jks");
         keyStore.load(
-                this.getClass().getClassLoader().getResource("clientstore.jks").openStream(),
-                "cspass".toCharArray());
-        Key key = keyStore.getKey("myclientkey", "ckpass".toCharArray());
-        X509Certificate cert = (X509Certificate) keyStore.getCertificate("myclientkey");
+                this.getClass().getClassLoader().getResource("myclient-keystore.jks").openStream(),
+                "myclient-keystore-password".toCharArray());
+        Key key = keyStore.getKey("myclient", "myclient-keystore-password".toCharArray());
+        X509Certificate cert = (X509Certificate) keyStore.getCertificate("myclient");
         return signature.sign(plaintext, key, cert, PAYMENT_INFO);
     }
 
@@ -129,9 +129,9 @@ public void verifyEnveloped(byte[] plaintext, @PathParam("signature") Signing si
         // Set up the Key
         KeyStore keyStore = KeyStore.getInstance("jks");
         keyStore.load(
-                this.getClass().getClassLoader().getResource("clientstore.jks").openStream(),
-                "cspass".toCharArray());
-        X509Certificate cert = (X509Certificate) keyStore.getCertificate("myclientkey");
+                this.getClass().getClassLoader().getResource("myclient-keystore.jks").openStream(),
+                "myclient-keystore-password".toCharArray());
+        X509Certificate cert = (X509Certificate) keyStore.getCertificate("myclient");
         signature.verify(plaintext, cert);
     }
 

integration-tests/santuario-xmlsec/src/main/resources/application.properties

@@ -1 +1 @@
-quarkus.native.resources.includes=servicestore.jks,clientstore.jks
+quarkus.native.resources.includes=myclient-keystore.jks,myservice-keystore.jks

integration-tests/ws-trust/src/main/resources/asymmetric-saml2-policy.xml

@@ -62,7 +62,7 @@
                     <sp:OnlySignEntireHeadersAndBody />
                     <sp:AlgorithmSuite>
                         <wsp:Policy>
-                            <sp:Basic256 />
+                            <sp:CustomAlgorithmSuite/>
                         </wsp:Policy>
                     </sp:AlgorithmSuite>
                 </wsp:Policy>

integration-tests/ws-trust/src/main/resources/ws-trust-1.4-service.wsdl

@@ -181,7 +181,7 @@
                   </sp:ProtectionToken>
                   <sp:AlgorithmSuite>
                      <wsp:Policy>
-                        <sp:Basic256 />
+                         <sp:CustomAlgorithmSuite/>
                      </wsp:Policy>
                   </sp:AlgorithmSuite>
                   <sp:Layout>