Fixed certificate generation + algorithms to be compliant with FIPs -…
… santuario-xmlsec,ws-trust
JiriOndrusek committed May 7, 2024
1 parent 48864a6 commit f24407e
Showing 8 changed files with 219 additions and 18 deletions.
Expand Up @@ -62,7 +62,7 @@
<sp:OnlySignEntireHeadersAndBody />
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
<sp:CustomAlgorithmSuite/>
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
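Review bot: `<sp:CustomAlgorithmSuite/>` is a CXF-specific extension rather than one of the WS-SecurityPolicy standard suites, so after this change the policy file no longer says which digest, encryption and key-wrap algorithms are in force; they come from CXF's defaults for that suite and whatever overriding properties are set elsewhere, and a non-CXF peer will not understand the assertion. Please add an XML comment above the element so the next reader knows where to look, e.g. `<!-- CXF-only suite: the effective algorithms are CXF's CustomAlgorithmSuite defaults plus any overriding CXF security properties set in the endpoint/bus config -->`. If interoperability with non-CXF clients matters, the standard `<sp:Basic256Sha256/>` is the portable alternative, though whether its RSA-OAEP/MGF1-SHA1 key transport is accepted by the target FIPS provider is something I cannot confirm from this page. The same one-line replacement is made in the two other policy files in this commit.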
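--- a/integration-tests/santuario-xmlsec/pom.xml
+++ b/integration-tests/santuario-xmlsec/pom.xml
@@ -48,6 +48,207 @@
 </execution>
 </executions>
 </plugin>
+<plugin>
+<groupId>org.codehaus.mojo</groupId>
+<artifactId>keytool-maven-plugin</artifactId>
+<configuration>
+<validity>3650</validity>
+<keyalg>RSA</keyalg>
+<skip>${keytool.skip}</skip>
+</configuration>
+<executions>
+<!-- CA -->
+<execution>
+<id>generate-cxfca-keypair</id>
+<phase>generate-sources</phase>
+<goals>
+<goal>clean</goal>
+<goal>generateKeyPair</goal>
+</goals>
+<configuration>
+<alias>cxfca</alias>
+<dname>CN=cxfca, OU=eng, O=apache.org</dname>
+<exts>
+<ext>bc:c=ca:true,pathlen:2147483647</ext>
+<ext>IssuerAlternativeName=DNS:NOT-FOR-PRODUCTION-USE</ext>
+</exts>
+<keypass>cxfca-password</keypass>
+<storepass>cxfca-password</storepass>
+<keystore>${project.build.outputDirectory}/cxfca.jks</keystore>
+</configuration>
+</execution>
+<execution>
+<id>export-cxfca-certificate</id>
+<phase>generate-sources</phase>
+<goals>
+<goal>exportCertificate</goal>
+</goals>
+<configuration>
+<alias>cxfca</alias>
+<keystore>${project.build.outputDirectory}/cxfca.jks</keystore>
+<rfc>true</rfc>
+<storepass>cxfca-password</storepass>
+<file>${project.build.outputDirectory}/cxfca.pem</file>
+</configuration>
+</execution>
+<!-- Myclient -->
+<execution>
+<id>generate-myclient-keypair</id>
+<phase>generate-sources</phase>
+<goals>
+<goal>clean</goal>
+<goal>generateKeyPair</goal>
+</goals>
+<configuration>
+<alias>myclient</alias>
+<dname>CN=myclient, OU=eng, O=apache.org</dname>
+<exts>
+<ext>bc:c=ca:true,pathlen:2147483647</ext>
+<ext>IssuerAlternativeName=DNS:NOT-FOR-PRODUCTION-USE</ext>
+</exts>
+<keypass>myclient-keystore-password</keypass>
+<storepass>myclient-keystore-password</storepass>
+<keystore>${project.build.outputDirectory}/myclient-keystore.jks</keystore>
+</configuration>
+</execution>
+<execution>
+<id>generate-myclient-certificate-request</id>
+<phase>generate-sources</phase>
+<goals>
+<goal>generateCertificateRequest</goal>
+</goals>
+<configuration>
+<alias>myclient</alias>
+<storepass>myclient-keystore-password</storepass>
+<keystore>${project.build.outputDirectory}/myclient-keystore.jks</keystore>
+<file>${project.build.outputDirectory}/myclient.csr</file>
+</configuration>
+</execution>
+<execution>
+<id>sign-myclient-certificate</id>
+<phase>generate-sources</phase>
+<goals>
+<goal>generateCertificate</goal>
+</goals>
+<configuration>
+<alias>cxfca</alias>
+<storepass>cxfca-password</storepass>
+<keystore>${project.build.outputDirectory}/cxfca.jks</keystore>
+<rfc>true</rfc>
+<infile>${project.build.outputDirectory}/myclient.csr</infile>
+<outfile>${project.build.outputDirectory}/myclient.pem</outfile>
+</configuration>
+</execution>
+<execution>
+<id>import-cxfca-certificate-to-myclientkey-keystore</id>
+<phase>generate-sources</phase>
+<goals>
+<goal>importCertificate</goal>
+</goals>
+<configuration>
+<alias>cxfca</alias>
+<trustcacerts>true</trustcacerts>
+<noprompt>true</noprompt>
+<storepass>myclient-keystore-password</storepass>
+<keystore>${project.build.outputDirectory}/myclient-keystore.jks</keystore>
+<file>${project.build.outputDirectory}/cxfca.pem</file>
+</configuration>
+</execution>
+<execution>
+<id>import-signed-myclientkey-certificate-to-myclient-keystore</id>
+<phase>generate-sources</phase>
+<goals>
+<goal>importCertificate</goal>
+</goals>
+<configuration>
+<alias>myclient</alias>
+<trustcacerts>true</trustcacerts>
+<noprompt>true</noprompt>
+<storepass>myclient-keystore-password</storepass>
+<keystore>${project.build.outputDirectory}/myclient-keystore.jks</keystore>
+<file>${project.build.outputDirectory}/myclient.pem</file>
+</configuration>
+</execution>
+<!-- Myservice -->
+<execution>
+<id>generate-myservice-keypair</id>
+<phase>generate-sources</phase>
+<goals>
+<goal>clean</goal>
+<goal>generateKeyPair</goal>
+</goals>
+<configuration>
+<alias>myservice</alias>
+<dname>CN=myservice, OU=eng, O=apache.org</dname>
+<exts>
+<ext>bc:c=ca:true,pathlen:2147483647</ext>
+<ext>IssuerAlternativeName=DNS:NOT-FOR-PRODUCTION-USE</ext>
+</exts>
+<keypass>myservice-keystore-password</keypass>
+<storepass>myservice-keystore-password</storepass>
+<keystore>${project.build.outputDirectory}/myservice-keystore.jks</keystore>
+</configuration>
+</execution>
+<execution>
+<id>generate-myservice-certificate-request</id>
+<phase>generate-sources</phase>
+<goals>
+<goal>generateCertificateRequest</goal>
+</goals>
+<configuration>
+<alias>myservice</alias>
+<storepass>myservice-keystore-password</storepass>
+<keystore>${project.build.outputDirectory}/myservice-keystore.jks</keystore>
+<file>${project.build.outputDirectory}/myservice.csr</file>
+</configuration>
+</execution>
+<execution>
+<id>sign-myservice-certificate</id>
+<phase>generate-sources</phase>
+<goals>
+<goal>generateCertificate</goal>
+</goals>
+<configuration>
+<alias>cxfca</alias>
+<storepass>cxfca-password</storepass>
+<keystore>${project.build.outputDirectory}/cxfca.jks</keystore>
+<rfc>true</rfc>
+<infile>${project.build.outputDirectory}/myservice.csr</infile>
+<outfile>${project.build.outputDirectory}/myservice.pem</outfile>
+</configuration>
+</execution>
+<execution>
+<id>import-cxfca-certificate-to-myservice-keystore</id>
+<phase>generate-sources</phase>
+<goals>
+<goal>importCertificate</goal>
+</goals>
+<configuration>
+<alias>cxfca</alias>
+<trustcacerts>true</trustcacerts>
+<noprompt>true</noprompt>
+<storepass>myservice-keystore-password</storepass>
+<keystore>${project.build.outputDirectory}/myservice-keystore.jks</keystore>
+<file>${project.build.outputDirectory}/cxfca.pem</file>
+</configuration>
+</execution>
+<execution>
+<id>import-signed-myservice-certificate-to-myservice-keystore</id>
+<phase>generate-sources</phase>
+<goals>
+<goal>importCertificate</goal>
+</goals>
+<configuration>
+<alias>myservice</alias>
+<trustcacerts>true</trustcacerts>
+<noprompt>true</noprompt>
+<storepass>myservice-keystore-password</storepass>
+<keystore>${project.build.outputDirectory}/myservice-keystore.jks</keystore>
+<file>${project.build.outputDirectory}/myservice.pem</file>
+</configuration>
+</execution>
+</executions>
+</plugin>
 </plugins>
 </build>
 <profiles>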
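Review bot: The `bc:c=ca:true,pathlen:2147483647` extension is applied not only to `cxfca` but also to the `myclient` and `myservice` key pairs, which are end-entity certificates later signed by `cxfca`; whether keytool's `generateCertificate` carries that extension into the signed cert depends on its honored-extensions setting, but the self-signed leaf that sits in each keystore until the import is unambiguously a CA cert, so drop the `bc` ext from those two executions or change it to `<ext>bc:c=ca:false</ext>`. Because this commit is about FIPS compliance, the key size and signature algorithm should also be pinned rather than left to whichever JDK runs the build, e.g. add `<keysize>2048</keysize>` and `<sigalg>SHA256withRSA</sigalg>` beside `<keyalg>RSA</keyalg>` in the shared plugin `<configuration>` (keytool-maven-plugin accepts both, as far as I recall). The stores are `.jks`; if the target FIPS provider cannot open JKS, generating PKCS12 via `<storetype>PKCS12</storetype>` avoids a runtime surprise, though I cannot confirm the provider's behaviour from this page. The hard-coded passwords are acceptable for fixtures carrying the `NOT-FOR-PRODUCTION-USE` marker.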
Expand Up @@ -46,8 +46,8 @@ public XmlsecResource() throws KeyStoreException, NoSuchAlgorithmException, Cert
// Set up the Key
keyStore = KeyStore.getInstance("jks");
keyStore.load(
this.getClass().getClassLoader().getResource("servicestore.jks").openStream(),
"sspass".toCharArray());
this.getClass().getClassLoader().getResource("myservice-keystore.jks").openStream(),
"myservice-keystore-password".toCharArray());
}

/**
Expand All @@ -62,16 +62,16 @@ public XmlsecResource() throws KeyStoreException, NoSuchAlgorithmException, Cert
@POST
@Path("/{encryption}/encrypt")
public byte[] encrypt(byte[] plaintext, @PathParam("encryption") Encryption encryption) throws Exception {
X509Certificate cert = (X509Certificate) keyStore.getCertificate("myservicekey");
X509Certificate cert = (X509Certificate) keyStore.getCertificate("myservice");

// Set up the secret Key
KeyGenerator keygen = KeyGenerator.getInstance("AES");
keygen.init(128);
SecretKey secretKey = keygen.generateKey();

// Encrypt using DOM
return encryption.encrypt(plaintext, PAYMENT_INFO, "http://www.w3.org/2001/04/xmlenc#aes128-cbc", secretKey,
"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p", cert.getPublicKey(), false);
return encryption.encrypt(plaintext, PAYMENT_INFO, "http://www.w3.org/2009/xmlenc11#aes256-gcm", secretKey,
"http://www.w3.org/2001/04/xmlenc#rsa-1_5", cert.getPublicKey(), false);
}

/**
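Review bot: The unchanged context line `keygen.init(128);` still produces a 128-bit AES key, yet the new code labels the ciphertext `http://www.w3.org/2009/xmlenc11#aes256-gcm`, so the declared algorithm and the key do not match; `keygen.init(256);` is the one-line fix that makes the URI truthful (whether Santuario rejects the mismatch at runtime I cannot tell from here, but an `aes256-gcm` label over AES-128 data is misleading either way). The switch from `rsa-oaep-mgf1p` to `rsa-1_5` for key transport also deserves a second look: PKCS#1 v1.5 key transport is the classic Bleichenbacher padding-oracle target, is disabled by default in WSS4J for that reason as I recall, and NIST SP 800-131A treats it as disallowed for key transport, which makes it an odd choice for a FIPS-motivated change. If the `Encryption` helper (its signature is not visible here) can carry OAEP parameters, `http://www.w3.org/2009/xmlenc11#rsa-oaep` with a SHA-256 digest and MGF1-SHA256 is the FIPS-friendly replacement for the SHA-1-based `rsa-oaep-mgf1p`; if it cannot, add a comment next to the `rsa-1_5` literal recording why it was chosen and that it is not to be copied into production code. The `decrypt` method below uses the same data-encryption URI and would need the same key-size alignment.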
Expand All @@ -86,8 +86,8 @@ public byte[] encrypt(byte[] plaintext, @PathParam("encryption") Encryption encr
@POST
@Path("/{encryption}/decrypt")
public byte[] decrypt(byte[] encrypted, @PathParam("encryption") Encryption encryption) throws Exception {
Key privateKey = keyStore.getKey("myservicekey", "skpass".toCharArray());
return encryption.decrypt(encrypted, "http://www.w3.org/2001/04/xmlenc#aes128-cbc", privateKey);
Key privateKey = keyStore.getKey("myservice", "myservice-keystore-password".toCharArray());
return encryption.decrypt(encrypted, "http://www.w3.org/2009/xmlenc11#aes256-gcm", privateKey);
}

/**
Expand All @@ -106,10 +106,10 @@ public byte[] signEnveloped(byte[] plaintext, @PathParam("signature") Signing si
// Set up the Key
KeyStore keyStore = KeyStore.getInstance("jks");
keyStore.load(
this.getClass().getClassLoader().getResource("clientstore.jks").openStream(),
"cspass".toCharArray());
Key key = keyStore.getKey("myclientkey", "ckpass".toCharArray());
X509Certificate cert = (X509Certificate) keyStore.getCertificate("myclientkey");
this.getClass().getClassLoader().getResource("myclient-keystore.jks").openStream(),
"myclient-keystore-password".toCharArray());
Key key = keyStore.getKey("myclient", "myclient-keystore-password".toCharArray());
X509Certificate cert = (X509Certificate) keyStore.getCertificate("myclient");
return signature.sign(plaintext, key, cert, PAYMENT_INFO);
}

Expand All @@ -129,9 +129,9 @@ public void verifyEnveloped(byte[] plaintext, @PathParam("signature") Signing si
// Set up the Key
KeyStore keyStore = KeyStore.getInstance("jks");
keyStore.load(
this.getClass().getClassLoader().getResource("clientstore.jks").openStream(),
"cspass".toCharArray());
X509Certificate cert = (X509Certificate) keyStore.getCertificate("myclientkey");
this.getClass().getClassLoader().getResource("myclient-keystore.jks").openStream(),
"myclient-keystore-password".toCharArray());
X509Certificate cert = (X509Certificate) keyStore.getCertificate("myclient");
signature.verify(plaintext, cert);
}

@@ -1 +1 @@
quarkus.native.resources.includes=servicestore.jks,clientstore.jks
quarkus.native.resources.includes=myclient-keystore.jks,myservice-keystore.jks
Binary file not shown.
Binary file not shown.
Expand Up @@ -62,7 +62,7 @@
<sp:OnlySignEntireHeadersAndBody />
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
<sp:CustomAlgorithmSuite/>
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
Expand Up @@ -181,7 +181,7 @@
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
<sp:CustomAlgorithmSuite/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
