[ https://issues.apache.org/jira/browse/CXF-8971?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Freeman Yue Fang updated CXF-8971:
----------------------------------
    Summary: Make all parameters of ws-securitypolicy AlgorithmSuite configurable  (was: Introduce a Make all parameters of ws-securitypolicy AlgorithmSuite configurable)

> Make all parameters of ws-securitypolicy AlgorithmSuite configurable
> --------------------------------------------------------------------
>
>                 Key: CXF-8971
>                 URL: https://issues.apache.org/jira/browse/CXF-8971
>             Project: CXF
>          Issue Type: Improvement
>            Reporter: Freeman Yue Fang
>            Priority: Major
>
> In ws-securitypolicy, currently we have a list of AlgorithmSuites by name;
> some are defined in ws-securitypolicy, they are
> {code}
> Basic256
> Basic192
> Basic128
> TripleDes
> Basic256Rsa15
> Basic192Rsa15
> Basic128Rsa15
> TripleDesRsa15
> Basic256Sha256
> Basic192Sha256
> Basic128Sha256
> TripleDesSha256
> Basic256Sha256Rsa15
> Basic192Sha256Rsa15
> Basic128Sha256Rsa15
> TripleDesSha256Rsa15
> {code}
> And some are from CXF itself to address CVEs, they are
> {code}
> Basic128GCM
> Basic192GCM
> Basic256GCM
> {code}
> so if users specify an AlgorithmSuite name like
> {code}
> <sp:AlgorithmSuite>
>     <wsp:Policy>
>         <sp:Basic256Sha256Rsa15 />
>     </wsp:Policy>
> </sp:AlgorithmSuite>
> {code}
> they will get an AlgorithmSuiteType instance with all parameters hardcoded for
> this AlgorithmSuite name.
> {code}
> new AlgorithmSuiteType(
>     "Basic256Sha256Rsa15",
>     SPConstants.SHA256,
>     SPConstants.AES256,
>     SPConstants.KW_AES256,
>     SPConstants.KW_RSA15,
>     SPConstants.P_SHA1_L256,
>     SPConstants.P_SHA1_L192,
>     256, 192, 256,
>     MAX_SKL, MIN_AKL, MAX_AKL)
> {code}
> However, security algorithms are evolving and some old-time algos may get
> cracked, or sometimes only some limited modern/strong security algorithms can
> be used in some scenarios, so the currently available AlgorithmSuiteTypes from both
> ws-securitypolicy or CXF may not meet the specific requirements.
> It would be great that we can introduce a fully configurable
> AlgorithmSuiteType which could be named as, say, customerizedAlgorithmSuite
> which could have default values, but the parameters of AlgorithmSuiteType can
> be configured via endpoint (client or server) properties. This flexibility can
> offer us more convenience.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
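
One way to picture the configurable suite requested in this issue, as an added sketch that is not CXF or WSS4J code: defaults are overridden by endpoint properties, and every resulting algorithm URI is checked against an allowlist so an override cannot silently select a weak algorithm. The property prefix, parameter names and allowlist are hypothetical; the URIs are the standard XML Encryption identifiers.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/** Sketch of a configurable algorithm suite: defaults overridden by endpoint properties. */
public class CustomSuiteExample {
    // Hypothetical property prefix; not a real CXF property name.
    static final String PREFIX = "example.custom.alg.suite.";

    // Constructed deployment policy: the only algorithm URIs this endpoint accepts.
    static final Set<String> ALLOWED = Set.of(
        "http://www.w3.org/2001/04/xmlenc#sha256",
        "http://www.w3.org/2009/xmlenc11#aes256-gcm",
        "http://www.w3.org/2001/04/xmlenc#kw-aes256",
        "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");

    /** Start from defaults, apply overrides, reject unknown keys and non-allowlisted URIs. */
    static Map<String, String> resolve(Map<String, Object> endpointProps) {
        Map<String, String> suite = new LinkedHashMap<>();
        suite.put("digest", "http://www.w3.org/2001/04/xmlenc#sha256");
        suite.put("encryption", "http://www.w3.org/2009/xmlenc11#aes256-gcm");
        suite.put("symmetricKeyWrap", "http://www.w3.org/2001/04/xmlenc#kw-aes256");
        suite.put("asymmetricKeyWrap", "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
        for (Map.Entry<String, Object> e : endpointProps.entrySet()) {
            if (!e.getKey().startsWith(PREFIX)) continue; // unrelated endpoint property
            String name = e.getKey().substring(PREFIX.length());
            if (!suite.containsKey(name)) { // a typo must not fall back to a default silently
                throw new IllegalArgumentException("Unknown suite parameter: " + name);
            }
            suite.put(name, String.valueOf(e.getValue()));
        }
        suite.forEach((k, v) -> {
            if (!ALLOWED.contains(v)) throw new IllegalArgumentException(k + " not allowed: " + v);
        });
        return suite;
    }

    public static void main(String[] args) {
        System.out.println(resolve(Map.of())); // defaults only
        try { // constructed override selecting RSA 1.5 key wrap, which the allowlist rejects
            resolve(Map.of(PREFIX + "asymmetricKeyWrap",
                           "http://www.w3.org/2001/04/xmlenc#rsa-1_5"));
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```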