[
https://issues.apache.org/jira/browse/CXF-8971?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17808768#comment-17808768
]
Peter Palaga commented on CXF-8971:
-----------------------------------
bq. It would be great that we can introduce a fully configurable
AlgorithmSuiteType which could be named as ,say, customerizedAlgorithmSuite
which could have default values, but the parameters of AlgorithmSuiteType can
be configured via endpoint(client or server) properties. This flexibility can
offer us more convenience.
Yes, it would be very beneficial, that this new customized AlgorithmSuite would
allow for taking the algorithms and key lengths that are on par with the
current security standards. I'd like to note that the primary motivation of
myself, [~ffang] and [~jondruse] for this is to be able to run CXF in FIPS
enabled environments.
However, I wonder, how useful the configuration through endpoint (client or
server) properties would be? Currently it is the policy definition that is used
to exchange the information about the algorithms (through the predefined
algorithm suites).
If we really want to introduce another non-standard Suite, why don't we
introduce it along with the sub-elements for the algorithms and key lengths?
Something like
{code}
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:AlgorithmSuiteDefinition>
<sp:DigestAlgorithm>http://www.w3.org/2001/04/xmlenc#sha256</sp:DigestAlgorithm>
<sp:EncryptionAlgorithm>http://www.w3.org/2009/xmlenc11#aes256-gcm</sp:EncryptionAlgorithm>
<sp:SymmetricKeyEncryptionAlgorithm>http://www.w3.org/2001/04/xmlenc#kw-aes256</sp:SymmetricKeyEncryptionAlgorithm>
<sp:AsymmetricKeyEncryptionAlgorithm>http://www.w3.org/2001/04/xmlenc#rsa-1_5</sp:AsymmetricKeyEncryptionAlgorithm>
<sp:EncryptionKeyDerivation>http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1</sp:EncryptionKeyDerivation>
<sp:SignatureKeyDerivation>http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1</sp:SignatureKeyDerivation>
<sp:EncryptionDerivedKeyLength>256</sp:EncryptionDerivedKeyLength>
<sp:SignatureDerivedKeyLength>192</sp:SignatureDerivedKeyLength>
<sp:MinimumSymmetricKeyLength>256</sp:MinimumSymmetricKeyLength>
<sp:MaximumSymmetricKeyLength>256</sp:MaximumSymmetricKeyLength>
<sp:MinimumAsymmetricKeyLength>1024</sp:MinimumAsymmetricKeyLength>
<sp:MaximumAsymmetricKeyLength>4096</sp:MaximumAsymmetricKeyLength>
</sp:AlgorithmSuiteDefinition>
</wsp:Policy>
</sp:AlgorithmSuite>
{code}
In that way, the information would stay transparent for the clients and servers
and would also work flawlessly at least for CXF clients and servers.
> Introduce a customerizedAlgorithmSuite and make all parameters of it
> configurable
> ---------------------------------------------------------------------------------
>
> Key: CXF-8971
> URL: https://issues.apache.org/jira/browse/CXF-8971
> Project: CXF
> Issue Type: Improvement
> Reporter: Freeman Yue Fang
> Priority: Major
>
> In ws-securitypolicy, currently we have a list of AlgorithmSuite by name,
> some are defined in ws-securitypolicy, they are
> {code}
> Basic256
> Basic192
> Basic128
> TripleDes
> Basic256Rsa15
> Basic192Rsa15
> Basic128Rsa15
> TripleDesRsa15
> Basic256Sha256
> Basic192Sha256
> Basic128Sha256
> TripleDesSha256
> Basic256Sha256Rsa15
> Basic192Sha256Rsa15
> Basic128Sha256Rsa15
> TripleDesSha256Rsa15
> {code}
> And some are from CXF itself to address CVEs, they are
> {code}
> Basic128GCM
> Basic192GCM
> Basic256GCM
> {code}
> so if users specify a AlgorithmSuite name like
> {code}
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256Sha256Rsa15 />
> </wsp:Policy>
> </sp:AlgorithmSuite>
> {code}
> they will get a AlgorithmSuiteType instance of all parameters hardcoded with
> this AlgorithmSuite name.
> {code}
> new AlgorithmSuiteType(
> "Basic256Sha256Rsa15",
> SPConstants.SHA256,
> SPConstants.AES256,
> SPConstants.KW_AES256,
> SPConstants.KW_RSA15,
> SPConstants.P_SHA1_L256,
> SPConstants.P_SHA1_L192,
> 256, 192, 256,
> MAX_SKL, MIN_AKL, MAX_AKL)
> {code}
> However, security algorithms are evolving and some old-time algos may get
> cracked, or sometimes only some limited modern/strong security algorithms can
> be used in some scenarios, so current available AlgorithmSuiteType from both
> ws-securitypolicy or CXF may not meet the specific requirements.
> It would be great that we can introduce a fully configurable
> AlgorithmSuiteType which could be named as ,say, customerizedAlgorithmSuite
> which could have default values, but the parameters of AlgorithmSuiteType can
> be configured via endpoint(client or server) properties. This flexibility can
> offer us more convenience.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
