cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r860720 - in /websites/production/cxf/content: cache/docs.pageCache docs/xml-key-management-service-xkms.data/classic-message-encryption-PKI-XKMS.jpg docs/xml-key-management-service-xkms.html
Date Fri, 03 May 2013 15:48:35 GMT
Author: buildbot
Date: Fri May  3 15:48:35 2013
New Revision: 860720

Log:
Production update by buildbot for cxf

Added:
    websites/production/cxf/content/docs/xml-key-management-service-xkms.data/classic-message-encryption-PKI-XKMS.jpg
  (with props)
Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/xml-key-management-service-xkms.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Added: websites/production/cxf/content/docs/xml-key-management-service-xkms.data/classic-message-encryption-PKI-XKMS.jpg
==============================================================================
Binary file - no diff available.

Propchange: websites/production/cxf/content/docs/xml-key-management-service-xkms.data/classic-message-encryption-PKI-XKMS.jpg
------------------------------------------------------------------------------
    svn:mime-type = image/jpeg

Modified: websites/production/cxf/content/docs/xml-key-management-service-xkms.html
==============================================================================
--- websites/production/cxf/content/docs/xml-key-management-service-xkms.html (original)
+++ websites/production/cxf/content/docs/xml-key-management-service-xkms.html Fri May  3 15:48:35
2013
@@ -143,8 +143,13 @@ The sender uses this certificate for mes
 
 <h2><a shape="rect" name="XMLKeyManagementService%28XKMS%29-XKMSSpecification"></a>XKMS
Specification</h2>
 
-<p>W3C specifies standard protocol to distribute and register public keys, certificates
and CAs that can be used for XML-based cryptography, including signature and encryption: <a
shape="rect" class="external-link" href="http://www.w3.org/TR/xkms2/" rel="nofollow">XML
Key Management Specification</a> (XKMS 2.0). XKMS can be used as standardized frontend
to Public Key Infrastructure (PKI).<br clear="none">
-The XKMS Specification comprises two parts &#8211; the XML Key Information Service Specification
(XKISS) describing the runtime aspects of key lookup and certificate validation and the XML
Key Registration Service Specification (XKRSS) describing the administrative aspects of registering,
renewing, revoking and recovering certificates. XKMS Service implements both parts of specification.</p>
+<p>W3C specifies protocol to distribute and register public keys, certificates and
CAs that can be used for XML-based cryptography, including signature and encryption: <a
shape="rect" class="external-link" href="http://www.w3.org/TR/xkms2/" rel="nofollow">XML
Key Management Specification</a> (XKMS 2.0). <br clear="none">
+The XKMS Specification comprises two parts &#8211; the XML Key Information Service Specification
(XKISS) describing the runtime aspects of key lookup and certificate validation and the XML
Key Registration Service Specification (XKRSS) describing the administrative aspects of registering,
renewing, revoking and recovering certificates. <br clear="none">
+XKMS Service implements both parts of specification.</p>
+
+<p>XKMS SOAP interface can be used as standard frontend to access Public Key Infrastructure
(PKI). Using XKMS message encryption scenario  message encryption picture will change in following
way:</p>
+
+<p><span class="image-wrap" style=""><img src="xml-key-management-service-xkms.data/classic-message-encryption-PKI-XKMS.jpg"
style="border: 0px solid black"></span></p>
 
 <h3><a shape="rect" name="XMLKeyManagementService%28XKMS%29-XKMSDesign"></a>XKMS
Design</h3>
 
@@ -152,13 +157,55 @@ The XKMS Specification comprises two par
 
 <p><span class="image-wrap" style=""><img src="xml-key-management-service-xkms.data/XKMS-cxf.jpg"
style="border: 0px solid black"></span></p>
 
-<p>XKMS Service exposes standardized XKISS and XKRSS SOAP interfaces. <br clear="none">
-Input and output parameters as well as samples of SOAP messages are described in the specification
<a shape="rect" class="external-link" href="http://www.w3.org/TR/xkms2/" rel="nofollow">XKMS
2.0</a>. <br clear="none">
-XKMS implementation supports chain of responsibility design pattern <a shape="rect" class="external-link"
href="http://en.wikipedia.org/wiki/Chain-of-responsibility_pattern" rel="nofollow">chain-of-responsibility
</a>. <br clear="none">
+<p>XKMS Service exposes SOAP interface specified in <a shape="rect" class="external-link"
href="http://www.w3.org/TR/xkms2/" rel="nofollow">XKMS 2.0</a>. <br clear="none">
+XKMS implementation realizes chain of <a shape="rect" class="external-link" href="http://en.wikipedia.org/wiki/Chain-of-responsibility_pattern"
rel="nofollow">responsibility design pattern </a>.<br clear="none">
 Each XKMS operation defines handler interface and provides one or more implementations of
this interface. Handler implementations are connected into chain. <br clear="none">
 Operation implementation invokes handlers one after another from pre-configured chain until
either all handlers will be processed or critical error will occur. <br clear="none">
-This design decision makes XKMS internal implementation quite flexible: it is easy to add/remove
handlers, change their order, introduce handlers supporting new backends, etc. <br clear="none">
-For example certificate can be searched firstly in the LDAP repository by LDAP lookup handler
and, if it is not found there, additionally looked in remote PKI using appropriate lookup
handler. Logic validation operation is organized in chain is well: first validation handler
checks format and expire date of X509 certificate, next one checks certificate trust chain.</p>
+This design makes XKMS internal implementation quite flexible: it is easy to add/remove handlers,
change their order, introduce handlers supporting new backends, etc. <br clear="none">
+For example certificate can be searched firstly in the LDAP repository by LDAP lookup handler
and, if it is not found there, additionally looked in remote PKI using appropriate lookup
handler. Validation operation logic is organized in chain is well: first validation handler
checks format and expire date of X509 certificate, next one checks certificate trust chain.</p>
+
+<p>Currently XKMS Service supports simple file based and LDAP backends.<br clear="none">
+Sample spring configuration of XKMS handlers for file backend looks like:</p>
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-xml">
+   <span class="code-tag">&lt;bean id=<span class="code-quote">"dateValidator"</span>
class=<span class="code-quote">"org.apache.cxf.xkms.x509.validator.DateValidator"</span>
/&gt;</span>
+
+   <span class="code-tag">&lt;bean id=<span class="code-quote">"x509FileLocator"</span>
class=<span class="code-quote">"org.apache.cxf.xkms.x509.locator.FileLocator"</span>&gt;</span>
+      <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"../conf/certs"</span>
/&gt;</span>
+   <span class="code-tag">&lt;/bean&gt;</span>
+
+   <span class="code-tag">&lt;bean id=<span class="code-quote">"fileRegisterHandler"</span>
class=<span class="code-quote">"org.apache.cxf.xkms.x509.handlers.FileRegisterHandler"</span>&gt;</span>
+      <span class="code-tag">&lt;constructor-arg value=<span class="code-quote">"../conf/certs"</span>
/&gt;</span>
+   <span class="code-tag">&lt;/bean&gt;</span>
+
+   <span class="code-tag">&lt;bean id=<span class="code-quote">"xkmsProviderBean"</span>
class=<span class="code-quote">"org.apache.cxf.xkms.service.XKMSService"</span>&gt;</span>
+      <span class="code-tag">&lt;property name=<span class="code-quote">"validators"</span>&gt;</span>
+         <span class="code-tag">&lt;list&gt;</span>
+            <span class="code-tag">&lt;ref bean=<span class="code-quote">"dateValidator"</span>
/&gt;</span>
+         <span class="code-tag">&lt;/list&gt;</span>
+      <span class="code-tag">&lt;/property&gt;</span>
+      <span class="code-tag">&lt;property name=<span class="code-quote">"locators"</span>&gt;</span>
+         <span class="code-tag">&lt;list&gt;</span>
+            <span class="code-tag">&lt;ref bean=<span class="code-quote">"x509FileLocator"</span>
/&gt;</span>
+         <span class="code-tag">&lt;/list&gt;</span>
+      <span class="code-tag">&lt;/property&gt;</span>
+      <span class="code-tag">&lt;property name=<span class="code-quote">"keyRegisterHandlers"</span>&gt;</span>
+         <span class="code-tag">&lt;list&gt;</span>
+            <span class="code-tag">&lt;ref bean=<span class="code-quote">"fileRegisterHandler"</span>
/&gt;</span>
+         <span class="code-tag">&lt;/list&gt;</span>
+      <span class="code-tag">&lt;/property&gt;</span>
+   <span class="code-tag">&lt;/bean&gt;</span>
+
+   &lt;jaxws:endpoint id=<span class="code-quote">"XKMSService"</span> <span
class="code-keyword">xmlns:serviceNamespace</span>=<span class="code-quote">"http://www.w3.org/2002/03/xkms#wsdl"</span>
+      serviceName=<span class="code-quote">"serviceNamespace:XKMSService"</span>
endpointName=<span class="code-quote">"serviceNamespace:XKMSPort"</span>
+      implementor=<span class="code-quote">"#xkmsProviderBean"</span> address=<span
class="code-quote">"/XKMS"</span>&gt;
+   <span class="code-tag">&lt;/jaxws:endpoint&gt;</span>
+</pre>
+</div></div>
+
+<h4><a shape="rect" name="XMLKeyManagementService%28XKMS%29-IntegrationXKMSclientintoCXFsecurity."></a>Integration
XKMS client into CXF security.</h4>
+
+<p>XKMS client can be integrated into CXF and WSS4J using custom Crypto provider implementation.
In this case XKMS service will be automatically invoked when WSS4J requires or validates certificate.
Details are described in this <a shape="rect" class="external-link" href="http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html"
rel="nofollow">blog</a>.</p>
 
 <h4><a shape="rect" name="XMLKeyManagementService%28XKMS%29-DataFormats"></a>Data
Formats</h4>
 
@@ -170,7 +217,6 @@ Restrictions of formats for request and 
 </div>
 
 
-
 <h4><a shape="rect" name="XMLKeyManagementService%28XKMS%29-ErrorHandling"></a>Error
Handling</h4>
 
 <p>Success and Fault Response formats are specified in <span class="error">[XKMS
2.0]</span>. Error conditions in XKMS service are reported using ResultMajor and ResultMinor
attributes in root response element.<br clear="none">
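Review bot: this hunk only drops a blank line, but the context it exposes still contains an unresolved page-link macro rendered as <span class="error">[XKMS 2.0]</span> in the Error Handling paragraph; replace it with the same external link to http://www.w3.org/TR/xkms2/ that the rest of the page uses, so readers see a citation rather than a red error box.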
@@ -189,7 +235,79 @@ XKMS Service uses following values for r
 </div>
 
 
-</div>
+<h4><a shape="rect" name="XMLKeyManagementService%28XKMS%29-Deployment"></a>Deployment</h4>
+
+<p>XKMS Service can be deployed into web and OSGi containers. Service implementation
was tested with Tomcat and Karaf.</p>
+
+<h4><a shape="rect" name="XMLKeyManagementService%28XKMS%29-SampleRequestsandResponses"></a>Sample
Requests and Responses</h4>
+<p>Sample request for Locate operation:</p>
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-xml">
+<span class="code-tag">&lt;soap:Envelope <span class="code-keyword">xmlns:soap</span>=<span
class="code-quote">"http://schemas.xmlsoap.org/soap/envelope/"</span>&gt;</span>
+    <span class="code-tag">&lt;soap:Body&gt;</span>
+        &lt;ns2:LocateRequest xmlns=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>
+            <span class="code-keyword">xmlns:ns2</span>=<span class="code-quote">"http://www.w3.org/2002/03/xkms#"</span>

+            <span class="code-keyword">xmlns:ns3</span>=<span class="code-quote">"http://www.w3.org/2001/04/xmlenc#"</span>
+            Id=<span class="code-quote">"1noOYHt5Lx7xUuizWZLOMw=="</span> Service=<span
class="code-quote">"http://cxf.apache.org/services/XKMS/"</span>&gt;
+            <span class="code-tag">&lt;ns2:QueryKeyBinding&gt;</span>
+                &lt;ns2:UseKeyWith Application=<span class="code-quote">"urn:ietf:rfc:2459"</span>
+                    Identifier=<span class="code-quote">"EMAILADDRESS=client@client.com,
CN=www.client.com, OU=IT Department, O=Sample Client -- NOT FOR PRODUCTION, L=Niagara Falls,
ST=New York, C=US"</span> /&gt;
+            <span class="code-tag">&lt;/ns2:QueryKeyBinding&gt;</span>
+        <span class="code-tag">&lt;/ns2:LocateRequest&gt;</span>
+    <span class="code-tag">&lt;/soap:Body&gt;</span>
+<span class="code-tag">&lt;/soap:Envelope&gt;</span>
+</pre>
+</div></div>
+
+<p>Sample response for Locate operation:</p>
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-xml">
+<span class="code-tag">&lt;soap:Envelope <span class="code-keyword">xmlns:soap</span>=<span
class="code-quote">"http://schemas.xmlsoap.org/soap/envelope/"</span>&gt;</span>
+    <span class="code-tag">&lt;soap:Body&gt;</span>
+        &lt;ns2:LocateResult ResultMajor=<span class="code-quote">"http://www.w3.org/2002/03/xkms#Success"</span>
+            RequestId=<span class="code-quote">"1noOYHt5Lx7xUuizWZLOMw=="</span>
Id=<span class="code-quote">"04725751-3d19-4566-87e6-b4f4a2a72606"</span>
+            Service=<span class="code-quote">"http://cxf.apache.org/services/XKMS/"</span>

+            <span class="code-keyword">xmlns:ns2</span>=<span class="code-quote">"http://www.w3.org/2002/03/xkms#"</span>
+            <span class="code-keyword">xmlns:ns3</span>=<span class="code-quote">"http://www.w3.org/2001/04/xmlenc#"</span>

+            <span class="code-keyword">xmlns:ns4</span>=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>
+            <span class="code-keyword">xmlns:ns5</span>=<span class="code-quote">"http://www.w3.org/2002/03/xkms#wsdl"</span>&gt;
+            <span class="code-tag">&lt;ns2:UnverifiedKeyBinding&gt;</span>
+                <span class="code-tag">&lt;ns4:KeyInfo&gt;</span>
+                    <span class="code-tag">&lt;ns4:X509Data&gt;</span>
+                        <span class="code-tag">&lt;ns4:X509Certificate&gt;</span>&#8230;
<span class="code-tag">&lt;/ns4:X509Certificate&gt;</span>
+                    <span class="code-tag">&lt;/ns4:X509Data&gt;</span>
+                <span class="code-tag">&lt;/ns4:KeyInfo&gt;</span>
+            <span class="code-tag">&lt;/ns2:UnverifiedKeyBinding&gt;</span>
+        <span class="code-tag">&lt;/ns2:LocateResult&gt;</span>
+    <span class="code-tag">&lt;/soap:Body&gt;</span>
+<span class="code-tag">&lt;/soap:Envelope&gt;</span>
+</pre>
+</div></div>
+
+<p>Sample error message:</p>
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-xml">
+<span class="code-tag">&lt;soap:Envelope <span class="code-keyword">xmlns:soap</span>=<span
class="code-quote">"http://schemas.xmlsoap.org/soap/envelope/"</span>&gt;</span>
+    <span class="code-tag">&lt;soap:Body&gt;</span>
+        &lt;ns2:LocateResult ResultMajor=<span class="code-quote">"http://www.w3.org/2002/03/xkms#Receiver"</span>
+            ResultMinor=<span class="code-quote">"http://www.w3.org/2002/03/xkms#Failure"</span>
+            RequestId=<span class="code-quote">"1noOYHt5Lx7xUuizWZLOMw=="</span>
Id=<span class="code-quote">"da4f4faf-b2d6-414a-a4cf-b40f464b59a4"</span>
+            Service=<span class="code-quote">"http://cxf.apache.org/services/XKMS/"</span>

+            <span class="code-keyword">xmlns:ns2</span>=<span class="code-quote">"http://www.w3.org/2002/03/xkms#"</span>
+            <span class="code-keyword">xmlns:ns3</span>=<span class="code-quote">"http://www.w3.org/2001/04/xmlenc#"</span>

+            <span class="code-keyword">xmlns:ns4</span>=<span class="code-quote">"http://www.w3.org/2000/09/xmldsig#"</span>
+            <span class="code-keyword">xmlns:ns5</span>=<span class="code-quote">"http://www.w3.org/2002/03/xkms#wsdl"</span>&gt;
+
+            &lt;ns2:MessageExtension xsi:type=<span class="code-quote">"ns5:resultDetails"</span>
+                <span class="code-keyword">xmlns:xsi</span>=<span class="code-quote">"http://www.w3.org/2001/XMLSchema-instance"</span>&gt;
+                <span class="code-tag">&lt;Details&gt;</span>Search certificates
failure: Application
+                    identifier not supported<span class="code-tag">&lt;/Details&gt;</span>
+            <span class="code-tag">&lt;/ns2:MessageExtension&gt;</span>
+        <span class="code-tag">&lt;/ns2:LocateResult&gt;</span>
+    <span class="code-tag">&lt;/soap:Body&gt;</span>
+<span class="code-tag">&lt;/soap:Envelope&gt;</span>
+</pre>
+</div></div></div>
            </div>
            <!-- Content -->
          </td>
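Review bot: the sample LocateRequest uses Id="1noOYHt5Lx7xUuizWZLOMw==" and the responses echo it as RequestId, but the XKMS 2.0 schema declares Id as xsd:ID and RequestId as xsd:NCName, neither of which may begin with a digit or contain "="; the response Id values ("04725751-3d19-4566-87e6-b4f4a2a72606", "da4f4faf-b2d6-414a-a4cf-b40f464b59a4") start with a digit as well, so a schema-validating client or service would reject all three messages. Prefix the identifiers with a letter or underscore and drop the "==" padding so the samples are actually valid. Related points for this section: the error sample reports "Application identifier not supported" with ResultMajor Receiver, yet an unsupported UseKeyWith Application is a property of the request, for which the specification defines ResultMajor Sender, so check which one the service really emits and document it; the Deployment paragraph says only that Tomcat and Karaf were tested and should at least mention that the endpoint needs transport security (TLS) and, when registration is enabled, authentication; and since the Data Formats and Error Handling sections above cover Validate and Register too, either add a sample for those operations or state that only Locate is illustrated here.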


