santuario-dev mailing list archives

From Hugo Trippaers <trip...@gmail.com>
Subject Re: KeyName support in santuario
Date Mon, 10 Oct 2016 19:20:47 GMT
Hi Colm,

Yeah, that sounds even easier. Thanks for the feedback, I'll start working on the patch
and submit it when finished.

Cheers,

Hugo

> On 10 Oct 2016, at 18:02, Colm O hEigeartaigh <coheigea@apache.org> wrote:
> 
> Hi Hugo,
> 
> The JSR-105 API in Java just takes a String as parameter, so I think it would be simpler
> just to add a new String property in XMLSecurityProperties which is taken as the KeyName value:
> 
> https://docs.oracle.com/javase/7/docs/api/javax/xml/crypto/dsig/keyinfo/KeyInfoFactory.html#newKeyName(java.lang.String)
> 
> Colm.
> 
> On Mon, Oct 10, 2016 at 3:24 PM, Hugo Trippaers <trippie@gmail.com> wrote:
> Hello,
> 
> I’m working on a project that uses KeyName to identify the key used to verify or sign
> the signature. I’m using the santuario library through the XmlSecIn/OutInterceptors in the
> CXF project. Currently the KeyName identifier is not supported for outgoing messages.
> 
> Caused by: org.apache.xml.security.exceptions.XMLSecurityException: KeyName not supported.
>        at org.apache.xml.security.stax.impl.processor.output.XMLSignatureEndingOutputProcessor.createKeyInfoStructureForSignature(XMLSignatureEndingOutputProcessor.java:146)
> ~[xmlsec-2.0.7.jar!/:2.0.7]
> 
> So I’m looking to add some support for it. I’ve got a small proof of concept implementation
> ready but I ran into the problem that there is no clear definition of what should be in the
> KeyName. The project that I’m working on defined the contents of the KeyName as the SHA1
> fingerprint of the certificate, but I’ve also seen and/or read about solutions that use the
> CN or any other identifier.
> 
> So I’m thinking of extending org.apache.xml.security.stax.ext.XMLSecurityProperties
> with a field identifying the method to use to generate the KeyName content. And then use that
> info in XMLSignatureEndingOutputProcessor.createKeyInfoStructureForSignature() to build a
> KeyName KeyInfo token with the required contents.
> 
> I’m looking for some feedback if that would be an acceptable solution.
> 
> Cheers,
> 
> Hugo
> 
> -- 
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com
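The KeyName flow the thread is about, as an added example that is not code from this thread, from Santuario or from CXF: the JDK's JSR-105 API builds the ds:KeyName from a plain String exactly as Colm's link describes, and on the receiving side a KeySelector resolves that string against a registry of keys the verifier already trusts. The SHA-1 fingerprint convention is the one Hugo's project uses; the `sha1Fingerprint` helper, the `KeyNameSelector` class, the sample payload and the choice to fingerprint the DER-encoded public key (a real deployment would fingerprint `X509Certificate.getEncoded()`, but a certificate cannot be generated offline with plain JDK APIs) are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.xml.crypto.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.keyinfo.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class KeyNameSignatureDemo {
    // URI spelled out so this also compiles on Java 8, which has no SignatureMethod.RSA_SHA256 constant.
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** Colon-separated upper-case hex SHA-1 over a DER encoding, the "openssl x509 -fingerprint" style. */
    static String sha1Fingerprint(byte[] der) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(der);
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", d[i]));
        }
        return sb.toString();
    }

    /** Enveloped signature over the whole document; KeyInfo carries nothing but a ds:KeyName. */
    static void sign(Document doc, KeyPair kp, String keyName) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("", fac.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = fac.newSignedInfo(
                fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                fac.newSignatureMethod(RSA_SHA256, null), Collections.singletonList(ref));
        KeyInfoFactory kif = fac.getKeyInfoFactory();
        // KeyInfoFactory.newKeyName(String): the JSR-105 call referenced in the thread.
        KeyInfo ki = kif.newKeyInfo(Collections.singletonList(kif.newKeyName(keyName)));
        fac.newXMLSignature(si, ki).sign(new DOMSignContext(kp.getPrivate(), doc.getDocumentElement()));
    }

    /** Assumed helper: treats KeyName only as a lookup handle into a trusted registry and fails closed. */
    static class KeyNameSelector extends KeySelector {
        private final Map<String, Key> trusted;
        KeyNameSelector(Map<String, Key> trusted) { this.trusted = trusted; }

        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose, AlgorithmMethod method,
                                        XMLCryptoContext context) throws KeySelectorException {
            if (keyInfo == null) throw new KeySelectorException("Signature has no KeyInfo");
            for (Object item : keyInfo.getContent()) {
                if (item instanceof KeyName) {
                    String name = ((KeyName) item).getName();
                    final Key key = trusted.get(name);
                    if (key == null) throw new KeySelectorException("Unknown KeyName: " + name);
                    return new KeySelectorResult() { public Key getKey() { return key; } };
                }
            }
            throw new KeySelectorException("KeyInfo carries no KeyName");
        }
    }

    static boolean verify(Document doc, Map<String, Key> trusted) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) throw new IllegalStateException("expected exactly one ds:Signature");
        DOMValidateContext ctx = new DOMValidateContext(new KeyNameSelector(trusted), sigs.item(0));
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        return sig.validate(ctx); // resolves the key through KeyNameSelector, then checks digests and SignatureValue
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        // Assumption: no certificate exists offline, so the fingerprint is taken over the DER public key;
        // with a real X509Certificate the KeyName would be sha1Fingerprint(cert.getEncoded()).
        String keyName = sha1Fingerprint(kp.getPublic().getEncoded());

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required: ds:Signature is namespace-qualified
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream( // constructed sample payload
                "<msg><body>constructed sample payload</body></msg>".getBytes(StandardCharsets.UTF_8)));
        sign(doc, kp, keyName);

        Map<String, Key> trusted = new HashMap<String, Key>();
        trusted.put(keyName, kp.getPublic());
        System.out.println("KeyName: " + keyName);
        System.out.println("valid with registered key: " + verify(doc, trusted));
        try {
            verify(doc, new HashMap<String, Key>()); // same document, empty registry
        } catch (XMLSignatureException e) {
            System.out.println("rejected with empty registry: " + e.getMessage());
        }
    }
}
```

The security point the selector encodes: ds:KeyName is a string chosen by whoever built the message, and KeyInfo is not itself covered by the signature, so the name must never be used to fetch, decode or trust a key from anywhere the verifier does not already control. It is a lookup handle into a store populated out of band, and an unknown name is a hard failure (the JSR-105 provider surfaces the KeySelectorException as "cannot find validation key"). Whether the handle is a certificate fingerprint, a subject CN or an arbitrary alias is a convention between the two sides; a fingerprint is the least ambiguous of those because it pins one exact certificate rather than a name that several certificates could share.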

