From: Colm O hEigeartaigh
Reply-To: coheigea@apache.org
To: dev@santuario.apache.org
Date: Mon, 10 Oct 2016 17:02:40 +0100
Subject: Re: KeyName support in santuario

Hi Hugo,

The JSR-105 API in Java just takes a String as parameter, so I think it would be simpler just to add a new String property in XMLSecurityProperties which is taken as the KeyName value:

https://docs.oracle.com/javase/7/docs/api/javax/xml/crypto/dsig/keyinfo/KeyInfoFactory.html#newKeyName(java.lang.String)

Colm.

On Mon, Oct 10, 2016 at 3:24 PM, Hugo Trippaers <trippie@gmail.com> wrote:
> Hello,
>
> I'm working on a project that uses KeyName to identify the key used to verify or sign the signature. I'm using the santuario library through the XmlSecIn/OutInterceptors in the CXF project. Currently the KeyName identifier is not supported for outgoing messages.
>
> Caused by: org.apache.xml.security.exceptions.XMLSecurityException: KeyName not supported.
>         at org.apache.xml.security.stax.impl.processor.output.XMLSignatureEndingOutputProcessor.createKeyInfoStructureForSignature(XMLSignatureEndingOutputProcessor.java:146) ~[xmlsec-2.0.7.jar!/:2.0.7]
>
> So I'm looking to add some support for it. I've got a small proof of concept implementation ready but I ran into the problem that there is no clear definition of what should be in the KeyName. The project that I'm working on defined the contents of the KeyName as the SHA1 fingerprint of the certificate, but I've also seen and/or read about solutions that use the CN or any other identifier.
>
> So I'm thinking of extending org.apache.xml.security.stax.ext.XMLSecurityProperties with a field identifying the method to use to generate the KeyName content. And then use that info in XMLSignatureEndingOutputProcessor.createKeyInfoStructureForSignature() to build a KeyName KeyInfo token with the required contents.
>
> I'm looking for some feedback if that would be an acceptable solution.
>
> Cheers,
>
> Hugo

-- 
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
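The thread leaves two things implicit: what Colm's "String property" would actually call in JSR-105, and what a verifier should do with a KeyName it receives, given that (as Hugo notes) there is no fixed definition of its contents. The following is an added example, written for this page and not taken from the thread, Santuario or CXF. It goes a step beyond the discussion by showing both sides: the signing side builds a KeyInfo carrying a KeyName from a SHA-1 certificate fingerprint (Hugo's convention; the lowercase hex-without-separators text format is an assumption), and the verifying side resolves that name only against a table of keys it already trusts, so a KeyName chosen by the signer can never select a key the verifier has not pre-approved. The class name KeyNameExample, the FingerprintKeySelector, and the stand-in input in main (the DER encoding of a freshly generated public key, since the public JDK API cannot mint a certificate) are all constructed for the example.

```java
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
import javax.xml.crypto.dsig.keyinfo.KeyName;

/** Hypothetical illustration; not part of Santuario or CXF. */
public class KeyNameExample {

    /** Lowercase hex SHA-1 over DER bytes, the "certificate fingerprint" convention from the thread
     *  (hex without separators is an assumption; the thread does not fix a text format). */
    static String sha1Fingerprint(byte[] derEncoded) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(derEncoded);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Signing side: all a String-valued KeyName property needs from JSR-105. */
    static KeyInfo keyInfoWithKeyName(KeyInfoFactory fac, String keyNameValue) {
        KeyName keyName = fac.newKeyName(keyNameValue);
        return fac.newKeyInfo(Collections.singletonList(keyName));
    }

    /** Verifying side. The KeyName is chosen by the signer, so it is only a lookup hint:
     *  the key comes from a table the verifier already trusts, and an unknown name fails closed. */
    static final class FingerprintKeySelector extends KeySelector {
        private final Map<String, PublicKey> trusted;

        FingerprintKeySelector(Map<String, PublicKey> trusted) { this.trusted = trusted; }

        @Override
        public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
                                        AlgorithmMethod method, XMLCryptoContext context)
                throws KeySelectorException {
            if (keyInfo == null) throw new KeySelectorException("signature carries no KeyInfo");
            for (Object structure : keyInfo.getContent()) {
                if (!(structure instanceof KeyName)) continue;
                String name = ((KeyName) structure).getName().trim().toLowerCase(Locale.ROOT);
                final PublicKey key = trusted.get(name);
                if (key == null) throw new KeySelectorException("KeyName not in trusted set: " + name);
                return new KeySelectorResult() {
                    public Key getKey() { return key; }
                };
            }
            throw new KeySelectorException("no KeyName in KeyInfo");
        }
    }

    /** Real deployments fill the table from a truststore: one entry per trusted certificate. */
    static Map<String, PublicKey> trustedKeysByFingerprint(KeyStore truststore) throws Exception {
        Map<String, PublicKey> table = new HashMap<>();
        for (Enumeration<String> a = truststore.aliases(); a.hasMoreElements();) {
            Certificate cert = truststore.getCertificate(a.nextElement());
            if (cert != null) table.put(sha1Fingerprint(cert.getEncoded()), cert.getPublicKey());
        }
        return table;
    }

    public static void main(String[] args) throws Exception {
        // Stand-alone demo: the public JDK API cannot mint a certificate, so the DER encoding of a
        // freshly generated public key stands in for cert.getEncoded() (constructed input).
        KeyPair pair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        String fingerprint = sha1Fingerprint(pair.getPublic().getEncoded());
        KeyInfoFactory fac = KeyInfoFactory.getInstance("DOM");
        KeyInfo keyInfo = keyInfoWithKeyName(fac, fingerprint);

        Map<String, PublicKey> trusted = new HashMap<>();
        trusted.put(fingerprint, pair.getPublic());
        KeySelector selector = new FingerprintKeySelector(trusted);
        Key resolved = selector.select(keyInfo, KeySelector.Purpose.VERIFY, null, null).getKey();
        System.out.println("KeyName " + fingerprint + " -> " + resolved.getAlgorithm() + " key");

        // A name the verifier has never seen resolves to nothing rather than to "some" key.
        KeyInfo unknown = keyInfoWithKeyName(fac, "0000000000000000000000000000000000000000");
        try {
            selector.select(unknown, KeySelector.Purpose.VERIFY, null, null);
        } catch (KeySelectorException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

The design point is that whichever convention a deployment picks for the KeyName text (fingerprint, CN, or any other identifier), the selector treats it as a dictionary key into pre-trusted material and nothing more; the signature over the document is what is verified, and the KeyName only says which trusted key to try. Pass the selector to XMLSignatureFactory's DOMValidateContext as usual; the trustedKeysByFingerprint helper shows how the table would be derived from a truststore in practice.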