Freeman Yue Fang created CXF-8971:
-------------------------------------
Summary: Make all parameters of ws-securitypolicy AlgorithmSuite configurable
Key: CXF-8971
URL: https://issues.apache.org/jira/browse/CXF-8971
Project: CXF
Issue Type: Improvement
Reporter: Freeman Yue Fang
In ws-securitypolicy, we currently have a list of AlgorithmSuites by name. Some
are defined in ws-securitypolicy; they are:
{code}
Basic256
Basic192
Basic128
TripleDes
Basic256Rsa15
Basic192Rsa15
Basic128Rsa15
TripleDesRsa15
Basic256Sha256
Basic192Sha256
Basic128Sha256
TripleDesSha256
Basic256Sha256Rsa15
Basic192Sha256Rsa15
Basic128Sha256Rsa15
TripleDesSha256Rsa15
{code}
And some are from CXF itself to address CVEs; they are:
{code}
Basic128GCM
Basic192GCM
Basic256GCM
{code}
So if users specify an AlgorithmSuite name like
{code}
<sp:AlgorithmSuite>
  <wsp:Policy>
    <sp:Basic256Sha256Rsa15 />
  </wsp:Policy>
</sp:AlgorithmSuite>
{code}
they will get an AlgorithmSuiteType instance with all parameters hardcoded for
this AlgorithmSuite name.
{code}
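new AlgorithmSuiteType(
    "Basic256Sha256Rsa15",    // suite name
    SPConstants.SHA256,       // digest
    SPConstants.AES256,       // encryption
    SPConstants.KW_AES256,    // symmetric key wrap
    SPConstants.KW_RSA15,     // asymmetric key wrap
    SPConstants.P_SHA1_L256,  // encryption key derivation
    SPConstants.P_SHA1_L192,  // signature key derivation
    256, 192, 256,            // enc. derived key length, sig. derived key length, min symmetric key length
    MAX_SKL, MIN_AKL, MAX_AKL) // max symmetric, min/max asymmetric key length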
{code}
However, security algorithms are evolving and some old-time algos may get
cracked, or sometimes only some limited modern/strong security algorithms can
be used in some scenarios, so the currently available AlgorithmSuiteTypes from
either ws-securitypolicy or CXF may not meet the specific requirements.
It would be great if we could introduce a fully configurable AlgorithmSuiteType,
which could be named, say, customerizedAlgorithmSuite, and which could have
default values, but whose parameters can be configured via
endpoint (client or server) properties. This flexibility can offer us more
convenience.
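Added example, not part of the original issue and not CXF code: a small audit script that derives each listed suite's hardcoded digest, encryption and asymmetric key wrap from the parts of its name (the WS-SecurityPolicy naming convention) and reports which suites referenced in a policy document pull in 3DES, SHA-1 or RSA PKCS#1 v1.5 key wrap. The descriptive labels, the FLAGGED set, the function names and the sample document are assumptions of this example; symmetric key wrap, key derivation and key lengths are not modelled.

```python
import xml.etree.ElementTree as ET

def suite_table():
    """Derive each suite's parameters from the parts of its name."""
    table = {}
    bases = [("Basic256", "AES-256-CBC"), ("Basic192", "AES-192-CBC"),
             ("Basic128", "AES-128-CBC"), ("TripleDes", "3DES-CBC")]
    for base, enc in bases:
        for d_sfx, digest in (("", "SHA-1"), ("Sha256", "SHA-256")):
            for k_sfx, wrap in (("", "RSA-OAEP"), ("Rsa15", "RSA-PKCS1-v1.5")):
                table[base + d_sfx + k_sfx] = {
                    "enc": enc, "digest": digest, "asym_wrap": wrap}
    # CXF's GCM suites: only the encryption mode is modelled in this example.
    for bits in (128, 192, 256):
        table[f"Basic{bits}GCM"] = {"enc": f"AES-{bits}-GCM"}
    return table

# Assumption of this example (not CXF policy): parameter values to report.
FLAGGED = {"3DES-CBC", "SHA-1", "RSA-PKCS1-v1.5"}

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]

def audit_policy(xml_text):
    """Map each suite named under an AlgorithmSuite to its flagged parameters."""
    table, report = suite_table(), {}
    for el in ET.fromstring(xml_text).iter():
        if local_name(el.tag) != "AlgorithmSuite":
            continue
        for assertion in el.iter():
            name = local_name(assertion.tag)
            if name in table:
                report[name] = sorted(
                    v for v in table[name].values() if v in FLAGGED)
    return report

# Constructed sample input; namespace URIs are those of WS-SecurityPolicy 1.2
# and WS-Policy 1.5.
SAMPLE = """<policies xmlns:wsp="http://www.w3.org/ns/ws-policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
 <sp:AlgorithmSuite><wsp:Policy><sp:Basic256Sha256Rsa15/></wsp:Policy></sp:AlgorithmSuite>
 <sp:AlgorithmSuite><wsp:Policy><sp:TripleDes/></wsp:Policy></sp:AlgorithmSuite>
 <sp:AlgorithmSuite><wsp:Policy><sp:Basic128GCM/></wsp:Policy></sp:AlgorithmSuite>
</policies>"""

if __name__ == "__main__":
    for suite, hits in audit_policy(SAMPLE).items():
        print(f"{suite}: {', '.join(hits) or 'nothing flagged'}")
```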