THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
XKMS Specification
W3C specifies standard protocol to distribute and register public keys, certificates and CAs that can be used for XML-based cryptography, including signature and encryption: XML Key Management Specification (XKMS 2.0). XKMS can be used as standardized frontend to Public Key Infrastructure (PKI).
The XKMS Specification comprises two parts – the XML Key Information Service Specification (XKISS) describing the runtime aspects of key lookup and certificate validation and the XML Key Registration Service Specification (XKRSS) describing the administrative aspects of registering, renewing, revoking and recovering certificates.
XKMS Service implements both parts of specification.
XKMS SOAP interface can be used as standard frontend to access Public Key Infrastructure (PKI). Using XKMS message encryption scenario message encryption picture will change in following way:
XKMS Design
Internal structure of XKMS service is represented on the following figure:
XKMS Service exposes standardized XKISS and XKRSS SOAP interfaces.
Input and output parameters as well as samples of SOAP messages are described in the specification SOAP interface specified in XKMS 2.0.
XKMS implementation supports realizes chain of responsibility design pattern chain-of-responsibility .
Each XKMS operation defines handler interface and provides one or more implementations of this interface. Handler implementations are connected into chain.
Operation implementation invokes handlers one after another from pre-configured chain until either all handlers will be processed or critical error will occur.
This design decision makes XKMS internal implementation quite flexible: it is easy to add/remove handlers, change their order, introduce handlers supporting new backends, etc.
For example certificate can be searched firstly in the LDAP repository by LDAP lookup handler and, if it is not found there, additionally looked in remote PKI using appropriate lookup handler. Logic validation operation is organized in chain is well: first validation handler checks format and expire date of X509 certificate, next one checks certificate trust chain.
Currently XKMS Service supports simple file based and LDAP backends.
Sample spring configuration of XKMS handlers for file backend looks like:
| Code Block | ||||
|---|---|---|---|---|
| ||||
<bean id="dateValidator" class="org.apache.cxf.xkms.x509.validator.DateValidator" />
<bean id="x509FileLocator" class="org.apache.cxf.xkms.x509.locator.FileLocator">
<constructor-arg value="../conf/certs" />
</bean>
<bean id="fileRegisterHandler" class="org.apache.cxf.xkms.x509.handlers.FileRegisterHandler">
<constructor-arg value="../conf/certs" />
</bean>
<bean id="xkmsProviderBean" class="org.apache.cxf.xkms.service.XKMSService">
<property name="validators">
<list>
<ref bean="dateValidator" />
</list>
</property>
<property name="locators">
<list>
<ref bean="x509FileLocator" />
</list>
</property>
<property name="keyRegisterHandlers">
<list>
<ref bean="fileRegisterHandler" />
</list>
</property>
</bean>
<jaxws:endpoint id="XKMSService" xmlns:serviceNamespace="http://www.w3.org/2002/03/xkms#wsdl"
serviceName="serviceNamespace:XKMSService" endpointName="serviceNamespace:XKMSPort"
implementor="#xkmsProviderBean" address="/XKMS">
</jaxws:endpoint>
|
Integration XKMS client into CXF security.
XKMS client can be integrated into CXF and WSS4J using custom Crypto provider implementation. In this case XKMS service will be automatically invoked when WSS4J requires or validates certificate. Details are described in blog.
Data Formats
Input and output data formats are specified in XML Key Management Service Specification Version 2.0 (see XKMS 2.0). Anyway XKMS service supports only subset of specified requests and responses.
Restrictions of formats for request and responses are described in following table:
...
Value | Description |
|---|---|
Failure | The service attempted to perform the request but the operation failed. |
NoMatch | No match was found for the search prototype provided. |
TooManyResponses | The request resulted in the number of responses that exceeded limit determined by the service. |
TimeInstantNotSupported | The receiver has refused the operation because it does not support the TimeInstant element. |
Deployment
XKMS Service can be deployed into web and OSGi containers. It was tested with Tomcat and Karaf.