...
The XKMS SOAP interface can be used as a standard frontend to access the Public Key Infrastructure (PKI). Using XKMS message encryption scenario, the message encryption picture will change in the following way:
Receiver X509 certificate is not saved into sender's local keystore anymore. Instead, certificate is stored into central PKI and can be located, validated and administrated using standard XKMS interface. This essentially improves the control on certificates in large services landscape.
Administrator can update, renew and revoke certificates, manage certification authorities and revocation lists.
XKMS Design
Internal structure of XKMS service is represented in the following figure:
...
Currently the XKMS Service supports simple file based and LDAP backends.
Sample spring configuration of XKMS handlers looks like:
Code Block | ||||
---|---|---|---|---|
| ||||
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:cxf="http://cxf.apache.org/core" xmlns:jaxws="http://cxf.apache.org/jaxws"
xmlns:test="http://apache.org/hello_world_soap_http" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="
http://cxf.apache.org/core
http://cxf.apache.org/schemas/core.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://cxf.apache.org/jaxws
http://cxf.apache.org/schemas/jaxws.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-2.0.xsd">
<bean id="dateValidator" class="org.apache.cxf.xkms.x509.validator.DateValidator" />
<bean id="trustedAuthorityValidator"
class="org.apache.cxf.xkms.x509.validator.TrustedAuthorityValidator">
<constructor-arg ref="certificateRepo" />
</bean>
<bean id="x509Locator" class="org.apache.cxf.xkms.x509.handlers.X509Locator">
<constructor-arg ref="certificateRepo" />
</bean>
<bean id="x509Register"
class="org.apache.cxf.xkms.x509.handlers.x509Register">
<constructor-arg ref="certificateRepo" />
</bean>
<!-- LDAP based implementation -->
<bean id="certificateRepo"
class="org.apache.cxf.xkms.x509.repo.ldap.LdapCertificateRepo">
<constructor-arg ref="ldapSearch" />
<constructor-arg ref="ldapSchemaConfig" />
<constructor-arg value="dc=example,dc=com" />
</bean>
<bean id="ldapSearch" class="org.apache.cxf.xkms.x509.repo.ldap.LdapSearch">
<constructor-arg value="ldap://localhost:2389" />
<constructor-arg value="cn=Directory Manager,dc=example,dc=com" />
<constructor-arg value="test" />
<constructor-arg value="2" />
</bean>
<bean id="ldapSchemaConfig" class="org.apache.cxf.xkms.x509.repo.ldap.LdapSchemaConfig">
<property name="certObjectClass" value="inetOrgPerson" />
<property name="attrUID" value="uid" />
<property name="attrIssuerID" value="manager" />
<property name="attrSerialNumber" value="employeeNumber" />
<property name="attrCrtBinary" value="userCertificate;binary" />
<property name="constAttrNamesCSV" value="sn" />
<property name="constAttrValuesCSV" value="X509 certificate" />
<property name="serviceCertRDNTemplate" value="cn=%s,ou=services" />
<property name="serviceCertUIDTemplate" value="cn=%s" />
<property name="trustedAuthorityFilter" value="(&(objectClass=inetOrgPerson)(ou:dn:=CAs))" />
<property name="intermediateFilter" value="(objectClass=inetOrgPerson)" />
</bean>
<!-- File based implementation -->
<!-- bean id="certificateRepo"
class="org.apache.cxf.xkms.x509.repo.file.FileCertificateRepo">
<constructor-arg value="../conf/certs" />
</bean-->
</beans>
|
...
Property | Sample Value | Description |
---|---|---|
ldapServerConfig arguments |
| URL, baseDN and credentials of LDAP Server |
certObjectClass | inetOrgPerson | LDAP object class used to store certificates |
attrUID | uid | Attribute containing X509 subject DN |
attrIssuerID | manager | LDAP attribute containing X509 issuer DN |
attrSerialNumber | employeeNumber | LDAP attribute containing X509 serial number |
attrEndpoint | labeledURI | LDAP attribute containing service endpoint (used in case of endpoint based lookup) |
attrCrtBinary | userCertificate | LDAP attribute containing X509 certificate content |
constAttrNamesCSV | sn | Comma separated list of mandatory LDAP attributes |
constAttrValuesCSV | X509 certificate | Comma separated list of mandatory LDAP attributes values |
serviceCertRDNTemplate | cn=%s,ou=services | Relative distinguished name for service certificates |
serviceCertUIDTemplate | cn=%s | Template to transform service QName to DN for storing into attrUID |
trustedAuthorityFilter | (&(objectClass=inetOrgPerson)(ou:dn:=CAs)) | Filter to determine trusted CAs for trusted chain validation |
intermediateFilter | (objectClass=inetOrgPerson) | Filter to determine intermediate certificates for trusted chain validation |
...
XKMS service endpoint is configured in the following way:
Code Block | ||||
---|---|---|---|---|
| ||||
<bean id="xkmsProviderBean" class="org.apache.cxf.xkms.service.XKMSService">
<property name="validators">
<list>
<ref bean="dateValidator" />
<ref bean="trustedAuthorityValidator" />
</list>
</property>
<property name="locators">
<list>
<ref bean="x509Locator" />
</list>
</property>
<property name="keyRegisterHandlers">
<list>
<ref bean="x509Register" />
</list>
</property>
</bean>
<jaxws:endpoint id="XKMSService"
xmlns:serviceNamespace="http://www.w3.org/2002/03/xkms#wsdl"
serviceName="serviceNamespace:XKMSService" endpointName="serviceNamespace:XKMSPort"
implementor="#xkmsProviderBean" address="/XKMS">
</jaxws:endpoint>
|
...
The XKMS client can be integrated into CXF and WSS4J in pretty elegant way using a custom Crypto provider implementation. In this case, the XKMS service will be automatically invoked when WSS4J requires asks for the certificates or validates a certificatethem. Details are described in this blog. A sample basic XKMS based implementation of WSS4J Crypto interface is contributed into the available in XKMS Client component (XKMSCryptoProvider and XKMSCryptoProviderFactory). Implementation uses Ehcache to cache certificates received from XKMS service.
Data Formats
Input and output data formats are specified in XML Key Management Service Specification Version 2.0 (see XKMS 2.0). The XKMS service supports only a subset of the specified requests and responses.
Restrictions of formats for request and responses are described in the following table:
Element XPath | Supporting values | Description |
---|---|---|
RootElement/QueryKeyBinding/UseKeyWith@Application
| urn:ietf:rfc:2459 | Application specifies X509 SubjectDN in Identifier attribute. Used for normal users certificates |
RootElement/QueryKeyBinding/UseKeyWith@Application | urn:apache:cxf:service:soap name | Application specifies Service Id service name in Identifier attribute as {SERVICE_ NAMESPACE}SERVICE_NAME. Used for service certificates |
urn:apache:cxf:service:endpoint | Application specifies service endpoint in Identifier attribute | |
RootElement/QueryKeyBinding/UseKeyWith@Identifier |
| Depending on Application attribute public key is identified as X509 Subject DN or Service nameservice certificates |
RootElement/UnverifiedKeyBinding/KeyInfo | X509Data/X509Certificate | Only X509Data with X509Certificate is supported |
...
Sample request for Locate operation:
Code Block | ||||
---|---|---|---|---|
| ||||
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ns2:LocateRequest xmlns="http://www.w3.org/2000/09/xmldsig#"
xmlns:ns2="http://www.w3.org/2002/03/xkms#"
xmlns:ns3="http://www.w3.org/2001/04/xmlenc#"
Id="I047257513d19456687e6b4f4a2a72606" Service="http://cxf.apache.org/services/XKMS/">
<ns2:QueryKeyBinding>
<ns2:UseKeyWith Application="urn:ietf:rfc:2459"
Identifier="EMAILADDRESS=client@client.com, CN=www.client.com, OU=IT Department, O=Sample Client -- NOT FOR PRODUCTION, L=Niagara Falls, ST=New York, C=US" />
</ns2:QueryKeyBinding>
</ns2:LocateRequest>
</soap:Body>
</soap:Envelope>
|
Sample response for Locate operation:
Code Block | ||||
---|---|---|---|---|
| ||||
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ns2:LocateResult ResultMajor="http://www.w3.org/2002/03/xkms#Success"
RequestId="I047257513d19456687e6b4f4a2a72606" Id="I0758390284847918129574923948"
Service="http://cxf.apache.org/services/XKMS/"
xmlns:ns2="http://www.w3.org/2002/03/xkms#"
xmlns:ns3="http://www.w3.org/2001/04/xmlenc#"
xmlns:ns4="http://www.w3.org/2000/09/xmldsig#"
xmlns:ns5="http://www.w3.org/2002/03/xkms#wsdl">
<ns2:UnverifiedKeyBinding>
<ns4:KeyInfo>
<ns4:X509Data>
<ns4:X509Certificate>… </ns4:X509Certificate>
</ns4:X509Data>
</ns4:KeyInfo>
</ns2:UnverifiedKeyBinding>
</ns2:LocateResult>
</soap:Body>
</soap:Envelope>
|
Sample error message:
Code Block | ||||
---|---|---|---|---|
| ||||
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<ns2:LocateResult ResultMajor="http://www.w3.org/2002/03/xkms#Receiver"
ResultMinor="http://www.w3.org/2002/03/xkms#Failure"
RequestId="I047257513d19456687e6b4f4a2a72606" Id="I0758390284847918129574923948"
Service="http://cxf.apache.org/services/XKMS/"
xmlns:ns2="http://www.w3.org/2002/03/xkms#"
xmlns:ns3="http://www.w3.org/2001/04/xmlenc#"
xmlns:ns4="http://www.w3.org/2000/09/xmldsig#"
xmlns:ns5="http://www.w3.org/2002/03/xkms#wsdl">
<ns2:MessageExtension xsi:type="ns5:resultDetails"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Details>Search certificates failure: Application
identifier not supported</Details>
</ns2:MessageExtension>
</ns2:LocateResult>
</soap:Body>
</soap:Envelope>
|
...
- only X509 certificates are supported as keys;
- only LDAP and File based backends are supported;revocation lists are not implemented;
- more integration tests are required