XML Key Management Service (XKMS)
Available since CXF 32.07.07.
Use case
CXF uses asymmetric algorithms for different purposes: encryption of symmetric keys and payloads, signing security tokens and messages, proof of possession, etc.
Normally the public keys (in the form of X.509 certificates) are stored in Java keystores.
...
An administrator can update, renew and revoke certificates, and manage certification authorities and revocation lists.
XKMS Design
Internal structure of XKMS service is represented in the following figure:
Integrating the XKMS client into the CXF runtime
The XKMS client can be integrated into CXF and WSS4J in a fairly elegant way using a custom Crypto provider implementation. In this case, the XKMS service is invoked automatically whenever WSS4J asks for certificates or validates them. Details are described in this blog. A basic XKMS implementation of the WSS4J Crypto interface is available in the XKMS Client component (XKMSCryptoProvider and XKMSCryptoProviderFactory). The implementation uses Ehcache to cache certificates received from the XKMS service.
XKMS Service Design
Internal structure of XKMS service is represented in the following figure:
The XKMS Service exposes a SOAP interface specified in XKMS 2.0.
The XKMS implementation realizes the chain of responsibility design pattern.
Each XKMS operation defines a handler interface and provides one or more implementations of this interface. Handler implementations are connected into a chain.
The operation implementation invokes the handlers one after another from the pre-configured chain until either all handlers have been processed or a critical error occurs.
This design makes the XKMS internal implementation quite flexible: it is easy to add/remove handlers, change their order, introduce handlers supporting new backends, etc.
For example, a certificate can be searched for first in the LDAP repository by the LDAP lookup handler and, if it is not found there, additionally looked up in a remote PKI using an appropriate lookup handler. The validation operation logic is organized in a chain as well: the first validation handler checks the format and expiry date of the X.509 certificate, the next one checks the certificate trust chain.
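The following is an added illustration of such a validation chain, written for this page and not taken from CXF's XKMS code: two handlers (a date check and a PKIX trust-chain check against configured CAs) are run in order, and a critical failure stops the chain. The Validator and Result types are hypothetical and do not match CXF's own handler interfaces; the example reads a CA certificate and a leaf certificate from PEM files named on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added example, not CXF code: a chain-of-responsibility validation pipeline.
public class ValidationChainExample {

    // Outcome of one handler; a critical failure terminates the chain.
    public static final class Result {
        public final boolean valid;
        public final boolean critical;
        public final String reason;
        Result(boolean valid, boolean critical, String reason) {
            this.valid = valid; this.critical = critical; this.reason = reason;
        }
        static Result ok(String what) { return new Result(true, false, what); }
        static Result critical(String why) { return new Result(false, true, why); }
    }

    // Hypothetical handler contract (CXF's real validator interface differs).
    public interface Validator {
        Result validate(X509Certificate cert);
    }

    // First link: reject certificates outside their notBefore/notAfter window.
    public static final class DateValidator implements Validator {
        @Override public Result validate(X509Certificate cert) {
            try {
                cert.checkValidity();
                return Result.ok("validity period ok");
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                return Result.critical("outside validity period: " + e.getMessage());
            }
        }
    }

    // Second link: the certificate must chain (PKIX) to one of the configured CAs.
    public static final class TrustedAuthorityValidator implements Validator {
        private final Set<TrustAnchor> anchors = new HashSet<>();
        public TrustedAuthorityValidator(Collection<X509Certificate> trustedCas) {
            for (X509Certificate ca : trustedCas) anchors.add(new TrustAnchor(ca, null));
        }
        @Override public Result validate(X509Certificate cert) {
            try {
                CertPath path = CertificateFactory.getInstance("X.509")
                        .generateCertPath(Collections.singletonList(cert));
                PKIXParameters params = new PKIXParameters(anchors);
                // Assumption: revocation (CRL/OCSP) is checked by a separate handler in the chain.
                params.setRevocationEnabled(false);
                CertPathValidator.getInstance("PKIX").validate(path, params);
                return Result.ok("chains to a trusted CA");
            } catch (GeneralSecurityException e) {
                return Result.critical("no trust chain to a configured CA: " + e.getMessage());
            }
        }
    }

    // Runs the configured chain in order and stops at the first critical failure.
    public static List<Result> runChain(List<Validator> chain, X509Certificate cert) {
        List<Result> results = new ArrayList<>();
        for (Validator v : chain) {
            Result r = v.validate(cert);
            results.add(r);
            if (!r.valid && r.critical) break;
        }
        return results;
    }

    private static X509Certificate readPem(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Usage: java ValidationChainExample ca.pem leaf.pem
    public static void main(String[] args) throws Exception {
        X509Certificate ca = readPem(args[0]);
        X509Certificate leaf = readPem(args[1]);
        List<Validator> chain = Arrays.asList(
                new DateValidator(), new TrustedAuthorityValidator(Collections.singletonList(ca)));
        boolean allValid = true;
        for (Result r : runChain(chain, leaf)) {
            System.out.println((r.valid ? "PASS: " : "FAIL: ") + r.reason);
            allValid &= r.valid;
        }
        System.out.println(allValid ? "certificate VALID" : "certificate INVALID");
    }
}
```

Because the date check runs first and is critical, an expired certificate never reaches the (more expensive) trust-chain check; reordering or adding a handler means changing only the list passed to runChain, which is the flexibility the chain design is meant to give.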
...
<bean id="xkmsProviderBean" class="org.apache.cxf.xkms.service.XKMSService">
    <property name="validators">
        <list>
            <ref bean="dateValidator" />
            <ref bean="trustedAuthorityValidator" />
        </list>
    </property>
    <property name="locators">
        <list>
            <ref bean="x509Locator" />
        </list>
    </property>
    <property name="keyRegisterHandlers">
        <list>
            <ref bean="x509Register" />
        </list>
    </property>
</bean>
<jaxws:endpoint id="XKMSService"
    xmlns:serviceNamespace="http://www.w3.org/2002/03/xkms#wsdl"
    serviceName="serviceNamespace:XKMSService" endpointName="serviceNamespace:XKMSPort"
    implementor="#xkmsProviderBean" address="/XKMS">
</jaxws:endpoint>
...
Data Formats
Input and output data formats are specified in XML Key Management Service Specification Version 2.0 (see XKMS 2.0). The XKMS service supports only a subset of the specified requests and responses.
Restrictions on the formats of requests and responses are described in the following table:
...
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
        <ns2:LocateRequest xmlns="http://www.w3.org/2000/09/xmldsig#"
            xmlns:ns2="http://www.w3.org/2002/03/xkms#"
            xmlns:ns3="http://www.w3.org/2001/04/xmlenc#"
            Id="I047257513d19456687e6b4f4a2a72606" Service="http://cxf.apache.org/services/XKMS/">
            <ns2:QueryKeyBinding>
                <ns2:UseKeyWith Application="urn:ietf:rfc:2459"
                    Identifier="EMAILADDRESS=client@client.com, CN=www.client.com, OU=IT Department,
                    O=Sample Client -- NOT FOR PRODUCTION, L=Niagara Falls, ST=New York, C=US" />
            </ns2:QueryKeyBinding>
        </ns2:LocateRequest>
    </soap:Body>
</soap:Envelope>
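As an added example (written for this page, not part of CXF's XKMS client or service), the following builds a LocateRequest of the shape shown above with the JDK's DOM API and, on the receiving side, checks a request before any backend is consulted: exactly one LocateRequest with an Id and the expected Service URI, exactly one UseKeyWith, and an Application value from the subset the deployment supports. The parser is configured to reject DOCTYPE declarations so that external entities cannot be smuggled into a request. The Service URI and the urn:ietf:rfc:2459 application value are taken from the sample request above; the subject DN in main is constructed; the restriction to a single UseKeyWith is an assumption of this example, not a rule stated by the page.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Collections;
import java.util.Set;
import java.util.UUID;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Added example, not CXF code: build a LocateRequest and sanity-check one on receipt.
public class LocateRequestExample {
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String XKMS_NS = "http://www.w3.org/2002/03/xkms#";
    // UseKeyWith application for an X.509 subject name (value from the sample request).
    static final String APP_X509_SUBJECT = "urn:ietf:rfc:2459";
    // Service URI from the sample request; a real deployment uses its own.
    static final String SERVICE_URI = "http://cxf.apache.org/services/XKMS/";

    // Hardened DOM parser: no DOCTYPE, hence no external entities or entity expansion.
    static DocumentBuilderFactory secureFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Client side: LocateRequest asking for the key bound to an X.509 subject DN.
    public static String buildLocateRequest(String subjectDn) throws Exception {
        Document doc = secureFactory().newDocumentBuilder().newDocument();
        Element env = doc.createElementNS(SOAP_NS, "soap:Envelope");
        doc.appendChild(env);
        Element body = doc.createElementNS(SOAP_NS, "soap:Body");
        env.appendChild(body);
        Element req = doc.createElementNS(XKMS_NS, "xkms:LocateRequest");
        req.setAttribute("Id", "I" + UUID.randomUUID().toString().replace("-", "")); // xsd:ID must start with a letter
        req.setAttribute("Service", SERVICE_URI);
        body.appendChild(req);
        Element binding = doc.createElementNS(XKMS_NS, "xkms:QueryKeyBinding");
        req.appendChild(binding);
        Element useKeyWith = doc.createElementNS(XKMS_NS, "xkms:UseKeyWith");
        useKeyWith.setAttribute("Application", APP_X509_SUBJECT);
        useKeyWith.setAttribute("Identifier", subjectDn);
        binding.appendChild(useKeyWith);
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    // Service side: accept only the request shape this deployment supports and
    // return the identifier to look up; anything else is rejected up front.
    public static String extractSubjectDn(String soapXml, Set<String> supportedApplications) throws Exception {
        Document doc = secureFactory().newDocumentBuilder().parse(new InputSource(new StringReader(soapXml)));
        NodeList requests = doc.getElementsByTagNameNS(XKMS_NS, "LocateRequest");
        if (requests.getLength() != 1) {
            throw new IllegalArgumentException("expected exactly one LocateRequest");
        }
        Element req = (Element) requests.item(0);
        if (req.getAttribute("Id").isEmpty() || !SERVICE_URI.equals(req.getAttribute("Service"))) {
            throw new IllegalArgumentException("missing Id or Service does not match this endpoint");
        }
        NodeList useKeyWith = req.getElementsByTagNameNS(XKMS_NS, "UseKeyWith");
        if (useKeyWith.getLength() != 1) {
            throw new IllegalArgumentException("expected exactly one UseKeyWith");
        }
        Element ukw = (Element) useKeyWith.item(0);
        String app = ukw.getAttribute("Application");
        if (!supportedApplications.contains(app)) {
            throw new IllegalArgumentException("unsupported UseKeyWith application: " + app);
        }
        String id = ukw.getAttribute("Identifier").trim();
        if (id.isEmpty()) {
            throw new IllegalArgumentException("empty Identifier");
        }
        return id;
    }

    public static void main(String[] args) throws Exception {
        // Constructed subject DN for the demonstration.
        String dn = "CN=www.client.com, OU=IT Department, O=Sample Client -- NOT FOR PRODUCTION, C=US";
        String request = buildLocateRequest(dn);
        System.out.println(request);
        System.out.println("lookup key for: "
                + extractSubjectDn(request, Collections.singleton(APP_X509_SUBJECT)));
    }
}
```

The check in extractSubjectDn is where the "subset of the specified requests" restriction becomes concrete: a request that uses an Application URN the deployment does not support, or that omits the Id that ties the response back to the request, is refused before any LDAP or PKI lookup handler runs.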
...