Introduction of CustomerizedAlgorithmSuite (CXF-8971)

parent/pom.xml

@@ -235,7 +235,7 @@
         <cxf.woodstox.core.version>6.6.0</cxf.woodstox.core.version>
         <cxf.woodstox.stax2-api.version>4.2.1</cxf.woodstox.stax2-api.version>
         <cxf.wsdl4j.version>1.6.3</cxf.wsdl4j.version>
-        <cxf.jakarta.wss4j.version>3.0.2</cxf.jakarta.wss4j.version>
+        <cxf.jakarta.wss4j.version>3.0.3-SNAPSHOT</cxf.jakarta.wss4j.version>
         <cxf.xmlschema.version>2.3.1</cxf.xmlschema.version>
         <cxf.xnio.version>3.8.12.Final</cxf.xnio.version>
         <cxf.zest.version>2.1</cxf.zest.version>

rt/ws/security/pom.xml

@@ -114,6 +114,7 @@
         <dependency>
             <groupId>org.apache.wss4j</groupId>
             <artifactId>wss4j-policy</artifactId>
+            <version>3.0.3-SNAPSHOT</version>
             <exclusions>
                  <exclusion>
                      <groupId>org.codehaus.woodstox</groupId>

rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java

@@ -202,7 +202,7 @@ public final class SecurityConstants extends org.apache.cxf.rt.security.Security
      * default instance that is used is the EHCacheReplayCache.
      */
     public static final String NONCE_CACHE_INSTANCE =
-        "ws-security.nonce.cache.instance";
+            "ws-security.nonce.cache.instance";
 
     /**
      * This holds a reference to a ReplayCache instance used to cache Timestamp Created Strings. The
@@ -406,6 +406,95 @@ public final class SecurityConstants extends org.apache.cxf.rt.security.Security
      */
     public static final String KERBEROS_CLIENT = "ws-security.kerberos.client";
 
+    /**
+     * http://www.w3.org/2001/04/xmlenc#kw-aes256
+     */
+    public static final String CUSTOM_ALG_SUITE_PREFIX = "ws-security.custom.alg.suite.";
+
+    /**
+    /**
+     * http://www.w3.org/2001/04/xmlenc#sha256
+     */
+    public static final String CUSTOM_ALG_SUITE_DIGEST_ALGORITHM = "ws-security.custom.alg.suite.digest.algorithm";
+
+    /**
+     * http://www.w3.org/2009/xmlenc11#aes256-gcm
+     */
+    public static final String CUSTOM_ALG_SUITE_ENCRYPTION_ALGORITHM =
+        "ws-security.custom.alg.suite.encryption.algorithm";
+
+    /**
+     * http://www.w3.org/2001/04/xmlenc#kw-aes256
+     */
+    public static final String CUSTOM_ALG_SUITE_SYMMETRIC_KEY_ENCRYPTION_ALGORITHM =
+        "ws-security.custom.alg.suite.symmetric.key.encryption.algorithm";
+
+    /**
+     * http://www.w3.org/2001/04/xmlenc#rsa-1_5
+     */
+    public static final String CUSTOM_ALG_SUITE_ASYMMETRIC_KEY_ENCRYPTION_ALGORITHM =
+            "ws-security.custom.alg.suite.asymmetric.key.encryption.algorithm";
+
+    /**
+     * http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
+     */
+    public static final String CUSTOM_ALG_SUITE_ENCRYPTION_KEY_DERIVATION =
+        "ws-security.custom.alg.suite.encryption.key.derivation";
+
+    /**
+     * hhttp://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
+     */
+    public static final String CUSTOM_ALG_SUITE_SIGNATURE_KEY_DERIVATION =
+        "ws-security.custom.alg.suite.signature.key.derivation";
+
+    /**
+     * http://www.w3.org/2000/09/xmldsig#hmac-sha1"
+     */
+    public static final String CUSTOM_ALG_SUITE_SYMMETRIC_SIGNATURE =
+        "ws-security.custom.alg.suite.symmetric.signature";
+
+    /**
+     * http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+     */
+    public static final String CUSTOM_ALG_SUITE_ASYMMETRIC_SIGNATURE =
+        "ws-security.custom.alg.suite.asymmetric.signature";
+
+    /**
+     * 256
+     */
+    public static final String CUSTOM_ALG_SUITE_ENCRYPTION_DERIVED_KEY_LENGTH =
+        "ws-security.custom.alg.suite.encryption.derived.key.length";
+
+    /**
+     * 192
+     */
+    public static final String CUSTOM_ALG_SUITE_SIGNATURE_DERIVED_KEY_LENGTH =
+        "ws-security.custom.alg.suite.signature.derived.key.length";
+
+    /**
+     * 256
+     */
+    public static final String CUSTOM_ALG_SUITE_MINIMUM_SYMMETRIC_KEY_LENGTH =
+        "ws-security.custom.alg.suite.minimum.symmetric.key.length";
+
+    /**
+     * 256
+     */
+    public static final String CUSTOM_ALG_SUITE_MAXIMUM_SYMMETRIC_KEY_LENGTH =
+        "ws-security.custom.alg.suite.maximum.symmetric.key.length";
+
+    /**
+     * 1024
+     */
+    public static final String CUSTOM_ALG_SUITE_MINIMUM_ASYMMETRIC_KEY_LENGTH =
+        "ws-security.custom.alg.suite.minimum.asymmetric.key.length";
+
+    /**
+     * 4096
+     */
+    public static final String CUSTOM_ALG_SUITE_MAXIMUM_ASYMMETRIC_KEY_LENGTH =
+        "ws-security.custom.alg.suite.maximum.asymmetric.key.length";
+
     //
     // Internal tags
     //
@@ -432,7 +521,18 @@ public final class SecurityConstants extends org.apache.cxf.rt.security.Security
             KERBEROS_IS_USERNAME_IN_SERVICENAME_FORM, KERBEROS_REQUEST_CREDENTIAL_DELEGATION,
             POLICY_VALIDATOR_MAP, STORE_BYTES_IN_ATTACHMENT, USE_ATTACHMENT_ENCRYPTION_CONTENT_ONLY_TRANSFORM,
             SYMMETRIC_SIGNATURE_ALGORITHM, SECURITY_CONTEXT_CREATOR, SECURITY_TOKEN_LIFETIME,
-            DISABLE_REQ_CLIENT_CERT_CHECK, EXPAND_XOP_INCLUDE
+            DISABLE_REQ_CLIENT_CERT_CHECK, EXPAND_XOP_INCLUDE,
+            CUSTOM_ALG_SUITE_MAXIMUM_ASYMMETRIC_KEY_LENGTH,
+            CUSTOM_ALG_SUITE_MINIMUM_ASYMMETRIC_KEY_LENGTH,
+            CUSTOM_ALG_SUITE_MAXIMUM_SYMMETRIC_KEY_LENGTH,
+            CUSTOM_ALG_SUITE_MINIMUM_SYMMETRIC_KEY_LENGTH,
+            CUSTOM_ALG_SUITE_SIGNATURE_DERIVED_KEY_LENGTH,
+            CUSTOM_ALG_SUITE_ENCRYPTION_DERIVED_KEY_LENGTH,
+            CUSTOM_ALG_SUITE_SIGNATURE_KEY_DERIVATION,
+            CUSTOM_ALG_SUITE_ENCRYPTION_KEY_DERIVATION,
+            CUSTOM_ALG_SUITE_ASYMMETRIC_KEY_ENCRYPTION_ALGORITHM,
+            CUSTOM_ALG_SUITE_SYMMETRIC_KEY_ENCRYPTION_ALGORITHM,
+            CUSTOM_ALG_SUITE_ENCRYPTION_ALGORITHM, CUSTOM_ALG_SUITE_DIGEST_ALGORITHM
         }));
         for (String commonProperty : COMMON_PROPERTIES) {
             s.add(commonProperty);

rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/custom/DefaultAlgorithmSuiteLoader.java

@@ -20,15 +20,21 @@
 
 import java.util.HashMap;
 import java.util.Map;
+import java.util.function.Consumer;
+import java.util.function.Function;
+import java.util.function.Supplier;
+import java.util.stream.Collectors;
 
 import javax.xml.namespace.QName;
 
 import org.w3c.dom.Element;
 
 import org.apache.cxf.Bus;
+import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionBuilderRegistry;
 import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertion;
 import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertionBuilder;
+import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.neethi.Assertion;
 import org.apache.neethi.AssertionBuilderFactory;
 import org.apache.neethi.Policy;
@@ -53,6 +59,8 @@ public AlgorithmSuite getAlgorithmSuite(Bus bus, SPConstants.SPVersion version,
             assertions.put(qName, new PrimitiveAssertion(qName));
             qName = new QName(ns, "Basic256GCM");
             assertions.put(qName, new PrimitiveAssertion(qName));
+            qName = new QName(ns, "CustomizedAlgorithmSuite");
+            assertions.put(qName, new PrimitiveAssertion(qName));
 
             reg.registerBuilder(new PrimitiveAssertionBuilder(assertions.keySet()) {
                 public Assertion build(Element element, AssertionBuilderFactory fact) {
@@ -68,6 +76,7 @@ public Assertion build(Element element, AssertionBuilderFactory fact) {
         return new GCMAlgorithmSuite(version, nestedPolicy);
     }
 
+
     public static class GCMAlgorithmSuite extends AlgorithmSuite {
 
         static {
@@ -112,6 +121,21 @@ public static class GCMAlgorithmSuite extends AlgorithmSuite {
                     256, 192, 256, 256, 1024, 4096
                 )
             );
+
+
+            ALGORITHM_SUITE_TYPES.put(
+                    "CustomizedAlgorithmSuite",
+                    new AlgorithmSuiteType(
+                            "CustomizedAlgorithmSuite",
+                            SPConstants.SHA256,
+                            "http://www.w3.org/2009/xmlenc11#aes256-gcm",
+                            SPConstants.KW_AES256,
+                            SPConstants.KW_RSA15,
+                            SPConstants.P_SHA1_L256,
+                            SPConstants.P_SHA1_L192,
+                            256, 192, 256, 256, 1024, 4096
+                    )
+            );
         }
 
         GCMAlgorithmSuite(SPConstants.SPVersion version, Policy nestedPolicy) {
@@ -140,9 +164,116 @@ protected void parseCustomAssertion(Assertion assertion) {
             } else if ("Basic256GCM".equals(assertionName)) {
                 setAlgorithmSuiteType(ALGORITHM_SUITE_TYPES.get("Basic256GCM"));
                 getAlgorithmSuiteType().setNamespace(assertionNamespace);
+            } else if ("CustomizedAlgorithmSuite".equals(assertionName)) {
+                setAlgorithmSuiteType(ALGORITHM_SUITE_TYPES.get("CustomizedAlgorithmSuite"));
+                getAlgorithmSuiteType().setNamespace(assertionNamespace);
             }
         }
     }
 
 
+    public static AlgorithmSuite.AlgorithmSuiteType customize(AlgorithmSuite.AlgorithmSuiteType suiteType,
+                                                              Message message) {
+
+        Map<String, Object> values = message.getContextualPropertyKeys()
+                .stream()
+                .filter(k -> k.startsWith(SecurityConstants.CUSTOM_ALG_SUITE_PREFIX))
+                .collect(Collectors.toMap(Function.identity(), k -> message.getContextualProperty(k)));
+
+        return customize(suiteType, values);
+
+    }
+
+    public static AlgorithmSuite.AlgorithmSuiteType customize(AlgorithmSuite.AlgorithmSuiteType suiteType,
+                                                              Map<String, Object> values) {
+
+        //customization happens only for CustomizedAlgorithmSuite
+        if (suiteType != null && !"CustomizedAlgorithmSuite".equals(suiteType.getName())) {
+            return suiteType;
+        }
+
+
+        AlgorithmSuite.AlgorithmSuiteType retVal = suiteType != null ? suiteType
+                : new AlgorithmSuite.AlgorithmSuiteType(null, null, null, null,
+                null, null, null,
+                Integer.MIN_VALUE, Integer.MIN_VALUE, Integer.MIN_VALUE, Integer.MIN_VALUE,
+                Integer.MIN_VALUE, Integer.MIN_VALUE);
+
+        //if there is no customized values, return without customization
+        if (values == null || values.isEmpty()) {
+            return retVal;
+        }
+        //apply customization
+        customizeAlgSuiteType(retVal, suiteType, values);
+
+        return retVal;
+    }
+
+    private static void customizeAlgSuiteType(AlgorithmSuite.AlgorithmSuiteType suiteType,
+                                              AlgorithmSuite.AlgorithmSuiteType defValue,
+                                              Map<String, Object> values) {
+
+        setValue(SecurityConstants.CUSTOM_ALG_SUITE_DIGEST_ALGORITHM, values,
+                suiteType::setDigest,
+                defValue != null ? defValue::getDigest : null);
+        setValue(SecurityConstants.CUSTOM_ALG_SUITE_ENCRYPTION_ALGORITHM, values,
+                suiteType::setEncryption,
+                defValue != null ? defValue::getEncryption : null);
+        setValue(SecurityConstants.CUSTOM_ALG_SUITE_SYMMETRIC_KEY_ENCRYPTION_ALGORITHM, values,
+                suiteType::setSymmetricKeyWrap,
+                defValue != null ? defValue::getSymmetricKeyWrap : null);
+        setValue(SecurityConstants.CUSTOM_ALG_SUITE_ASYMMETRIC_KEY_ENCRYPTION_ALGORITHM, values,
+                suiteType::setAsymmetricKeyWrap,
+                defValue != null ? defValue::getAsymmetricKeyWrap : null);
+        setValue(SecurityConstants.CUSTOM_ALG_SUITE_ENCRYPTION_KEY_DERIVATION, values,
+                suiteType::setEncryptionKeyDerivation,
+                defValue != null ? defValue::getEncryptionKeyDerivation : null);
+        setValue(SecurityConstants.CUSTOM_ALG_SUITE_SIGNATURE_KEY_DERIVATION, values,
+                suiteType::setSignatureKeyDerivation,
+                defValue != null ? defValue::getSignatureKeyDerivation : null);
+        setValue(SecurityConstants.CUSTOM_ALG_SUITE_SYMMETRIC_SIGNATURE, values,
+                suiteType::setSymmetricSignature,
+                defValue != null ? defValue::getSymmetricSignature : null);
+        setValue(SecurityConstants.CUSTOM_ALG_SUITE_ASYMMETRIC_SIGNATURE, values,
+                suiteType::setAsymmetricSignature,
+                defValue != null ? defValue::getAsymmetricSignature : null);
+        setValue(SecurityConstants.CUSTOM_ALG_SUITE_ENCRYPTION_DERIVED_KEY_LENGTH, values,
+                suiteType::getEncryptionDerivedKeyLength,
+                defValue != null ? defValue::getEncryptionDerivedKeyLength : null);
+        setValue(SecurityConstants.CUSTOM_ALG_SUITE_SIGNATURE_DERIVED_KEY_LENGTH, values,
+                suiteType::setSignatureDerivedKeyLength,
+                defValue != null ? defValue::getSignatureDerivedKeyLength : null);
+        setValue(SecurityConstants.CUSTOM_ALG_SUITE_MINIMUM_SYMMETRIC_KEY_LENGTH, values,
+                suiteType::setMinimumSymmetricKeyLength,
+                defValue != null ? defValue::getMinimumSymmetricKeyLength : null);
+        setValue(SecurityConstants.CUSTOM_ALG_SUITE_MAXIMUM_SYMMETRIC_KEY_LENGTH, values,
+                suiteType::setMaximumSymmetricKeyLength,
+                defValue != null ? defValue::getMaximumSymmetricKeyLength : null);
+        setValue(SecurityConstants.CUSTOM_ALG_SUITE_MINIMUM_ASYMMETRIC_KEY_LENGTH, values,
+                suiteType::setMinimumAsymmetricKeyLength,
+                defValue != null ? defValue::getMinimumAsymmetricKeyLength : null);
+        setValue(SecurityConstants.CUSTOM_ALG_SUITE_MAXIMUM_ASYMMETRIC_KEY_LENGTH, values,
+                suiteType::setMaximumAsymmetricKeyLength,
+                defValue != null ? defValue::getMaximumAsymmetricKeyLength : null);
+    }
+
+    private static <T> void setValue(String key, Map<String, Object> values,
+                                     Consumer<T> customizedValueSetter,
+                                     Supplier<T> defaultValueGetter) {
+
+        //get customized value
+        T value = (T)values.get(key);
+        //use default value if null
+        if (value == null && defaultValueGetter != null) {
+            value = defaultValueGetter.get();
+        }
+        //set value
+        if (value != null) {
+            customizedValueSetter.accept(value);
+        }
+    }
+
+
+
+
 }