Page edited by Andrei Shakirin

Changes (19)

Full Content

XML Key Management Service (XKMS)

Use case

CXF uses asymmetric algorithms for different purposes: encryption of symmetric keys and payloads, signing security tokens and messages, proof of possession.
Normally the public keys (in form of X509 certificates) are stored in java keystores.

For example, if sender encrypts the message payload sending to the receiver, he should have access to receiver certificate saved in local keystore.
The sender uses this certificate for message encryption and receiver decrypts request with corresponded own private key:

Seems to be OK? Imagine now that you have production environment with 100 different clients of this service and service certificate is expired. You should reissue and replace certificate in ALL client keystores! Even more, if keystores are packaged into war files or OSGi bundles – they should be unpackaged and updated. Not really acceptable for enterprise environments.

Therefore large service landscapes support central certificates management. It means that X509 certificates are not stored locally in keystores, but are provided and administrated centrally.

Normally it is a responsibility of Public Key Infrastructure (PKI) established in organization. PKI is responsible to create, manage, store, distribute, synchronize and revoke public certificates and certification authorities (CAs).

XKMS Specification

W3C specifies protocol to distribute and register public keys, certificates and CAs that can be used for XML-based cryptography, including signature and encryption: XML Key Management Specification (XKMS 2.0).
The XKMS Specification comprises two parts – the XML Key Information Service Specification (XKISS) describing the runtime aspects of key lookup and certificate validation and the XML Key Registration Service Specification (XKRSS) describing the administrative aspects of registering, renewing, revoking and recovering certificates.
XKMS Service implements both parts of specification.

XKMS SOAP interface can be used as standard frontend to access Public Key Infrastructure (PKI). Using XKMS message encryption scenario message encryption picture will change in following way:

XKMS Design

Internal structure of XKMS service is represented on the following figure:

XKMS Service exposes SOAP interface specified in XKMS 2.0.
XKMS implementation realizes chain of responsibility design pattern .
Each XKMS operation defines handler interface and provides one or more implementations of this interface. Handler implementations are connected into chain.
Operation implementation invokes handlers one after another from pre-configured chain until either all handlers will be processed or critical error will occur.
This design makes XKMS internal implementation quite flexible: it is easy to add/remove handlers, change their order, introduce handlers supporting new backends, etc.
For example certificate can be searched firstly in the LDAP repository by LDAP lookup handler and, if it is not found there, additionally looked in remote PKI using appropriate lookup handler. Validation operation logic is organized in chain is well: first validation handler checks format and expire date of X509 certificate, next one checks certificate trust chain.

Currently XKMS Service supports simple file based and LDAP backends.
Sample spring configuration of XKMS handlers looks like:

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:cxf="http://cxf.apache.org/core" xmlns:jaxws="http://cxf.apache.org/jaxws"
    xmlns:test="http://apache.org/hello_world_soap_http" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:util="http://www.springframework.org/schema/util"
    xsi:schemaLocation="
        http://cxf.apache.org/core
        http://cxf.apache.org/schemas/core.xsd
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
        http://cxf.apache.org/jaxws                                     
        http://cxf.apache.org/schemas/jaxws.xsd
        http://www.springframework.org/schema/util
        http://www.springframework.org/schema/util/spring-util-2.0.xsd">



    <bean id="dateValidator" class="org.apache.cxf.xkms.x509.validator.DateValidator" />

    <bean id="trustedAuthorityValidator"
        class="org.apache.cxf.xkms.x509.validator.TrustedAuthorityValidator">
        <constructor-arg ref="certificateRepo" />
    </bean>

    <bean id="x509Locator" class="org.apache.cxf.xkms.x509.handlers.X509Locator">
        <constructor-arg ref="certificateRepo" />
    </bean>

    <bean id="x509Register"
        class="org.apache.cxf.xkms.x509.handlers.x509Register">
        <constructor-arg ref="certificateRepo" />
    </bean>


    <!-- LDAP based implementation -->

    <bean id="certificateRepo"
        class="org.apache.cxf.xkms.x509.repo.ldap.LdapCertificateRepo">
        <constructor-arg ref="ldapServer" />
        <constructor-arg ref="ldapSchemaConfig" />
        <constructor-arg value="dc=example,dc=com" />
    </bean>

    <bean id="ldapServer" class="org.apache.cxf.xkms.x509.repo.ldap.LdapServer">
        <constructor-arg value="ldap://localhost:2389" />
        <constructor-arg value="cn=Directory Manager,dc=example,dc=com" />
        <constructor-arg value="test" />
        <constructor-arg value="2" />
    </bean>

    <bean id="ldapSchemaConfig" class="org.apache.cxf.xkms.x509.repo.ldap.LdapSchemaConfig">
        <property name="certObjectClass" value="inetOrgPerson" />
        <property name="attrUID" value="uid" />
        <property name="attrIssuerID" value="manager" />
        <property name="attrSerialNumber" value="employeeNumber" />
        <property name="attrCrtBinary" value="userCertificate;binary" />
        <property name="constAttrNamesCSV" value="sn" />
        <property name="constAttrValuesCSV" value="X509 certificate" />
        <property name="serviceCertRDNTemplate" value="cn=%s,ou=services" />
        <property name="serviceCertUIDTemplate" value="cn=%s" />
	<property name="trustedAuthorityFilter" value="(&#038;(objectClass=inetOrgPerson)(ou:dn:=CAs))" />
	<property name="intermediateFilter" value="(objectClass=inetOrgPerson)" />
    </bean>


    <!-- File based implementation -->

    <!-- bean id="certificateRepo"
        class="org.apache.cxf.xkms.x509.repo.file.FileCertificateRepo">
        <constructor-arg value="../conf/certs" />
    </bean-->

</beans>

dateValidator and trustedAuthorityValidator beans are implementations of Validator interface for validity date and trusted chain validation. x509Locator and x509Register are implementations of Locator and Register interfaces for X509 certificates.

Integration XKMS client into CXF security.

XKMS client can be integrated into CXF and WSS4J using custom Crypto provider implementation. In this case XKMS service will be automatically invoked when WSS4J requires or validates certificate. Details are described in this blog.

Data Formats

Input and output data formats are specified in XML Key Management Service Specification Version 2.0 (see XKMS 2.0). Anyway XKMS service supports only subset of specified requests and responses.
Restrictions of formats for request and responses are described in following table:

Element XPath	Supporting values	Description
RootElement/QueryKeyBinding/UseKeyWith@Application	urn:ietf:rfc:2459	Application specifies X509 SubjectDN in Identifier attribute. Used for normal users certificates
RootElement/QueryKeyBinding/UseKeyWith@Application	urn:apache:cxf:service:soap	Application specifies Service Id in Identifier attribute as {SERVICE_ NAMESPACE}SERVICE_NAME. Used for service certificates
RootElement/QueryKeyBinding/UseKeyWith@Identifier	X509 Subject DN or Service name as {SERVICE_ NAMESPACE}SERVICE_NAME	Depending on Application attribute public key is identified as X509 Subject DN or Service nameservice certificates
RootElement/UnverifiedKeyBinding/KeyInfo	X509Data/X509Certificate	Only X509Data with X509Certificate is supported

Error Handling

Success and Fault Response formats are specified in XKMS 2.0. Error conditions in XKMS service are reported using ResultMajor and ResultMinor attributes in root response element.
XKMS Service uses following values for response codes:

ResultMajor

Value	Description
Success	The operation succeeded.
Receiver	An error occurred at the receiver.
Sender	An error occurred that was due to the message sent by the sender.

ResultMinor

Value	Description
Failure	The service attempted to perform the request but the operation failed.
NoMatch	No match was found for the search prototype provided.
TooManyResponses	The request resulted in the number of responses that exceeded limit determined by the service.
TimeInstantNotSupported	The receiver has refused the operation because it does not support the TimeInstant element.

Deployment

XKMS Service can be deployed into web and OSGi containers. Service implementation was tested with Tomcat and Karaf.

Sample Requests and Responses

Sample request for Locate operation:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
        <ns2:LocateRequest xmlns="http://www.w3.org/2000/09/xmldsig#"
            xmlns:ns2="http://www.w3.org/2002/03/xkms#" 
            xmlns:ns3="http://www.w3.org/2001/04/xmlenc#"
            Id="I047257513d19456687e6b4f4a2a72606" Service="http://cxf.apache.org/services/XKMS/">
            <ns2:QueryKeyBinding>
                <ns2:UseKeyWith Application="urn:ietf:rfc:2459"
                    Identifier="[email protected], CN=www.client.com, OU=IT Department, O=Sample Client -- NOT FOR PRODUCTION, L=Niagara Falls, ST=New York, C=US" />
            </ns2:QueryKeyBinding>
        </ns2:LocateRequest>
    </soap:Body>
</soap:Envelope>

Sample response for Locate operation:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
        <ns2:LocateResult ResultMajor="http://www.w3.org/2002/03/xkms#Success"
            RequestId="I047257513d19456687e6b4f4a2a72606" Id="I0758390284847918129574923948"
            Service="http://cxf.apache.org/services/XKMS/" 
            xmlns:ns2="http://www.w3.org/2002/03/xkms#"
            xmlns:ns3="http://www.w3.org/2001/04/xmlenc#" 
            xmlns:ns4="http://www.w3.org/2000/09/xmldsig#"
            xmlns:ns5="http://www.w3.org/2002/03/xkms#wsdl">
            <ns2:UnverifiedKeyBinding>
                <ns4:KeyInfo>
                    <ns4:X509Data>
                        <ns4:X509Certificate>… </ns4:X509Certificate>
                    </ns4:X509Data>
                </ns4:KeyInfo>
            </ns2:UnverifiedKeyBinding>
        </ns2:LocateResult>
    </soap:Body>
</soap:Envelope>

Sample error message:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
        <ns2:LocateResult ResultMajor="http://www.w3.org/2002/03/xkms#Receiver"
            ResultMinor="http://www.w3.org/2002/03/xkms#Failure"
            RequestId="I047257513d19456687e6b4f4a2a72606" Id="I0758390284847918129574923948"
            Service="http://cxf.apache.org/services/XKMS/" 
            xmlns:ns2="http://www.w3.org/2002/03/xkms#"
            xmlns:ns3="http://www.w3.org/2001/04/xmlenc#" 
            xmlns:ns4="http://www.w3.org/2000/09/xmldsig#"
            xmlns:ns5="http://www.w3.org/2002/03/xkms#wsdl">

            <ns2:MessageExtension xsi:type="ns5:resultDetails"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <Details>Search certificates failure: Application
                    identifier not supported</Details>
            </ns2:MessageExtension>
        </ns2:LocateResult>
    </soap:Body>
</soap:Envelope>

Current restrictions and ToDos

only X509 certificates are supported as keys;
only LDAP and File based backends are supported;
validate operations checks expiration date, but doesn't validate trusted chain;
revocation lists are not implemented;
more integration tests are required

Change Notification Preferences

View Online | View Changes | Add Comment

[CONF] Apache CXF Documentation > XML Key Management Service (XKMS)