This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/camel.git

commit c460b971eca289a3458d5599a84a08d272c5e426
Author: Colm O hEigeartaigh <cohei...@apache.org>
AuthorDate: Fri Nov 8 10:16:14 2019 +0000

    CAMEL-14157 - Upgrade default signature algorithm for XML Signature to 
RSA-SHA256
---
 .../src/main/docs/xmlsecurity-component.adoc       |  4 ++--
 .../processor/XmlSignerConfiguration.java          | 24 +++++++++++-----------
 .../ROOT/pages/camel-3-migration-guide.adoc        |  5 +++++
 .../XmlSignatureComponentConfiguration.java        |  2 +-
 4 files changed, 20 insertions(+), 15 deletions(-)

diff --git 
a/components/camel-xmlsecurity/src/main/docs/xmlsecurity-component.adoc 
b/components/camel-xmlsecurity/src/main/docs/xmlsecurity-component.adoc
index a49eb44..64eec65 100644
--- a/components/camel-xmlsecurity/src/main/docs/xmlsecurity-component.adoc
+++ b/components/camel-xmlsecurity/src/main/docs/xmlsecurity-component.adoc
@@ -297,7 +297,7 @@ with the following path and query parameters:
 | *plainTextEncoding* (sign) | Encoding of the plain text. Only relevant if 
the message body is plain text (see parameter plainText. Default value is 
UTF-8. | UTF-8 | String
 | *prefixForXmlSignature Namespace* (sign) | Namespace prefix for the XML 
signature namespace \http://www.w3.org/2000/09/xmldsig#. Default value is ds. 
If null or an empty value is set then no prefix is used for the XML signature 
namespace. See best practice 
\http://www.w3.org/TR/xmldsig-bestpractices/#signing-xml- without-namespaces | 
ds | String
 | *properties* (sign) | For adding additional References and Objects to the 
XML signature which contain additional properties, you can provide a bean which 
implements the XmlSignatureProperties interface. |  | XmlSignatureProperties
-| *signatureAlgorithm* (sign) | Signature algorithm. Default value is 
\http://www.w3.org/2000/09/xmldsig#rsa-sha1. | 
http://www.w3.org/2000/09/xmldsig#rsa-sha1 | String
+| *signatureAlgorithm* (sign) | Signature algorithm. Default value is 
\http://www.w3.org/2000/09/xmldsig#rsa-sha1. | 
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 | String
 | *signatureId* (sign) | Sets the signature Id. If this parameter is not set 
(null value) then a unique ID is generated for the signature ID (default). If 
this parameter is set to (empty string) then no Id attribute is created in the 
signature element. |  | String
 | *transformMethods* (sign) | Transforms which are executed on the message 
body before the digest is calculated. By default, C14n is added and in the case 
of enveloped signature (see option parentLocalName) also 
\http://www.w3.org/2000/09/xmldsig#enveloped-signature is added at position 0 
of the list. Use methods in XmlSignatureHelper to create the transform methods. 
|  | List
 | *xpathsToIdAttributes* (sign) | Define the elements which are signed in the 
detached case via XPATH expressions to ID attributes (attributes of type ID). 
For each element found via the XPATH expression a detached signature is created 
whose reference URI contains the corresponding attribute value (preceded by 
'#'). The signature becomes the last sibling of the signed element. Elements 
with deeper hierarchy level are signed first. You can also set the XPATH list 
dynamically via the heade [...]
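Review bot: the replacement row is internally inconsistent: its description text still reads "Default value is \http://www.w3.org/2000/09/xmldsig#rsa-sha1." while the default-value column now says http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. Since this table is generated from the option's Javadoc, the sentence in the `setSignatureAlgorithm` Javadoc in XmlSignerConfiguration should be updated to name the RSA-SHA256 URI (or simply say "Default value is RSA-SHA256") and the docs regenerated, otherwise the next regeneration keeps reintroducing the stale text.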
@@ -360,7 +360,7 @@ The component supports 63 options, which are listed below.
 | *camel.component.xmlsecurity.signer-configuration.properties* | For adding 
additional References and Objects to the XML signature which contain additional 
properties, you can provide a bean which implements the XmlSignatureProperties 
interface. |  | XmlSignatureProperties
 | *camel.component.xmlsecurity.signer-configuration.properties-name* | Sets 
the reference name for a XmlSignatureProperties that can be found in the 
registry. |  | String
 | *camel.component.xmlsecurity.signer-configuration.schema-resource-uri* | 
Classpath to the XML Schema. Must be specified in the detached XML Signature 
case for determining the ID attributes, might be set in the enveloped and 
enveloping case. If set, then the XML document is validated with the specified 
XML schema. The schema resource URI can be overwritten by the header {@link 
XmlSignatureConstants#HEADER_SCHEMA_RESOURCE_URI}. |  | String
-| *camel.component.xmlsecurity.signer-configuration.signature-algorithm* | 
Signature algorithm. Default value is 
"\http://www.w3.org/2000/09/xmldsig#rsa-sha1";. | 
http://www.w3.org/2000/09/xmldsig#rsa-sha1 | String
+| *camel.component.xmlsecurity.signer-configuration.signature-algorithm* | 
Signature algorithm. Default value is 
"\http://www.w3.org/2000/09/xmldsig#rsa-sha1";. | 
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 | String
 | *camel.component.xmlsecurity.signer-configuration.signature-id* | Sets the 
signature Id. If this parameter is not set (null value) then a unique ID is 
generated for the signature ID (default). If this parameter is set to "" (empty 
string) then no Id attribute is created in the signature element. |  | String
 | *camel.component.xmlsecurity.signer-configuration.transform-methods* | 
Transforms which are executed on the message body before the digest is 
calculated. By default, C14n is added and in the case of enveloped signature 
(see option parentLocalName) also 
\http://www.w3.org/2000/09/xmldsig#enveloped-signature is added at position 0 
of the list. Use methods in XmlSignatureHelper to create the transform methods. 
|  | List
 | *camel.component.xmlsecurity.signer-configuration.transform-methods-name* | 
Sets the reference name for a XmlSignatureProperties that can be found in the 
registry. |  | String
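Review bot: same mismatch as in the component table above: the `+` row for `camel.component.xmlsecurity.signer-configuration.signature-algorithm` still describes the default as "\http://www.w3.org/2000/09/xmldsig#rsa-sha1" while the default column is now the rsa-sha256 URI. Fix the source Javadoc rather than this generated row so both tables stay in sync.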
diff --git 
a/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/processor/XmlSignerConfiguration.java
 
b/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/processor/XmlSignerConfiguration.java
index 22f22b1..c8949ed 100644
--- 
a/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/processor/XmlSignerConfiguration.java
+++ 
b/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/processor/XmlSignerConfiguration.java
@@ -52,8 +52,8 @@ public class XmlSignerConfiguration extends 
XmlSignatureConfiguration {
     @UriParam(label = "sign", defaultValue = 
"http://www.w3.org/TR/2001/REC-xml-c14n-20010315";)
     private AlgorithmMethod canonicalizationMethod = new 
XmlSignatureTransform(CanonicalizationMethod.INCLUSIVE);
     private String canonicalizationMethodName;
-    @UriParam(label = "sign", defaultValue = 
"http://www.w3.org/2000/09/xmldsig#rsa-sha1";)
-    private String signatureAlgorithm = 
"http://www.w3.org/2000/09/xmldsig#rsa-sha1";;
+    @UriParam(label = "sign", defaultValue = 
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";)
+    private String signatureAlgorithm = 
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";;
     @UriParam(label = "sign")
     private String digestAlgorithm;
     @UriParam(label = "sign", defaultValue = "true")
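Review bot: the `@UriParam(defaultValue = ...)` annotation and the field initializer are updated together, which is correct, but the URI is now spelled out twice in adjacent lines; declaring it once as a constant (for example `private static final String DEFAULT_SIGNATURE_ALGORITHM = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";`) and referencing it from both the annotation and the initializer would prevent the two from drifting apart in a future change. The Javadoc on the corresponding setter is not in this hunk; it still documents the old rsa-sha1 default (as the generated docs and Spring Boot configuration in this patch show) and should be updated in the same commit.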
@@ -235,14 +235,14 @@ public class XmlSignerConfiguration extends 
XmlSignatureConfiguration {
     /**
      * Namespace prefix for the XML signature namespace
      * "http://www.w3.org/2000/09/xmldsig#";. Default value is "ds".
-     * 
+     *
      * If <code>null</code> or an empty value is set then no prefix is used for
      * the XML signature namespace.
      * <p>
      * See best practice
      * http://www.w3.org/TR/xmldsig-bestpractices/#signing-xml-
      * without-namespaces
-     * 
+     *
      * @param prefixForXmlSignatureNamespace
      *            prefix
      */
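Review bot: this hunk and the two that follow in this file are trailing-whitespace cleanups only, with no functional change. Mixing them into a commit that changes a security-relevant default makes the default change harder to spot in review and in `git blame`; consider committing the whitespace cleanup separately.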
@@ -256,20 +256,20 @@ public class XmlSignerConfiguration extends 
XmlSignatureConfiguration {
 
     /**
      * Local name of the parent element to which the XML signature element will
-     * be added. Only relevant for enveloped XML signature. Alternatively you 
can 
+     * be added. Only relevant for enveloped XML signature. Alternatively you 
can
      * also use {@link #setParentXpath(XPathFilterParameterSpec)}.
-     * 
+     *
      * <p> Default value is
      * <code>null</code>. The value must be <code>null</code> for enveloping 
and
      * detached XML signature.
      * <p>
      * This parameter or the parameter {@link 
#setParentXpath(XPathFilterParameterSpec)}
-     * for enveloped signature and the parameter {@link 
#setXpathsToIdAttributes(List)} 
+     * for enveloped signature and the parameter {@link 
#setXpathsToIdAttributes(List)}
      * for detached signature must not be set in the same configuration.
      * <p>
      * If the parameters <tt>parentXpath</tt> and <tt>parentLocalName</tt> are 
specified
      * in the same configuration then an exception is thrown.
-     * 
+     *
      * @param parentLocalName
      *            local name
      */
@@ -467,19 +467,19 @@ public class XmlSignerConfiguration extends 
XmlSignatureConfiguration {
 
     /**
      * Sets the XPath to find the parent node in the enveloped case.
-     * Either you specify the parent node via this method or the local name 
and namespace of the parent 
-     * with the methods {@link #setParentLocalName(String)} and {@link 
#setParentNamespace(String)}. 
+     * Either you specify the parent node via this method or the local name 
and namespace of the parent
+     * with the methods {@link #setParentLocalName(String)} and {@link 
#setParentNamespace(String)}.
      * <p>
      * Default value is <code>null</code>. The value must be <code>null</code> 
for enveloping and
      * detached XML signature.
      * <p>
      * If the parameters <tt>parentXpath</tt> and <tt>parentLocalName</tt> are 
specified
      * in the same configuration then an exception is thrown.
-     * 
+     *
      * @param parentXpath xpath to the parent node, if the xpath returns 
several values then the first Element node is used
      */
     public void setParentXpath(XPathFilterParameterSpec parentXpath) {
         this.parentXpath = parentXpath;
     }
-    
+
 }
diff --git a/docs/user-manual/modules/ROOT/pages/camel-3-migration-guide.adoc 
b/docs/user-manual/modules/ROOT/pages/camel-3-migration-guide.adoc
index 0d1f820..c51416c 100644
--- a/docs/user-manual/modules/ROOT/pages/camel-3-migration-guide.adoc
+++ b/docs/user-manual/modules/ROOT/pages/camel-3-migration-guide.adoc
@@ -327,6 +327,11 @@ also been deprecated in Camel 2.x. In Camel 3 we have 
removed the remaining code
 
 The default JSon library with the JSon dataformat has changed from `XStream` 
to `Jackson`.
 
+=== XML Security Component
+
+The default signature algorithm has changed for the XML Security Component - it
+is now RSA-SHA256 (before it was RSA-SHA1).
+
 === XML Security DataFormat
 
 The default encryption key for the XML Security DataFormat has been removed,
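Review bot: the new migration note says what changed but not how to act on it. It should name the option that controls the default (`signatureAlgorithm` on the signer configuration, `camel.component.xmlsecurity.signer-configuration.signature-algorithm` for Spring Boot) and give the full algorithm URI, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, so users can recognize it in signatures and verifier configuration. It would also help to point out the compatibility consequence: a verifier that accepts only the legacy http://www.w3.org/2000/09/xmldsig#rsa-sha1 URI will reject signatures produced with the new default, so both sides of an exchange need to be checked when upgrading.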
diff --git 
a/platforms/spring-boot/components-starter/camel-xmlsecurity-starter/src/main/java/org/apache/camel/component/xmlsecurity/springboot/XmlSignatureComponentConfiguration.java
 
b/platforms/spring-boot/components-starter/camel-xmlsecurity-starter/src/main/java/org/apache/camel/component/xmlsecurity/springboot/XmlSignatureComponentConfiguration.java
index f2062a9..e86f1a5 100644
--- 
a/platforms/spring-boot/components-starter/camel-xmlsecurity-starter/src/main/java/org/apache/camel/component/xmlsecurity/springboot/XmlSignatureComponentConfiguration.java
+++ 
b/platforms/spring-boot/components-starter/camel-xmlsecurity-starter/src/main/java/org/apache/camel/component/xmlsecurity/springboot/XmlSignatureComponentConfiguration.java
@@ -121,7 +121,7 @@ public class XmlSignatureComponentConfiguration
          * Signature algorithm. Default value is
          * "http://www.w3.org/2000/09/xmldsig#rsa-sha1";.
          */
-        private String signatureAlgorithm = 
"http://www.w3.org/2000/09/xmldsig#rsa-sha1";;
+        private String signatureAlgorithm = 
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";;
         /**
          * Digest algorithm URI. Optional parameter. This digest algorithm is
          * used for calculating the digest of the input message. If this digest
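Review bot: the unchanged context lines directly above the `-`/`+` pair still document the default as "http://www.w3.org/2000/09/xmldsig#rsa-sha1", which now contradicts the initializer. This Spring Boot configuration class is generated from XmlSignerConfiguration, so the comment should be corrected in the source Javadoc and regenerated here; editing only the field leaves the stale comment to be reproduced on the next generation run.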