Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0-milestone1
    • Fix Version/s: 3.0.0-milestone1
    • Component/s: Services
    • Labels:
      None
    • Estimated Complexity:
      Unknown

      Description

      Talend is happy to donate the initial XKMS 2.0 implementation to Apache CXF as part of this Jira.

      XKMS will be contributed as a service (like STS and WS-Discovery) providing standardized access to central public key infrastructure (PKI) including lookup, validation, registration, reissuing and revocation of public keys.
      XKMS will help users to manage their certificates centrally instead of storing them in local keystores, which is IMO best practice for middle/large service landscapes.

      I tried to describe the use case, architecture and design of the XKMS Service in the CXF wiki:
      https://cwiki.apache.org/confluence/display/CXF20DOC/XML+Key+Management+Service+%28XKMS%29
      and in the blog: http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html .

      Attached is the initial draft of the XKMS service implementation supporting X509 public keys, simple File and LDAP storages and providing Web and OSGi deployment. The suggested target CXF release for the XKMS service will be 3.0. The code was designed and implemented by me together with Christian Schneider (cschneider), reviewed and refactored by Jan Bernhard (jbernhard) and donated by Talend.

      Any feedback on this code is welcome. The next tasks will be to support revocation lists, complete the validate operation for trusted chains, extend the system tests, and support new key storages.

      Regards,
      Andrei.

      1. xkms.patch
        538 kB
        Andrei Shakirin

        Activity

        ashakirin Andrei Shakirin added a comment -

        XKMS contribution

        chris@die-schneider.net Christian Schneider added a comment -

        The new patch looks good to me. The build works fine now.

        coheigea Colm O hEigeartaigh added a comment -

        Hi Andrei,

        The patch looks good to me. I would say that adding system tests + adding support for chain trust should be top priorities.

        One bug I noticed in reviewing the wiki is that the "RequestId" attribute in some of the messages is not schema compliant:

        <attribute name="RequestId" type="NCName" use="optional"/>

        This means it can't start with a number, see here for a similar bug:

        https://issues.apache.org/jira/browse/WSS-317

        Colm.
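
The NCName constraint raised in the comment above, checked with the JDK's own schema validator. This is an added example, not part of the comment or of the CXF code base; the class name, the helper names, the reduced schema and the sample IDs are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.UUID;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.SAXException;

public class RequestIdNCNameCheck {

    // Constructed minimal schema: a single element carrying the attribute
    // declaration quoted in the comment above (not the real XKMS schema).
    private static final String XSD =
          "<schema xmlns='http://www.w3.org/2001/XMLSchema'>"
        + "<element name='Request'><complexType>"
        + "<attribute name='RequestId' type='NCName' use='optional'/>"
        + "</complexType></element></schema>";

    // Validates <Request RequestId="..."/> against the schema.
    // Only call with IDs free of XML metacharacters (true for the samples below).
    static boolean isSchemaValid(Schema schema, String requestId) throws IOException {
        String xml = "<Request RequestId='" + requestId + "'/>";
        try {
            schema.newValidator().validate(new StreamSource(new StringReader(xml)));
            return true;
        } catch (SAXException e) {
            return false; // the validator rejected the attribute value
        }
    }

    // Assumed fix: prefix the UUID so the first character is always a legal name start.
    static String newRequestId() {
        return "_" + UUID.randomUUID();
    }

    public static void main(String[] args) throws Exception {
        Schema schema = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI)
                .newSchema(new StreamSource(new StringReader(XSD)));
        String bare = "126e4567-e89b-12d3-a456-426614174000"; // constructed sample, leading digit
        System.out.println(bare + " -> " + isSchemaValid(schema, bare));
        System.out.println("_" + bare + " -> " + isSchemaValid(schema, "_" + bare));
        String generated = newRequestId();
        System.out.println(generated + " -> " + isSchemaValid(schema, generated));
    }
}
```

A bare UUID whose first hex digit happens to be a letter (a to f) passes validation, so an unprefixed ID generator fails only intermittently against a validating receiver.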

        ashakirin Andrei Shakirin added a comment -

        Hi Colm,
        Thanks for the feedback and first bug report!

        RequestId and Id are fixed in Wiki.
        Id in responses should be also fixed in implementation. Will do it immediately after XKMS contribution.

        Andrei.

        gmazza Glen Mazza added a comment -

        Andrei, your code needs to be fixed: http://cxf.547215.n5.nabble.com/Uh-oh-Re-svn-commit-r1484133-1-6-td5727964.html

        ashakirin Andrei Shakirin added a comment -

        Thanks for pointing this out, I will take care of it.

        Regards,
        Andrei.

        gmazza Glen Mazza added a comment -

        Closing as the formatting issue seems to have been all fixed. Thanks to Andrei for getting it done so quickly.


          People

          • Assignee: ashakirin Andrei Shakirin
          • Reporter: ashakirin Andrei Shakirin
          • Votes: 0
          • Watchers: 4
