Posted to commits@camel.apache.org by co...@apache.org on 2019/11/08 11:42:23 UTC

[camel] 01/02: CAMEL-14157 - Upgrade default signature algorithm for XML Signature to RSA-SHA256

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/camel.git

commit c460b971eca289a3458d5599a84a08d272c5e426
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Nov 8 10:16:14 2019 +0000

    CAMEL-14157 - Upgrade default signature algorithm for XML Signature to RSA-SHA256
---
 .../src/main/docs/xmlsecurity-component.adoc       |  4 ++--
 .../processor/XmlSignerConfiguration.java          | 24 +++++++++++-----------
 .../ROOT/pages/camel-3-migration-guide.adoc        |  5 +++++
 .../XmlSignatureComponentConfiguration.java        |  2 +-
 4 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/components/camel-xmlsecurity/src/main/docs/xmlsecurity-component.adoc b/components/camel-xmlsecurity/src/main/docs/xmlsecurity-component.adoc
index a49eb44..64eec65 100644
--- a/components/camel-xmlsecurity/src/main/docs/xmlsecurity-component.adoc
+++ b/components/camel-xmlsecurity/src/main/docs/xmlsecurity-component.adoc
@@ -297,7 +297,7 @@ with the following path and query parameters:
 | *plainTextEncoding* (sign) | Encoding of the plain text. Only relevant if the message body is plain text (see parameter plainText. Default value is UTF-8. | UTF-8 | String
 | *prefixForXmlSignature Namespace* (sign) | Namespace prefix for the XML signature namespace \http://www.w3.org/2000/09/xmldsig#. Default value is ds. If null or an empty value is set then no prefix is used for the XML signature namespace. See best practice \http://www.w3.org/TR/xmldsig-bestpractices/#signing-xml- without-namespaces | ds | String
 | *properties* (sign) | For adding additional References and Objects to the XML signature which contain additional properties, you can provide a bean which implements the XmlSignatureProperties interface. |  | XmlSignatureProperties
-| *signatureAlgorithm* (sign) | Signature algorithm. Default value is \http://www.w3.org/2000/09/xmldsig#rsa-sha1. | http://www.w3.org/2000/09/xmldsig#rsa-sha1 | String
+| *signatureAlgorithm* (sign) | Signature algorithm. Default value is \http://www.w3.org/2000/09/xmldsig#rsa-sha1. | http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 | String
 | *signatureId* (sign) | Sets the signature Id. If this parameter is not set (null value) then a unique ID is generated for the signature ID (default). If this parameter is set to (empty string) then no Id attribute is created in the signature element. |  | String
 | *transformMethods* (sign) | Transforms which are executed on the message body before the digest is calculated. By default, C14n is added and in the case of enveloped signature (see option parentLocalName) also \http://www.w3.org/2000/09/xmldsig#enveloped-signature is added at position 0 of the list. Use methods in XmlSignatureHelper to create the transform methods. |  | List
 | *xpathsToIdAttributes* (sign) | Define the elements which are signed in the detached case via XPATH expressions to ID attributes (attributes of type ID). For each element found via the XPATH expression a detached signature is created whose reference URI contains the corresponding attribute value (preceded by '#'). The signature becomes the last sibling of the signed element. Elements with deeper hierarchy level are signed first. You can also set the XPATH list dynamically via the heade [...]
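Review bot: The description column on the changed `*signatureAlgorithm*` row still reads "Default value is \http://www.w3.org/2000/09/xmldsig#rsa-sha1." while the default column now says `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`, so the row contradicts itself. Since this table is generated, the stale sentence most likely comes from the Javadoc on the `signatureAlgorithm` setter in `XmlSignerConfiguration`, which this patch does not touch; update that Javadoc (and regenerate) so the description says the default is RSA-SHA256, and consider stating that RSA-SHA1 is still accepted for interoperability if set explicitly.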
@@ -360,7 +360,7 @@ The component supports 63 options, which are listed below.
 | *camel.component.xmlsecurity.signer-configuration.properties* | For adding additional References and Objects to the XML signature which contain additional properties, you can provide a bean which implements the XmlSignatureProperties interface. |  | XmlSignatureProperties
 | *camel.component.xmlsecurity.signer-configuration.properties-name* | Sets the reference name for a XmlSignatureProperties that can be found in the registry. |  | String
 | *camel.component.xmlsecurity.signer-configuration.schema-resource-uri* | Classpath to the XML Schema. Must be specified in the detached XML Signature case for determining the ID attributes, might be set in the enveloped and enveloping case. If set, then the XML document is validated with the specified XML schema. The schema resource URI can be overwritten by the header {@link XmlSignatureConstants#HEADER_SCHEMA_RESOURCE_URI}. |  | String
-| *camel.component.xmlsecurity.signer-configuration.signature-algorithm* | Signature algorithm. Default value is "\http://www.w3.org/2000/09/xmldsig#rsa-sha1". | http://www.w3.org/2000/09/xmldsig#rsa-sha1 | String
+| *camel.component.xmlsecurity.signer-configuration.signature-algorithm* | Signature algorithm. Default value is "\http://www.w3.org/2000/09/xmldsig#rsa-sha1". | http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 | String
 | *camel.component.xmlsecurity.signer-configuration.signature-id* | Sets the signature Id. If this parameter is not set (null value) then a unique ID is generated for the signature ID (default). If this parameter is set to "" (empty string) then no Id attribute is created in the signature element. |  | String
 | *camel.component.xmlsecurity.signer-configuration.transform-methods* | Transforms which are executed on the message body before the digest is calculated. By default, C14n is added and in the case of enveloped signature (see option parentLocalName) also \http://www.w3.org/2000/09/xmldsig#enveloped-signature is added at position 0 of the list. Use methods in XmlSignatureHelper to create the transform methods. |  | List
 | *camel.component.xmlsecurity.signer-configuration.transform-methods-name* | Sets the reference name for a XmlSignatureProperties that can be found in the registry. |  | String
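Review bot: Same inconsistency as in the endpoint table above: the `signer-configuration.signature-algorithm` row's description still says the default is "\http://www.w3.org/2000/09/xmldsig#rsa-sha1" while the default column is now the rsa-sha256 URI. Fixing the source Javadoc once will correct both generated tables; a hand-edit of only the default column leaves the description wrong on the next regeneration.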
diff --git a/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/processor/XmlSignerConfiguration.java b/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/processor/XmlSignerConfiguration.java
index 22f22b1..c8949ed 100644
--- a/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/processor/XmlSignerConfiguration.java
+++ b/components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/processor/XmlSignerConfiguration.java
@@ -52,8 +52,8 @@ public class XmlSignerConfiguration extends XmlSignatureConfiguration {
     @UriParam(label = "sign", defaultValue = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315")
     private AlgorithmMethod canonicalizationMethod = new XmlSignatureTransform(CanonicalizationMethod.INCLUSIVE);
     private String canonicalizationMethodName;
-    @UriParam(label = "sign", defaultValue = "http://www.w3.org/2000/09/xmldsig#rsa-sha1")
-    private String signatureAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
+    @UriParam(label = "sign", defaultValue = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")
+    private String signatureAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
     @UriParam(label = "sign")
     private String digestAlgorithm;
     @UriParam(label = "sign", defaultValue = "true")
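Review bot: The `@UriParam` `defaultValue` and the field initializer are changed together, which keeps the annotation and the runtime default in sync; good. The `digestAlgorithm` field two lines below has no default, and in XML Signature the digest algorithm for references is chosen independently of the signature algorithm, so a note in the commit or docs that `digestAlgorithm` is unaffected (and what the effective digest default is) would save users from assuming SHA-256 is now used for the reference digests as well.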
@@ -235,14 +235,14 @@ public class XmlSignerConfiguration extends XmlSignatureConfiguration {
     /**
      * Namespace prefix for the XML signature namespace
      * "http://www.w3.org/2000/09/xmldsig#". Default value is "ds".
-     * 
+     *
      * If <code>null</code> or an empty value is set then no prefix is used for
      * the XML signature namespace.
      * <p>
      * See best practice
      * http://www.w3.org/TR/xmldsig-bestpractices/#signing-xml-
      * without-namespaces
-     * 
+     *
      * @param prefixForXmlSignatureNamespace
      *            prefix
      */
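Review bot: This hunk and the two that follow in the same file are trailing-whitespace-only changes in Javadoc. They are harmless, but mixing them into a commit that changes a security default makes the functional change harder to review and to backport; a separate formatting commit would keep the CAMEL-14157 diff limited to the algorithm change.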
@@ -256,20 +256,20 @@ public class XmlSignerConfiguration extends XmlSignatureConfiguration {
 
     /**
      * Local name of the parent element to which the XML signature element will
-     * be added. Only relevant for enveloped XML signature. Alternatively you can 
+     * be added. Only relevant for enveloped XML signature. Alternatively you can
      * also use {@link #setParentXpath(XPathFilterParameterSpec)}.
-     * 
+     *
      * <p> Default value is
      * <code>null</code>. The value must be <code>null</code> for enveloping and
      * detached XML signature.
      * <p>
      * This parameter or the parameter {@link #setParentXpath(XPathFilterParameterSpec)}
-     * for enveloped signature and the parameter {@link #setXpathsToIdAttributes(List)} 
+     * for enveloped signature and the parameter {@link #setXpathsToIdAttributes(List)}
      * for detached signature must not be set in the same configuration.
      * <p>
      * If the parameters <tt>parentXpath</tt> and <tt>parentLocalName</tt> are specified
      * in the same configuration then an exception is thrown.
-     * 
+     *
      * @param parentLocalName
      *            local name
      */
@@ -467,19 +467,19 @@ public class XmlSignerConfiguration extends XmlSignatureConfiguration {
 
     /**
      * Sets the XPath to find the parent node in the enveloped case.
-     * Either you specify the parent node via this method or the local name and namespace of the parent 
-     * with the methods {@link #setParentLocalName(String)} and {@link #setParentNamespace(String)}. 
+     * Either you specify the parent node via this method or the local name and namespace of the parent
+     * with the methods {@link #setParentLocalName(String)} and {@link #setParentNamespace(String)}.
      * <p>
      * Default value is <code>null</code>. The value must be <code>null</code> for enveloping and
      * detached XML signature.
      * <p>
      * If the parameters <tt>parentXpath</tt> and <tt>parentLocalName</tt> are specified
      * in the same configuration then an exception is thrown.
-     * 
+     *
      * @param parentXpath xpath to the parent node, if the xpath returns several values then the first Element node is used
      */
     public void setParentXpath(XPathFilterParameterSpec parentXpath) {
         this.parentXpath = parentXpath;
     }
-    
+
 }
diff --git a/docs/user-manual/modules/ROOT/pages/camel-3-migration-guide.adoc b/docs/user-manual/modules/ROOT/pages/camel-3-migration-guide.adoc
index 0d1f820..c51416c 100644
--- a/docs/user-manual/modules/ROOT/pages/camel-3-migration-guide.adoc
+++ b/docs/user-manual/modules/ROOT/pages/camel-3-migration-guide.adoc
@@ -327,6 +327,11 @@ also been deprecated in Camel 2.x. In Camel 3 we have removed the remaining code
 
 The default JSon library with the JSon dataformat has changed from `XStream` to `Jackson`.
 
+=== XML Security Component
+
+The default signature algorithm has changed for the XML Security Component - it
+is now RSA-SHA256 (before it was RSA-SHA1).
+
 === XML Security DataFormat
 
 The default encryption key for the XML Security DataFormat has been removed,
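Review bot: The new migration note says what changed but not how to act on it. Name the option (`signatureAlgorithm` on the endpoint, `camel.component.xmlsecurity.signer-configuration.signature-algorithm` in Spring Boot) and the new default URI `http://www.w3.org/2001/04/xmldsig-more#rsa-sha256`, and point out that signatures produced by Camel 3 will fail verification on consumers that only accept RSA-SHA1 unless those consumers are updated or the option is explicitly set back to the old URI. That lets readers decide whether the change affects their integrations before upgrading.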
diff --git a/platforms/spring-boot/components-starter/camel-xmlsecurity-starter/src/main/java/org/apache/camel/component/xmlsecurity/springboot/XmlSignatureComponentConfiguration.java b/platforms/spring-boot/components-starter/camel-xmlsecurity-starter/src/main/java/org/apache/camel/component/xmlsecurity/springboot/XmlSignatureComponentConfiguration.java
index f2062a9..e86f1a5 100644
--- a/platforms/spring-boot/components-starter/camel-xmlsecurity-starter/src/main/java/org/apache/camel/component/xmlsecurity/springboot/XmlSignatureComponentConfiguration.java
+++ b/platforms/spring-boot/components-starter/camel-xmlsecurity-starter/src/main/java/org/apache/camel/component/xmlsecurity/springboot/XmlSignatureComponentConfiguration.java
@@ -121,7 +121,7 @@ public class XmlSignatureComponentConfiguration
          * Signature algorithm. Default value is
          * "http://www.w3.org/2000/09/xmldsig#rsa-sha1".
          */
-        private String signatureAlgorithm = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
+        private String signatureAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
         /**
          * Digest algorithm URI. Optional parameter. This digest algorithm is
          * used for calculating the digest of the input message. If this digest
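Review bot: The Javadoc directly above the changed field (context lines "Signature algorithm. Default value is / \"http://www.w3.org/2000/09/xmldsig#rsa-sha1\".") still documents the old default while the initializer now uses the rsa-sha256 URI. This starter class is usually generated from the component's `XmlSignerConfiguration` Javadoc, so the correct fix is to update the setter Javadoc in the component and regenerate; editing the comment here by hand would be overwritten.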