Ec

spring-boot/spring-boot-rest/pom.xml

@@ -94,7 +94,7 @@
                             <sourceRoot>target/generated-sources/cxf</sourceRoot>
                             <wsdlOptions>
                                 <wsdlOption>
-                                    <wsdl>${basedir}/src/main/resources/NAWebServiceSoapHttpPort.wsdl</wsdl>
+                                    <wsdl>${project.basedir}/src/main/resources/NAWebServiceSoapHttpPort.wsdl</wsdl>
                                 </wsdlOption>
                             </wsdlOptions>
                         </configuration>
@@ -109,7 +109,7 @@
                             <sourceRoot>target/generated-sources/cxf</sourceRoot>
                             <wsdlOptions>
                                 <wsdlOption>
-                                    <wsdl>${basedir}/src/main/resources/UtlevererWebServiceSoapHttpPort.wsdl</wsdl>
+                                    <wsdl>${project.basedir}/src/main/resources/UtlevererWebServiceSoapHttpPort.wsdl</wsdl>
                                 </wsdlOption>
                             </wsdlOptions>
                         </configuration>
@@ -124,7 +124,7 @@
                             <sourceRoot>target/generated-sources/cxf</sourceRoot>
                             <wsdlOptions>
                                 <wsdlOption>
-                                    <wsdl>${basedir}/src/main/resources/RekvirentWebServiceSoapHttpPort.wsdl</wsdl>
+                                    <wsdl>${project.basedir}/src/main/resources/RekvirentWebServiceSoapHttpPort.wsdl</wsdl>
                                 </wsdlOption>
                             </wsdlOptions>
                         </configuration>

spring-boot/spring-boot-soap/pom.xml

@@ -13,6 +13,41 @@
     <artifactId>spring-boot-soap</artifactId>
     <version>1.0.1-SNAPSHOT</version>
 
+    <properties>
+        <cxf.jakarta.wss4j.version>3.0.3</cxf.jakarta.wss4j.version>
+    </properties>
+
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>org.apache.wss4j</groupId>
+                <artifactId>wss4j-ws-security-dom</artifactId>
+                <version>${cxf.jakarta.wss4j.version}</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.ehcache</groupId>
+                        <artifactId>ehcache</artifactId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.wss4j</groupId>
+                <artifactId>wss4j-policy</artifactId>
+                <version>${cxf.jakarta.wss4j.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.wss4j</groupId>
+                <artifactId>wss4j-ws-security-stax</artifactId>
+                <version>${cxf.jakarta.wss4j.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.wss4j</groupId>
+                <artifactId>wss4j-ws-security-policy-stax</artifactId>
+                <version>${cxf.jakarta.wss4j.version}</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
     <dependencies>
         <dependency>
             <groupId>org.springframework.boot</groupId>

spring-boot/spring-boot-soap/src/main/java/io/github/mjhaugsdal/soap/configuration/SoapConfiguration.java

@@ -43,6 +43,9 @@ public class SoapConfiguration {
     @Value("${na.encrypt}")
     boolean naEncrypt;
 
+    @Value("${ecdh:false}")
+    boolean ecdh;
+
     @Value("${na.address}")
     String naAddress;
 
@@ -61,7 +64,7 @@ public NAWeb naWeb() throws WSSecurityException {
         bean.setServiceClass(NAWeb.class);
         bean.setAddress(naAddress + "/NA"); //TODO portkonfig
         bean.setFeatures(featureList);
-        WSUtils.setupWSSEClient(bean, naEncrypt, naSign);
+        WSUtils.setupWSSEClient(bean, naEncrypt, naSign, ecdh);
         return (NAWeb) bean.create();
     }
 
@@ -71,7 +74,7 @@ public RekvirentWeb rekvirentWeb() throws WSSecurityException {
         bean.setServiceClass(RekvirentWeb.class);
         bean.setAddress(rekvirentAddress + "/Rekvirent"); //TODO portkonfig
         bean.setFeatures(featureList);
-        WSUtils.setupWSSEClient(bean, rekvirentEncrypt, utlevererSign);
+        WSUtils.setupWSSEClient(bean, rekvirentEncrypt, utlevererSign, ecdh);
         return (RekvirentWeb) bean.create();
     }
 
@@ -81,7 +84,7 @@ public UtlevererWeb utlevererWeb() throws WSSecurityException {
         bean.setServiceClass(UtlevererWeb.class);
         bean.setAddress(utlevererAddress + "/Utleverer"); //TODO portkonfig
         bean.setFeatures(featureList);
-        WSUtils.setupWSSEClient(bean, utlevererEncrypt, utlevererSign);
+        WSUtils.setupWSSEClient(bean, utlevererEncrypt, utlevererSign, ecdh);
         return (UtlevererWeb) bean.create();
     }
 

spring-boot/spring-boot-soap/src/main/java/io/github/mjhaugsdal/soap/util/PasswordCallback.java

@@ -14,6 +14,8 @@ public class PasswordCallback implements CallbackHandler {
     public PasswordCallback() {
         passwords.put("client", "password");
         passwords.put("server", "password");
+        passwords.put("client-ecdh", "");
+        passwords.put("server-ecdh", "");
     }
 
     @Override

spring-boot/spring-boot-soap/src/main/java/io/github/mjhaugsdal/soap/util/WSUtils.java

@@ -12,41 +12,60 @@
 
 public class WSUtils {
 
-    public static void setupWSSEClient(JaxWsProxyFactoryBean bean, boolean encryption, boolean signature) throws WSSecurityException {
+    public static void setupWSSEClient(JaxWsProxyFactoryBean bean, boolean encryption, boolean signature, boolean ecdh) throws WSSecurityException {
         String actions = " ";
         if (encryption) {
             actions = ConfigurationConstants.ENCRYPTION + " ";
         }
         if (signature) {
             actions += ConfigurationConstants.SIGNATURE;
         }
+        String encryptionMethod = "";
+        if (ecdh) {
+            encryptionMethod = "ecdh";
+        }
+
         Map<String, Object> inProps = new HashMap<>();
-        inProps.put(ConfigurationConstants.SIG_PROP_FILE, "client/client-sign-in.properties");
-        inProps.put(ConfigurationConstants.DEC_PROP_FILE, "client/client-enc-in.properties");
+        inProps.put(ConfigurationConstants.SIG_PROP_FILE, "client/" + encryptionMethod + "/client-sign-in.properties");
+        inProps.put(ConfigurationConstants.DEC_PROP_FILE, "client/" + encryptionMethod + "/client-enc-in.properties");
         inProps.put(ConfigurationConstants.ACTION, actions);
-        inProps.put(ConfigurationConstants.SIGNATURE_USER, "server"); //alias of signing certificate (public key)
-        inProps.put(ConfigurationConstants.ENCRYPTION_USER, "client"); //alias of decryption certificate (private key)
         inProps.put(ConfigurationConstants.PW_CALLBACK_CLASS, PasswordCallback.class.getName());
 
         var wssIn = new WSS4JInInterceptor(inProps);
 
         Map<String, Object> outProps = new HashMap<>();
-        outProps.put(ConfigurationConstants.SIG_PROP_FILE, "client/client-sign-out.properties");
-        outProps.put(ConfigurationConstants.ENC_PROP_FILE, "client/client-enc-out.properties");
+        outProps.put(ConfigurationConstants.SIG_PROP_FILE, "client/" + encryptionMethod + "/client-sign-out.properties");
+        outProps.put(ConfigurationConstants.ENC_PROP_FILE, "client/" + encryptionMethod + "/client-enc-out.properties");
         outProps.put(ConfigurationConstants.ACTION, actions);
-        outProps.put(ConfigurationConstants.SIGNATURE_USER, "client"); //alias of client certificate (private key)
-        outProps.put(ConfigurationConstants.ENCRYPTION_USER, "server"); //alias of server certificate (public key)
         outProps.put(ConfigurationConstants.PW_CALLBACK_CLASS, PasswordCallback.class.getName());
         outProps.put(ConfigurationConstants.ENC_KEY_ID, "DirectReference");
         outProps.put(ConfigurationConstants.SIG_KEY_ID, "SKIKeyIdentifier");
         outProps.put(ConfigurationConstants.INCLUDE_SIGNATURE_TOKEN, "true");
 
-        outProps.put(ConfigurationConstants.ENC_KEY_TRANSPORT, WSS4JConstants.KEYTRANSPORT_RSAOAEP_XENC11);
-        outProps.put(ConfigurationConstants.ENC_SYM_ALGO, WSS4JConstants.AES_256_GCM);
-        outProps.put(ConfigurationConstants.SIG_ALGO, WSS4JConstants.RSA_SHA512);
-        outProps.put(ConfigurationConstants.SIG_DIGEST_ALGO, WSS4JConstants.SHA512);
-        outProps.put(ConfigurationConstants.ENC_MGF_ALGO, WSS4JConstants.MGF_SHA512);
-        outProps.put(ConfigurationConstants.ENC_DIGEST_ALGO, WSS4JConstants.SHA512);
+        if (!ecdh) {
+            inProps.put(ConfigurationConstants.SIGNATURE_USER, "server"); //alias of signing certificate (public key)
+            inProps.put(ConfigurationConstants.ENCRYPTION_USER, "client"); //alias of decryption certificate (private key)
+            outProps.put(ConfigurationConstants.SIGNATURE_USER, "client"); //alias of server certificate (private key)
+            outProps.put(ConfigurationConstants.ENCRYPTION_USER, "server"); //alias of server certificate (public key)
+
+            outProps.put(ConfigurationConstants.ENC_KEY_TRANSPORT, WSS4JConstants.KEYTRANSPORT_RSAOAEP_XENC11);
+            outProps.put(ConfigurationConstants.ENC_SYM_ALGO, WSS4JConstants.AES_256_GCM);
+            outProps.put(ConfigurationConstants.ENC_MGF_ALGO, WSS4JConstants.MGF_SHA512);
+            outProps.put(ConfigurationConstants.ENC_DIGEST_ALGO, WSS4JConstants.SHA512);
+            outProps.put(ConfigurationConstants.SIG_ALGO, WSS4JConstants.RSA_SHA512);
+            outProps.put(ConfigurationConstants.SIG_DIGEST_ALGO, WSS4JConstants.SHA512);
+
+        } else {
+            inProps.put(ConfigurationConstants.SIGNATURE_USER, "server-ecdh"); //alias of signing certificate (public key)
+            inProps.put(ConfigurationConstants.ENCRYPTION_USER, "client-ecdh"); //alias of decryption certificate (private key)
+            outProps.put(ConfigurationConstants.SIGNATURE_USER, "client-ecdh"); //alias of server certificate (private key)
+            outProps.put(ConfigurationConstants.ENCRYPTION_USER, "server-ecdh"); //alias of server certificate (public key)
+
+            outProps.put(ConfigurationConstants.ENC_SYM_ALGO, WSS4JConstants.AES_256_GCM);
+            outProps.put(ConfigurationConstants.ENC_KEY_TRANSPORT, WSS4JConstants.KEYWRAP_AES256);
+            outProps.put(ConfigurationConstants.ENC_KEY_AGREEMENT_METHOD, WSS4JConstants.AGREEMENT_METHOD_ECDH_ES);
+            outProps.put(ConfigurationConstants.SIG_ALGO, WSS4JConstants.ECDSA_SHA512);
+        }
 
         var wssOut = new WSS4JOutInterceptor(outProps);
         bean.getOutInterceptors().add(wssOut);

spring-boot/spring-boot-soap/src/main/resources/application.yml

@@ -18,4 +18,6 @@ rest:
     address: http://localhost:8884/
 
 server:
-  port: 8081
+  port: 8081
+
+ecdh: true

spring-boot/spring-boot-soap/src/main/resources/client/client-ecdh.pem

@@ -0,0 +1,18 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIH8pd4rrJ8cVy8EwCRtG6Fma78dlJTomtFpO8CpXzzHkoAoGCCqGSM49
+AwEHoUQDQgAEcJFR4vrjQ7SynPBuYE6AaYFViyeRsNN4W2xtvnvdg3rUY46W1Kff
+J2B3I1VwE7zEqtltLII7mY4reXM/MbiFwA==
+-----END EC PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIB4DCCAYWgAwIBAgIUVhe7IMZgcMZJpSBvBDkVvTjwLZYwCgYIKoZIzj0EAwIw
+RTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDAzMDQwNjUwNDdaFw0yNTAyMjcw
+NjUwNDdaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYD
+VQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjO
+PQMBBwNCAARwkVHi+uNDtLKc8G5gToBpgVWLJ5Gw03hbbG2+e92DetRjjpbUp98n
+YHcjVXATvMSq2W0sgjuZjit5cz8xuIXAo1MwUTAdBgNVHQ4EFgQUc6IhCsooPFvp
+GccBn1Xvj+/XN5swHwYDVR0jBBgwFoAUc6IhCsooPFvpGccBn1Xvj+/XN5swDwYD
+VR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNJADBGAiEA+jkSbV4pRkVTz5CC6ILd
+/0YXgh88Pm7u7CUsvo8twVwCIQDYHIL7abeMQn1hfh55W2RqNW+MgXcL9H8NJ7th
+Mcv4sw==
+-----END CERTIFICATE-----

spring-boot/spring-boot-soap/src/main/resources/client/ecdh/client-enc-in.properties

@@ -0,0 +1,5 @@
+org.apache.wss4j.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.wss4j.crypto.merlin.keystore.type=jks
+org.apache.wss4j.crypto.merlin.keystore.password=password
+org.apache.wss4j.crypto.merlin.keystore.alias=client-ecdh
+org.apache.wss4j.crypto.merlin.keystore.file=client/client.keystore

spring-boot/spring-boot-soap/src/main/resources/client/ecdh/client-enc-out.properties

@@ -0,0 +1,5 @@
+org.apache.wss4j.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.wss4j.crypto.merlin.keystore.type=jks
+org.apache.wss4j.crypto.merlin.keystore.password=password
+org.apache.wss4j.crypto.merlin.keystore.alias=server-ecdh
+org.apache.wss4j.crypto.merlin.keystore.file=client/client.keystore

spring-boot/spring-boot-soap/src/main/resources/client/ecdh/client-sign-in.properties

@@ -0,0 +1,5 @@
+org.apache.wss4j.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.wss4j.crypto.merlin.keystore.type=jks
+org.apache.wss4j.crypto.merlin.keystore.password=password
+org.apache.wss4j.crypto.merlin.keystore.alias=server-ecdh
+org.apache.wss4j.crypto.merlin.keystore.file=client/client.keystore

spring-boot/spring-boot-soap/src/main/resources/client/ecdh/client-sign-out.properties

@@ -0,0 +1,5 @@
+org.apache.wss4j.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.wss4j.crypto.merlin.keystore.type=jks
+org.apache.wss4j.crypto.merlin.keystore.password=password
+org.apache.wss4j.crypto.merlin.keystore.alias=client-ecdh
+org.apache.wss4j.crypto.merlin.keystore.file=client/client.keystore

spring-boot/spring-boot-soap/src/main/resources/server/ecdh/server-enc-in.properties

@@ -0,0 +1,5 @@
+org.apache.wss4j.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.wss4j.crypto.merlin.keystore.type=jks
+org.apache.wss4j.crypto.merlin.keystore.password=password
+org.apache.wss4j.crypto.merlin.keystore.alias=server-ecdh
+org.apache.wss4j.crypto.merlin.keystore.file=server/server.keystore

spring-boot/spring-boot-soap/src/main/resources/server/ecdh/server-sign-in.properties

@@ -0,0 +1,5 @@
+org.apache.wss4j.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.wss4j.crypto.merlin.keystore.type=jks
+org.apache.wss4j.crypto.merlin.keystore.password=password
+#org.apache.wss4j.crypto.merlin.keystore.alias=client-ecdh
+org.apache.wss4j.crypto.merlin.keystore.file=server/server.keystore

spring-boot/spring-boot-soap/src/main/resources/server/ecdh/server-sign-out.properties

@@ -0,0 +1,5 @@
+org.apache.wss4j.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.wss4j.crypto.merlin.keystore.type=jks
+org.apache.wss4j.crypto.merlin.keystore.password=password
+org.apache.wss4j.crypto.merlin.keystore.alias=server-ecdh
+org.apache.wss4j.crypto.merlin.keystore.file=server/server.keystore

spring-boot/spring-boot-soap/src/test/java/io/github/mjhaugsdal/soap/WSTestUtils.java

@@ -14,7 +14,7 @@
 
 public class WSTestUtils {
 
-    public static void setupWSSEServer(JaxWsServerFactoryBean bean, boolean encryption, boolean signature) {
+    public static void setupWSSEServer(JaxWsServerFactoryBean bean, boolean encryption, boolean signature, boolean ecdh) {
 
         String actions = " ";
         if (encryption) {
@@ -24,32 +24,52 @@ public static void setupWSSEServer(JaxWsServerFactoryBean bean, boolean encrypti
             actions += ConfigurationConstants.SIGNATURE;
         }
 
+        String encryptionMethod = "";
+        if (ecdh) {
+            encryptionMethod = "ecdh";
+        }
+
         Map<String, Object> inProps = new HashMap<>();
-        inProps.put(ConfigurationConstants.SIG_PROP_FILE, "server/server-sign-in.properties");
-        inProps.put(ConfigurationConstants.DEC_PROP_FILE, "server/server-enc-in.properties");
+        inProps.put(ConfigurationConstants.SIG_PROP_FILE, "server/" + encryptionMethod + "/server-sign-in.properties");
+        inProps.put(ConfigurationConstants.DEC_PROP_FILE, "server/" + encryptionMethod + "/server-enc-in.properties");
         inProps.put(ConfigurationConstants.ACTION, actions);
-        inProps.put(ConfigurationConstants.SIGNATURE_USER, "client"); //alias of signing certificate (public key)
-        inProps.put(ConfigurationConstants.ENCRYPTION_USER, "server"); //alias of decryption certificate (private key)
+
         inProps.put(ConfigurationConstants.PW_CALLBACK_CLASS, PasswordCallback.class.getName());
 
         WSS4JInInterceptor wssIn = new WSS4JInInterceptor(inProps);
 
         Map<String, Object> outProps = new HashMap<>();
-        outProps.put(ConfigurationConstants.SIG_PROP_FILE, "server/server-sign-out.properties");
+        outProps.put(ConfigurationConstants.SIG_PROP_FILE, "server/" + encryptionMethod + "/server-sign-out.properties");
         outProps.put(ConfigurationConstants.ACTION, actions);
-        outProps.put(ConfigurationConstants.SIGNATURE_USER, "server"); //alias of server certificate (private key)
         outProps.put(ConfigurationConstants.ENCRYPTION_USER, USE_REQ_SIG_CERT); //alias of client certificate (public key)
         outProps.put(ConfigurationConstants.ENC_KEY_ID, "DirectReference");
         outProps.put(ConfigurationConstants.SIG_KEY_ID, "SKIKeyIdentifier");
         outProps.put(ConfigurationConstants.INCLUDE_SIGNATURE_TOKEN, "true");
         outProps.put(ConfigurationConstants.PW_CALLBACK_CLASS, PasswordCallback.class.getName());
 
-        outProps.put(ConfigurationConstants.ENC_KEY_TRANSPORT, WSS4JConstants.KEYTRANSPORT_RSAOAEP_XENC11);
-        outProps.put(ConfigurationConstants.ENC_SYM_ALGO, WSS4JConstants.AES_256_GCM);
-        outProps.put(ConfigurationConstants.SIG_ALGO, WSS4JConstants.RSA_SHA512);
-        outProps.put(ConfigurationConstants.SIG_DIGEST_ALGO, WSS4JConstants.SHA512);
-        outProps.put(ConfigurationConstants.ENC_MGF_ALGO, WSS4JConstants.MGF_SHA512);
-        outProps.put(ConfigurationConstants.ENC_DIGEST_ALGO, WSS4JConstants.SHA512);
+        if (!ecdh) {
+            inProps.put(ConfigurationConstants.SIGNATURE_USER, "client"); //alias of signing certificate (public key)
+            inProps.put(ConfigurationConstants.ENCRYPTION_USER, "server"); //alias of decryption certificate (private key)
+            outProps.put(ConfigurationConstants.SIGNATURE_USER, "server"); //alias of server certificate (private key)
+
+            outProps.put(ConfigurationConstants.ENC_KEY_TRANSPORT, WSS4JConstants.KEYTRANSPORT_RSAOAEP_XENC11);
+            outProps.put(ConfigurationConstants.ENC_SYM_ALGO, WSS4JConstants.AES_256_GCM);
+            outProps.put(ConfigurationConstants.ENC_MGF_ALGO, WSS4JConstants.MGF_SHA512);
+            outProps.put(ConfigurationConstants.ENC_DIGEST_ALGO, WSS4JConstants.SHA512);
+            outProps.put(ConfigurationConstants.SIG_ALGO, WSS4JConstants.RSA_SHA512);
+            outProps.put(ConfigurationConstants.SIG_DIGEST_ALGO, WSS4JConstants.SHA512);
+
+        } else {
+            inProps.put(ConfigurationConstants.SIGNATURE_USER, "client-ecdh"); //alias of signing certificate (public key)
+            inProps.put(ConfigurationConstants.ENCRYPTION_USER, "server-ecdh"); //alias of decryption certificate (private key)
+            outProps.put(ConfigurationConstants.SIGNATURE_USER, "server-ecdh"); //alias of server certificate (private key)
+
+            outProps.put(ConfigurationConstants.ENC_SYM_ALGO, WSS4JConstants.AES_256_GCM);
+            outProps.put(ConfigurationConstants.ENC_KEY_TRANSPORT, WSS4JConstants.KEYWRAP_AES256);
+            outProps.put(ConfigurationConstants.ENC_KEY_AGREEMENT_METHOD, WSS4JConstants.AGREEMENT_METHOD_ECDH_ES);
+            outProps.put(ConfigurationConstants.SIG_ALGO, WSS4JConstants.ECDSA_SHA512);
+//            outProps.put(ConfigurationConstants.SIG_DIGEST_ALGO, WSS4JConstants.SHA512);
+        }
 
         WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
         bean.getOutInterceptors().add(wssOut);