Quarkus CXF 3.8.1 (LTS) release notes

Important dependency upgrades:

New and noteworthy in Quarkus CXF

Mutual TLS (mTLS)

Mutual TLS (mTLS) is now documented, tested and and can be configured for clients via quarkus.cxf.client."client-name".key* family of options.

Keystores and truststores now looked up in the file system

The keystores and truststores are now really looked up in the file system unless they are available in the classpath as documented in quarkus.cxf.client."client-name".trust-store and quarkus.cxf.client."client-name".key-store.

Running on systems with FIPS assertions enabled

Changes in CXF 4.0.4 and Quarkus CXF 3.8.1 make it possible to run applications using WS-Security on systems with FIPS assertions enabled.

Those changes are twofold:

  1. Bouncy Castle security provider is not present in the class path anymore.

    If your project depends directly or transitively on org.bouncycastle:bcprov-jdk18on and you want to keep using it, then Quarkus CXF will suggest you at build time to exclude io.quarkiverse.cxf:quarkus-cxf-bc-stub from io.quarkiverse.cxf:quarkus-cxf-rt-ws-security. io.quarkiverse.cxf:quarkus-cxf-bc-stub contains some empty methods to allow native compilation with GraalVM when Bouncy Castle is not present in class path.

  2. Before CXF 4.0.4 and Quarkus CXF 3.8.1 there was no way to select encryption algorithms compatible with FIPS. Now there is a way to do so via security policy and Quarkus configuration.

    In the policy file, the AlgorithmSuite has to be set to CustomAlgorithmSuite:

    <wsp:Policy wsu:Id="SecurityServiceEncryptThenSignPolicy"
      xmlns:wsp="http://www.w3.org/ns/ws-policy"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <wsp:Policy>
              ...
              <sp:AlgorithmSuite>
                <wsp:Policy>
                  <sp:CustomAlgorithmSuite/>
                </wsp:Policy>
              </sp:AlgorithmSuite>
              ...
            </wsp:Policy>
          </sp:AsymmetricBinding>
          ...
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>

    FIPS complaint algorithms can then be set in application.properties. Here, we list the default values that are FIPS complaint already:

    quarkus.cxf.client."client-name".security.custom.digest.algorithm = http://www.w3.org/2001/04/xmlenc#sha256
    quarkus.cxf.client."client-name".security.custom.encryption.algorithm = http://www.w3.org/2009/xmlenc11#aes256-gcm
    quarkus.cxf.client."client-name".security.custom.symmetric.key.encryption.algorithm = http://www.w3.org/2001/04/xmlenc#kw-aes256
    quarkus.cxf.client."client-name".security.custom.asymmetric.key.encryption.algorithm = http://www.w3.org/2001/04/xmlenc#rsa-1_5
    quarkus.cxf.client."client-name".security.custom.encryption.key.derivation = http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
    quarkus.cxf.client."client-name".security.custom.signature.key.derivation = http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
    quarkus.cxf.client."client-name".security.custom.encryption.derived.key.length = 256
    quarkus.cxf.client."client-name".security.custom.signature.derived.key.length = 192
    quarkus.cxf.client."client-name".security.custom.minimum.symmetric.key.length = 256
    quarkus.cxf.client."client-name".security.custom.maximum.symmetric.key.length = 256
    quarkus.cxf.client."client-name".security.custom.minimum.asymmetric.key.length = 1024
    quarkus.cxf.client."client-name".security.custom.maximum.asymmetric.key.length = 4096