Mailing-List: contact abdera-commits-help@incubator.apache.org; run by ezmlm
Precedence: bulk
Reply-To: abdera-dev@incubator.apache.org
Received-SPF: pass (asf.osuosl.org: local policy)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: svn commit: r440857 - in /incubator/abdera/java/trunk/security/src:
 main/java/org/apache/abdera/security/
 main/java/org/apache/abdera/security/util/
 main/java/org/apache/abdera/security/xmlsec/
 test/java/org/apache/abdera/test/security/
Date: Wed, 06 Sep 2006 20:27:23 -0000
To: abdera-commits@incubator.apache.org
From: jmsnell@apache.org
Message-Id: <20060906202723.90FF21A981A@eris.apache.org>

Author: jmsnell
Date: Wed Sep  6 13:27:22 2006
New Revision: 440857

URL: http://svn.apache.org/viewvc?view=rev&rev=440857
Log:
API improvements for the Signature interface

* Eliminate the separate sign(entry...) and sign(feed...) variations in favor of a
  single (T extends Element)sign(T...) generic approach

* Introduce a new API for extracting X509Certificates from valid signatures contained
  by a feed or entry (necessary if we want to determine if the signature is trustworthy)

* Update the digsig test case to make sure the X509 cert is extracted properly

Modified:
    incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/Signature.java
    incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/util/SignatureBase.java
    incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/xmlsec/XmlSignature.java
    incubator/abdera/java/trunk/security/src/test/java/org/apache/abdera/test/security/DigitalSignatureTest.java

Modified: incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/Signature.java
URL: http://svn.apache.org/viewvc/incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/Signature.java?view=diff&rev=440857&r1=440856&r2=440857
==============================================================================
--- incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/Signature.java (original)
+++ incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/Signature.java Wed Sep  6 13:27:22 2006
@@ -17,22 +17,19 @@
 */
 package org.apache.abdera.security;
 
-import org.apache.abdera.model.Entry;
-import org.apache.abdera.model.Feed;
+import java.security.cert.X509Certificate;
+
+import org.apache.abdera.model.Element;
 
 public interface Signature {
 
-  boolean isSigned(Entry entry) throws SecurityException;
-  
-  boolean isSigned(Feed feed) throws SecurityException;
-  
-  Entry sign(Entry entry, SignatureOptions options) throws SecurityException;
+  <T extends Element>boolean isSigned(T element) throws SecurityException;
   
-  Feed sign(Feed feed, SignatureOptions options) throws SecurityException;
+  <T extends Element>T sign(T element, SignatureOptions options) throws SecurityException;
   
-  boolean verify(Entry entry, SignatureOptions options) throws SecurityException;
+  <T extends Element>boolean verify(T element, SignatureOptions options) throws SecurityException;
   
-  boolean verify(Feed feed, SignatureOptions options) throws SecurityException;
+  <T extends Element>X509Certificate[] getValidSignatureCertificates(T element, SignatureOptions options) throws SecurityException;
   
   SignatureOptions getDefaultSignatureOptions() throws SecurityException;
   

Modified: incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/util/SignatureBase.java
URL: http://svn.apache.org/viewvc/incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/util/SignatureBase.java?view=diff&rev=440857&r1=440856&r2=440857
==============================================================================
--- incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/util/SignatureBase.java (original)
+++ incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/util/SignatureBase.java Wed Sep  6 13:27:22 2006
@@ -18,9 +18,8 @@
 package org.apache.abdera.security.util;
 
 import org.apache.abdera.Abdera;
-import org.apache.abdera.model.Entry;
+import org.apache.abdera.model.Element;
 import org.apache.abdera.model.ExtensibleElement;
-import org.apache.abdera.model.Feed;
 import org.apache.abdera.security.SecurityException;
 import org.apache.abdera.security.Signature;
 
@@ -33,18 +32,15 @@
     super(abdera);
   }
 
-  public boolean isSigned(
-    Entry entry)  throws SecurityException {
+  public <T extends Element>boolean isSigned(
+    T entry)  throws SecurityException {
       return _isSigned(entry);
   }
 
-  public boolean isSigned(
-    Feed feed)  throws SecurityException {
-      return _isSigned(feed);
-  }
-  
-  private boolean _isSigned(ExtensibleElement element) {
-    return element.getExtension(Constants.SIGNATURE) != null;
+  private <T extends Element>boolean _isSigned(T element) {
+    if (element instanceof ExtensibleElement)
+      return ((ExtensibleElement)element).getExtension(Constants.SIGNATURE) != null;
+    else return false;
   }
 
 }

Modified: incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/xmlsec/XmlSignature.java
URL: http://svn.apache.org/viewvc/incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/xmlsec/XmlSignature.java?view=diff&rev=440857&r1=440856&r2=440857
==============================================================================
--- incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/xmlsec/XmlSignature.java (original)
+++ incubator/abdera/java/trunk/security/src/main/java/org/apache/abdera/security/xmlsec/XmlSignature.java Wed Sep  6 13:27:22 2006
@@ -22,11 +22,11 @@
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
 
 import org.apache.abdera.Abdera;
 import org.apache.abdera.model.Element;
-import org.apache.abdera.model.Entry;
-import org.apache.abdera.model.Feed;
 import org.apache.abdera.security.SecurityException;
 import org.apache.abdera.security.SignatureOptions;
 import org.apache.abdera.security.util.Constants;
@@ -56,8 +56,9 @@
     super(abdera);
   }
   
-  private Element _sign(
-    Element element, 
+  @SuppressWarnings("unchecked")
+  private <T extends Element>T _sign(
+    T element, 
     SignatureOptions options) 
       throws XMLSecurityException, 
              URISyntaxException {    
@@ -79,29 +80,83 @@
     sig.addKeyInfo(cert);
     sig.addKeyInfo(cert.getPublicKey());
     sig.sign(signingKey);    
-    return (Element)domToFom(dom, options);
+    return (T)domToFom(dom, options);
   }
   
-  public Entry sign(
-    Entry entry, 
+  public <T extends Element>T sign(
+    T entry, 
     SignatureOptions options) 
       throws SecurityException {
     try {
-      return (Entry) _sign(entry, options);
+      return (T) _sign(entry, options);
     } catch (Exception e) {
       throw new SecurityException(e);
     }
   }
-
-  public Feed sign(
-    Feed feed, 
+  
+  private boolean is_valid_signature(
+    XMLSignature sig) 
+      throws XMLSignatureException, 
+             XMLSecurityException, 
+             URISyntaxException {
+    boolean answer = false;
+    KeyInfo ki = sig.getKeyInfo();
+    if (ki != null) {
+      X509Certificate cert = ki.getX509Certificate();
+      if (cert != null) {
+        answer = sig.checkSignatureValue(cert);
+      } else {
+        PublicKey key = ki.getPublicKey();
+        if (key != null) {
+          answer = sig.checkSignatureValue(key);
+        }
+      }
+    }
+    return answer;
+  }
+  
+  private <T extends Element>X509Certificate[] _getcerts(
+    T element, 
     SignatureOptions options)
+      throws XMLSignatureException, 
+             XMLSecurityException, 
+             URISyntaxException {
+    List<X509Certificate> certs = new ArrayList<X509Certificate>();
+    org.w3c.dom.Element dom = fomToDom((Element)element, options);
+    NodeList children = dom.getChildNodes();
+    for (int n = 0; n < children.getLength(); n++) {
+      try {
+        Node node = children.item(n);
+        if (node.getNodeType() == Node.ELEMENT_NODE) {
+          org.w3c.dom.Element el = (org.w3c.dom.Element) node;
+          if (Constants.DSIG_NS.equals(el.getNamespaceURI()) &&
+              Constants.LN_SIGNATURE.equals(el.getLocalName())) {
+            URI baseUri = element.getResolvedBaseUri();
+            XMLSignature sig = 
+              new XMLSignature(
+                el, (baseUri != null) ? baseUri.toString() : "");
+            if (is_valid_signature(sig)) {
+              KeyInfo ki = sig.getKeyInfo();
+              if (ki != null) {
+                X509Certificate cert = ki.getX509Certificate();
+                if (cert != null) certs.add(cert);
+              }
+            }
+          }
+        }
+      } catch (Exception e) {}
+    }
+    return certs.toArray(new X509Certificate[certs.size()]);
+  }
+  
+  public <T extends Element>X509Certificate[] getValidSignatureCertificates(
+    T element, 
+    SignatureOptions options) 
       throws SecurityException {
     try {
-      return (Feed) _sign(feed, options);
-    } catch (Exception e) {
-      throw new SecurityException(e);
-    }
+      return _getcerts(element, options);
+    } catch (Exception e) {}
+    return null;
   }
   
   private boolean _verify(
@@ -123,18 +178,7 @@
           XMLSignature sig = 
             new XMLSignature(
               el, (baseUri != null) ? baseUri.toString() : "");
-          KeyInfo ki = sig.getKeyInfo();
-          if (ki != null) {
-            X509Certificate cert = ki.getX509Certificate();
-            if (cert != null) {
-              answer = sig.checkSignatureValue(cert);
-            } else {
-              PublicKey key = ki.getPublicKey();
-              if (key != null) {
-                answer = sig.checkSignatureValue(key);
-              }
-            }
-          }
+          answer = is_valid_signature(sig);
         }
       }
     }
@@ -142,23 +186,12 @@
     return answer;
   }
   
-  public boolean verify(
-    Entry entry, 
+  public <T extends Element>boolean verify(
+    T entry, 
     SignatureOptions options) throws SecurityException {
       if (!isSigned(entry)) return false;
       try {
         return _verify(entry,options);
-      } catch (Exception e) {
-        throw new SecurityException(e);
-      }
-  }
-
-  public boolean verify(
-    Feed feed, 
-    SignatureOptions options) throws SecurityException {
-      if (!isSigned(feed)) return false;
-      try {
-        return _verify(feed,options);
       } catch (Exception e) {
         throw new SecurityException(e);
       }

Modified: incubator/abdera/java/trunk/security/src/test/java/org/apache/abdera/test/security/DigitalSignatureTest.java
URL: http://svn.apache.org/viewvc/incubator/abdera/java/trunk/security/src/test/java/org/apache/abdera/test/security/DigitalSignatureTest.java?view=diff&rev=440857&r1=440856&r2=440857
==============================================================================
--- incubator/abdera/java/trunk/security/src/test/java/org/apache/abdera/test/security/DigitalSignatureTest.java (original)
+++ incubator/abdera/java/trunk/security/src/test/java/org/apache/abdera/test/security/DigitalSignatureTest.java Wed Sep  6 13:27:22 2006
@@ -92,6 +92,11 @@
           "http://www.w3.org/2000/09/xmldsig#", 
           "Signature")));
       
+    X509Certificate[] certs = sig.getValidSignatureCertificates(entry, options);
+    assertNotNull(certs);
+    assertEquals(certs.length, 1);
+    assertEquals(certs[0].getSubjectDN().getName(), "CN=James M Snell, OU=WebAhead, O=IBM, L=Hanford, ST=California, C=US");
+    
     // Check the round trip
     ByteArrayOutputStream out = new ByteArrayOutputStream();
     entry.writeTo(out); // do not use the pretty writer, it will break the signature