From dk...@apache.org
Subject svn commit: r1040388 - in /cxf/trunk/rt/ws/security: ./ src/main/java/org/apache/cxf/ws/security/wss4j/ src/test/java/META-INF/cxf/ src/test/java/org/apache/cxf/ws/security/wss4j/
Date Tue, 30 Nov 2010 02:34:39 GMT
Author: dkulp
Date: Tue Nov 30 02:34:39 2010
New Revision: 1040388

URL: http://svn.apache.org/viewvc?rev=1040388&view=rev
Log:
[CXF-3152] Update to wss4j 1.5.10
Add support for PKI cert chain
Patch from Colm O hEigeartaigh applied but test disabled until the certs
are available.

Added:
    cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/alice.properties   (with props)
    cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/cxfca.properties   (with props)
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/KeystorePasswordCallback.java
  (with props)
Modified:
    cxf/trunk/rt/ws/security/pom.xml
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java

Modified: cxf/trunk/rt/ws/security/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/pom.xml?rev=1040388&r1=1040387&r2=1040388&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/pom.xml (original)
+++ cxf/trunk/rt/ws/security/pom.xml Tue Nov 30 02:34:39 2010
@@ -91,7 +91,7 @@
         <dependency>
             <groupId>org.apache.ws.security</groupId>
             <artifactId>wss4j</artifactId>
-            <version>1.5.9</version>
+            <version>1.5.10</version>
             <exclusions>
                 <exclusion>
                     <groupId>axis</groupId>

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1040388&r1=1040387&r2=1040388&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
Tue Nov 30 02:34:39 2010
@@ -315,10 +315,20 @@ public class WSS4JInInterceptor extends 
                 WSSecurityEngineResult result = 
                     (WSSecurityEngineResult) signatureResults.get(i);
                 
+                //
+                // Verify the certificate chain associated with signature verification if
+                // it exists. If it does not, then try to verify the (single) certificate
+                // used for signature verification
+                //
                 X509Certificate returnCert = (X509Certificate)result
                     .get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
-
-                if (returnCert != null && !verifyTrust(returnCert, reqData)) {
+                X509Certificate[] returnCertChain = (X509Certificate[])result
+                .get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+                
+                if (returnCertChain != null && !verifyTrust(returnCertChain, reqData))
{
+                    LOG.warning("The certificate chain used for the signature is not trusted");
+                    throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
+                } else if (returnCert != null && !verifyTrust(returnCert, reqData))
{
                     LOG.warning("The certificate used for the signature is not trusted");
                     throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
                 }
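Review bot: Neither failure branch at L70 and L74 records which signer was rejected, so the only trace an operator gets for a refused message is a generic warning; include the leaf subject in the message, e.g. `LOG.warning("The certificate chain used for the signature is not trusted: " + returnCertChain[0].getSubjectX500Principal());` and the equivalent for `returnCert` (guard `returnCertChain.length > 0` first if wss4j can hand back an empty array — confirm against the 1.5.10 SignatureProcessor). The `else if` means a message that carries a chain never has its leaf certificate checked on its own; if that is intended because `verifyTrust(X509Certificate[], RequestData)` validates the whole path including the leaf, a comment saying so would stop a later reader from "fixing" it. Note that when both values are null no trust check runs at all, a gap this hunk inherits from the original single-certificate code rather than introduces. The enclosing for loop over signatureResults and the method it sits in start and end outside the hunk.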

Added: cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/alice.properties
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/alice.properties?rev=1040388&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/alice.properties (added)
+++ cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/alice.properties Tue Nov 30 02:34:39
2010
@@ -0,0 +1,21 @@
+#    Licensed to the Apache Software Foundation (ASF) under one
+#    or more contributor license agreements. See the NOTICE file
+#    distributed with this work for additional information
+#    regarding copyright ownership. The ASF licenses this file
+#    to you under the Apache License, Version 2.0 (the
+#    "License"); you may not use this file except in compliance
+#    with the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing,
+#    software distributed under the License is distributed on an
+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the License for the
+#    specific language governing permissions and limitations
+#    under the License.
+org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.ws.security.crypto.merlin.keystore.type=jks
+org.apache.ws.security.crypto.merlin.keystore.password=password
+org.apache.ws.security.crypto.merlin.keystore.alias=alice
+org.apache.ws.security.crypto.merlin.file=META-INF/cxf/alice.jks
\ No newline at end of file
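Review bot: The file carries a clear-text keystore password and points at META-INF/cxf/alice.jks, which is not among the files this commit adds (the log says the certs are still pending), so anyone reading the properties alone cannot tell it is a test fixture with a placeholder credential. Add a comment above the Merlin settings, e.g. `# Test-only keystore for the PKI path test; password is a placeholder, not a real credential`, and ideally land it together with the keystore it references so the properties never point at a missing file on trunk.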

Propchange: cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/alice.properties
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/alice.properties
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Propchange: cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/alice.properties
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/cxfca.properties
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/cxfca.properties?rev=1040388&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/cxfca.properties (added)
+++ cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/cxfca.properties Tue Nov 30 02:34:39
2010
@@ -0,0 +1,21 @@
+#    Licensed to the Apache Software Foundation (ASF) under one
+#    or more contributor license agreements. See the NOTICE file
+#    distributed with this work for additional information
+#    regarding copyright ownership. The ASF licenses this file
+#    to you under the Apache License, Version 2.0 (the
+#    "License"); you may not use this file except in compliance
+#    with the License. You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing,
+#    software distributed under the License is distributed on an
+#    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+#    KIND, either express or implied. See the License for the
+#    specific language governing permissions and limitations
+#    under the License.
+org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.ws.security.crypto.merlin.keystore.type=jks
+org.apache.ws.security.crypto.merlin.keystore.password=password
+org.apache.ws.security.crypto.merlin.keystore.alias=cxfca
+org.apache.ws.security.crypto.merlin.file=META-INF/cxf/cxfca.jks
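Review bot: This properties file is the SIG_PROP_FILE the inbound interceptor uses in the new test, so cxfca.jks is acting as the trust store that anchors chain validation, yet nothing in the file says so and it is configured with a keystore alias as if it were a signing identity. A comment such as `# Used by the verifier side: cxfca.jks must contain the CA certificate that signs alice's chain` would make the role explicit; if the same JKS also holds the CA private key, consider a certificate-only truststore for the verifier so a fixture for trust cannot double as a signing key (cannot confirm the keystore contents from here).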

Propchange: cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/cxfca.properties
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/cxfca.properties
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Propchange: cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/cxfca.properties
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/KeystorePasswordCallback.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/KeystorePasswordCallback.java?rev=1040388&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/KeystorePasswordCallback.java
(added)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/KeystorePasswordCallback.java
Tue Nov 30 02:34:39 2010
@@ -0,0 +1,69 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.wss4j;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import org.apache.ws.security.WSPasswordCallback;
+
+/**
+ */
+
+public class KeystorePasswordCallback implements CallbackHandler {
+    
+    private Map<String, String> passwords = 
+        new HashMap<String, String>();
+    
+    public KeystorePasswordCallback() {
+        passwords.put("Alice", "abcd!1234");
+        passwords.put("alice", "password");
+        passwords.put("Bob", "abcd!1234");
+        passwords.put("bob", "password");
+        passwords.put("abcd", "dcba");
+    }
+
+    /**
+     * It attempts to get the password from the private 
+     * alias/passwords map.
+     */
+    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
{
+        for (int i = 0; i < callbacks.length; i++) {
+            WSPasswordCallback pc = (WSPasswordCallback)callbacks[i];
+
+            String pass = passwords.get(pc.getIdentifier());
+            if (pass != null) {
+                pc.setPassword(pass);
+                return;
+            }
+        }
+    }
+    
+    /**
+     * Add an alias/password pair to the callback mechanism.
+     */
+    public void setAliasPassword(String alias, String password) {
+        passwords.put(alias, password);
+    }
+}
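Review bot: `handle` at L219–L230 casts every element of `callbacks` to WSPasswordCallback, so a caller passing any other Callback type gets a ClassCastException instead of the UnsupportedCallbackException the method declares, and the `return` at L227 exits after the first match, leaving any later WSPasswordCallback in the same array without a password. Check the type, throw UnsupportedCallbackException for anything else, and drop the early return so every callback in the array is served. The hard-coded aliases and passwords at L208–L212 are acceptable for a test fixture, but the empty Javadoc at L199–L200 should say so, e.g. `Test-only CallbackHandler that answers WSPasswordCallbacks from a fixed alias/password map.`
```java
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
    for (Callback callback : callbacks) {
        if (!(callback instanceof WSPasswordCallback)) {
            throw new UnsupportedCallbackException(callback, "only WSPasswordCallback is supported");
        }
        WSPasswordCallback pc = (WSPasswordCallback) callback;
        String pass = passwords.get(pc.getIdentifier());
        if (pass != null) {
            pc.setPassword(pass);
        }
    }
}
```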

Propchange: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/KeystorePasswordCallback.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/KeystorePasswordCallback.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Modified: cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java?rev=1040388&r1=1040387&r2=1040388&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
(original)
+++ cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
Tue Nov 30 02:34:39 2010
@@ -541,6 +541,75 @@ public class WSS4JInOutTest extends Abst
         assertEquals(obj.getClass().getName(), CustomProcessor.class.getName());
     }
     
+    @Test
+    @org.junit.Ignore
+    public void testPKIPath() throws Exception {
+        Document doc = readDocument("wsse-request-clean.xml");
+
+        WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor();
+        PhaseInterceptor<SoapMessage> handler = ohandler.createEndingInterceptor();
+
+        SoapMessage msg = new SoapMessage(new MessageImpl());
+        Exchange ex = new ExchangeImpl();
+        ex.setInMessage(msg);
+        
+        SOAPMessage saajMsg = MessageFactory.newInstance().createMessage();
+        SOAPPart part = saajMsg.getSOAPPart();
+        part.setContent(new DOMSource(doc));
+        saajMsg.saveChanges();
+
+        msg.setContent(SOAPMessage.class, saajMsg);
+
+        msg.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
+        msg.put(WSHandlerConstants.SIG_PROP_FILE, "META-INF/cxf/alice.properties");
+        msg.put(WSHandlerConstants.USER, "alice");
+        msg.put(WSHandlerConstants.PW_CALLBACK_CLASS, KeystorePasswordCallback.class.getName());
+        msg.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
+        msg.put(WSHandlerConstants.USE_SINGLE_CERTIFICATE, "false");
+
+        handler.handleMessage(msg);
+
+        doc = part;
+        
+        assertValid("//wsse:Security", doc);
+        assertValid("//wsse:Security/ds:Signature", doc);
+
+        byte[] docbytes = getMessageBytes(doc);
+
+        XMLStreamReader reader = StaxUtils.createXMLStreamReader(new ByteArrayInputStream(docbytes));
+
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+
+        dbf.setValidating(false);
+        dbf.setIgnoringComments(false);
+        dbf.setIgnoringElementContentWhitespace(true);
+        dbf.setNamespaceAware(true);
+
+        DocumentBuilder db = dbf.newDocumentBuilder();
+        db.setEntityResolver(new NullResolver());
+        doc = StaxUtils.read(db, reader, false);
+
+        WSS4JInInterceptor inHandler = new WSS4JInInterceptor();
+
+        SoapMessage inmsg = new SoapMessage(new MessageImpl());
+        ex.setInMessage(inmsg);
+        inmsg.setContent(SOAPMessage.class, saajMsg);
+
+        inHandler.setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
+        inHandler.setProperty(WSHandlerConstants.SIG_PROP_FILE, "META-INF/cxf/cxfca.properties");
+
+        inHandler.handleMessage(inmsg);
+        
+        WSSecurityEngineResult result = 
+            (WSSecurityEngineResult) inmsg.get(WSS4JInInterceptor.SIGNATURE_RESULT);
+        assertNotNull(result);
+        X509Certificate[] certificates = (X509Certificate[])result
+            .get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+        assertNotNull(certificates);
+        assertEquals(certificates.length, 2);
+    }
+    
+    
     private byte[] getMessageBytes(Document doc) throws Exception {
         ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
         XMLStreamWriter byteArrayWriter = StaxUtils.createXMLStreamWriter(outputStream);
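Review bot: The document re-parsed at L305 is never used: the inbound interceptor at L311 is handed the same in-memory `saajMsg` the outbound handler signed, so the serialize-and-reparse work at L292–L305 is dead code and the PKIPath token is never exercised through an actual byte round trip. Build a fresh SOAPMessage from the reparsed `doc` (`SOAPPart` content set to `new DOMSource(doc)`) and set that on `inmsg` instead of `saajMsg`. The test also covers only the trusted case; a companion test that signs with a chain the verifier's store does not anchor and asserts the FAILED_CHECK exception would give the new chain branch in WSS4JInInterceptor a negative path. Minor: `assertEquals(certificates.length, 2)` at L324 has the expected value second; JUnit reports it as expected/actual, so write `assertEquals(2, certificates.length)`.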


