cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From dk...@apache.org
Subject svn commit: r1040395 - in /cxf/branches/2.2.x-fixes: ./ rt/ws/security/ rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/ rt/ws/security/src/test/java/META-INF/cxf/ rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/
Date Tue, 30 Nov 2010 03:05:14 GMT
Author: dkulp
Date: Tue Nov 30 03:05:13 2010
New Revision: 1040395

URL: http://svn.apache.org/viewvc?rev=1040395&view=rev
Log:
Merged revisions 1040394 via svnmerge from 
https://svn.apache.org/repos/asf/cxf/branches/2.3.x-fixes

................
  r1040394 | dkulp | 2010-11-29 21:54:09 -0500 (Mon, 29 Nov 2010) | 12 lines
  
  Merged revisions 1040388 via svnmerge from 
  https://svn.apache.org/repos/asf/cxf/trunk
  
  ........
    r1040388 | dkulp | 2010-11-29 21:34:39 -0500 (Mon, 29 Nov 2010) | 4 lines
    
    [CXF-3152] Update to wss4j 1.5.10
    Add support for PKI cert chain
    Patch from Colm O hEigeartaigh applied but test disabled until the certs
    are available.
  ........
................

Added:
    cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/META-INF/cxf/alice.properties
      - copied unchanged from r1040394, cxf/branches/2.3.x-fixes/rt/ws/security/src/test/java/META-INF/cxf/alice.properties
    cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/META-INF/cxf/cxfca.properties
      - copied unchanged from r1040394, cxf/branches/2.3.x-fixes/rt/ws/security/src/test/java/META-INF/cxf/cxfca.properties
    cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/KeystorePasswordCallback.java
      - copied unchanged from r1040394, cxf/branches/2.3.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/KeystorePasswordCallback.java
Modified:
    cxf/branches/2.2.x-fixes/   (props changed)
    cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml
    cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
    cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java

Propchange: cxf/branches/2.2.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.

Modified: cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml?rev=1040395&r1=1040394&r2=1040395&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml (original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml Tue Nov 30 03:05:13 2010
@@ -94,7 +94,7 @@
         <dependency>
             <groupId>org.apache.ws.security</groupId>
             <artifactId>wss4j</artifactId>
-            <version>1.5.9</version>
+            <version>1.5.10</version>
             <exclusions>
                 <exclusion>
                     <groupId>axis</groupId>

Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1040395&r1=1040394&r2=1040395&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
(original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
Tue Nov 30 03:05:13 2010
@@ -308,10 +308,20 @@ public class WSS4JInInterceptor extends 
                 WSSecurityEngineResult result = 
                     (WSSecurityEngineResult) signatureResults.get(i);
                 
+                //
+                // Verify the certificate chain associated with signature verification if
+                // it exists. If it does not, then try to verify the (single) certificate
+                // used for signature verification
+                //
                 X509Certificate returnCert = (X509Certificate)result
                     .get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
-
-                if (returnCert != null && !verifyTrust(returnCert, reqData)) {
+                X509Certificate[] returnCertChain = (X509Certificate[])result
+                .get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+                
+                if (returnCertChain != null && !verifyTrust(returnCertChain, reqData))
{
+                    LOG.warning("The certificate chain used for the signature is not trusted");
+                    throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
+                } else if (returnCert != null && !verifyTrust(returnCert, reqData))
{
                     LOG.warning("The certificate used for the signature is not trusted");
                     throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
                 }

Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java?rev=1040395&r1=1040394&r2=1040395&view=diff
==============================================================================
--- cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
(original)
+++ cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
Tue Nov 30 03:05:13 2010
@@ -540,6 +540,75 @@ public class WSS4JInOutTest extends Abst
         assertEquals(obj.getClass().getName(), CustomProcessor.class.getName());
     }
     
+    @Test
+    @org.junit.Ignore
+    public void testPKIPath() throws Exception {
+        Document doc = readDocument("wsse-request-clean.xml");
+
+        WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor();
+        PhaseInterceptor<SoapMessage> handler = ohandler.createEndingInterceptor();
+
+        SoapMessage msg = new SoapMessage(new MessageImpl());
+        Exchange ex = new ExchangeImpl();
+        ex.setInMessage(msg);
+        
+        SOAPMessage saajMsg = MessageFactory.newInstance().createMessage();
+        SOAPPart part = saajMsg.getSOAPPart();
+        part.setContent(new DOMSource(doc));
+        saajMsg.saveChanges();
+
+        msg.setContent(SOAPMessage.class, saajMsg);
+
+        msg.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
+        msg.put(WSHandlerConstants.SIG_PROP_FILE, "META-INF/cxf/alice.properties");
+        msg.put(WSHandlerConstants.USER, "alice");
+        msg.put(WSHandlerConstants.PW_CALLBACK_CLASS, KeystorePasswordCallback.class.getName());
+        msg.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
+        msg.put(WSHandlerConstants.USE_SINGLE_CERTIFICATE, "false");
+
+        handler.handleMessage(msg);
+
+        doc = part;
+        
+        assertValid("//wsse:Security", doc);
+        assertValid("//wsse:Security/ds:Signature", doc);
+
+        byte[] docbytes = getMessageBytes(doc);
+
+        XMLStreamReader reader = StaxUtils.createXMLStreamReader(new ByteArrayInputStream(docbytes));
+
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+
+        dbf.setValidating(false);
+        dbf.setIgnoringComments(false);
+        dbf.setIgnoringElementContentWhitespace(true);
+        dbf.setNamespaceAware(true);
+
+        DocumentBuilder db = dbf.newDocumentBuilder();
+        db.setEntityResolver(new NullResolver());
+        doc = StaxUtils.read(db, reader, false);
+
+        WSS4JInInterceptor inHandler = new WSS4JInInterceptor();
+
+        SoapMessage inmsg = new SoapMessage(new MessageImpl());
+        ex.setInMessage(inmsg);
+        inmsg.setContent(SOAPMessage.class, saajMsg);
+
+        inHandler.setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
+        inHandler.setProperty(WSHandlerConstants.SIG_PROP_FILE, "META-INF/cxf/cxfca.properties");
+
+        inHandler.handleMessage(inmsg);
+        
+        WSSecurityEngineResult result = 
+            (WSSecurityEngineResult) inmsg.get(WSS4JInInterceptor.SIGNATURE_RESULT);
+        assertNotNull(result);
+        X509Certificate[] certificates = (X509Certificate[])result
+            .get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+        assertNotNull(certificates);
+        assertEquals(certificates.length, 2);
+    }
+    
+    
     private byte[] getMessageBytes(Document doc) throws Exception {
         ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
         XMLStreamWriter byteArrayWriter = StaxUtils.createXMLStreamWriter(outputStream);



Mime
View raw message