From dk...@apache.org
Subject svn commit: r1088726 [1/5] - in /cxf/trunk: distribution/src/main/release/samples/ distribution/src/main/release/samples/sts_issue_operation/ distribution/src/main/release/samples/sts_issue_operation/src/ distribution/src/main/release/samples/sts_issue...
Date Mon, 04 Apr 2011 18:59:53 GMT
Author: dkulp
Date: Mon Apr  4 18:59:51 2011
New Revision: 1088726

URL: http://svn.apache.org/viewvc?rev=1088726&view=rev
Log:
Squashed commit of the following:

commit 4699706a51f6e75641be257089636aa0dbe7980d
Author: Daniel Kulp <dkulp@apache.org>
Date:   Mon Apr 4 14:16:07 2011 -0400

    Use a wsdl for the sample sts so ?wsdl provides a useful contract.
    Also will provide a place to put the WS-SecPol requirements

commit 3a44f27efb80bb0211115df7284b84860a1e3de2
Author: Zsolt Beothy-Elo <zbeothy-elo@talend.com>
Date:   Sat Apr 2 11:13:17 2011 +0200

    Include sts sample in build.

commit e522cd0f5a5d8c99aa8b903d24a38e7b13ad65ea
Author: Zsolt Beothy-Elo <zbeothy-elo@talend.com>
Date:   Sat Apr 2 09:34:07 2011 +0200

    Move sts sample sources to demo.sts...

commit b33ad2b58458a4154fdffad808b32aa089081896
Author: Zsolt Beothy-Elo <zbeothy-elo@talend.com>
Date:   Sat Apr 2 08:27:04 2011 +0200

    Add spring configuration and enhance pom for sts sample

commit 1ffc68a7cc3bd4d092e55cd7e4a8896c618510e5
Author: Zsolt Beothy-Elo <zbeothy-elo@talend.com>
Date:   Fri Apr 1 19:27:18 2011 +0200

    Move remaining sample specific classes from the cxf security module to the sts_issue_operation sample module

commit 4a5df71944b8e2fc76a8bf45cb2cf19efe6dc8af
Author: Vladimir Romaniuk <vromaniuk@talend.com>
Date:   Fri Apr 1 12:53:56 2011 +0300

    added keystore and test modified according changes in keystore

commit f3265f4df54e1acd6ce5bd9f894015b8ee35b376
Author: Vladimir Romaniuk <vromaniuk@talend.com>
Date:   Fri Apr 1 12:22:55 2011 +0300

    Sample issue operation implementation

commit 5526ec67bfbd7946d6b8d0732c60c5864f36d1f8
Author: Daniel Kulp <dkulp@apache.org>
Date:   Fri Mar 25 14:29:30 2011 -0400

    First pass at STS from Anubhav Sharma

Added:
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/pom.xml   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CRLVerifier.java   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerificationException.java   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerificationResult.java   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerifier.java   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerifierConfig.java   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/operation/
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/operation/impl/
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/operation/impl/SAMLTokenIssueOperation.java   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/token/
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/token/SAMLTokenIssueOperation.java   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/token/Saml1TokenProvider.java   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/token/Saml2TokenProvider.java   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/token/SamlUtils.java   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/token/TokenException.java   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/token/TokenProvider.java   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/resources/
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/resources/stsstore.jks
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/webapp/
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/webapp/WEB-INF/
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/webapp/WEB-INF/beans.xml   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/webapp/WEB-INF/web.xml   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/webapp/WEB-INF/wsdl/
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/webapp/WEB-INF/wsdl/oasis-200401-wss-wssecurity-secext-1.0.xsd   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/webapp/WEB-INF/wsdl/oasis-200401-wss-wssecurity-utility-1.0.xsd   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/webapp/WEB-INF/wsdl/ws-addr.xsd   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/webapp/WEB-INF/wsdl/ws-policy.xsd   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/webapp/WEB-INF/wsdl/ws-trust-1.3.xsd   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/webapp/WEB-INF/wsdl/ws-trust-1.4-service.wsdl   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/webapp/WEB-INF/wsdl/ws-trust-1.4.wsdl   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/webapp/WEB-INF/wsdl/xmldsig-core-schema.xsd   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/test/
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/test/java/
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/test/java/demo/
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/test/java/demo/sts/
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/test/java/demo/sts/provider/
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/test/java/demo/sts/provider/operation/
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/test/java/demo/sts/provider/operation/IssueDelegateTest.java   (with props)
    cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/test/java/demo/sts/provider/operation/stsstore.jks
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/sts/
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/sts/provider/
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/sts/provider/STSException.java   (with props)
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/sts/provider/SecurityTokenService.java   (with props)
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/sts/provider/SecurityTokenServiceImpl.java   (with props)
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/sts/provider/SecurityTokenServiceProvider.java   (with props)
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/sts/provider/operation/
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/sts/provider/operation/CancelOperation.java   (with props)
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/sts/provider/operation/IssueOperation.java   (with props)
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/sts/provider/operation/KeyExchangeTokenOperation.java   (with props)
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/sts/provider/operation/RenewOperation.java   (with props)
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/sts/provider/operation/RequestCollectionOperation.java   (with props)
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/sts/provider/operation/ValidateOperation.java   (with props)
    cxf/trunk/rt/ws/security/src/main/model/
    cxf/trunk/rt/ws/security/src/main/model/binding.xjb   (with props)
    cxf/trunk/rt/ws/security/src/main/model/oasis-200401-wss-wssecurity-secext-1.0.xsd   (with props)
    cxf/trunk/rt/ws/security/src/main/model/oasis-200401-wss-wssecurity-utility-1.0.xsd   (with props)
    cxf/trunk/rt/ws/security/src/main/model/ws-addr.xsd   (with props)
    cxf/trunk/rt/ws/security/src/main/model/ws-policy.xsd   (with props)
    cxf/trunk/rt/ws/security/src/main/model/ws-trust-1.3.xsd   (with props)
    cxf/trunk/rt/ws/security/src/main/model/ws-trust-1.4-service.wsdl   (with props)
    cxf/trunk/rt/ws/security/src/main/model/ws-trust-1.4.wsdl   (with props)
    cxf/trunk/rt/ws/security/src/main/model/xmldsig-core-schema.xsd   (with props)
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/sts/
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/sts/provider/
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/sts/provider/SecurityTokenServiceImplTest.java   (with props)
    cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/sts/provider/SecurityTokenServiceProviderTest.java   (with props)
    cxf/trunk/rt/ws/security/src/test/resources/sts.jks
Modified:
    cxf/trunk/distribution/src/main/release/samples/pom.xml
    cxf/trunk/rt/ws/security/pom.xml

Modified: cxf/trunk/distribution/src/main/release/samples/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/pom.xml?rev=1088726&r1=1088725&r2=1088726&view=diff
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/pom.xml (original)
+++ cxf/trunk/distribution/src/main/release/samples/pom.xml Mon Apr  4 18:59:51 2011
@@ -82,6 +82,7 @@
         <module>wsdl_first_rpclit</module>
         <module>jms_pubsub</module>
         <module>jax_rs/spring_security</module>
+        <module>sts_issue_operation</module>
 <!--
         <module>logbrowser</module>
 -->

Added: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/pom.xml?rev=1088726&view=auto
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/pom.xml (added)
+++ cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/pom.xml Mon Apr  4 18:59:51 2011
@@ -0,0 +1,112 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements. See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership. The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License. You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied. See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>sample-issue-operation</artifactId>
+    <packaging>war</packaging>
+    <name>Apache CXF STS issue operation</name>
+    <url>http://cxf.apache.org</url>
+
+    <parent>
+        <groupId>org.apache.cxf.samples</groupId>
+        <artifactId>cxf-samples</artifactId>
+        <version>2.4.0-SNAPSHOT</version>
+    </parent>
+
+    <dependencies>
+        <!-- CXF -->
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-frontend-jaxws</artifactId>
+            <version>2.4.0-SNAPSHOT</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-ws-security</artifactId>
+            <version>2.4.0-SNAPSHOT</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-transports-http-jetty</artifactId>
+            <version>2.4.0-SNAPSHOT</version>
+        </dependency>
+        <dependency>
+            <groupId>org.opensaml</groupId>
+            <artifactId>opensaml</artifactId>
+            <version>2.4.1</version>
+            <type>jar</type>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.apache.xalan</groupId>
+                    <artifactId>xalan</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcprov-jdk15</artifactId>
+        </dependency>
+
+        <!-- Test dependencies  -->
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>4.8.2</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.easymock</groupId>
+            <artifactId>easymockclassextension</artifactId>
+            <version>2.4</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <!-- Name of the generated WAR file --> 
+        <finalName>sts</finalName> 
+        <defaultGoal>install</defaultGoal>
+        <plugins>
+<!--
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-eclipse-plugin</artifactId>
+                <configuration>
+                    <downloadSources>true</downloadSources>
+                </configuration>
+            </plugin>
+-->
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-war-plugin</artifactId>
+                <version>2.1</version>
+            </plugin>
+            <plugin>
+                <groupId>org.mortbay.jetty</groupId>
+                <artifactId>maven-jetty-plugin</artifactId>
+                <version>6.1.24</version>
+                <configuration>
+                    <contextPath>/${project.build.finalName}</contextPath>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>
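Review bot: The `bcprov-jdk15` dependency is the only entry in this pom without a `<version>`, while the CXF artifacts, opensaml, junit and easymock each pin one; presumably the parent `cxf-samples` pom manages it through `dependencyManagement`, which this commit does not show, but if it does not the sample will not resolve. Either pin it here for consistency with the other entries or leave a one-line comment `<!-- version managed by the cxf-samples parent pom -->` next to it so the next reader does not have to go looking. The xalan exclusion on opensaml is likewise unexplained; a short comment stating the reason for the exclusion would save the next person from removing it.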

Propchange: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/pom.xml
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/pom.xml
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Propchange: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/pom.xml
------------------------------------------------------------------------------
    svn:mime-type = text/xml

Added: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CRLVerifier.java
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CRLVerifier.java?rev=1088726&view=auto
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CRLVerifier.java (added)
+++ cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CRLVerifier.java Mon Apr  4 18:59:51 2011
@@ -0,0 +1,198 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package demo.sts.provider.cert;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.security.cert.CRLException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CertificateParsingException;
+import java.security.cert.X509CRL;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Hashtable;
+import java.util.List;
+import java.util.Map;
+
+import javax.naming.Context;
+import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.InitialDirContext;
+
+import org.bouncycastle.asn1.ASN1InputStream;
+import org.bouncycastle.asn1.DERIA5String;
+import org.bouncycastle.asn1.DERObject;
+import org.bouncycastle.asn1.DEROctetString;
+import org.bouncycastle.asn1.x509.CRLDistPoint;
+import org.bouncycastle.asn1.x509.DistributionPoint;
+import org.bouncycastle.asn1.x509.DistributionPointName;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.X509Extensions;
+
+public final class CRLVerifier {
+
+    /**
+     * Extracts the CRL distribution points from the certificate (if available)
+     * and checks the certificate revocation status against the CRLs coming from
+     * the distribution points. Supports HTTP, HTTPS, FTP and LDAP based URLs.
+     * 
+     * @param cert
+     *            the certificate to be checked for revocation
+     * @throws CertificateVerificationException
+     *             if the certificate is revoked
+     */
+    
+    private CRLVerifier() {
+        
+    }
+    
+    public static void verifyCertificateCRLs(X509Certificate cert) throws CertificateVerificationException {
+        try {
+            List<String> crlDistPoints = getCrlDistributionPoints(cert);
+            for (String crlDP : crlDistPoints) {
+                X509CRL crl = downloadCRL(crlDP);
+                if (crl.isRevoked(cert)) {
+                    throw new CertificateVerificationException(
+                            "The certificate is revoked by CRL: " + crlDP);
+                }
+            }
+        } catch (Exception ex) {
+            if (ex instanceof CertificateVerificationException) {
+                throw (CertificateVerificationException) ex;
+            } else {
+                throw new CertificateVerificationException(
+                        "Can not verify CRL for certificate: "
+                                + cert.getSubjectX500Principal());
+            }
+        }
+    }
+
+    /**
+     * Downloads CRL from given URL. Supports http, https, ftp and ldap based
+     * URLs.
+     */
+    private static X509CRL downloadCRL(String crlURL) throws IOException,
+            CertificateException, CRLException,
+            CertificateVerificationException, NamingException {
+        if (crlURL.startsWith("http://") || crlURL.startsWith("https://")
+                || crlURL.startsWith("ftp://")) {
+            return downloadCRLFromWeb(crlURL);
+        } else if (crlURL.startsWith("ldap://")) {
+            return downloadCRLFromLDAP(crlURL);
+        } else {
+            throw new CertificateVerificationException(
+                    "Can not download CRL from certificate "
+                            + "distribution point: " + crlURL);
+        }
+    }
+
+    /**
+     * Downloads a CRL from given LDAP url, e.g.
+     * ldap://ldap.infonotary.com/dc=identity-ca,dc=infonotary,dc=com
+     */
+    private static X509CRL downloadCRLFromLDAP(String ldapURL) throws CertificateException, 
+    NamingException, CRLException,
+            CertificateVerificationException {
+        Map<String, String> env = new Hashtable<String, String>();
+        env.put(Context.INITIAL_CONTEXT_FACTORY,
+                "com.sun.jndi.ldap.LdapCtxFactory");
+        env.put(Context.PROVIDER_URL, ldapURL);
+
+        DirContext ctx = new InitialDirContext((Hashtable)env);
+        Attributes avals = ctx.getAttributes("");
+        Attribute aval = avals.get("certificateRevocationList;binary");
+        byte[] val = (byte[]) aval.get();
+        if ((val == null) || (val.length == 0)) {
+            throw new CertificateVerificationException(
+                    "Can not download CRL from: " + ldapURL);
+        } else {
+            InputStream inStream = new ByteArrayInputStream(val);
+            CertificateFactory cf = CertificateFactory.getInstance("X.509");
+            return (X509CRL) cf.generateCRL(inStream);
+        }
+    }
+
+    /**
+     * Downloads a CRL from given HTTP/HTTPS/FTP URL, e.g.
+     * http://crl.infonotary.com/crl/identity-ca.crl
+     */
+    private static X509CRL downloadCRLFromWeb(String crlURL) throws MalformedURLException,
+    IOException, CertificateException,
+            CRLException {
+        URL url = new URL(crlURL);
+        InputStream crlStream = url.openStream();
+        try {
+            CertificateFactory cf = CertificateFactory.getInstance("X.509");
+            return (X509CRL) cf.generateCRL(crlStream);
+        } finally {
+            crlStream.close();
+        }
+    }
+
+    /**
+     * Extracts all CRL distribution point URLs from the
+     * "CRL Distribution Point" extension in a X.509 certificate. If CRL
+     * distribution point extension is unavailable, returns an empty list.
+     */
+    public static List<String> 
+    getCrlDistributionPoints(X509Certificate cert) throws CertificateParsingException, IOException {
+        byte[] crldpExt = cert
+                .getExtensionValue(X509Extensions.CRLDistributionPoints.getId());
+        if (crldpExt == null) {
+            return new ArrayList<String>();
+        }
+        ASN1InputStream oAsnInStream = new ASN1InputStream(
+                new ByteArrayInputStream(crldpExt));
+        DERObject derObjCrlDP = oAsnInStream.readObject();
+        DEROctetString dosCrlDP = (DEROctetString) derObjCrlDP;
+        byte[] crldpExtOctets = dosCrlDP.getOctets();
+        ASN1InputStream oAsnInStream2 = new ASN1InputStream(
+                new ByteArrayInputStream(crldpExtOctets));
+        DERObject derObj2 = oAsnInStream2.readObject();
+        CRLDistPoint distPoint = CRLDistPoint.getInstance(derObj2);
+        List<String> crlUrls = new ArrayList<String>();
+        for (DistributionPoint dp : distPoint.getDistributionPoints()) {
+            DistributionPointName dpn = dp.getDistributionPoint();
+            // Look for URIs in fullName
+            if (dpn != null
+                && dpn.getType() == DistributionPointName.FULL_NAME) {
+                GeneralName[] genNames = GeneralNames.getInstance(
+                        dpn.getName()).getNames();
+                // Look for an URI
+                for (int j = 0; j < genNames.length; j++) {
+                    if (genNames[j].getTagNo() == GeneralName.uniformResourceIdentifier) {
+                        String url = DERIA5String.getInstance(
+                                genNames[j].getName()).getString();
+                        crlUrls.add(url);
+                    }
+                }
+            }
+        }
+        return crlUrls;
+    }
+
+}
\ No newline at end of file
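Review bot: `verifyCertificateCRLs` trusts whatever `downloadCRL` returns — the CRL is fetched from a URL taken out of the very certificate being checked (`getCrlDistributionPoints`) and `crl.isRevoked(cert)` is consulted without ever calling `crl.verify(...)` against the issuer's public key or looking at `getNextUpdate()`, so a certificate whose distribution point names a host the presenter controls can be served an empty or long-expired CRL and pass as unrevoked. The method only receives the end-entity certificate, so the issuer key (or the trust anchor from the PKIX path build) has to be supplied by the caller in `CertificateVerifier`, which is outside this hunk; the rewritten method below takes it as a second parameter. Two smaller points in the same method: the catch-all throws `new CertificateVerificationException("Can not verify CRL for certificate: " + ...)` and drops `ex` even though the two-argument constructor exists, so the real failure (network, parse, bad signature) is lost, and `downloadCRLFromWeb` calls `url.openStream()` with no connect or read timeout, so a slow distribution point stalls the token issue call. A certificate with no CRL distribution point extension also returns an empty list and passes the check silently; the Javadoc should at least say so, e.g. `Certificates without a CRL Distribution Points extension are not checked and are treated as unrevoked.`
```java
public static void verifyCertificateCRLs(X509Certificate cert, PublicKey issuerKey)
    throws CertificateVerificationException {
    try {
        List<String> crlDistPoints = getCrlDistributionPoints(cert);
        for (String crlDP : crlDistPoints) {
            X509CRL crl = downloadCRL(crlDP);
            // The CRL came from a URL named by the certificate under test; it is
            // untrusted until its signature checks out against the issuer's key.
            crl.verify(issuerKey);
            Date nextUpdate = crl.getNextUpdate();
            if (nextUpdate != null && nextUpdate.before(new Date())) {
                throw new CertificateVerificationException("CRL from " + crlDP + " is stale");
            }
            if (crl.isRevoked(cert)) {
                throw new CertificateVerificationException(
                        "The certificate is revoked by CRL: " + crlDP);
            }
        }
    } catch (CertificateVerificationException ex) {
        throw ex;
    } catch (Exception ex) {
        // keep the cause so the underlying failure is visible to the caller
        throw new CertificateVerificationException(
                "Can not verify CRL for certificate: " + cert.getSubjectX500Principal(), ex);
    }
}
// … unchanged: downloadCRL, downloadCRLFromLDAP, downloadCRLFromWeb, getCrlDistributionPoints …
```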

Propchange: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CRLVerifier.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CRLVerifier.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerificationException.java
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerificationException.java?rev=1088726&view=auto
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerificationException.java (added)
+++ cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerificationException.java Mon Apr  4 18:59:51 2011
@@ -0,0 +1,32 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package demo.sts.provider.cert;
+
+public class CertificateVerificationException extends Exception {
+    private static final long serialVersionUID = 1L;
+
+    public CertificateVerificationException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public CertificateVerificationException(String message) {
+        super(message);
+    }
+}
\ No newline at end of file

Propchange: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerificationException.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerificationException.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerificationResult.java
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerificationResult.java?rev=1088726&view=auto
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerificationResult.java (added)
+++ cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerificationResult.java Mon Apr  4 18:59:51 2011
@@ -0,0 +1,54 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package demo.sts.provider.cert;
+
+import java.security.cert.PKIXCertPathBuilderResult;
+
+public class CertificateVerificationResult {
+    private boolean valid;
+    private PKIXCertPathBuilderResult result;
+    private Throwable exception;
+
+    /**
+     * Constructs a certificate verification result for valid certificate by
+     * given certification path.
+     */
+    public CertificateVerificationResult(PKIXCertPathBuilderResult result) {
+        this.valid = true;
+        this.result = result;
+    }
+
+    public CertificateVerificationResult(Throwable exception) {
+        this.valid = false;
+        this.exception = exception;
+    }
+
+    public boolean isValid() {
+        return valid;
+    }
+
+    public PKIXCertPathBuilderResult getResult() {
+        return result;
+    }
+
+    public Throwable getException() {
+        return exception;
+    }
+}
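Review bot: The three fields `valid`, `result` and `exception` are assigned only in the two constructors and have no setters, so they can be declared `private final boolean valid;`, `private final PKIXCertPathBuilderResult result;` and `private final Throwable exception;` to make the immutability explicit (each constructor then assigns `null` to the field it does not use, which Java's definite-assignment rule requires for finals). The `Throwable` constructor has no Javadoc, and neither getter says that `getResult()` is null on a failed verification and `getException()` is null on a successful one; a one-line Javadoc on each stating which outcome leaves it null would spare callers from discovering that by NPE.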

Propchange: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerificationResult.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerificationResult.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerifier.java
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerifier.java?rev=1088726&view=auto
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerifier.java (added)
+++ cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerifier.java Mon Apr  4 18:59:51 2011
@@ -0,0 +1,188 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package demo.sts.provider.cert;
+
+import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PublicKey;
+import java.security.SignatureException;
+import java.security.cert.CertPathBuilder;
+import java.security.cert.CertPathBuilderException;
+import java.security.cert.CertStore;
+import java.security.cert.CertificateException;
+import java.security.cert.CollectionCertStoreParameters;
+import java.security.cert.PKIXBuilderParameters;
+import java.security.cert.PKIXCertPathBuilderResult;
+import java.security.cert.TrustAnchor;
+import java.security.cert.X509CertSelector;
+import java.security.cert.X509Certificate;
+import java.util.HashSet;
+import java.util.Set;
+
+public final class CertificateVerifier {
+
+    /**
+     * Attempts to build a certification chain for given certificate and to
+     * verify it. Relies on a set of root CA certificates and intermediate
+     * certificates that will be used for building the certification chain. The
+     * verification process assumes that all self-signed certificates in the set
+     * are trusted root CA certificates and all other certificates in the set
+     * are intermediate certificates.
+     * 
+     * @param cert
+     *            - certificate for validation
+     * @param additionalCerts
+     *            - set of trusted root CA certificates that will be used as
+     *            "trust anchors" and intermediate CA certificates that will be
+     *            used as part of the certification chain. All self-signed
+     *            certificates are considered to be trusted root CA
+     *            certificates. All the rest are considered to be intermediate
+     *            CA certificates.
+     * @return the certification chain (if verification is successful)
+     * @throws CertificateVerificationException
+     *             - if the certification is not successful (e.g. certification
+     *             path cannot be built or some certificate in the chain is
+     *             expired or CRL checks are failed)
+     */
+
+    private CertificateVerifier() {
+
+    }
+
+    public static PKIXCertPathBuilderResult verifyCertificate(
+            X509Certificate cert, Set<X509Certificate> additionalCerts,
+            boolean verifySelfSignedCert) throws CertificateVerificationException {
+        try {
+            // Check for self-signed certificate
+            if (!verifySelfSignedCert
+                && isSelfSigned(cert)) {
+                throw new CertificateVerificationException(
+                        "The certificate is self-signed.");
+            }
+
+            // Prepare a set of trusted root CA certificates
+            // and a set of intermediate certificates
+            Set<X509Certificate> trustedRootCerts = new HashSet<X509Certificate>();
+            Set<X509Certificate> intermediateCerts = new HashSet<X509Certificate>();
+            for (X509Certificate additionalCert : additionalCerts) {
+                if (isSelfSigned(additionalCert)) {
+                    trustedRootCerts.add(additionalCert);
+                } else {
+                    intermediateCerts.add(additionalCert);
+                }
+            }
+
+            // Attempt to build the certification chain and verify it
+            PKIXCertPathBuilderResult verifiedCertChain = verifyCertificate(
+                    cert, trustedRootCerts, intermediateCerts,
+                    verifySelfSignedCert);
+
+            // Check whether the certificate is revoked by the CRL
+            // given in its CRL distribution point extension
+            CRLVerifier.verifyCertificateCRLs(cert);
+
+            // The chain is built and verified. Return it as a result
+            return verifiedCertChain;
+        } catch (CertPathBuilderException certPathEx) {
+            throw new CertificateVerificationException(
+                    "Error building certification path: "
+                            + cert.getSubjectX500Principal(), certPathEx);
+        } catch (CertificateVerificationException cvex) {
+            throw cvex;
+        } catch (Exception ex) {
+            throw new CertificateVerificationException(
+                    "Error verifying the certificate: "
+                            + cert.getSubjectX500Principal(), ex);
+        }
+    }
+
+    /**
+     * Checks whether given X.509 certificate is self-signed.
+     */
+    public static boolean isSelfSigned(X509Certificate cert) throws CertificateException, 
+    NoSuchAlgorithmException, NoSuchProviderException {
+        try {
+            // Try to verify certificate signature with its own public key
+            PublicKey key = cert.getPublicKey();
+            cert.verify(key);
+            return true;
+        } catch (SignatureException sigEx) {
+            // Invalid signature --> not self-signed
+            return false;
+        } catch (InvalidKeyException keyEx) {
+            // Invalid key --> not self-signed
+            return false;
+        }
+    }
+
+    /**
+     * Attempts to build a certification chain for given certificate and to
+     * verify it. Relies on a set of root CA certificates (trust anchors) and a
+     * set of intermediate certificates (to be used as part of the chain).
+     * 
+     * @param cert
+     *            - certificate for validation
+     * @param trustedRootCerts
+     *            - set of trusted root CA certificates
+     * @param intermediateCerts
+     *            - set of intermediate certificates
+     * @return the certification chain (if verification is successful)
+     * @throws GeneralSecurityException
+     *             - if the verification is not successful (e.g. certification
+     *             path cannot be built or some certificate in the chain is
+     *             expired)
+     */
+    private static PKIXCertPathBuilderResult verifyCertificate(
+            X509Certificate cert, Set<X509Certificate> trustedRootCerts,
+            Set<X509Certificate> intermediateCerts,
+            boolean verifySelfSignedCert) throws GeneralSecurityException {
+
+        // Create the selector that specifies the starting certificate
+        X509CertSelector selector = new X509CertSelector();
+        selector.setCertificate(cert);
+
+        // Create the trust anchors (set of root CA certificates)
+        Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
+        for (X509Certificate trustedRootCert : trustedRootCerts) {
+            trustAnchors.add(new TrustAnchor(trustedRootCert, null));
+        }
+
+        // Configure the PKIX certificate builder algorithm parameters
+        PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(
+                trustAnchors, selector);
+
+        // Disable CRL checks (this is done manually as additional step)
+        pkixParams.setRevocationEnabled(false);
+
+        // Specify a list of intermediate certificates
+        CertStore intermediateCertStore = CertStore.getInstance("Collection",
+                new CollectionCertStoreParameters(intermediateCerts));
+        pkixParams.addCertStore(intermediateCertStore);
+
+        // Build and verify the certification chain
+        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
+        PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder
+                .build(pkixParams);
+        return result;
+    }
+
+}
\ No newline at end of file
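Review bot: Revocation is only checked for the end-entity certificate: `CRLVerifier.verifyCertificateCRLs(cert)` receives just `cert`, while the PKIX builder runs with `setRevocationEnabled(false)`, so a revoked intermediate CA supplied in `additionalCerts` still yields a successful result. Checking every certificate on the built path closes that gap: `for (java.security.cert.Certificate c : verifiedCertChain.getCertPath().getCertificates()) { CRLVerifier.verifyCertificateCRLs((X509Certificate) c); }` — assuming CRLVerifier (not shown in this chunk) tolerates certificates without a CRL distribution point extension. Note also that the Javadoc block above the private constructor describes `verifyCertificate`, omits the `verifySelfSignedCert` parameter, and should be moved onto that method; the same flag is passed through to the private overload, which never reads it.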

Propchange: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerifier.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerifier.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerifierConfig.java
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerifierConfig.java?rev=1088726&view=auto
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerifierConfig.java (added)
+++ cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerifierConfig.java Mon Apr  4 18:59:51 2011
@@ -0,0 +1,82 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package demo.sts.provider.cert;
+
+import java.util.List;
+
+public class CertificateVerifierConfig {
+    private String storePath;
+    private String storePwd;
+
+    private List<String> trustCertAliases;
+
+    private String keySignAlias;
+    private String keySignPwd;
+
+    private boolean verifySelfSignedCert;
+
+    public boolean isVerifySelfSignedCert() {
+        return verifySelfSignedCert;
+    }
+
+    public void setVerifySelfSignedCert(boolean verifySelfSignedCert) {
+        this.verifySelfSignedCert = verifySelfSignedCert;
+    }
+
+    public String getStorePath() {
+        return storePath;
+    }
+
+    public void setStorePath(String storePath) {
+        this.storePath = storePath;
+    }
+
+    public String getStorePwd() {
+        return storePwd;
+    }
+
+    public void setStorePwd(String storePwd) {
+        this.storePwd = storePwd;
+    }
+
+    public List<String> getTrustCertAliases() {
+        return trustCertAliases;
+    }
+
+    public void setTrustCertAliases(List<String> trustCertAliases) {
+        this.trustCertAliases = trustCertAliases;
+    }
+
+    public String getKeySignAlias() {
+        return keySignAlias;
+    }
+
+    public void setKeySignAlias(String keySignAlias) {
+        this.keySignAlias = keySignAlias;
+    }
+
+    public String getKeySignPwd() {
+        return keySignPwd;
+    }
+
+    public void setKeySignPwd(String keySignPwd) {
+        this.keySignPwd = keySignPwd;
+    }
+}

Propchange: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerifierConfig.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/cert/CertificateVerifierConfig.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/operation/impl/SAMLTokenIssueOperation.java
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/operation/impl/SAMLTokenIssueOperation.java?rev=1088726&view=auto
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/operation/impl/SAMLTokenIssueOperation.java (added)
+++ cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/operation/impl/SAMLTokenIssueOperation.java Mon Apr  4 18:59:51 2011
@@ -0,0 +1,446 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package demo.sts.provider.operation.impl;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.KeyStore;
+import java.security.KeyStore.PrivateKeyEntry;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import javax.xml.bind.JAXBElement;
+import javax.xml.crypto.dsig.CanonicalizationMethod;
+import javax.xml.crypto.dsig.DigestMethod;
+import javax.xml.crypto.dsig.Reference;
+import javax.xml.crypto.dsig.SignatureMethod;
+import javax.xml.crypto.dsig.SignedInfo;
+import javax.xml.crypto.dsig.Transform;
+import javax.xml.crypto.dsig.XMLSignature;
+import javax.xml.crypto.dsig.XMLSignatureFactory;
+import javax.xml.crypto.dsig.dom.DOMSignContext;
+import javax.xml.crypto.dsig.keyinfo.KeyInfo;
+import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
+import javax.xml.crypto.dsig.keyinfo.X509Data;
+import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
+import javax.xml.crypto.dsig.spec.TransformParameterSpec;
+import javax.xml.namespace.QName;
+import javax.xml.ws.WebServiceContext;
+import javax.xml.ws.handler.MessageContext;
+
+import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
+
+import org.apache.cxf.common.security.SecurityToken;
+import org.apache.cxf.common.security.UsernameToken;
+import org.apache.cxf.common.util.Base64Utility;
+import org.apache.cxf.ws.security.sts.provider.STSException;
+import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseCollectionType;
+import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType;
+import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType;
+import org.apache.cxf.ws.security.sts.provider.model.RequestedReferenceType;
+import org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType;
+import org.apache.cxf.ws.security.sts.provider.model.UseKeyType;
+import org.apache.cxf.ws.security.sts.provider.model.secext.KeyIdentifierType;
+import org.apache.cxf.ws.security.sts.provider.model.secext.SecurityTokenReferenceType;
+import org.apache.cxf.ws.security.sts.provider.model.xmldsig.KeyInfoType;
+import org.apache.cxf.ws.security.sts.provider.model.xmldsig.X509DataType;
+import org.apache.cxf.ws.security.sts.provider.operation.IssueOperation;
+import org.apache.xml.security.utils.Constants;
+import org.opensaml.common.xml.SAMLConstants;
+
+import demo.sts.provider.cert.CertificateVerifier;
+import demo.sts.provider.cert.CertificateVerifierConfig;
+import demo.sts.provider.token.TokenProvider;
+
+public class SAMLTokenIssueOperation implements IssueOperation {
+
+    private static final org.apache.cxf.ws.security.sts.provider.model.ObjectFactory WS_TRUST_FACTORY 
+        = new org.apache.cxf.ws.security.sts.provider.model.ObjectFactory();
+    private static final org.apache.cxf.ws.security.sts.provider.model.secext.ObjectFactory WSSE_FACTORY 
+        = new org.apache.cxf.ws.security.sts.provider.model.secext.ObjectFactory();
+
+    private static final String SIGN_FACTORY_TYPE = "DOM";
+    private static final String JKS_INSTANCE = "JKS";
+    private static final String X_509 = "X.509";
+
+    private static final QName QNAME_WST_TOKEN_TYPE = WS_TRUST_FACTORY
+            .createTokenType("").getName();
+
+    private List<TokenProvider> tokenProviders;
+    private CertificateVerifierConfig certificateVerifierConfig;
+
+
+    public void setTokenProviders(List<TokenProvider> tokenProviders) {
+        this.tokenProviders = tokenProviders;
+    }
+
+    public void setCertificateVerifierConfig(
+            CertificateVerifierConfig certificateVerifierConfig) {
+        this.certificateVerifierConfig = certificateVerifierConfig;
+    }
+
+    public RequestSecurityTokenResponseCollectionType issue(
+            RequestSecurityTokenType request,
+            WebServiceContext context) {
+
+        String tokenType = SAMLConstants.SAML20_NS;
+        X509Certificate certificate = null;
+        String username = null;
+
+        // parse input arguments
+        for (Object requestObject : request.getAny()) {
+            // certificate
+            try {
+                if (certificate == null) {
+                    certificate = getCertificateFromRequest(requestObject);
+                }
+            } catch (CertificateException e) {
+                throw new STSException(
+                        "Can't extract X509 certificate from request", e);
+            }
+
+            // TokenType
+            if (requestObject instanceof JAXBElement) {
+                JAXBElement<?> jaxbElement = (JAXBElement<?>) requestObject;
+                if (QNAME_WST_TOKEN_TYPE.equals(jaxbElement.getName())) {
+                    tokenType = (String) jaxbElement.getValue();
+                }
+            }
+        }
+        if (certificate == null) {
+            if (context == null || context.getMessageContext() == null) {
+                throw new STSException("No message context found");
+            }
+            //find the username
+            MessageContext ctx = context.getMessageContext();
+            UsernameToken unt = (UsernameToken)ctx.get(SecurityToken.class.getName());
+            if (unt != null) {
+                username = unt.getName();
+            }
+        }
+
+        // check input arguments
+        if (certificate != null) { // certificate
+            try {
+                verifyCertificate(certificate);
+            } catch (Exception e) {
+                throw new STSException(
+                        "Can't verify X509 certificate from request", e);
+            }
+        }
+
+        // create token
+        TokenProvider tokenProvider = null;
+        for (TokenProvider tp : tokenProviders) {
+            if (tokenType.equals(tp.getTokenType())) {
+                tokenProvider = tp;
+                break;
+            }
+        }
+        if (tokenProvider == null) {
+            throw new STSException(
+                    "No token provider found for requested token type: "
+                            + tokenType);
+        }
+
+        Element elementToken = null;
+
+        if (certificate != null) {
+            elementToken = tokenProvider.createToken(certificate);
+        } else {
+            elementToken = tokenProvider.createToken(username);
+        }
+
+        String tokenId = tokenProvider.getTokenId(elementToken);
+        signSAML(elementToken, tokenId);
+
+        // prepare response
+        RequestSecurityTokenResponseType response = wrapAssertionToResponse(
+                tokenType, elementToken, tokenId);
+
+        RequestSecurityTokenResponseCollectionType responseCollection = WS_TRUST_FACTORY
+                .createRequestSecurityTokenResponseCollectionType();
+        responseCollection.getRequestSecurityTokenResponse().add(response);
+        return responseCollection;
+    }
+
+    private void verifyCertificate(X509Certificate certificate) throws Exception {
+        KeyStore ks = KeyStore.getInstance(JKS_INSTANCE);
+
+        ks.load(this.getClass().getResourceAsStream(
+                certificateVerifierConfig.getStorePath()),
+                certificateVerifierConfig.getStorePwd().toCharArray());
+        Set<X509Certificate> trustedRootCerts = new HashSet<X509Certificate>();
+        for (String alias : certificateVerifierConfig.getTrustCertAliases()) {
+            java.security.cert.Certificate stsCert = ks.getCertificate(alias);
+            trustedRootCerts.add((X509Certificate) stsCert);
+        }
+
+        CertificateVerifier.verifyCertificate(certificate, trustedRootCerts,
+                certificateVerifierConfig.isVerifySelfSignedCert());
+    }
+
+    private RequestSecurityTokenResponseType wrapAssertionToResponse(
+            String tokenType, Element samlAssertion, String tokenId) {
+        RequestSecurityTokenResponseType response = WS_TRUST_FACTORY
+                .createRequestSecurityTokenResponseType();
+
+        // TokenType
+        JAXBElement<String> jaxbTokenType = WS_TRUST_FACTORY
+                .createTokenType(tokenType);
+        response.getAny().add(jaxbTokenType);
+
+        // RequestedSecurityToken
+        RequestedSecurityTokenType requestedTokenType = WS_TRUST_FACTORY
+                .createRequestedSecurityTokenType();
+        JAXBElement<RequestedSecurityTokenType> requestedToken = WS_TRUST_FACTORY
+                .createRequestedSecurityToken(requestedTokenType);
+        requestedTokenType.setAny(samlAssertion);
+        response.getAny().add(requestedToken);
+
+        // RequestedAttachedReference
+        RequestedReferenceType requestedReferenceType = WS_TRUST_FACTORY
+                .createRequestedReferenceType();
+        SecurityTokenReferenceType securityTokenReferenceType = WSSE_FACTORY
+                .createSecurityTokenReferenceType();
+        KeyIdentifierType keyIdentifierType = WSSE_FACTORY
+                .createKeyIdentifierType();
+        keyIdentifierType.setValue(tokenId);
+        JAXBElement<KeyIdentifierType> keyIdentifier = WSSE_FACTORY
+                .createKeyIdentifier(keyIdentifierType);
+        securityTokenReferenceType.getAny().add(keyIdentifier);
+        requestedReferenceType
+                .setSecurityTokenReference(securityTokenReferenceType);
+
+        JAXBElement<RequestedReferenceType> requestedAttachedReference = WS_TRUST_FACTORY
+                .createRequestedAttachedReference(requestedReferenceType);
+        response.getAny().add(requestedAttachedReference);
+
+        // RequestedUnattachedReference
+        JAXBElement<RequestedReferenceType> requestedUnattachedReference = WS_TRUST_FACTORY
+                .createRequestedUnattachedReference(requestedReferenceType);
+        response.getAny().add(requestedUnattachedReference);
+
+        return response;
+    }
+
+    private X509Certificate getCertificateFromRequest(Object requestObject) throws CertificateException {
+        UseKeyType useKeyType = extractType(requestObject, UseKeyType.class);
+        byte[] x509 = null;
+        if (null != useKeyType) {
+            KeyInfoType keyInfoType = extractType(useKeyType.getAny(),
+                    KeyInfoType.class);
+            if (null != keyInfoType) {
+                for (Object keyInfoContent : keyInfoType.getContent()) {
+                    X509DataType x509DataType = extractType(keyInfoContent,
+                            X509DataType.class);
+                    if (null != x509DataType) {
+                        for (Object x509Object : x509DataType
+                                .getX509IssuerSerialOrX509SKIOrX509SubjectName()) {
+                            x509 = extractType(x509Object, byte[].class);
+                            if (null != x509) {
+                                break;
+                            }
+                        }
+                    }
+                }
+            } else {
+                Element elementNSImpl = (Element) useKeyType.getAny();
+                NodeList x509CertData = elementNSImpl.getElementsByTagNameNS(
+                       Constants.SignatureSpecNS, Constants._TAG_X509CERTIFICATE);
+                if (x509CertData != null && x509CertData.getLength() > 0) {
+                    try {
+                        x509 = Base64Utility.decode(x509CertData.item(0)
+                                                    .getTextContent());
+                    } catch (Exception e) {
+                        throw new STSException(e.getMessage(), e);
+                    }
+                }
+            }
+            if (x509 != null) {
+                CertificateFactory cf = CertificateFactory.getInstance(X_509);
+                Certificate certificate = cf
+                        .generateCertificate(new ByteArrayInputStream(x509));
+                return (X509Certificate) certificate;
+            }
+
+        }
+        return null;
+    }
+
+    private static <T> T extractType(Object param, Class<T> clazz) {
+        if (param instanceof JAXBElement) {
+            JAXBElement<?> jaxbElement = (JAXBElement<?>) param;
+            if (clazz == jaxbElement.getDeclaredType()) {
+                return clazz.cast(jaxbElement.getValue());
+            }
+        }
+        return null;
+    }
+
+
+    private void signSAML(Element assertionDocument, String tokenId) {
+
+        InputStream isKeyStore = this.getClass().getResourceAsStream(
+                certificateVerifierConfig.getStorePath());
+
+        KeyStoreInfo keyStoreInfo = new KeyStoreInfo(isKeyStore,
+                certificateVerifierConfig.getStorePwd(),
+                certificateVerifierConfig.getKeySignAlias(),
+                certificateVerifierConfig.getKeySignPwd());
+
+        signXML(assertionDocument, tokenId, keyStoreInfo);
+
+    }
+
+    private void signXML(Element target, String refId, KeyStoreInfo keyStoreInfo) {
+
+        org.apache.xml.security.Init.init();
+
+        XMLSignatureFactory signFactory = XMLSignatureFactory
+                .getInstance(SIGN_FACTORY_TYPE);
+        try {
+            DigestMethod method = signFactory.newDigestMethod(
+                    DigestMethod.SHA1, null);
+            Transform transform = signFactory.newTransform(
+                    Transform.ENVELOPED,
+                    (TransformParameterSpec) null);
+            Reference ref = signFactory.newReference('#' + refId, method,
+                    Collections.singletonList(transform), null, null);
+
+            CanonicalizationMethod canonMethod = signFactory
+                    .newCanonicalizationMethod(
+                            CanonicalizationMethod.EXCLUSIVE,
+                            (C14NMethodParameterSpec) null);
+            SignatureMethod signMethod = signFactory.newSignatureMethod(
+                    SignatureMethod.RSA_SHA1, null);
+            SignedInfo si = signFactory.newSignedInfo(canonMethod, signMethod,
+                    Collections.singletonList(ref));
+
+            KeyStore.PrivateKeyEntry keyEntry = getKeyEntry(keyStoreInfo);
+            if (keyEntry == null) {
+                throw new IllegalStateException(
+                        "Key is not found in keystore. Alias: "
+                                + keyStoreInfo.getAlias());
+            }
+
+            KeyInfo ki = getKeyInfo(signFactory, keyEntry);
+
+            DOMSignContext dsc = new DOMSignContext(keyEntry.getPrivateKey(),
+                    target);
+
+            XMLSignature signature = signFactory.newXMLSignature(si, ki);
+
+            signature.sign(dsc);
+
+        } catch (Exception e) {
+            throw new STSException("Cannot sign xml document: "
+                    + e.getMessage(), e);
+        }
+    }
+
+    private PrivateKeyEntry getKeyEntry(KeyStoreInfo keyStoreInfo) throws Exception {
+
+        KeyStore ks = KeyStore.getInstance(JKS_INSTANCE);
+        ByteArrayInputStream is = new ByteArrayInputStream(
+                keyStoreInfo.getContent());
+        ks.load(is, keyStoreInfo.getStorePassword().toCharArray());
+        KeyStore.PasswordProtection passwordProtection = new KeyStore.PasswordProtection(
+                keyStoreInfo.getKeyPassword().toCharArray());
+        KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry) ks
+                .getEntry(keyStoreInfo.getAlias(), passwordProtection);
+        return keyEntry;
+    }
+
+    private KeyInfo getKeyInfo(XMLSignatureFactory signFactory,
+            PrivateKeyEntry keyEntry) {
+
+        X509Certificate cert = (X509Certificate) keyEntry.getCertificate();
+
+        KeyInfoFactory kif = signFactory.getKeyInfoFactory();
+        List<Object> x509Content = new ArrayList<Object>();
+        x509Content.add(cert.getSubjectX500Principal().getName());
+        x509Content.add(cert);
+        X509Data xd = kif.newX509Data(x509Content);
+        return kif.newKeyInfo(Collections.singletonList(xd));
+    }
+
+    public class KeyStoreInfo {
+
+        private byte[] content;
+        private String storePassword;
+        private String alias;
+        private String keyPassword;
+
+        public KeyStoreInfo(InputStream is, String storePassword, String alias,
+                String keyPassword) {
+            this.content = getBytes(is);
+            this.alias = alias;
+            this.storePassword = storePassword;
+            this.keyPassword = keyPassword;
+        }
+
+        public byte[] getContent() {
+            return content;
+        }
+
+        public String getAlias() {
+            return alias;
+        }
+
+        public String getStorePassword() {
+            return storePassword;
+        }
+
+        public String getKeyPassword() {
+            return keyPassword;
+        }
+
+        private byte[] getBytes(InputStream is) {
+            try {
+                int len;
+                int size = 1024;
+                byte[] buf;
+
+                ByteArrayOutputStream bos = new ByteArrayOutputStream();
+                buf = new byte[size];
+                while ((len = is.read(buf, 0, size)) != -1) {
+                    bos.write(buf, 0, len);
+                }
+                buf = bos.toByteArray();
+                return buf;
+            } catch (IOException e) {
+                throw new IllegalStateException(
+                        "Cannot read keystore content: " + e.getMessage(), e);
+            }
+        }
+
+    }
+}
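Review bot: When the request carries no certificate and the message context holds no UsernameToken, `username` stays null but execution continues to `tokenProvider.createToken(username)`, so a token may be issued for an unauthenticated caller unless the provider rejects null; add `if (certificate == null && username == null) { throw new STSException("No X509 certificate or UsernameToken found in request"); }` right after the username lookup. The `(UsernameToken) ctx.get(SecurityToken.class.getName())` cast is unchecked and will surface as a ClassCastException for any other SecurityToken type; use `instanceof` before casting. The certificate taken from UseKey is validated against the trust store but nothing here proves the caller holds the matching private key, so unless the endpoint's WS-SecurityPolicy requires the request to be signed with that key, anyone could obtain an assertion for any trusted certificate — worth a comment in the sample stating that assumption. Separately, the keystore is re-read from the classpath on every request in both `verifyCertificate` and `signSAML` and the returned InputStream is never closed; load it once at configuration time, and consider `DigestMethod.SHA256`/`RSA_SHA256` over the SHA-1 pair used in `signXML`.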

Propchange: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/operation/impl/SAMLTokenIssueOperation.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/operation/impl/SAMLTokenIssueOperation.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/token/SAMLTokenIssueOperation.java
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/token/SAMLTokenIssueOperation.java?rev=1088726&view=auto
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/token/SAMLTokenIssueOperation.java (added)
+++ cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/token/SAMLTokenIssueOperation.java Mon Apr  4 18:59:51 2011
@@ -0,0 +1,445 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package demo.sts.provider.token;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.security.KeyStore;
+import java.security.KeyStore.PrivateKeyEntry;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import javax.xml.bind.JAXBElement;
+import javax.xml.crypto.dsig.CanonicalizationMethod;
+import javax.xml.crypto.dsig.DigestMethod;
+import javax.xml.crypto.dsig.Reference;
+import javax.xml.crypto.dsig.SignatureMethod;
+import javax.xml.crypto.dsig.SignedInfo;
+import javax.xml.crypto.dsig.Transform;
+import javax.xml.crypto.dsig.XMLSignature;
+import javax.xml.crypto.dsig.XMLSignatureFactory;
+import javax.xml.crypto.dsig.dom.DOMSignContext;
+import javax.xml.crypto.dsig.keyinfo.KeyInfo;
+import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
+import javax.xml.crypto.dsig.keyinfo.X509Data;
+import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
+import javax.xml.crypto.dsig.spec.TransformParameterSpec;
+import javax.xml.namespace.QName;
+import javax.xml.ws.WebServiceContext;
+import javax.xml.ws.handler.MessageContext;
+
+import org.w3c.dom.Element;
+import org.w3c.dom.NodeList;
+
+import org.apache.cxf.common.security.SecurityToken;
+import org.apache.cxf.common.security.UsernameToken;
+import org.apache.cxf.common.util.Base64Utility;
+import org.apache.cxf.ws.security.sts.provider.STSException;
+import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseCollectionType;
+import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenResponseType;
+import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType;
+import org.apache.cxf.ws.security.sts.provider.model.RequestedReferenceType;
+import org.apache.cxf.ws.security.sts.provider.model.RequestedSecurityTokenType;
+import org.apache.cxf.ws.security.sts.provider.model.UseKeyType;
+import org.apache.cxf.ws.security.sts.provider.model.secext.KeyIdentifierType;
+import org.apache.cxf.ws.security.sts.provider.model.secext.SecurityTokenReferenceType;
+import org.apache.cxf.ws.security.sts.provider.model.xmldsig.KeyInfoType;
+import org.apache.cxf.ws.security.sts.provider.model.xmldsig.X509DataType;
+import org.apache.cxf.ws.security.sts.provider.operation.IssueOperation;
+import org.apache.xml.security.utils.Constants;
+import org.opensaml.common.xml.SAMLConstants;
+
+import demo.sts.provider.cert.CertificateVerifier;
+import demo.sts.provider.cert.CertificateVerifierConfig;
+
+public class SAMLTokenIssueOperation implements IssueOperation {
+
+    private static final org.apache.cxf.ws.security.sts.provider.model.ObjectFactory WS_TRUST_FACTORY 
+        = new org.apache.cxf.ws.security.sts.provider.model.ObjectFactory();
+    private static final org.apache.cxf.ws.security.sts.provider.model.secext.ObjectFactory WSSE_FACTORY 
+        = new org.apache.cxf.ws.security.sts.provider.model.secext.ObjectFactory();
+
+    private static final String SIGN_FACTORY_TYPE = "DOM";
+    private static final String JKS_INSTANCE = "JKS";
+    private static final String X_509 = "X.509";
+
+    private static final QName QNAME_WST_TOKEN_TYPE = WS_TRUST_FACTORY
+            .createTokenType("").getName();
+
+    private List<TokenProvider> tokenProviders;
+    private CertificateVerifierConfig certificateVerifierConfig;
+
+
+    public void setTokenProviders(List<TokenProvider> tokenProviders) {
+        this.tokenProviders = tokenProviders;
+    }
+
+    public void setCertificateVerifierConfig(
+            CertificateVerifierConfig certificateVerifierConfig) {
+        this.certificateVerifierConfig = certificateVerifierConfig;
+    }
+
+    public RequestSecurityTokenResponseCollectionType issue(
+            RequestSecurityTokenType request,
+            WebServiceContext context) {
+
+        String tokenType = SAMLConstants.SAML20_NS;
+        X509Certificate certificate = null;
+        String username = null;
+
+        // parse input arguments
+        for (Object requestObject : request.getAny()) {
+            // certificate
+            try {
+                if (certificate == null) {
+                    certificate = getCertificateFromRequest(requestObject);
+                }
+            } catch (CertificateException e) {
+                throw new STSException(
+                        "Can't extract X509 certificate from request", e);
+            }
+
+            // TokenType
+            if (requestObject instanceof JAXBElement) {
+                JAXBElement<?> jaxbElement = (JAXBElement<?>) requestObject;
+                if (QNAME_WST_TOKEN_TYPE.equals(jaxbElement.getName())) {
+                    tokenType = (String) jaxbElement.getValue();
+                }
+            }
+        }
+        if (certificate == null) {
+            if (context == null || context.getMessageContext() == null) {
+                throw new STSException("No message context found");
+            }
+            //find the username
+            MessageContext ctx = context.getMessageContext();
+            UsernameToken unt = (UsernameToken)ctx.get(SecurityToken.class.getName());
+            if (unt != null) {
+                username = unt.getName();
+            }
+        }
+
+        // check input arguments
+        if (certificate != null) { // certificate
+            try {
+                verifyCertificate(certificate);
+            } catch (Exception e) {
+                throw new STSException(
+                        "Can't verify X509 certificate from request", e);
+            }
+        }
+
+        // create token
+        TokenProvider tokenProvider = null;
+        for (TokenProvider tp : tokenProviders) {
+            if (tokenType.equals(tp.getTokenType())) {
+                tokenProvider = tp;
+                break;
+            }
+        }
+        if (tokenProvider == null) {
+            throw new STSException(
+                    "No token provider found for requested token type: "
+                            + tokenType);
+        }
+
+        Element elementToken = null;
+
+        if (certificate != null) {
+            elementToken = tokenProvider.createToken(certificate);
+        } else {
+            elementToken = tokenProvider.createToken(username);
+        }
+
+        String tokenId = tokenProvider.getTokenId(elementToken);
+        signSAML(elementToken, tokenId);
+
+        // prepare response
+        RequestSecurityTokenResponseType response = wrapAssertionToResponse(
+                tokenType, elementToken, tokenId);
+
+        RequestSecurityTokenResponseCollectionType responseCollection = WS_TRUST_FACTORY
+                .createRequestSecurityTokenResponseCollectionType();
+        responseCollection.getRequestSecurityTokenResponse().add(response);
+        return responseCollection;
+    }
+
+    private void verifyCertificate(X509Certificate certificate) throws Exception {
+        KeyStore ks = KeyStore.getInstance(JKS_INSTANCE);
+
+        ks.load(this.getClass().getResourceAsStream(
+                certificateVerifierConfig.getStorePath()),
+                certificateVerifierConfig.getStorePwd().toCharArray());
+        Set<X509Certificate> trustedRootCerts = new HashSet<X509Certificate>();
+        for (String alias : certificateVerifierConfig.getTrustCertAliases()) {
+            java.security.cert.Certificate stsCert = ks.getCertificate(alias);
+            trustedRootCerts.add((X509Certificate) stsCert);
+        }
+
+        CertificateVerifier.verifyCertificate(certificate, trustedRootCerts,
+                certificateVerifierConfig.isVerifySelfSignedCert());
+    }
+
+    private RequestSecurityTokenResponseType wrapAssertionToResponse(
+            String tokenType, Element samlAssertion, String tokenId) {
+        RequestSecurityTokenResponseType response = WS_TRUST_FACTORY
+                .createRequestSecurityTokenResponseType();
+
+        // TokenType
+        JAXBElement<String> jaxbTokenType = WS_TRUST_FACTORY
+                .createTokenType(tokenType);
+        response.getAny().add(jaxbTokenType);
+
+        // RequestedSecurityToken
+        RequestedSecurityTokenType requestedTokenType = WS_TRUST_FACTORY
+                .createRequestedSecurityTokenType();
+        JAXBElement<RequestedSecurityTokenType> requestedToken = WS_TRUST_FACTORY
+                .createRequestedSecurityToken(requestedTokenType);
+        requestedTokenType.setAny(samlAssertion);
+        response.getAny().add(requestedToken);
+
+        // RequestedAttachedReference
+        RequestedReferenceType requestedReferenceType = WS_TRUST_FACTORY
+                .createRequestedReferenceType();
+        SecurityTokenReferenceType securityTokenReferenceType = WSSE_FACTORY
+                .createSecurityTokenReferenceType();
+        KeyIdentifierType keyIdentifierType = WSSE_FACTORY
+                .createKeyIdentifierType();
+        keyIdentifierType.setValue(tokenId);
+        JAXBElement<KeyIdentifierType> keyIdentifier = WSSE_FACTORY
+                .createKeyIdentifier(keyIdentifierType);
+        securityTokenReferenceType.getAny().add(keyIdentifier);
+        requestedReferenceType
+                .setSecurityTokenReference(securityTokenReferenceType);
+
+        JAXBElement<RequestedReferenceType> requestedAttachedReference = WS_TRUST_FACTORY
+                .createRequestedAttachedReference(requestedReferenceType);
+        response.getAny().add(requestedAttachedReference);
+
+        // RequestedUnattachedReference
+        JAXBElement<RequestedReferenceType> requestedUnattachedReference = WS_TRUST_FACTORY
+                .createRequestedUnattachedReference(requestedReferenceType);
+        response.getAny().add(requestedUnattachedReference);
+
+        return response;
+    }
+
+    private X509Certificate getCertificateFromRequest(Object requestObject) throws CertificateException {
+        UseKeyType useKeyType = extractType(requestObject, UseKeyType.class);
+        byte[] x509 = null;
+        if (null != useKeyType) {
+            KeyInfoType keyInfoType = extractType(useKeyType.getAny(),
+                    KeyInfoType.class);
+            if (null != keyInfoType) {
+                for (Object keyInfoContent : keyInfoType.getContent()) {
+                    X509DataType x509DataType = extractType(keyInfoContent,
+                            X509DataType.class);
+                    if (null != x509DataType) {
+                        for (Object x509Object : x509DataType
+                                .getX509IssuerSerialOrX509SKIOrX509SubjectName()) {
+                            x509 = extractType(x509Object, byte[].class);
+                            if (null != x509) {
+                                break;
+                            }
+                        }
+                    }
+                }
+            } else {
+                Element elementNSImpl = (Element) useKeyType.getAny();
+                NodeList x509CertData = elementNSImpl.getElementsByTagNameNS(
+                       Constants.SignatureSpecNS, Constants._TAG_X509CERTIFICATE);
+                if (x509CertData != null && x509CertData.getLength() > 0) {
+                    try {
+                        x509 = Base64Utility.decode(x509CertData.item(0)
+                                                    .getTextContent());
+                    } catch (Exception e) {
+                        throw new STSException(e.getMessage(), e);
+                    }
+                }
+            }
+            if (x509 != null) {
+                CertificateFactory cf = CertificateFactory.getInstance(X_509);
+                Certificate certificate = cf
+                        .generateCertificate(new ByteArrayInputStream(x509));
+                return (X509Certificate) certificate;
+            }
+
+        }
+        return null;
+    }
+
+    private static <T> T extractType(Object param, Class<T> clazz) {
+        if (param instanceof JAXBElement) {
+            JAXBElement<?> jaxbElement = (JAXBElement<?>) param;
+            if (clazz == jaxbElement.getDeclaredType()) {
+                return clazz.cast(jaxbElement.getValue());
+            }
+        }
+        return null;
+    }
+
+
+    private void signSAML(Element assertionDocument, String tokenId) {
+
+        InputStream isKeyStore = this.getClass().getResourceAsStream(
+                certificateVerifierConfig.getStorePath());
+
+        KeyStoreInfo keyStoreInfo = new KeyStoreInfo(isKeyStore,
+                certificateVerifierConfig.getStorePwd(),
+                certificateVerifierConfig.getKeySignAlias(),
+                certificateVerifierConfig.getKeySignPwd());
+
+        signXML(assertionDocument, tokenId, keyStoreInfo);
+
+    }
+
+    private void signXML(Element target, String refId, KeyStoreInfo keyStoreInfo) {
+
+        org.apache.xml.security.Init.init();
+
+        XMLSignatureFactory signFactory = XMLSignatureFactory
+                .getInstance(SIGN_FACTORY_TYPE);
+        try {
+            DigestMethod method = signFactory.newDigestMethod(
+                    DigestMethod.SHA1, null);
+            Transform transform = signFactory.newTransform(
+                    Transform.ENVELOPED,
+                    (TransformParameterSpec) null);
+            Reference ref = signFactory.newReference('#' + refId, method,
+                    Collections.singletonList(transform), null, null);
+
+            CanonicalizationMethod canonMethod = signFactory
+                    .newCanonicalizationMethod(
+                            CanonicalizationMethod.EXCLUSIVE,
+                            (C14NMethodParameterSpec) null);
+            SignatureMethod signMethod = signFactory.newSignatureMethod(
+                    SignatureMethod.RSA_SHA1, null);
+            SignedInfo si = signFactory.newSignedInfo(canonMethod, signMethod,
+                    Collections.singletonList(ref));
+
+            KeyStore.PrivateKeyEntry keyEntry = getKeyEntry(keyStoreInfo);
+            if (keyEntry == null) {
+                throw new IllegalStateException(
+                        "Key is not found in keystore. Alias: "
+                                + keyStoreInfo.getAlias());
+            }
+
+            KeyInfo ki = getKeyInfo(signFactory, keyEntry);
+
+            DOMSignContext dsc = new DOMSignContext(keyEntry.getPrivateKey(),
+                    target);
+
+            XMLSignature signature = signFactory.newXMLSignature(si, ki);
+
+            signature.sign(dsc);
+
+        } catch (Exception e) {
+            throw new STSException("Cannot sign xml document: "
+                    + e.getMessage(), e);
+        }
+    }
+
+    private PrivateKeyEntry getKeyEntry(KeyStoreInfo keyStoreInfo) throws Exception {
+
+        KeyStore ks = KeyStore.getInstance(JKS_INSTANCE);
+        ByteArrayInputStream is = new ByteArrayInputStream(
+                keyStoreInfo.getContent());
+        ks.load(is, keyStoreInfo.getStorePassword().toCharArray());
+        KeyStore.PasswordProtection passwordProtection = new KeyStore.PasswordProtection(
+                keyStoreInfo.getKeyPassword().toCharArray());
+        KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry) ks
+                .getEntry(keyStoreInfo.getAlias(), passwordProtection);
+        return keyEntry;
+    }
+
+    private KeyInfo getKeyInfo(XMLSignatureFactory signFactory,
+            PrivateKeyEntry keyEntry) {
+
+        X509Certificate cert = (X509Certificate) keyEntry.getCertificate();
+
+        KeyInfoFactory kif = signFactory.getKeyInfoFactory();
+        List<Object> x509Content = new ArrayList<Object>();
+        x509Content.add(cert.getSubjectX500Principal().getName());
+        x509Content.add(cert);
+        X509Data xd = kif.newX509Data(x509Content);
+        return kif.newKeyInfo(Collections.singletonList(xd));
+    }
+
+    public class KeyStoreInfo {
+
+        private byte[] content;
+        private String storePassword;
+        private String alias;
+        private String keyPassword;
+
+        public KeyStoreInfo(InputStream is, String storePassword, String alias,
+                String keyPassword) {
+            this.content = getBytes(is);
+            this.alias = alias;
+            this.storePassword = storePassword;
+            this.keyPassword = keyPassword;
+        }
+
+        public byte[] getContent() {
+            return content;
+        }
+
+        public String getAlias() {
+            return alias;
+        }
+
+        public String getStorePassword() {
+            return storePassword;
+        }
+
+        public String getKeyPassword() {
+            return keyPassword;
+        }
+
+        private byte[] getBytes(InputStream is) {
+            try {
+                int len;
+                int size = 1024;
+                byte[] buf;
+
+                ByteArrayOutputStream bos = new ByteArrayOutputStream();
+                buf = new byte[size];
+                while ((len = is.read(buf, 0, size)) != -1) {
+                    bos.write(buf, 0, len);
+                }
+                buf = bos.toByteArray();
+                return buf;
+            } catch (IOException e) {
+                throw new IllegalStateException(
+                        "Cannot read keystore content: " + e.getMessage(), e);
+            }
+        }
+
+    }
+}
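Review bot: In `issue()` a request that carries neither a UseKey certificate nor a UsernameToken leaves `username` null and still reaches `tokenProvider.createToken(username)`, so the STS signs and returns an assertion for an identity it never authenticated unless the TokenProvider itself happens to reject null, which is not visible here. The `ctx.get(SecurityToken.class.getName())` result is also cast to `UsernameToken` unchecked, so any other token type in the message context surfaces as a ClassCastException instead of a clear fault; I would write `Object tok = ctx.get(SecurityToken.class.getName());` followed by `if (!(tok instanceof UsernameToken)) { throw new STSException("No X509 certificate or UsernameToken found in request"); }` and then `username = ((UsernameToken) tok).getName();`. Separately, the certificate path binds the issued assertion to whatever certificate the client places in UseKey after only a trust-chain check, and nothing here ties that certificate to the key that signed the request, so proof of possession must come from the WS-SecurityPolicy or be checked explicitly. The signature is built with `DigestMethod.SHA1` and `SignatureMethod.RSA_SHA1`; a sample that people copy should use the SHA-256 variants.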

Propchange: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/token/SAMLTokenIssueOperation.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/distribution/src/main/release/samples/sts_issue_operation/src/main/java/demo/sts/provider/token/SAMLTokenIssueOperation.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date


