From gma...@apache.org
Subject svn commit: r1089952 - in /cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https: ./ bin/ certs/ src/main/java/jaxrs/client/ src/main/resources/
Date Thu, 07 Apr 2011 19:34:56 GMT
Author: gmazza
Date: Thu Apr  7 19:34:55 2011
New Revision: 1089952

URL: http://svn.apache.org/viewvc?rev=1089952&view=rev
Log:
simplified key names and handling

Added:
    cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/clientKeystore.jks
  (with props)
    cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/commonTruststore.jks
  (with props)
    cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/gencerts.sh 
 (with props)
    cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/serverKeystore.jks
  (with props)
    cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ClientConfig.xml
Removed:
    cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/bin/
    cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/cherry.jks
    cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/truststore.jks
    cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/wibble.jks
Modified:
    cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/README.txt
    cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/pom.xml
    cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/java/jaxrs/client/Client.java
    cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ServerConfig.xml

Modified: cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/README.txt
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/README.txt?rev=1089952&r1=1089951&r2=1089952&view=diff
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/README.txt (original)
+++ cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/README.txt Thu Apr
 7 19:34:55 2011
@@ -52,7 +52,7 @@ Using either UNIX or Windows:
   mvn -Pclient  (from a second command line window)
     
 
-To remove the target dir, run mvn clean".
+To remove the target dir, run "mvn clean".
 
 
 
@@ -60,9 +60,9 @@ To remove the target dir, run mvn clean"
 Certificates
 ------------
 
-If the certificates are expired for some reason, a shell script in 
-bin/gencerts.sh will generate the set of certificates needed for
-this sample. Just do the following:
+If the certificates are expired or unusable for some reason, a shell 
+script in the certs folder will generate a new set of certificates 
+needed for this sample. Just do the following:
 
-        cd certs
-        sh ../bin/gencerts.sh
+  cd certs
+  sh gencerts.sh

Added: cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/clientKeystore.jks
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/clientKeystore.jks?rev=1089952&view=auto
==============================================================================
Binary file - no diff available.

Propchange: cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/clientKeystore.jks
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/commonTruststore.jks
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/commonTruststore.jks?rev=1089952&view=auto
==============================================================================
Binary file - no diff available.

Propchange: cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/commonTruststore.jks
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/gencerts.sh
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/gencerts.sh?rev=1089952&view=auto
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/gencerts.sh (added)
+++ cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/gencerts.sh Thu
Apr  7 19:34:55 2011
@@ -0,0 +1,166 @@
+#!/bin/sh
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+#
+#
+# This file uses openssl and keytool to generate 2 chains of 3 certificates 
+# CN=Wibble (client)            CN=Cherry (service)
+#             CN=TheRA
+#             CN=TheCA
+# and generates a CRL to revoke the "CN=TheRA" certificate.
+#
+# These keys are not for production use (they're not signed by a reputable
+# 3rd-party CA), for testing/code samples only.
+#
+# This file also serves as a specification on what needs to be done to
+# get the underlying CXF to work correctly.
+# For the most part, you need to use only JKS (Java Key Store) formatted
+# keystores and truststores.
+
+
+# Initialize the default openssl DataBase.
+# According to a default /usr/lib/ssl/openssl.cnf file it is ./demoCA
+# Depending on the Openssl version, comment out "crlnumber" in config file.
+# We echo 1345 to start the certificate serial number counter.
+
+    rm -rf demoCA
+    mkdir -p demoCA/newcerts
+    cp /dev/null demoCA/index.txt
+    echo "1345" > demoCA/serial
+
+# This file makes sure that the certificate for CN=TheRA can be a Certificate
+# Authority, i.e. can sign the user certificates, e.g. "CN=Wibble".
+
+cat <<EOF > exts
+[x509_extensions]
+basicConstraints=CA:TRUE
+EOF
+
+# Create the CA's keypair and self-signed certificate
+#   -x509 means create self-sign cert
+#   -keyout means generate keypair
+#   -nodes means do not encrypt private key.
+#   -set_serial sets the serial number of the certificate
+
+    openssl req -verbose -x509 -new -nodes -set_serial 1234 \
+    -subj "/CN=TheCA/OU=NOT FOR PRODUCTION/O=Apache/ST=NY/C=US" \
+    -days 7300 -out cacert.pem -keyout caprivkey.pem 
+
+# Create the RA's keypair and Certificate Request
+#    without -x509, we generate an x509 cert request.
+#   -keyout means generate keypair
+#   -nodes means do not encrypt private key.
+
+    openssl req -verbose -new -nodes \
+    -subj "/CN=TheRA/OU=NOT FOR PRODUCTION/O=Apache/ST=NY/C=US" \
+    -days 7300 -out csrra.pem -keyout raprivkey.pem 
+
+# Have the CN=TheCA issue a certificate for the CN=TheRA
+# We need -extfile exts -extenstions x509_extensions to make sure 
+# CN=TheRA can be a Certificate Authority.
+
+    openssl ca -batch -days 7300 -cert cacert.pem -keyfile caprivkey.pem \
+    -in csrra.pem -out ra-ca-cert.pem -extfile exts -extensions x509_extensions
+
+# Create keypairs and Cert Request for a certificate for CN=Wibble and CN=Cherry
+# This procedure must be done in JKS, because we need to use a JKS keystore.
+# The current version of CXF using PCKS12 will not work for a number of 
+# internal CXF reasons.
+
+    rm -f clientKeystore.jks
+
+    keytool -genkey \
+    -dname "CN=Wibble, OU=NOT FOR PRODUCTION, O=Apache, ST=NY, C=US" \
+    -keystore clientKeystore.jks -storetype jks -storepass password -keypass password
+
+    keytool -certreq -keystore clientKeystore.jks -storetype jks -storepass password \
+    -keypass password -file csrwibble.pem
+
+
+    rm -f serverKeystore.jks
+
+    keytool -genkey \
+    -dname "CN=Cherry, OU=NOT FOR PRODUCTION, O=Apache, ST=NY, C=US" \
+    -keystore serverKeystore.jks -storetype jks -storepass password -keypass password
+
+    keytool -certreq -keystore serverKeystore.jks -storetype jks -storepass password \
+    -keypass password -file csrcherry.pem
+
+
+# Have the CN=TheRA issue a certificate for CN=Wibble and CN=Cherry via
+# their Certificate Requests.
+
+   openssl ca -batch -days 7300 -cert ra-ca-cert.pem -keyfile raprivkey.pem \
+   -in csrwibble.pem -out wibble-ra-cert.pem 
+   
+   openssl ca -batch -days 7300 -cert ra-ca-cert.pem -keyfile raprivkey.pem \
+   -in csrcherry.pem -out cherry-ra-cert.pem
+
+
+# Rewrite the certificates in PEM only format. This allows us to concatenate
+# them into chains.
+
+    openssl x509 -in cacert.pem -out cacert.pem -outform PEM
+    openssl x509 -in ra-ca-cert.pem -out ra-ca-cert.pem -outform PEM
+    openssl x509 -in wibble-ra-cert.pem -out wibble-ra-cert.pem -outform PEM
+    openssl x509 -in cherry-ra-cert.pem -out cherry-ra-cert.pem -outform PEM
+
+# Create a chain readable by CertificateFactory.getCertificates.
+
+    cat wibble-ra-cert.pem ra-ca-cert.pem cacert.pem > wibble.chain
+    cat cherry-ra-cert.pem ra-ca-cert.pem cacert.pem > cherry.chain
+
+# Replace the certificate in the Wibble keystore with their respective
+# full chains.
+
+    keytool -import -file wibble.chain -keystore clientKeystore.jks -storetype jks \
+    -storepass password -keypass password -noprompt
+
+    keytool -import -file cherry.chain -keystore serverKeystore.jks -storetype jks \
+    -storepass password -keypass password -noprompt
+
+# Revoke the CN=TheRA certificate (happens in the Openssl DB)
+
+    openssl ca -verbose -cert cacert.pem -keyfile caprivkey.pem \
+    -revoke ra-ca-cert.pem -crl_reason keyCompromise 
+
+# Create the CRL from that revocation (from the Openssl DB)
+
+    openssl ca -verbose -gencrl -out ca.crl -cert cacert.pem \
+    -keyfile caprivkey.pem
+
+# Create the Truststore file containing the CA cert.
+
+    rm -f commonTruststore.jks
+    
+    keytool -import -file cacert.pem -alias TheCA -keystore commonTruststore.jks \
+    -storepass password -noprompt
+
+# Uncomment to see what's in the Keystores and CRL
+
+    keytool -v -list -keystore clientKeystore.jks -storepass password
+    
+    keytool -v -list -keystore serverKeystore.jks -storepass password
+    
+    keytool -v -list -keystore commonTruststore.jks -storepass password
+    
+    openssl crl -in ca.crl -text -noout
+
+# Get rid of everything but wibble.chain and ra.crl
+#rm -rf *.pem exts demoCA *pk12
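Review bot: The two `keytool -genkey` calls that create the client and server keys pass no `-keyalg` or `-keysize`, so the key type depends on the JDK's default (historically DSA) and the cipher suites the sample can negotiate will differ from one JDK to another; pin it with `-keyalg RSA -keysize 2048` on both calls. The comment above the four `keytool -v -list` / `openssl crl -text` commands says "Uncomment to see what's in the Keystores and CRL" but those commands are live, and the closing comment names `ra.crl` while the script writes `ca.crl`. Because the final `rm -rf` stays commented out, `caprivkey.pem`, `raprivkey.pem` and the `demoCA/` database remain in the certs folder after a run; either enable that cleanup or say in the comment that the issuing keys are kept on purpose.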

Propchange: cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/gencerts.sh
------------------------------------------------------------------------------
    svn:executable = *

Added: cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/serverKeystore.jks
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/serverKeystore.jks?rev=1089952&view=auto
==============================================================================
Binary file - no diff available.

Propchange: cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/serverKeystore.jks
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Modified: cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/pom.xml?rev=1089952&r1=1089951&r2=1089952&view=diff
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/pom.xml (original)
+++ cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/pom.xml Thu Apr  7
19:34:55 2011
@@ -86,10 +86,6 @@
                                 </goals>
                                 <configuration>
                                     <mainClass>demo.jaxrs.client.Client</mainClass>
-                                    <arguments>
-                                        <argument>${basedir}/certs/wibble.jks</argument>
-                                        <argument>${basedir}/certs/truststore.jks</argument>
-                                    </arguments>
                                 </configuration>
                             </execution>
                         </executions>

Modified: cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/java/jaxrs/client/Client.java
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/java/jaxrs/client/Client.java?rev=1089952&r1=1089951&r2=1089952&view=diff
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/java/jaxrs/client/Client.java
(original)
+++ cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/java/jaxrs/client/Client.java
Thu Apr  7 19:34:55 2011
@@ -32,27 +32,29 @@ import org.apache.commons.httpclient.pro
 
 public final class Client {
 
+    private static final String CLIENT_CONFIG_FILE = "ClientConfig.xml";
+
     private Client() {
     }
 
     public static void main(String args[]) throws Exception {
-        File wibble = new File(args[0]);
-        File truststore = new File(args[1]);
+       
+        File clientKeystore = new File("certs/clientKeystore.jks");
+        File truststore = new File("certs/commonTruststore.jks");
 
+        // Send HTTP GET request to query customer info - using portable HttpClient method
         Protocol authhttps = new Protocol("https",
-                new AuthSSLProtocolSocketFactory(wibble.toURL(), "password",
-                truststore.toURL(), "password"),
+                new AuthSSLProtocolSocketFactory(clientKeystore.toURI().toURL(), "password",
+                truststore.toURI().toURL(), "password"),
                 9000);
         Protocol.registerProtocol("https", authhttps);
 
-        // Sent HTTP GET request to query customer info
         System.out.println("Sent HTTPS GET request to query customer info");
         HttpClient httpclient = new HttpClient();
         GetMethod httpget = new GetMethod("https://localhost:9000/customerservice/customers/123");
         httpget.addRequestHeader("Accept" , "text/xml");
         
-        // If Basic Authentication required (not needed in this sample) could 
-        // do so via the following:
+        // If Basic Authentication required (not needed in this sample) could use: 
         /*
         String authorizationHeader = "Basic " 
            + org.apache.cxf.common.util.Base64Utility.encode("username:password".getBytes());
@@ -65,10 +67,9 @@ public final class Client {
             httpget.releaseConnection();
         }
 
-        // Sent HTTP PUT request to update customer info
+        // Send HTTP PUT request to update customer info
         System.out.println("\n");
         System.out.println("Sent HTTPS PUT request to update customer info");
-        Client client = new Client();
         String inputFile = Client.class.getClassLoader().getResource("update_customer.xml").getFile();
         File input = new File(inputFile);
         PutMethod put = new PutMethod("https://localhost:9000/customerservice/customers");
@@ -84,7 +85,7 @@ public final class Client {
             put.releaseConnection();
         }
 
-        // Sent HTTP POST request to add customer
+        // Send HTTP POST request to add customer
         System.out.println("\n");
         System.out.println("Sent HTTPS POST request to add customer");
         inputFile = Client.class.getClassLoader().getResource("add_customer.xml").getFile();
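Review bot: The keystore and truststore paths are now hard-coded as `certs/clientKeystore.jks` and `certs/commonTruststore.jks` relative to the working directory, replacing the `${basedir}`-based arguments the pom used to pass, so the client only finds them when run from the sample's root directory (the `mvn -Pclient` case) and presumably fails when `AuthSSLProtocolSocketFactory` opens those URLs from anywhere else. A fallback to the still-declared `args` keeps both ways working: `File clientKeystore = new File(args.length > 0 ? args[0] : "certs/clientKeystore.jks");` and `File truststore = new File(args.length > 1 ? args[1] : "certs/commonTruststore.jks");`. `CLIENT_CONFIG_FILE` is added but not referenced anywhere in the visible hunks; if nothing outside them uses it, drop it or add a comment naming what is expected to load it. The body of `main` continues past the hunk.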

Added: cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ClientConfig.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ClientConfig.xml?rev=1089952&view=auto
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ClientConfig.xml
(added)
+++ cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ClientConfig.xml
Thu Apr  7 19:34:55 2011
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns:http="http://cxf.apache.org/transports/http/configuration"
+       xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
+       xmlns:sec="http://cxf.apache.org/configuration/security"
+       xsi:schemaLocation="
+        http://www.springframework.org/schema/beans                 http://www.springframework.org/schema/beans/spring-beans.xsd
+        http://cxf.apache.org/transports/http/configuration         http://cxf.apache.org/schemas/configuration/http-conf.xsd
+        http://cxf.apache.org/transports/http-jetty/configuration   http://cxf.apache.org/schemas/configuration/http-jetty.xsd
+        http://cxf.apache.org/configuration/security                http://cxf.apache.org/schemas/configuration/security.xsd
+        ">
+   <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+
+    <!-- -->
+    <!-- HTTP/S configuration for proxy & web clients -->
+    <!-- -->
+    <http:conduit name="https://localhost:.*/customerservice/.*">
+        <http:client ConnectionTimeout="3000000" ReceiveTimeout="3000000"/>
+        <http:tlsClientParameters disableCNCheck="true">
+            <sec:keyManagers keyPassword="password">
+              <sec:keyStore type="JKS" password="password" 
+                   file="certs/clientKeystore.jks"/>
+              </sec:keyManagers>
+           <sec:trustManagers>
+              <sec:keyStore type="JKS" password="password"
+                  file="certs/commonTruststore.jks"/>
+           </sec:trustManagers>
+        </http:tlsClientParameters>
+    </http:conduit>
+
+</beans>
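Review bot: `disableCNCheck="true"` on `http:tlsClientParameters` turns off hostname verification for every conduit matching `https://localhost:.*/customerservice/.*`, and nothing in the file says why; add a comment next to it, e.g. `<!-- sample only: the generated server certificate is CN=Cherry, not localhost, so hostname verification is disabled here -->`. Whether this file is loaded at all is not visible in this commit: Client.java builds its TLS setup through AuthSSLProtocolSocketFactory and only declares CLIENT_CONFIG_FILE without using it in the hunks shown. The `httpj` namespace is declared but unused in this client-side file, and the closing `</sec:keyManagers>` and the `<sec:trustManagers>` block are indented inconsistently with their siblings.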

Modified: cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ServerConfig.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ServerConfig.xml?rev=1089952&r1=1089951&r2=1089952&view=diff
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ServerConfig.xml
(original)
+++ cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ServerConfig.xml
Thu Apr  7 19:34:55 2011
@@ -41,11 +41,11 @@
     <httpj:tlsServerParameters>
       <sec:keyManagers keyPassword="password">
            <sec:keyStore type="JKS" password="password" 
-                file="certs/cherry.jks"/>
+                file="certs/serverKeystore.jks"/>
       </sec:keyManagers>
       <sec:trustManagers>
           <sec:keyStore type="JKS" password="password"
-               file="certs/truststore.jks"/>
+               file="certs/commonTruststore.jks"/>
       </sec:trustManagers>
       <sec:cipherSuitesFilter>
         <!-- these filters ensure that a ciphersuite with


