From cohei...@apache.org
Subject svn commit: r1297436 - in /cxf/trunk/services/sts: sts-core/src/main/java/org/apache/cxf/sts/request/ sts-core/src/main/java/org/apache/cxf/sts/token/provider/ sts-core/src/test/java/org/apache/cxf/sts/request/ sts-core/src/test/java/org/apache/cxf/sts...
Date Tue, 06 Mar 2012 12:11:27 GMT
Author: coheigea
Date: Tue Mar  6 12:11:26 2012
New Revision: 1297436

URL: http://svn.apache.org/viewvc?rev=1297436&view=rev
Log:
[CXF-4161] - Support processing a UseKey Element that uses a SecurityTokenReference to another
token
 - Only merging this to trunk, as it breaks backwards compatibility in the KeyRequirements
class.

Added:
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedKey.java
Modified:
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/KeyRequirements.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/RequestParser.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
    cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
    cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/request/RequestParserUnitTest.java
    cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderKeyTypeTest.java
    cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/secure_conv/SCTSAMLTokenProvider.java

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/KeyRequirements.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/KeyRequirements.java?rev=1297436&r1=1297435&r2=1297436&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/KeyRequirements.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/KeyRequirements.java
Tue Mar  6 12:11:26 2012
@@ -18,8 +18,6 @@
  */
 package org.apache.cxf.sts.request;
 
-import java.security.cert.X509Certificate;
-
 /**
  * This class contains values that have been extracted from a RequestSecurityToken corresponding
to 
  * various key and encryption requirements.
@@ -34,7 +32,7 @@ public class KeyRequirements {
     private String c14nAlgorithm;
     private String computedKeyAlgorithm;
     private String keywrapAlgorithm;
-    private X509Certificate certificate;
+    private ReceivedKey receivedKey;
     private Entropy entropy;
     
     public String getAuthenticationType() {
@@ -113,12 +111,12 @@ public class KeyRequirements {
         this.keywrapAlgorithm = keywrapAlgorithm;
     }
 
-    public X509Certificate getCertificate() {
-        return certificate;
+    public ReceivedKey getReceivedKey() {
+        return receivedKey;
     }
 
-    public void setCertificate(X509Certificate certificate) {
-        this.certificate = certificate;
+    public void setReceivedKey(ReceivedKey receivedKey) {
+        this.receivedKey = receivedKey;
     }
     
     public Entropy getEntropy() {

Added: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedKey.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedKey.java?rev=1297436&view=auto
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedKey.java
(added)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/ReceivedKey.java
Tue Mar  6 12:11:26 2012
@@ -0,0 +1,55 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.sts.request;
+
+import java.security.PublicKey;
+import java.security.cert.X509Certificate;
+
+import javax.crypto.SecretKey;
+
+/**
+ * This class represents a received Key. It can contain either an X509Certificate, PublicKey
or
+ * SecretKey object.
+ */
+public class ReceivedKey {
+    
+    private X509Certificate x509Cert;
+    private PublicKey publicKey;
+    private SecretKey secretKey;
+    
+    public X509Certificate getX509Cert() {
+        return x509Cert;
+    }
+    public void setX509Cert(X509Certificate x509Cert) {
+        this.x509Cert = x509Cert;
+    }
+    public PublicKey getPublicKey() {
+        return publicKey;
+    }
+    public void setPublicKey(PublicKey publicKey) {
+        this.publicKey = publicKey;
+    }
+    public SecretKey getSecretKey() {
+        return secretKey;
+    }
+    public void setSecretKey(SecretKey secretKey) {
+        this.secretKey = secretKey;
+    }
+    
+}
\ No newline at end of file
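Review bot: Nothing in ReceivedKey enforces the "either ... or" its Javadoc promises — all three setters can be called on the same instance, and the only consumers touched by this commit (SAMLTokenProvider, DefaultSubjectProvider) read getX509Cert() alone, so a key delivered as publicKey or secretKey is silently ignored. The contract should be spelled out on the class so the next provider author does not assume the parser populates whichever field they read: `At most one of x509Cert, publicKey and secretKey is expected to be set; consumers must null-check the form they need rather than assume the parser filled it.` Since the secretKey field carries secret material, a one-line warning against logging or serialising the object would also be appropriate in the same Javadoc.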

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/RequestParser.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/RequestParser.java?rev=1297436&r1=1297435&r2=1297436&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/RequestParser.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/request/RequestParser.java
Tue Mar  6 12:11:26 2012
@@ -91,7 +91,7 @@ public class RequestParser {
                 JAXBElement<?> jaxbElement = (JAXBElement<?>) requestObject;
                 boolean found = parseTokenRequirements(jaxbElement, tokenRequirements, wsContext);
                 if (!found) {
-                    found = parseKeyRequirements(jaxbElement, keyRequirements);
+                    found = parseKeyRequirements(jaxbElement, keyRequirements, wsContext);
                 }
                 if (!found) {
                     LOG.log(Level.WARNING, "Found a JAXB object of unknown type: " + jaxbElement.getName());
@@ -143,7 +143,7 @@ public class RequestParser {
      * Parse the Key and Encryption requirements into the KeyRequirements argument.
      */
     private static boolean parseKeyRequirements(
-        JAXBElement<?> jaxbElement, KeyRequirements keyRequirements
+        JAXBElement<?> jaxbElement, KeyRequirements keyRequirements, WebServiceContext
wsContext
     ) {
         if (QNameConstants.AUTHENTICATION_TYPE.equals(jaxbElement.getName())) {
             String authenticationType = (String)jaxbElement.getValue();
@@ -179,8 +179,8 @@ public class RequestParser {
             LOG.fine("Found KeyWrapAlgorithm: " + keywrapAlgorithm);
         } else if (QNameConstants.USE_KEY.equals(jaxbElement.getName())) {
             UseKeyType useKey = (UseKeyType)jaxbElement.getValue();
-            X509Certificate cert = parseUseKey(useKey);
-            keyRequirements.setCertificate(cert);
+            ReceivedKey receivedKey = parseUseKey(useKey, wsContext);
+            keyRequirements.setReceivedKey(receivedKey);
         } else if (QNameConstants.ENTROPY.equals(jaxbElement.getName())) {
             EntropyType entropyType = (EntropyType)jaxbElement.getValue();
             Entropy entropy = parseEntropy(entropyType);
@@ -229,16 +229,18 @@ public class RequestParser {
         } else if (QNameConstants.VALIDATE_TARGET.equals(jaxbElement.getName())) {
             ValidateTargetType validateTargetType = (ValidateTargetType)jaxbElement.getValue();
             ReceivedToken validateTarget = new ReceivedToken(validateTargetType.getAny());
-            if (isTokenReferenced(validateTarget)) {
-                validateTarget = fetchTokenFromReference(validateTarget, wsContext);
+            if (isTokenReferenced(validateTarget.getToken())) {
+                Element target = fetchTokenElementFromReference(validateTarget.getToken(),
wsContext);
+                validateTarget = new ReceivedToken(target);
             }  
             tokenRequirements.setValidateTarget(validateTarget);
             LOG.fine("Found ValidateTarget token");
         } else if (QNameConstants.CANCEL_TARGET.equals(jaxbElement.getName())) {
             CancelTargetType cancelTargetType = (CancelTargetType)jaxbElement.getValue();
             ReceivedToken cancelTarget = new ReceivedToken(cancelTargetType.getAny());
-            if (isTokenReferenced(cancelTarget)) {
-                cancelTarget = fetchTokenFromReference(cancelTarget, wsContext);
+            if (isTokenReferenced(cancelTarget.getToken())) {
+                Element target = fetchTokenElementFromReference(cancelTarget.getToken(),
wsContext);
+                cancelTarget = new ReceivedToken(target);
             }          
             tokenRequirements.setCancelTarget(cancelTarget);
             LOG.fine("Found CancelTarget token");
@@ -254,45 +256,79 @@ public class RequestParser {
     }
     
     /**
-     * Parse the UseKey structure to get a certificate
+     * Parse the UseKey structure to get a ReceivedKey containing a cert/public-key/secret-key.
      * @param useKey The UseKey object
-     * @return the X509 certificate that has been parsed
+     * @param wsContext The WebServiceContext object
+     * @return the ReceivedKey that has been parsed
      * @throws STSException
      */
-    private static X509Certificate parseUseKey(UseKeyType useKey) throws STSException {
+    private static ReceivedKey parseUseKey(
+        UseKeyType useKey, 
+        WebServiceContext wsContext
+    ) throws STSException {
         byte[] x509 = null;
-        KeyInfoType keyInfoType = extractType(useKey.getAny(), KeyInfoType.class);
-        if (null != keyInfoType) {
-            LOG.fine("Found KeyInfo UseKey type");
-            for (Object keyInfoContent : keyInfoType.getContent()) {
-                X509DataType x509DataType = extractType(keyInfoContent, X509DataType.class);
-                if (null != x509DataType) {
-                    LOG.fine("Found X509Data KeyInfo type");
-                    for (Object x509Object 
-                        : x509DataType.getX509IssuerSerialOrX509SKIOrX509SubjectName()) {
-                        x509 = extractType(x509Object, byte[].class);
-                        if (null != x509) {
-                            LOG.fine("Found X509Certificate UseKey type");
-                            break;
+        if (useKey.getAny() instanceof JAXBElement<?>) {
+            JAXBElement<?> useKeyJaxb = (JAXBElement<?>)useKey.getAny();
+            if (KeyInfoType.class == useKeyJaxb.getDeclaredType()) {
+                KeyInfoType keyInfoType = KeyInfoType.class.cast(useKeyJaxb.getValue());
+                LOG.fine("Found KeyInfo UseKey type");
+                for (Object keyInfoContent : keyInfoType.getContent()) {
+                    X509DataType x509DataType = extractType(keyInfoContent, X509DataType.class);
+                    if (null != x509DataType) {
+                        LOG.fine("Found X509Data KeyInfo type");
+                        for (Object x509Object 
+                            : x509DataType.getX509IssuerSerialOrX509SKIOrX509SubjectName())
{
+                            x509 = extractType(x509Object, byte[].class);
+                            if (null != x509) {
+                                LOG.fine("Found X509Certificate UseKey type");
+                                break;
+                            }
                         }
                     }
                 }
+            } else if (SecurityTokenReferenceType.class == useKeyJaxb.getDeclaredType())
{
+                SecurityTokenReferenceType strType = 
+                    SecurityTokenReferenceType.class.cast(useKeyJaxb.getValue());
+                Element token = fetchTokenElementFromReference(strType, wsContext);
+                try {
+                    x509 = Base64Utility.decode(token.getTextContent());
+                    LOG.fine("Found X509Certificate UseKey type via reference");
+                } catch (Exception e) {
+                    LOG.log(Level.WARNING, "", e);
+                    throw new STSException(e.getMessage(), e, STSException.INVALID_REQUEST);
+                }
             }
         } else if (useKey.getAny() instanceof Element) {
-            Element elementNSImpl = (Element) useKey.getAny();
-            NodeList x509CertData = 
-                elementNSImpl.getElementsByTagNameNS(
-                    Constants.SignatureSpecNS, Constants._TAG_X509CERTIFICATE
-                );
-            if (x509CertData != null && x509CertData.getLength() > 0) {
+            if (isTokenReferenced(useKey.getAny())) {
+                Element token = fetchTokenElementFromReference(useKey.getAny(), wsContext);
                 try {
-                    x509 = Base64Utility.decode(x509CertData.item(0).getTextContent());
-                    LOG.fine("Found X509Certificate UseKey type");
+                    x509 = Base64Utility.decode(token.getTextContent());
+                    LOG.fine("Found X509Certificate UseKey type via reference");
                 } catch (Exception e) {
                     LOG.log(Level.WARNING, "", e);
                     throw new STSException(e.getMessage(), e, STSException.INVALID_REQUEST);
                 }
+            } else {
+                Element elementNSImpl = (Element) useKey.getAny();
+                NodeList x509CertData = 
+                    elementNSImpl.getElementsByTagNameNS(
+                        Constants.SignatureSpecNS, Constants._TAG_X509CERTIFICATE
+                    );
+                if (x509CertData != null && x509CertData.getLength() > 0) {
+                    try {
+                        x509 = Base64Utility.decode(x509CertData.item(0).getTextContent());
+                        LOG.fine("Found X509Certificate UseKey type");
+                    } catch (Exception e) {
+                        LOG.log(Level.WARNING, "", e);
+                        throw new STSException(e.getMessage(), e, STSException.INVALID_REQUEST);
+                    }
+                }
             }
+        } else {
+            LOG.log(Level.WARNING, "An unknown element was received");
+            throw new STSException(
+                "An unknown element was received", STSException.BAD_REQUEST
+            );
         }
         
         if (x509 != null) {
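Review bot: Both reference branches (the JAXB SecurityTokenReferenceType case and the DOM Element case) Base64-decode whatever element the reference resolves to, without checking that it is an X509v3 BinarySecurityToken and without guarding against a null return from fetchTokenElementFromReference, whose tail lies outside this diff. A UseKey reference that resolves to the processed SecurityContextToken therefore reaches CertificateFactory with decoded garbage and fails with a confusing parse error instead of a clear rejection, and a null return would NPE before the STSException path. Resolving the token from the WSS4J results also only shows the BST was present in the header, not that the requester holds the matching private key; if proof of possession is meant to come from a signature check elsewhere, it is not visible here and deserves a comment. The two branches are byte-identical, so the check belongs in one helper (the WSConstants names below are the WSS4J 1.6 ones and should be confirmed against the version in use):

```java
// … unchanged: KeyInfo branch …
} else if (SecurityTokenReferenceType.class == useKeyJaxb.getDeclaredType()) {
    SecurityTokenReferenceType strType =
        SecurityTokenReferenceType.class.cast(useKeyJaxb.getValue());
    x509 = decodeReferencedX509(strType, wsContext);
}
// … unchanged: Element branch, with the referenced case becoming …
x509 = decodeReferencedX509(useKey.getAny(), wsContext);
// … unchanged: inline X509Certificate case, unknown-element case, certificate parsing …

/**
 * Resolve a SecurityTokenReference against the processed security header and
 * return the DER bytes of the X509v3 BinarySecurityToken it points at.
 * @throws STSException if the reference does not resolve to an X509v3 BST
 *         or its content is not valid Base64
 */
private static byte[] decodeReferencedX509(
    Object strObject, WebServiceContext wsContext
) throws STSException {
    Element token = fetchTokenElementFromReference(strObject, wsContext);
    String x509v3 = WSConstants.X509TOKEN_NS + "#X509v3";
    if (token == null
        || !WSConstants.WSSE_NS.equals(token.getNamespaceURI())
        || !WSConstants.BINARY_TOKEN_LN.equals(token.getLocalName())
        || !x509v3.equals(token.getAttribute("ValueType"))) {
        LOG.log(Level.WARNING, "UseKey reference does not resolve to an X509v3 BinarySecurityToken");
        throw new STSException(
            "Cannot retrieve token from reference", STSException.INVALID_REQUEST
        );
    }
    try {
        byte[] x509 = Base64Utility.decode(token.getTextContent());
        LOG.fine("Found X509Certificate UseKey type via reference");
        return x509;
    } catch (Exception e) {
        LOG.log(Level.WARNING, "", e);
        throw new STSException(e.getMessage(), e, STSException.INVALID_REQUEST);
    }
}
```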
@@ -301,7 +337,9 @@ public class RequestParser {
                 X509Certificate cert =
                     (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(x509));
                 LOG.fine("Successfully parsed X509 Certificate from UseKey");
-                return cert;
+                ReceivedKey receivedKey = new ReceivedKey();
+                receivedKey.setX509Cert(cert);
+                return receivedKey;
             } catch (CertificateException ex) {
                 LOG.log(Level.WARNING, "", ex);
                 throw new STSException("Error in parsing certificate: ", ex, STSException.INVALID_REQUEST);
@@ -474,8 +512,7 @@ public class RequestParser {
     /**
      * Method to check if the passed token is a SecurityTokenReference
      */
-    private static boolean isTokenReferenced(ReceivedToken token) {
-        Object targetToken = token.getToken();
+    private static boolean isTokenReferenced(Object targetToken) {
         if (targetToken instanceof Element) {
             Element tokenElement = (Element)targetToken;
             String namespace = tokenElement.getNamespaceURI();
@@ -493,12 +530,11 @@ public class RequestParser {
     /**
      * Method to fetch token from the SecurityTokenReference
      */
-    private static ReceivedToken fetchTokenFromReference(
-        ReceivedToken tokenReference, WebServiceContext wsContext
+    private static Element fetchTokenElementFromReference(
+        Object targetToken, WebServiceContext wsContext
     ) {
         // Get the reference URI
         String referenceURI = null;
-        Object targetToken = tokenReference.getToken();
         if (targetToken instanceof Element) {
             Element tokenElement = (Element) targetToken;
             NodeList refList = 
@@ -519,7 +555,14 @@ public class RequestParser {
                 }
             }
         }
+        
         LOG.fine("Reference URI found " + referenceURI);
+        if (referenceURI == null) {
+            LOG.log(Level.WARNING, "No Reference URI was received");
+            throw new STSException(
+                "An unknown element was received", STSException.BAD_REQUEST
+            );
+        }
    
         // Find processed token corresponding to the URI
         if (referenceURI.charAt(0) == '#') {
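Review bot: The new guard rejects a null referenceURI but not an empty one, and `referenceURI.charAt(0)` on the very next line throws StringIndexOutOfBoundsException for an empty string, which surfaces as an unhandled fault instead of the BAD_REQUEST the guard intends. Whether an absent or empty `URI` attribute yields "" rather than null depends on the extraction loop, which sits outside this hunk, but DOM `getAttribute` returning "" for a missing attribute makes the empty case likely. The thrown message also says "An unknown element was received" while the log line says no Reference URI was found; suggest `if (referenceURI == null || referenceURI.isEmpty())` together with `throw new STSException("No Reference URI was received", STSException.BAD_REQUEST);`. The rest of fetchTokenElementFromReference continues beyond this hunk.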
@@ -544,14 +587,14 @@ public class RequestParser {
                             "Cannot retrieve token from reference", STSException.INVALID_REQUEST
                         );
                     }
-                    return new ReceivedToken(tokenElement);
+                    return tokenElement;
                 } else if (actInt == WSConstants.SCT) {
                     // Need to check special case of SecurityContextToken Identifier separately
                     SecurityContextToken sct = 
                         (SecurityContextToken)
                             engineResult.get(WSSecurityEngineResult.TAG_SECURITY_CONTEXT_TOKEN);
                     if (referenceURI.equals(sct.getIdentifier())) {
-                        return new ReceivedToken(sct.getElement());
+                        return sct.getElement();
                     }
                 }
             }

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java?rev=1297436&r1=1297435&r2=1297436&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
Tue Mar  6 12:11:26 2012
@@ -30,6 +30,7 @@ import org.apache.cxf.common.logging.Log
 import org.apache.cxf.sts.STSConstants;
 import org.apache.cxf.sts.STSPropertiesMBean;
 import org.apache.cxf.sts.request.KeyRequirements;
+import org.apache.cxf.sts.request.ReceivedKey;
 import org.apache.cxf.sts.request.ReceivedToken;
 import org.apache.cxf.sts.request.ReceivedToken.STATE;
 import org.apache.cxf.sts.request.TokenRequirements;
@@ -132,7 +133,8 @@ public class DefaultSubjectProvider impl
                 throw new STSException(ex.getMessage(), ex);
             }
         } else if (STSConstants.PUBLIC_KEY_KEYTYPE.equals(keyType)) {
-            KeyInfoBean keyInfo = createKeyInfo(keyRequirements.getCertificate());
+            ReceivedKey receivedKey = keyRequirements.getReceivedKey();
+            KeyInfoBean keyInfo = createKeyInfo(receivedKey.getX509Cert());
             subjectBean.setKeyInfo(keyInfo);
         }
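Review bot: `receivedKey.getX509Cert()` dereferences receivedKey with no null check, whereas the line it replaces passed a possibly-null certificate straight to createKeyInfo; a PublicKey KeyType request that carries no UseKey now NPEs in any token provider that does not pre-validate the way SAMLTokenProvider does in this commit. DefaultSubjectProvider is a pluggable component, so the guard should live here rather than rely on the caller: `if (receivedKey == null || receivedKey.getX509Cert() == null) { throw new STSException("No client certificate for PublicKey KeyType", STSException.INVALID_REQUEST); }` before the createKeyInfo call. How createKeyInfo itself handles a null certificate is outside this hunk.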
         

Modified: cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java?rev=1297436&r1=1297435&r2=1297436&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java
Tue Mar  6 12:11:26 2012
@@ -473,7 +473,8 @@ public class SAMLTokenProvider implement
 
         String keyType = keyRequirements.getKeyType();
         if (STSConstants.PUBLIC_KEY_KEYTYPE.equals(keyType)) {
-            if (keyRequirements.getCertificate() == null) {
+            if (keyRequirements.getReceivedKey() == null
+                || keyRequirements.getReceivedKey().getX509Cert() == null) {
                 LOG.log(Level.WARNING, "A PublicKey Keytype is requested, but no certificate
is provided");
                 throw new STSException(
                     "No client certificate for PublicKey KeyType", STSException.INVALID_REQUEST

Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/request/RequestParserUnitTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/request/RequestParserUnitTest.java?rev=1297436&r1=1297435&r2=1297436&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/request/RequestParserUnitTest.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/request/RequestParserUnitTest.java
Tue Mar  6 12:11:26 2012
@@ -21,6 +21,7 @@ package org.apache.cxf.sts.request;
 import java.io.StringReader;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Properties;
 
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBElement;
@@ -41,6 +42,9 @@ import org.apache.cxf.sts.token.validato
 import org.apache.cxf.ws.security.sts.provider.model.RequestSecurityTokenType;
 import org.apache.ws.security.WSSecurityEngine;
 import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoFactory;
 import org.apache.ws.security.handler.RequestData;
 import org.apache.ws.security.handler.WSHandlerConstants;
 import org.apache.ws.security.handler.WSHandlerResult;
@@ -58,6 +62,35 @@ public class RequestParserUnitTest exten
         + "xmlns:wsc=\"http://schemas.xmlsoap.org/ws/2005/02/sc\" "
         + "xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"
"
         + "wsu:Id=\"sct\"><wsc:Identifier>check</wsc:Identifier></wsc:SecurityContextToken></wsse:Security>";
+    
+    private static final String SECURITY_HEADER_X509 = 
+        "<?xml version=\"1.0\" encoding=\"UTF-8\"?><wsse:Security "
+        + "xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\""
+        + " xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\""
+        + "><wsse:UsernameToken wsu:Id=\"UsernameToken-5\"><wsse:Username>alice</wsse:Username>"
+        + "<wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username"
+        + "-token-profile-1.0#PasswordText\">clarinet</wsse:Password>"
+        + "</wsse:UsernameToken><wsse:BinarySecurityToken "
+        + "xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"
"
+        + "EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0"
+        + "#Base64Binary\" " 
+        + "ValueType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
+        + "#X509v3\" " + "wsu:Id=\"x509\">"
+        + "MIIEFjCCA3+gAwIBAgIJAJORWX2Xsa8DMA0GCSqGSIb3DQEBBQUAMIG5MQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcm"
+        + "sxFjAUBgNVBAcTDU5pYWdhcmEgRmFsbHMxLDAqBgNVBAoTI1NhbXBsZSBDbGllbnQgLS0gTk9UIEZPUiBQUk9EVUNUSU9OMRYw"
+        + "FAYDVQQLEw1JVCBEZXBhcnRtZW50MRcwFQYDVQQDEw53d3cuY2xpZW50LmNvbTEgMB4GCSqGSIb3DQEJARYRY2xpZW50QGNsaW"
+        + "VudC5jb20wHhcNMTEwMjA5MTgzMDI3WhcNMjEwMjA2MTgzMDI3WjCBuTELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE5ldyBZb3Jr"
+        + "MRYwFAYDVQQHEw1OaWFnYXJhIEZhbGxzMSwwKgYDVQQKEyNTYW1wbGUgQ2xpZW50IC0tIE5PVCBGT1IgUFJPRFVDVElPTjEWMB"
+        + "QGA1UECxMNSVQgRGVwYXJ0bWVudDEXMBUGA1UEAxMOd3d3LmNsaWVudC5jb20xIDAeBgkqhkiG9w0BCQEWEWNsaWVudEBjbGll"
+        + "bnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDauFNVqi4B2+u/PC9ktDkn82bglEQYcL4o5JRUhQVEhTK2iEloz1"
+        + "Rvo/qyfDhBPc1lzIUn4ams+DKBSSjZMCgop3XbeCXzIVP784ruC8HF5QrYsXUQfTc7lzqafXZXH8Bk89gSScA1fFme6TpvYzM0"
+        + "zjBETSXADtKOs9oKB2VOIwIDAQABo4IBIjCCAR4wHQYDVR0OBBYEFFIz+0BSZlLtXkA/udRjRgphtREuMIHuBgNVHSMEgeYwge"
+        + "OAFFIz+0BSZlLtXkA/udRjRgphtREuoYG/pIG8MIG5MQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxFjAUBgNVBAcT"
+        + "DU5pYWdhcmEgRmFsbHMxLDAqBgNVBAoTI1NhbXBsZSBDbGllbnQgLS0gTk9UIEZPUiBQUk9EVUNUSU9OMRYwFAYDVQQLEw1JVC"
+        + "BEZXBhcnRtZW50MRcwFQYDVQQDEw53d3cuY2xpZW50LmNvbTEgMB4GCSqGSIb3DQEJARYRY2xpZW50QGNsaWVudC5jb22CCQCT"
+        + "kVl9l7GvAzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAEjEr9QfaYsZf7ELnqB++OkWcKxpMt1Yj/VOyL99AekkVT"
+        + "M+rRHCU9Bu+tncMNsfy8mIXUC1JqKQ+Cq5RlaDh/ujzt6i17G7uSGd6U1U/DPZBqTm3Dxwl1cMAGU/CoAKTWE+o+fS4Q2xHv7L"
+        + "1KiXQQc9EWJ4C34Ik45fB6g3DiTj</wsse:BinarySecurityToken></wsse:Security>";
 
     private static final String CANCEL_SCT_REFERENCE = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
         + "<wst:RequestSecurityToken xmlns:wst=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">"
@@ -79,6 +112,16 @@ public class RequestParserUnitTest exten
         + "<wsse:Reference URI=\"#sct\"></wsse:Reference></wsse:SecurityTokenReference>"
         + "</wst:ValidateTarget>" + "</wst:RequestSecurityToken>";
     
+    private static final String USE_KEY_X509_REFERENCE = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+        + "<wst:RequestSecurityToken xmlns:wst=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">"
+        + "<wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>"
+        + "<wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>"
+        + "<wst:UseKey>"
+        + "<wsse:SecurityTokenReference "
+        + "xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\">"
+        + "<wsse:Reference URI=\"#x509\"></wsse:Reference></wsse:SecurityTokenReference>"
+        + "</wst:UseKey>" + "</wst:RequestSecurityToken>";
+    
     /**
      * Test for fetching (and cancelling) a referenced SecurityContextToken.
      */
@@ -141,6 +184,37 @@ public class RequestParserUnitTest exten
         assertTrue(sctValidator.canHandleToken(parser.getTokenRequirements().getValidateTarget()));
     }
     
+    /**
+     * Test for fetching (and validating) a referenced BinarySecurityToken from a UseKey
Element.
+     */
+    @org.junit.Test
+    public void testUseKeyX509() throws Exception {
+        Element secHeaderElement = (Element) parseStringToElement(SECURITY_HEADER_X509).getFirstChild();
+        RequestSecurityTokenType request = createJaxbObject(USE_KEY_X509_REFERENCE);
+        RequestParser parser = new RequestParser();
+        
+        // Mock up message context
+        MessageImpl msg = new MessageImpl();
+        WrappedMessageContext msgContext = new WrappedMessageContext(msg);
+        WebServiceContextImpl wsContext = new WebServiceContextImpl(msgContext);
+        
+        // Process the security header and store the results in the message context
+        WSSecurityEngine securityEngine = new WSSecurityEngine();
+        RequestData reqData = new RequestData();
+        reqData.setSigCrypto(getCrypto());
+        reqData.setCallbackHandler(new PasswordCallbackHandler());
+        
+        List<WSSecurityEngineResult> engineResultList = 
+            securityEngine.processSecurityHeader(secHeaderElement, reqData);
+        List<WSHandlerResult> resultsList = new ArrayList<WSHandlerResult>();
+        resultsList.add(new WSHandlerResult("actor", engineResultList));
+        msgContext.put(WSHandlerConstants.RECV_RESULTS, resultsList);
+        
+        parser.parseRequest(request, wsContext);
+        
+        assertNotNull(parser.getKeyRequirements().getReceivedKey().getX509Cert());
+    }
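Review bot: testUseKeyX509 covers only the happy path — the BinarySecurityToken is merely present in the header, is not used to sign anything, and the single assertion checks that some certificate came back. A negative case would pin down the rejection behaviour the parser is expected to have: a UseKey whose reference points at the SecurityContextToken already defined in SECURITY_HEADER (`URI="#sct"`) and one pointing at an unknown id (`URI="#nosuchtoken"`), each asserting that parseRequest throws STSException rather than returning a certificate or failing with an NPE. It would also be worth asserting on the parsed certificate's subject so the test proves the right BST was resolved, not just that parsing succeeded.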
+    
     private Document parseStringToElement(String str) throws Exception {
         DocumentBuilderFactory builderFac = DocumentBuilderFactory.newInstance();
         builderFac.setNamespaceAware(true);
@@ -158,5 +232,16 @@ public class RequestParserUnitTest exten
             (JAXBElement<?>) unmarshaller.unmarshal(new InputSource(new StringReader(str)));
         return (RequestSecurityTokenType) jaxbElement.getValue();
     }
+    
+    private Crypto getCrypto() throws WSSecurityException {
+        Properties properties = new Properties();
+        properties.put(
+            "org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin"
+        );
+        properties.put("org.apache.ws.security.crypto.merlin.keystore.password", "stsspass");
+        properties.put("org.apache.ws.security.crypto.merlin.keystore.file", "stsstore.jks");
+        
+        return CryptoFactory.getInstance(properties);
+    }
 
 }

Modified: cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderKeyTypeTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderKeyTypeTest.java?rev=1297436&r1=1297435&r2=1297436&view=diff
==============================================================================
--- cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderKeyTypeTest.java
(original)
+++ cxf/trunk/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderKeyTypeTest.java
Tue Mar  6 12:11:26 2012
@@ -35,6 +35,7 @@ import org.apache.cxf.sts.StaticSTSPrope
 import org.apache.cxf.sts.common.PasswordCallbackHandler;
 import org.apache.cxf.sts.request.Entropy;
 import org.apache.cxf.sts.request.KeyRequirements;
+import org.apache.cxf.sts.request.ReceivedKey;
 import org.apache.cxf.sts.request.TokenRequirements;
 import org.apache.cxf.sts.service.EncryptionProperties;
 import org.apache.cxf.ws.security.sts.provider.STSException;
@@ -123,7 +124,9 @@ public class SAMLProviderKeyTypeTest ext
         CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
         cryptoType.setAlias("myclientkey");
         X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
-        providerParameters.getKeyRequirements().setCertificate(certs[0]);
+        ReceivedKey receivedKey = new ReceivedKey();
+        receivedKey.setX509Cert(certs[0]);
+        providerParameters.getKeyRequirements().setReceivedKey(receivedKey);
         
         TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
         assertTrue(providerResponse != null);
@@ -161,7 +164,9 @@ public class SAMLProviderKeyTypeTest ext
         CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
         cryptoType.setAlias("myclientkey");
         X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
-        providerParameters.getKeyRequirements().setCertificate(certs[0]);
+        ReceivedKey receivedKey = new ReceivedKey();
+        receivedKey.setX509Cert(certs[0]);
+        providerParameters.getKeyRequirements().setReceivedKey(receivedKey);
         
         TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
         assertTrue(providerResponse != null);

Modified: cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/secure_conv/SCTSAMLTokenProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/secure_conv/SCTSAMLTokenProvider.java?rev=1297436&r1=1297435&r2=1297436&view=diff
==============================================================================
--- cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/secure_conv/SCTSAMLTokenProvider.java
(original)
+++ cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/secure_conv/SCTSAMLTokenProvider.java
Tue Mar  6 12:11:26 2012
@@ -259,7 +259,8 @@ public class SCTSAMLTokenProvider implem
 
         String keyType = keyRequirements.getKeyType();
         if (STSConstants.PUBLIC_KEY_KEYTYPE.equals(keyType)) {
-            if (keyRequirements.getCertificate() == null) {
+            if (keyRequirements.getReceivedKey() == null
+                || keyRequirements.getReceivedKey().getX509Cert() == null) {
                 LOG.log(Level.WARNING, "A PublicKey Keytype is requested, but no certificate
is provided");
                 throw new STSException(
                     "No client certificate for PublicKey KeyType", STSException.INVALID_REQUEST


