From ff...@apache.org
Subject svn commit: r1305775 - in /cxf/trunk: api/src/main/java/org/apache/cxf/configuration/jsse/ api/src/main/resources/schemas/configuration/ rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/ rt/transports/http/src/main/java/org/a...
Date Tue, 27 Mar 2012 08:30:32 GMT
Author: ffang
Date: Tue Mar 27 08:30:32 2012
New Revision: 1305775

URL: http://svn.apache.org/viewvc?rev=1305775&view=rev
Log:
[CXF-4204]CXF https transport should support to specify the cert alias name

Added:
    cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/AliasedX509ExtendedKeyManager.java
Modified:
    cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterBase.java
    cxf/trunk/api/src/main/resources/schemas/configuration/security.xsd
    cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java
    cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/JettySslConnectorFactory.java
    cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
    cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSServerParametersConfig.java
    cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
    cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http/resources/jaxws-server.xml

Modified: cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterBase.java
URL: http://svn.apache.org/viewvc/cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterBase.java?rev=1305775&r1=1305774&r2=1305775&view=diff
==============================================================================
--- cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterBase.java (original)
+++ cxf/trunk/api/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterBase.java Tue
Mar 27 08:30:32 2012
@@ -41,7 +41,7 @@ public class TLSParameterBase {
     private CertificateConstraintsType certConstraints;
     private SecureRandom    secureRandom;
     private String          protocol;
-    
+    private String          certAlias;
     /**
      * Set the JSSE provider. If not set,
      * it uses system default.
@@ -164,4 +164,19 @@ public class TLSParameterBase {
     public String getSecureSocketProtocol() {
         return protocol;
     }
+    
+    /**
+     * This parameter configures the cert alias used on server side
+     * this is useful when keystore has multiple certs
+     */
+    public final void setCertAlias(String ctAlias) {
+        certAlias = ctAlias;
+    }
+    
+    /**
+     * This parameter retrieves the cert alias specified on server side
+     */
+    public String getCertAlias() {
+        return certAlias;
+    }
 }
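Review bot: The Javadoc on `setCertAlias` and `getCertAlias` describes the alias as a server-side setting, but this same commit reads it for client parameters in TLSClientParametersConfig and HttpsURLConnectionFactory, so the doc will mislead the next reader. Suggest `/** Sets the alias of the key-store entry whose private key and certificate chain are presented during the TLS handshake. Applies to both server and client parameters; only needed when the key store holds more than one key entry. */` and a matching one-line summary on the getter. `setCertAlias` is also declared `final` while `getCertAlias` and the neighbouring `getSecureSocketProtocol` are not; pick one convention for the pair.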

Modified: cxf/trunk/api/src/main/resources/schemas/configuration/security.xsd
URL: http://svn.apache.org/viewvc/cxf/trunk/api/src/main/resources/schemas/configuration/security.xsd?rev=1305775&r1=1305774&r2=1305775&view=diff
==============================================================================
--- cxf/trunk/api/src/main/resources/schemas/configuration/security.xsd (original)
+++ cxf/trunk/api/src/main/resources/schemas/configuration/security.xsd Tue Mar 27 08:30:32
2012
@@ -426,6 +426,13 @@
                 </xs:documentation>
               </xs:annotation>
            </xs:element>
+           <xs:element name="certAlias" type="xs:string" minOccurs="0">
+              <xs:annotation>
+                <xs:documentation>
+                This element contains the Certificate Alias.
+                </xs:documentation>
+              </xs:annotation>
+           </xs:element>
         </xs:all>
            <xs:attribute name="useHttpsURLConnectionDefaultSslSocketFactory" type="pt:ParameterizedBoolean"
default="false">
              <xs:annotation>
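Review bot: The `certAlias` documentation says only that the element "contains the Certificate Alias", which does not tell a user what the value is matched against or when it is needed; the same text is repeated in the second hunk of this file. Suggest `This element contains the alias of the key entry, within the key store configured under keyManagers, whose private key and certificate chain are presented during the TLS handshake. It is only needed when that key store holds more than one key entry.` for both occurrences.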
@@ -536,6 +543,13 @@
                 </xs:documentation>
               </xs:annotation>
            </xs:element>
+           <xs:element name="certAlias" type="xs:string" minOccurs="0">
+              <xs:annotation>
+                <xs:documentation>
+                This element contains the Certificate Alias.
+                </xs:documentation>
+              </xs:annotation>
+           </xs:element>
         </xs:all>
            <xs:attribute name="jsseProvider"          type="xs:string">
               <xs:annotation>

Modified: cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java?rev=1305775&r1=1305774&r2=1305775&view=diff
==============================================================================
--- cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java
(original)
+++ cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/CXFJettySslSocketConnector.java
Tue Mar 27 08:30:32 2012
@@ -26,11 +26,13 @@ import java.util.logging.Logger;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509KeyManager;
 
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.ReflectionInvokationHandler;
 import org.apache.cxf.configuration.security.ClientAuthentication;
 import org.apache.cxf.configuration.security.FiltersType;
+import org.apache.cxf.transport.https.AliasedX509ExtendedKeyManager;
 import org.apache.cxf.transport.https.SSLUtils;
 import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
 
@@ -47,7 +49,7 @@ public class CXFJettySslSocketConnector 
     protected SecureRandom   secureRandom;
     protected List<String>   cipherSuites;
     protected FiltersType    cipherSuitesFilter;
-    
+       
     /**
      * Set the cipherSuites
      */
@@ -83,6 +85,7 @@ public class CXFJettySslSocketConnector 
         secureRandom = random;
     }
     
+    
     /**
      * Set the ClientAuthentication (from the JAXB type) that
      * configures an HTTP Destination.
@@ -114,6 +117,9 @@ public class CXFJettySslSocketConnector 
             ? SSLContext.getInstance(proto)
                 : SSLContext.getInstance(proto, getCxfSslContextFactory().getProvider());
             
+        if (getCxfSslContextFactory().getCertAlias() != null) {
+            getKeyManagersWithCertAlias();
+        }
         context.init(keyManagers, trustManagers, secureRandom);
 
         String[] cs = 
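Review bot: `getCxfSslContextFactory()` is resolved reflectively on every call (the `getMethod("getSslContextFactory").invoke` in the next hunk), and the new code calls it twice here and up to three more times inside getKeyManagersWithCertAlias, while the null check added here is repeated inside that method. Hoisting the value once, `String certAlias = getCxfSslContextFactory().getCertAlias();` followed by `if (certAlias != null) { getKeyManagersWithCertAlias(); }`, and dropping the inner re-check leaves one reflective lookup per context creation. The enclosing method starts before this hunk.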
@@ -128,6 +134,17 @@ public class CXFJettySslSocketConnector 
         return context;
     }
     
+    protected void getKeyManagersWithCertAlias() throws Exception {
+        if (getCxfSslContextFactory().getCertAlias() != null) {
+            for (int idx = 0; idx < keyManagers.length; idx++) {
+                if (keyManagers[idx] instanceof X509KeyManager) {
+                    keyManagers[idx] = new AliasedX509ExtendedKeyManager(
+                        getCxfSslContextFactory().getCertAlias(), (X509KeyManager)keyManagers[idx]);
+                }
+            }
+        }
+    }
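Review bot: `getKeyManagersWithCertAlias` dereferences `keyManagers.length` without a null check, yet `context.init` in the previous hunk accepts a null key-manager array, so if keyManagers is left unset while certAlias is configured this now fails with a NullPointerException rather than a readable configuration error; the same pattern appears in the HttpsURLConnectionFactory hunk for `getKeyManagersWithCertAlias(tlsClientParameters, keyManagers)`. A guard such as `if (keyManagers == null) { throw new IllegalStateException("certAlias is set but no keyManagers are configured"); }` before the loop fixes both and names the misconfiguration instead of hiding it. The `get` prefix also suggests a query, while the method returns nothing and rewrites the array in place — `applyCertAlias` or similar reads more honestly.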
+    
     public CxfSslContextFactory getCxfSslContextFactory() {
         try {
             Object o = getClass().getMethod("getSslContextFactory").invoke(this);
@@ -155,6 +172,10 @@ public class CXFJettySslSocketConnector 
         void setProtocol(String secureSocketProtocol);
 
         void setProvider(String jsseProvider);
+        
+        void setCertAlias(String certAlias);
+        
+        String getCertAlias();
     }
     
 }

Modified: cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/JettySslConnectorFactory.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/JettySslConnectorFactory.java?rev=1305775&r1=1305774&r2=1305775&view=diff
==============================================================================
--- cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/JettySslConnectorFactory.java
(original)
+++ cxf/trunk/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/https_jetty/JettySslConnectorFactory.java
Tue Mar 27 08:30:32 2012
@@ -87,6 +87,7 @@ public final class JettySslConnectorFact
         con.getCxfSslContextFactory().setProvider(tlsServerParameters.getJsseProvider());
         con.setCipherSuites(tlsServerParameters.getCipherSuites());
         con.setCipherSuitesFilter(tlsServerParameters.getCipherSuitesFilter());
+        con.getCxfSslContextFactory().setCertAlias(tlsServerParameters.getCertAlias());
     }
 
 

Modified: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java?rev=1305775&r1=1305774&r2=1305775&view=diff
==============================================================================
--- cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
(original)
+++ cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSClientParametersConfig.java
Tue Mar 27 08:30:32 2012
@@ -116,6 +116,9 @@ public final class TLSClientParametersCo
         if (params.isSetSslCacheTimeout()) {
             ret.setSslCacheTimeout(params.getSslCacheTimeout());
         }
+        if (params.isSetCertAlias()) {
+            ret.setCertAlias(params.getCertAlias());
+        }
         return ret;
     }
     

Modified: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSServerParametersConfig.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSServerParametersConfig.java?rev=1305775&r1=1305774&r2=1305775&view=diff
==============================================================================
--- cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSServerParametersConfig.java
(original)
+++ cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/configuration/jsse/spring/TLSServerParametersConfig.java
Tue Mar 27 08:30:32 2012
@@ -69,5 +69,8 @@ public class TLSServerParametersConfig 
         if (params.isSetCertConstraints()) {
             this.setCertConstraints(params.getCertConstraints());
         }
+        if (params.isSetCertAlias()) {
+            this.setCertAlias(params.getCertAlias());
+        }
     }
 }

Added: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/AliasedX509ExtendedKeyManager.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/AliasedX509ExtendedKeyManager.java?rev=1305775&view=auto
==============================================================================
--- cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/AliasedX509ExtendedKeyManager.java
(added)
+++ cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/AliasedX509ExtendedKeyManager.java
Tue Mar 27 08:30:32 2012
@@ -0,0 +1,121 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.transport.https;
+
+import java.net.Socket;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.X509ExtendedKeyManager;
+import javax.net.ssl.X509KeyManager;
+
+/* ------------------------------------------------------------ */
+/**
+ * KeyManager to select a key with desired alias while delegating processing to specified
KeyManager Can be
+ * used both with server and client sockets
+ */
+public class AliasedX509ExtendedKeyManager extends X509ExtendedKeyManager {
+    private String keyAlias;
+    private X509KeyManager keyManager;
+
+    /* ------------------------------------------------------------ */
+    /**
+     * Construct KeyManager instance
+     * 
+     * @param keyAlias Alias of the key to be selected
+     * @param keyManager Instance of KeyManager to be wrapped
+     * @throws Exception
+     */
+    public AliasedX509ExtendedKeyManager(String keyAlias, X509KeyManager keyManager) throws
Exception {
+        this.keyAlias = keyAlias;
+        this.keyManager = keyManager;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see javax.net.ssl.X509KeyManager#chooseClientAlias(java.lang.String[], java.security.Principal[],
+     *      java.net.Socket)
+     */
+    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
{
+        return keyAlias == null ? keyManager.chooseClientAlias(keyType, issuers, socket)
: keyAlias;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see javax.net.ssl.X509KeyManager#chooseServerAlias(java.lang.String, java.security.Principal[],
+     *      java.net.Socket)
+     */
+    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
+        return keyAlias == null ? keyManager.chooseServerAlias(keyType, issuers, socket)
: keyAlias;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see javax.net.ssl.X509KeyManager#getClientAliases(java.lang.String, java.security.Principal[])
+     */
+    public String[] getClientAliases(String keyType, Principal[] issuers) {
+        return keyManager.getClientAliases(keyType, issuers);
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see javax.net.ssl.X509KeyManager#getServerAliases(java.lang.String, java.security.Principal[])
+     */
+    public String[] getServerAliases(String keyType, Principal[] issuers) {
+        return keyManager.getServerAliases(keyType, issuers);
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see javax.net.ssl.X509KeyManager#getCertificateChain(java.lang.String)
+     */
+    public X509Certificate[] getCertificateChain(String alias) {
+        return keyManager.getCertificateChain(alias);
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see javax.net.ssl.X509KeyManager#getPrivateKey(java.lang.String)
+     */
+    public PrivateKey getPrivateKey(String alias) {
+        return keyManager.getPrivateKey(alias);
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see javax.net.ssl.X509ExtendedKeyManager#chooseEngineServerAlias(java.lang.String,
+     *      java.security.Principal[], javax.net.ssl.SSLEngine)
+     */
+    @Override
+    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine
engine) {
+        return keyAlias == null ? super.chooseEngineServerAlias(keyType, issuers, engine)
: keyAlias;
+    }
+
+    /* ------------------------------------------------------------ */
+    /**
+     * @see javax.net.ssl.X509ExtendedKeyManager#chooseEngineClientAlias(String[], Principal[],
SSLEngine)
+     */
+    @Override
+    public String chooseEngineClientAlias(String keyType[], Principal[] issuers, SSLEngine
engine) {
+        return keyAlias == null ? super.chooseEngineClientAlias(keyType, issuers, engine)
: keyAlias;
+    }
+}
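Review bot: `chooseEngineServerAlias` and `chooseEngineClientAlias` fall back to `super.…`, which in `X509ExtendedKeyManager` returns null, rather than to the wrapped `keyManager`, so for SSLEngine-based handshakes a null alias selects no key at all instead of delegating as the class Javadoc promises. Separately, the constructor declares `throws Exception` but cannot throw, which is what forces the `catch (Exception e)` wrapper in HttpsURLConnectionFactory, and nothing verifies that the alias names a key entry, so a typo in `certAlias` only surfaces as a failed handshake on the first connection. Suggest validating the alias in the constructor with the same `getPrivateKey` lookup the handshake will perform, dropping the unused `throws` clause (existing callers still compile), and delegating the engine variants to the wrapped manager — its engine methods when it is itself an `X509ExtendedKeyManager`, else the socket variants with a null socket.

```java
public AliasedX509ExtendedKeyManager(String keyAlias, X509KeyManager keyManager) {
    this.keyAlias = keyAlias;
    this.keyManager = keyManager;
    // Fail at configuration time rather than at the first handshake.
    if (keyAlias != null && keyManager.getPrivateKey(keyAlias) == null) {
        throw new IllegalArgumentException("No private key found for alias " + keyAlias);
    }
}

// … unchanged: chooseClientAlias, chooseServerAlias, getClientAliases, getServerAliases, getCertificateChain, getPrivateKey …

@Override
public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
    if (keyAlias != null) {
        return keyAlias;
    }
    if (keyManager instanceof X509ExtendedKeyManager) {
        return ((X509ExtendedKeyManager) keyManager).chooseEngineServerAlias(keyType, issuers, engine);
    }
    return keyManager.chooseServerAlias(keyType, issuers, null);
}

@Override
public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
    if (keyAlias != null) {
        return keyAlias;
    }
    if (keyManager instanceof X509ExtendedKeyManager) {
        return ((X509ExtendedKeyManager) keyManager).chooseEngineClientAlias(keyType, issuers, engine);
    }
    return keyManager.chooseClientAlias(keyType, issuers, null);
}
```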

Modified: cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java?rev=1305775&r1=1305774&r2=1305775&view=diff
==============================================================================
--- cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
(original)
+++ cxf/trunk/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java
Tue Mar 27 08:30:32 2012
@@ -32,13 +32,16 @@ import java.util.logging.Logger;
 
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.X509KeyManager;
 
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.ReflectionInvokationHandler;
 import org.apache.cxf.configuration.jsse.TLSClientParameters;
 
+
 /**
  * This HttpsURLConnectionFactory implements the HttpURLConnectionFactory
  * for using the given SSL Policy to configure TLS connections for "https:"
@@ -147,7 +150,11 @@ public class HttpsURLConnectionFactory {
             SSLContext ctx = provider == null ? SSLContext.getInstance(protocol) : SSLContext
                 .getInstance(protocol, provider);
             ctx.getClientSessionContext().setSessionTimeout(tlsClientParameters.getSslCacheTimeout());
-            ctx.init(tlsClientParameters.getKeyManagers(), tlsClientParameters.getTrustManagers(),
+            KeyManager[] keyManagers = tlsClientParameters.getKeyManagers();
+            if (tlsClientParameters.getCertAlias() != null) {
+                getKeyManagersWithCertAlias(tlsClientParameters, keyManagers);
+            }
+            ctx.init(keyManagers, tlsClientParameters.getTrustManagers(),
                      tlsClientParameters.getSecureRandom());
 
             // The "false" argument means opposite of exclude.
@@ -239,6 +246,22 @@ public class HttpsURLConnectionFactory {
     protected void addLogHandler(Handler handler) {
         LOG.addHandler(handler);
     }
+    
+    protected void getKeyManagersWithCertAlias(TLSClientParameters tlsClientParameters,
+                                               KeyManager[] keyManagers) throws GeneralSecurityException
{
+        if (tlsClientParameters.getCertAlias() != null) {
+            for (int idx = 0; idx < keyManagers.length; idx++) {
+                if (keyManagers[idx] instanceof X509KeyManager) {
+                    try {
+                        keyManagers[idx] = new AliasedX509ExtendedKeyManager(
+                            tlsClientParameters.getCertAlias(), (X509KeyManager)keyManagers[idx]);
+                    } catch (Exception e) {
+                        throw new GeneralSecurityException(e);
+                    }
+                }
+            }
+        }
+    }
 
 }
 

Modified: cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http/resources/jaxws-server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http/resources/jaxws-server.xml?rev=1305775&r1=1305774&r2=1305775&view=diff
==============================================================================
--- cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http/resources/jaxws-server.xml
(original)
+++ cxf/trunk/systests/transports/src/test/java/org/apache/cxf/systest/http/resources/jaxws-server.xml
Tue Mar 27 08:30:32 2012
@@ -86,6 +86,8 @@ under the License.
 	          	<sec:keyStore type="JKS" password="password"
 	               file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
 	     		</sec:trustManagers>
+                <sec:clientAuthentication want="true" required="true"/>
+                <sec:certAlias>bethal</sec:certAlias>
             </httpj:tlsServerParameters>
         </httpj:engine>
     </httpj:engine-factory>
@@ -103,7 +105,8 @@ under the License.
 	           <sec:keyStore type="JKS" password="password"
 	               file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
 	        </sec:trustManagers>
+            <sec:certAlias>morpit</sec:certAlias>
         </http:tlsClientParameters>
     </http:conduit>
 
-</beans>
\ No newline at end of file
+</beans>


