From cohei...@apache.org
Subject svn commit: r1520542 - in /cxf/trunk/services/xkms/xkms-x509-handlers/src: main/java/org/apache/cxf/xkms/x509/repo/ main/java/org/apache/cxf/xkms/x509/repo/file/ main/java/org/apache/cxf/xkms/x509/repo/ldap/ main/java/org/apache/cxf/xkms/x509/validator...
Date Fri, 06 Sep 2013 11:12:21 GMT
Author: coheigea
Date: Fri Sep  6 11:12:21 2013
New Revision: 1520542

URL: http://svn.apache.org/r1520542
Log:
[CXF-5255] - Support revocation lists in the XKMS Service

Added:
    cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java
    cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/trustedAuthorityValidator/wss40.cer
    cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/trustedAuthorityValidator/wss40CA.cer
    cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/trustedAuthorityValidator/wss40CACRL.cer
    cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/trustedAuthorityValidator/wss40rev.cer
Modified:
    cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/CertificateRepo.java
    cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepo.java
    cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java
    cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java

Modified: cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/CertificateRepo.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/CertificateRepo.java?rev=1520542&r1=1520541&r2=1520542&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/CertificateRepo.java
(original)
+++ cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/CertificateRepo.java
Fri Sep  6 11:12:21 2013
@@ -18,6 +18,7 @@
  */
 package org.apache.cxf.xkms.x509.repo;
 
+import java.security.cert.X509CRL;
 import java.security.cert.X509Certificate;
 import java.util.List;
 
@@ -26,6 +27,7 @@ import org.apache.cxf.xkms.model.xkms.Us
 public interface CertificateRepo {
     List<X509Certificate> getTrustedCaCerts();
     List<X509Certificate> getCaCerts();
+    List<X509CRL> getCRLs();
     void saveCertificate(X509Certificate cert, UseKeyWithType key);
     X509Certificate findBySubjectDn(String dn);
     X509Certificate findByServiceName(String serviceName);
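Review bot: `getCRLs()` is added to the public `CertificateRepo` interface without Javadoc, and as a new abstract method it breaks every implementation of the interface that is not touched by this commit. The contract a caller needs is whether the list may be empty and what that means for validation, so I would add above it `/** Returns the CRLs known to this repository; an empty list means no revocation data is available and callers must decide how to treat that. */`. If the module targets Java 8 or later, a `default` implementation returning `Collections.emptyList()` would keep external implementations compiling, but the target level is not visible in this hunk.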

Modified: cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepo.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepo.java?rev=1520542&r1=1520541&r2=1520542&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepo.java
(original)
+++ cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepo.java
Fri Sep  6 11:12:21 2013
@@ -25,8 +25,10 @@ import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.math.BigInteger;
 import java.net.URISyntaxException;
+import java.security.cert.CRLException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
+import java.security.cert.X509CRL;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -45,6 +47,7 @@ public class FileCertificateRepo impleme
     private static final Logger LOG = LoggerFactory.getLogger(FileCertificateRepo.class);
     private static final String CN_PREFIX = "cn=";
     private static final String TRUSTED_CAS_PATH = "trusted_cas";
+    private static final String CRLS_PATH = "crls";
     private static final String CAS_PATH = "cas";
     private final File storageDir;
     private final CertificateFactory certFactory;
@@ -69,6 +72,27 @@ public class FileCertificateRepo impleme
     public void saveCACertificate(X509Certificate cert, UseKeyWithType id) {
         saveCategorizedCertificate(cert, id, false, true);
     }
+    
+    public void saveCRL(X509CRL crl, UseKeyWithType id) {
+        String name = crl.getIssuerX500Principal().getName();
+        try {
+            String path = convertDnForFileSystem(name) + ".cer";
+            Pattern p = Pattern.compile("[a-zA-Z_0-9-_]");
+            if (!p.matcher(path).find()) {
+                throw new URISyntaxException(path, "Input did not match [a-zA-Z_0-9-_].");
+            }
+            
+            File certFile = new File(storageDir + "/" + CRLS_PATH, path);
+            certFile.getParentFile().mkdirs();
+            FileOutputStream fos = new FileOutputStream(certFile);
+            BufferedOutputStream bos = new BufferedOutputStream(fos);
+            bos.write(crl.getEncoded());
+            bos.close();
+            fos.close();
+        } catch (Exception e) {
+            throw new RuntimeException("Error saving CRL " + name + ": " + e.getMessage(),
e);
+        }
+    }
 
     private boolean saveCategorizedCertificate(X509Certificate cert, UseKeyWithType id, boolean
isTrustedCA,
                                                boolean isCA) {
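Review bot: The file-name check in `saveCRL` cannot reject anything: `Pattern.compile("[a-zA-Z_0-9-_]")` combined with `find()` succeeds as soon as a single character of `path` matches, and `path` always ends in `.cer`, so a converted issuer DN still containing separators or `..` reaches `new File(storageDir + "/" + CRLS_PATH, path)` unchecked. Use a whole-string match, e.g. `if (!path.matches("[a-zA-Z_0-9-]+\\.cer")) {`, with the character class adjusted to what `convertDnForFileSystem` is meant to produce; if `saveCategorizedCertificate` (whose body lies outside this hunk) carries the same `find()` check, it needs the same fix. The `id` parameter is never read, so either use it or document why the CRL issuer DN is used as the file name instead. The two streams are closed only on the success path; close them in a `finally` so a failing `write` or `getEncoded` does not leak the handle.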
@@ -94,7 +118,7 @@ public class FileCertificateRepo impleme
         }
         return true;
     }
-
+    
     public String convertDnForFileSystem(String dn) {
         String result = dn.replace("=", "-");
         result = result.replace(", ", "_");
@@ -126,6 +150,7 @@ public class FileCertificateRepo impleme
             certificateFiles.addAll(Arrays.asList(storageDir.listFiles()));
             certificateFiles.addAll(Arrays.asList(new File(storageDir + "/" + TRUSTED_CAS_PATH).listFiles()));
             certificateFiles.addAll(Arrays.asList(new File(storageDir + "/" + CAS_PATH).listFiles()));
+            certificateFiles.addAll(Arrays.asList(new File(storageDir + "/" + CRLS_PATH).listFiles()));
         } catch (NullPointerException e) {
             //
         }
@@ -142,6 +167,11 @@ public class FileCertificateRepo impleme
         FileInputStream fis = new FileInputStream(certFile);
         return (X509Certificate)certFactory.generateCertificate(fis);
     }
+    
+    public X509CRL readCRL(File crlFile) throws FileNotFoundException, CRLException {
+        FileInputStream fis = new FileInputStream(crlFile);
+        return (X509CRL)certFactory.generateCRL(fis);
+    }
 
     @Override
     public List<X509Certificate> getTrustedCaCerts() {
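Review bot: `readCRL` opens a `FileInputStream` and never closes it; `CertificateFactory.generateCRL` is not documented to close the stream it is given, so every `getCRLs()` call leaks one file handle per CRL file. This mirrors `readCertificate` directly above, so the same fix applies there. Wrap the call as `try { return (X509CRL)certFactory.generateCRL(fis); } finally { fis.close(); }` (or try-with-resources if the module targets Java 7 or later).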
@@ -186,6 +216,29 @@ public class FileCertificateRepo impleme
         }
         return results;
     }
+    
+    @Override
+    public List<X509CRL> getCRLs() {
+        List<X509CRL> results = new ArrayList<X509CRL>();
+        File[] list = getX509Files();
+        for (File crlFile : list) {
+            try {
+                if (crlFile.isDirectory()) {
+                    continue;
+                }
+                if (crlFile.getParent().endsWith(CRLS_PATH)) {
+                    X509CRL crl = readCRL(crlFile);
+                    results.add(crl);
+                }
+            } catch (Exception e) {
+                LOG.warn(String.format("Cannot load CRL from file: %s. Error: %s", crlFile,
+                                       e.getMessage()));
+            }
+
+        }
+        
+        return results;
+    }
 
     @Override
     public X509Certificate findByServiceName(String serviceName) {
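Review bot: The catch in `getCRLs` builds the message with `String.format` and passes only `e.getMessage()`, so the stack trace of a malformed CRL is lost and the SLF4J placeholder mechanism the class's `LOG` supports is bypassed; `LOG.warn("Cannot load CRL from file: {}", crlFile, e);` keeps the cause. A file under `crls` that fails to parse is then silently skipped, which means a corrupt CRL degrades to "no CRL for that issuer" for the validator; if that is intended, say so in a comment on the catch, e.g. `// Unparsable CRLs are skipped; the validator treats a missing CRL as no revocation data.`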

Modified: cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java?rev=1520542&r1=1520541&r2=1520542&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java
(original)
+++ cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java
Fri Sep  6 11:12:21 2013
@@ -21,8 +21,10 @@ package org.apache.cxf.xkms.x509.repo.ld
 import java.io.ByteArrayInputStream;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
+import java.security.cert.X509CRL;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -84,6 +86,12 @@ public class LdapCertificateRepo impleme
     public List<X509Certificate> getCaCerts() {
         return getCertificatesFromLdap(rootDN, ldapConfig.getIntermediateFilter(), ldapConfig.getAttrCrtBinary());
     }
+    
+    @Override
+    public List<X509CRL> getCRLs() {
+        // TODO
+        return Collections.emptyList();
+    }
 
     private List<X509Certificate> getCertificatesFromLdap(String tmpRootDN, String
tmpFilter, String tmpAttrName) {
         try {
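Review bot: `getCRLs()` in `LdapCertificateRepo` returns an empty list under a bare `// TODO`, and the validator changed in this same commit turns revocation checking off whenever that list is empty, so LDAP-backed deployments get no revocation checking with no indication of it. At minimum the comment should state the consequence: `// TODO: CRLs are not yet read from LDAP; an empty list makes TrustedAuthorityValidator disable revocation checking.` A one-time warning through the class's `java.util.logging.Logger` (imported above) would make the gap visible to operators until the LDAP lookup is implemented.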

Modified: cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java?rev=1520542&r1=1520541&r2=1520542&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java
(original)
+++ cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java
Fri Sep  6 11:12:21 2013
@@ -28,6 +28,7 @@ import java.security.cert.CertStoreParam
 import java.security.cert.CollectionCertStoreParameters;
 import java.security.cert.PKIXBuilderParameters;
 import java.security.cert.TrustAnchor;
+import java.security.cert.X509CRL;
 import java.security.cert.X509CertSelector;
 import java.security.cert.X509Certificate;
 import java.util.HashSet;
@@ -67,13 +68,18 @@ public class TrustedAuthorityValidator i
         try {
             List<X509Certificate> intermediateCerts = certRepo.getCaCerts();
             List<X509Certificate> trustedAuthorityCerts = certRepo.getTrustedCaCerts();
+            List<X509CRL> crls = certRepo.getCRLs();
             Set<TrustAnchor> trustAnchors = asTrustAnchors(trustedAuthorityCerts);
             CertStoreParameters intermediateParams = new CollectionCertStoreParameters(intermediateCerts);
             CertStoreParameters certificateParams = new CollectionCertStoreParameters(certificates);
+            CertStoreParameters crlParams = new CollectionCertStoreParameters(crls);
             PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector);
             pkixParams.addCertStore(CertStore.getInstance("Collection", intermediateParams));
             pkixParams.addCertStore(CertStore.getInstance("Collection", certificateParams));
-            pkixParams.setRevocationEnabled(false);
+            pkixParams.addCertStore(CertStore.getInstance("Collection", crlParams));
+            if (crls.isEmpty()) {
+                pkixParams.setRevocationEnabled(false);
+            }
             CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
             builder.build(pkixParams);
         } catch (InvalidAlgorithmParameterException e) {
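Review bot: Revocation checking fails open: when `certRepo.getCRLs()` returns an empty list, `pkixParams.setRevocationEnabled(false)` silently restores the pre-commit behaviour, so a missing or unreadable CRL store (the file repository logs and skips unparsable CRLs) downgrades every validation to no revocation check. The decision should be explicit—a WARN-level log line at the point revocation is disabled and, ideally, a configuration flag so an operator can require CRLs—and the condition deserves a comment such as `// No revocation data available: validate the chain without revocation checking.` The enclosing method begins before this hunk.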

Added: cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java?rev=1520542&view=auto
==============================================================================
--- cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java
(added)
+++ cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidatorCRLTest.java
Fri Sep  6 11:12:21 2013
@@ -0,0 +1,110 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.xkms.x509.validator;
+
+import java.io.File;
+import java.io.InputStream;
+import java.security.cert.CRLException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509CRL;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+
+import org.apache.cxf.helpers.FileUtils;
+import org.apache.cxf.xkms.handlers.Applications;
+import org.apache.cxf.xkms.model.xkms.UseKeyWithType;
+import org.apache.cxf.xkms.x509.repo.file.FileCertificateRepo;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+public class TrustedAuthorityValidatorCRLTest extends BasicValidationTest {
+    private static final String PATH_TO_RESOURCES = "/trustedAuthorityValidator/";
+    private final X509Certificate certificateRoot;
+    private final X509Certificate certificateWss40Rev;
+    private final X509Certificate certificateWss40;
+    private final X509CRL crl;
+    private FileCertificateRepo certificateRepo;
+
+    public TrustedAuthorityValidatorCRLTest() throws CertificateException, CRLException {
+        certificateRoot = readCertificate("wss40CA.cer");
+        certificateWss40Rev = readCertificate("wss40rev.cer");
+        certificateWss40 = readCertificate("wss40.cer");
+        crl = readCRL("wss40CACRL.cer");
+    }
+
+    @Before
+    public void setUpCertificateRepo() throws CertificateException {
+        File storageDir = new File("target/teststore_trusted_authority_validator");
+        FileUtils.removeDir(storageDir);
+        storageDir.mkdirs();
+        certificateRepo = new FileCertificateRepo("target/teststore_trusted_authority_validator");
+
+        UseKeyWithType rootKey = new UseKeyWithType();
+        rootKey.setApplication(Applications.PKIX.getUri());
+        String subjectDN = certificateRoot.getSubjectX500Principal().getName();
+        rootKey.setIdentifier(subjectDN);
+        certificateRepo.saveTrustedCACertificate(certificateRoot, rootKey);
+
+        UseKeyWithType aliceKey = new UseKeyWithType();
+        aliceKey.setApplication(Applications.PKIX.getUri());
+        subjectDN = certificateWss40Rev.getSubjectX500Principal().getName();
+        aliceKey.setIdentifier(subjectDN);
+        certificateRepo.saveCACertificate(certificateWss40Rev, aliceKey);
+        
+        UseKeyWithType bobKey = new UseKeyWithType();
+        bobKey.setApplication(Applications.PKIX.getUri());
+        subjectDN = certificateWss40.getSubjectX500Principal().getName();
+        bobKey.setIdentifier(subjectDN);
+        certificateRepo.saveCACertificate(certificateWss40, bobKey);
+        
+        UseKeyWithType crlKey = new UseKeyWithType();
+        crlKey.setApplication(Applications.PKIX.getUri());
+        crlKey.setIdentifier(crl.getIssuerX500Principal().getName());
+        certificateRepo.saveCRL(crl, crlKey);
+    }
+
+    @Test
+    public void testIsCertChainValid() throws CertificateException {
+        TrustedAuthorityValidator validator = new TrustedAuthorityValidator(certificateRepo);
+        Assert.assertTrue("Root should be valid",
+                          validator.isCertificateChainValid(Arrays.asList(certificateRoot)));
+        Assert.assertTrue("wss40rev should not be valid",
+                          !validator.isCertificateChainValid(Arrays.asList(certificateWss40Rev)));
+        Assert.assertTrue("wss40 should be valid",
+                          validator.isCertificateChainValid(Arrays.asList(certificateWss40)));
+    }
+
+    private static X509Certificate readCertificate(String path) throws CertificateException
{
+        InputStream inputStream = TrustedAuthorityValidatorCRLTest.class.getResourceAsStream(PATH_TO_RESOURCES
+                                                                                        
 + path);
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+        return (X509Certificate)cf.generateCertificate(inputStream);
+    }
+    
+    private static X509CRL readCRL(String path) throws CertificateException, CRLException
{
+        InputStream inputStream = TrustedAuthorityValidatorCRLTest.class.getResourceAsStream(PATH_TO_RESOURCES
+                                                                                        
 + path);
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+        return (X509CRL)cf.generateCRL(inputStream);
+    }
+
+}
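Review bot: `Assert.assertTrue("wss40rev should not be valid", !validator.isCertificateChainValid(...))` negates the result by hand; `Assert.assertFalse(...)` with the same message reads directly and gives a clearer failure. `readCertificate` and `readCRL` never close the resource `InputStream`, and `getResourceAsStream` returns null when a resource is missing, which surfaces as a `NullPointerException` from the factory rather than a message naming the file; a null check followed by `try`/`finally` around the `generate*` calls covers both. There is also no test for a repository holding no CRL, which is the path on which the validator disables revocation checking.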

Added: cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/trustedAuthorityValidator/wss40.cer
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/trustedAuthorityValidator/wss40.cer?rev=1520542&view=auto
==============================================================================
Files cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/trustedAuthorityValidator/wss40.cer
(added) and cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/trustedAuthorityValidator/wss40.cer
Fri Sep  6 11:12:21 2013 differ

Added: cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/trustedAuthorityValidator/wss40CA.cer
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/trustedAuthorityValidator/wss40CA.cer?rev=1520542&view=auto
==============================================================================
Files cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/trustedAuthorityValidator/wss40CA.cer
(added) and cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/trustedAuthorityValidator/wss40CA.cer
Fri Sep  6 11:12:21 2013 differ

Added: cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/trustedAuthorityValidator/wss40CACRL.cer
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/trustedAuthorityValidator/wss40CACRL.cer?rev=1520542&view=auto
==============================================================================
Files cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/trustedAuthorityValidator/wss40CACRL.cer
(added) and cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/trustedAuthorityValidator/wss40CACRL.cer
Fri Sep  6 11:12:21 2013 differ

Added: cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/trustedAuthorityValidator/wss40rev.cer
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/trustedAuthorityValidator/wss40rev.cer?rev=1520542&view=auto
==============================================================================
Files cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/trustedAuthorityValidator/wss40rev.cer
(added) and cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/trustedAuthorityValidator/wss40rev.cer
Fri Sep  6 11:12:21 2013 differ


