cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1521504 - in /cxf/trunk/services/xkms: xkms-itests/src/test/java/org/apache/cxf/xkms/itests/ xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/ xkms-itests/src/test/resources/data/xkms/certificates/ xkms-itests/src/te...
Date Tue, 10 Sep 2013 14:26:49 GMT
Author: coheigea
Date: Tue Sep 10 14:26:49 2013
New Revision: 1521504

URL: http://svn.apache.org/r1521504
Log:
[CXF-5255] - Finished with CRL support in XKMS

Added:
    cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/ValidatorCRLTest.java
    cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/crls/
    cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/crls/wss40CACRL.cer
    cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/trusted_cas/wss40CA.cer
    cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/wss40.cer
    cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/wss40rev.cer
    cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms_revocation.cfg
      - copied, changed from r1521415, cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms.cfg
Modified:
    cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/BasicIntegrationTest.java
    cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms.cfg
    cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml
    cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java
    cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapSchemaConfig.java
    cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java

Modified: cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/BasicIntegrationTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/BasicIntegrationTest.java?rev=1521504&r1=1521503&r2=1521504&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/BasicIntegrationTest.java
(original)
+++ cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/BasicIntegrationTest.java
Tue Sep 10 14:26:49 2013
@@ -74,10 +74,14 @@ public class BasicIntegrationTest {
 
             replaceConfigurationFile("data/xkms/certificates/trusted_cas/root.cer",
                                      new File("src/test/resources/data/xkms/certificates/trusted_cas/root.cer")),
+            replaceConfigurationFile("data/xkms/certificates/trusted_cas/wss40CA.cer",
+                                     new File("src/test/resources/data/xkms/certificates/trusted_cas/wss40CA.cer")),
             replaceConfigurationFile("data/xkms/certificates/cas/alice.cer",
                                      new File("src/test/resources/data/xkms/certificates/cas/alice.cer")),
             replaceConfigurationFile("data/xkms/certificates/dave.cer",
                                      new File("src/test/resources/data/xkms/certificates/dave.cer")),
+            replaceConfigurationFile("data/xkms/certificates/crls/wss40CACRL.cer",
+                                     new File("src/test/resources/data/xkms/certificates/crls/wss40CACRL.cer")),
             replaceConfigurationFile("etc/org.apache.cxf.xkms.cfg", getConfigFile()),
 
             editConfigurationFilePut("etc/org.ops4j.pax.url.mvn.cfg", "org.ops4j.pax.url.mvn.repositories",
REPOS), 

Added: cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/ValidatorCRLTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/ValidatorCRLTest.java?rev=1521504&view=auto
==============================================================================
--- cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/ValidatorCRLTest.java
(added)
+++ cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/ValidatorCRLTest.java
Tue Sep 10 14:26:49 2013
@@ -0,0 +1,139 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.xkms.itests.handlers.validator;
+
+import java.io.File;
+import java.io.InputStream;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.UUID;
+
+import javax.xml.bind.JAXBElement;
+
+import org.apache.cxf.xkms.handlers.XKMSConstants;
+import org.apache.cxf.xkms.itests.BasicIntegrationTest;
+import org.apache.cxf.xkms.model.xkms.KeyBindingEnum;
+import org.apache.cxf.xkms.model.xkms.MessageAbstractType;
+import org.apache.cxf.xkms.model.xkms.QueryKeyBindingType;
+import org.apache.cxf.xkms.model.xkms.ReasonEnum;
+import org.apache.cxf.xkms.model.xkms.StatusType;
+import org.apache.cxf.xkms.model.xkms.ValidateRequestType;
+import org.apache.cxf.xkms.model.xmldsig.KeyInfoType;
+import org.apache.cxf.xkms.model.xmldsig.X509DataType;
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.ops4j.pax.exam.junit.PaxExam;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+@RunWith(PaxExam.class)
+public class ValidatorCRLTest extends BasicIntegrationTest {
+    private static final String PATH_TO_RESOURCES = "/data/xkms/certificates/";
+
+    private static final org.apache.cxf.xkms.model.xmldsig.ObjectFactory DSIG_OF = 
+        new org.apache.cxf.xkms.model.xmldsig.ObjectFactory();
+    private static final org.apache.cxf.xkms.model.xkms.ObjectFactory XKMS_OF = 
+        new org.apache.cxf.xkms.model.xkms.ObjectFactory();
+    
+    private static final Logger LOG = LoggerFactory.getLogger(ValidatorCRLTest.class);
+    
+    @Override
+    protected File getConfigFile() {
+        return new File("src/test/resources/etc/org.apache.cxf.xkms_revocation.cfg");
+    }
+    
+    @Test
+    public void testValidCertWithCRL() throws CertificateException {
+        X509Certificate wss40Certificate = readCertificate("wss40.cer");
+        ValidateRequestType request = prepareValidateXKMSRequest(wss40Certificate);
+        StatusType result = doValidate(request);
+
+        Assert.assertEquals(KeyBindingEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_VALID, result.getStatusValue());
+        Assert.assertFalse(result.getValidReason().isEmpty());
+        Assert.assertEquals(ReasonEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_VALIDITY_INTERVAL.value(),
result
+            .getValidReason().get(0));
+        Assert.assertEquals(ReasonEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_ISSUER_TRUST.value(),
result
+            .getValidReason().get(1));
+    }
+    
+    @Test
+    public void testRevokedCertificate() throws CertificateException {
+        X509Certificate wss40Certificate = readCertificate("wss40rev.cer");
+        ValidateRequestType request = prepareValidateXKMSRequest(wss40Certificate);
+        StatusType result = doValidate(request);
+
+        Assert.assertEquals(KeyBindingEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_INVALID, result.getStatusValue());
+        Assert.assertFalse(result.getInvalidReason().isEmpty());
+        Assert.assertEquals(ReasonEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_ISSUER_TRUST.value(),
result
+            .getInvalidReason().get(0));
+    }
+
+    /*
+     * Method is taken from {@link org.apache.cxf.xkms.client.XKMSInvoker}.
+     */
+    private ValidateRequestType prepareValidateXKMSRequest(X509Certificate cert) {
+        JAXBElement<byte[]> x509Cert;
+        try {
+            x509Cert = DSIG_OF.createX509DataTypeX509Certificate(cert.getEncoded());
+        } catch (CertificateEncodingException e) {
+            throw new IllegalArgumentException(e);
+        }
+        X509DataType x509DataType = DSIG_OF.createX509DataType();
+        x509DataType.getX509IssuerSerialOrX509SKIOrX509SubjectName().add(x509Cert);
+        JAXBElement<X509DataType> x509Data = DSIG_OF.createX509Data(x509DataType);
+
+        KeyInfoType keyInfoType = DSIG_OF.createKeyInfoType();
+        keyInfoType.getContent().add(x509Data);
+
+        QueryKeyBindingType queryKeyBindingType = XKMS_OF.createQueryKeyBindingType();
+        queryKeyBindingType.setKeyInfo(keyInfoType);
+
+        ValidateRequestType validateRequestType = XKMS_OF.createValidateRequestType();
+        setGenericRequestParams(validateRequestType);
+        validateRequestType.setQueryKeyBinding(queryKeyBindingType);
+        // temporary
+        validateRequestType.setId(cert.getSubjectDN().toString());
+        return validateRequestType;
+    }
+
+    private void setGenericRequestParams(MessageAbstractType request) {
+        request.setService(XKMSConstants.XKMS_ENDPOINT_NAME);
+        request.setId(UUID.randomUUID().toString());
+    }
+
+    private X509Certificate readCertificate(String path) throws CertificateException {
+        InputStream inputStream = ValidatorCRLTest.class.getResourceAsStream(PATH_TO_RESOURCES
+ path);
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+        return (X509Certificate)cf.generateCertificate(inputStream);
+    }
+    
+    private StatusType doValidate(ValidateRequestType request) {
+        try {
+            return xkmsService.validate(request).getKeyBinding().get(0).getStatus();
+        } catch (Exception e) {
+            // Avoid serialization problems for some exceptions when transported by pax exam

+            LOG.error(e.getMessage(), e);
+            throw new RuntimeException(e.getMessage());
+        }
+    }
+
+}

Added: cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/crls/wss40CACRL.cer
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/crls/wss40CACRL.cer?rev=1521504&view=auto
==============================================================================
Files cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/crls/wss40CACRL.cer
(added) and cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/crls/wss40CACRL.cer
Tue Sep 10 14:26:49 2013 differ

Added: cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/trusted_cas/wss40CA.cer
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/trusted_cas/wss40CA.cer?rev=1521504&view=auto
==============================================================================
Files cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/trusted_cas/wss40CA.cer
(added) and cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/trusted_cas/wss40CA.cer
Tue Sep 10 14:26:49 2013 differ

Added: cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/wss40.cer
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/wss40.cer?rev=1521504&view=auto
==============================================================================
Files cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/wss40.cer
(added) and cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/wss40.cer
Tue Sep 10 14:26:49 2013 differ

Added: cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/wss40rev.cer
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/wss40rev.cer?rev=1521504&view=auto
==============================================================================
Files cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/wss40rev.cer
(added) and cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/wss40rev.cer
Tue Sep 10 14:26:49 2013 differ

Modified: cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms.cfg
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms.cfg?rev=1521504&r1=1521503&r2=1521504&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms.cfg (original)
+++ cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms.cfg Tue
Sep 10 14:26:49 2013
@@ -23,6 +23,9 @@ xkms.enableXKRSS=true
 # Certificate repository ldap or file
 xkms.certificate.repo=file
 
+# Disable Revocation
+xkms.enableRevocation=false
+
 # Filesystem backend
 xkms.file.storageDir=data/xkms/certificates
 
@@ -39,9 +42,11 @@ xkms.ldap.schema.attrUID=uid
 xkms.ldap.schema.attrIssuerID=manager
 xkms.ldap.schema.attrSerialNumber=employeeNumber
 xkms.ldap.schema.attrCrtBinary=userCertificate;binary
+xkms.ldap.schema.attrCrlBinary=certificateRevocationList;binary
 xkms.ldap.schema.constAttrNamesCSV=sn
 xkms.ldap.schema.constAttrValuesCSV=X509 certificate
 xkms.ldap.schema.serviceCertRDNTemplate=cn=%s,ou=services
 xkms.ldap.schema.serviceCertUIDTemplate=cn=%s
 xkms.ldap.schema.trustedAuthorities=(&(objectClass=inetOrgPerson)(ou:dn:=rootCAs))
+xkms.ldap.schema.crls=(&(objectClass=inetOrgPerson)(ou:dn:=rootCAs))
 xkms.ldap.schema.intermediates=(&(objectClass=inetOrgPerson)(ou:dn:=intermediateCAs))

Copied: cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms_revocation.cfg
(from r1521415, cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms.cfg)
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms_revocation.cfg?p2=cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms_revocation.cfg&p1=cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms.cfg&r1=1521415&r2=1521504&rev=1521504&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms.cfg (original)
+++ cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms_revocation.cfg
Tue Sep 10 14:26:49 2013
@@ -23,6 +23,9 @@ xkms.enableXKRSS=true
 # Certificate repository ldap or file
 xkms.certificate.repo=file
 
+# Enable Revocation
+xkms.enableRevocation=true
+
 # Filesystem backend
 xkms.file.storageDir=data/xkms/certificates
 
@@ -39,9 +42,11 @@ xkms.ldap.schema.attrUID=uid
 xkms.ldap.schema.attrIssuerID=manager
 xkms.ldap.schema.attrSerialNumber=employeeNumber
 xkms.ldap.schema.attrCrtBinary=userCertificate;binary
+xkms.ldap.schema.attrCrlBinary=certificateRevocationList;binary
 xkms.ldap.schema.constAttrNamesCSV=sn
 xkms.ldap.schema.constAttrValuesCSV=X509 certificate
 xkms.ldap.schema.serviceCertRDNTemplate=cn=%s,ou=services
 xkms.ldap.schema.serviceCertUIDTemplate=cn=%s
 xkms.ldap.schema.trustedAuthorities=(&(objectClass=inetOrgPerson)(ou:dn:=rootCAs))
+xkms.ldap.schema.crls=(&(objectClass=inetOrgPerson)(ou:dn:=rootCAs))
 xkms.ldap.schema.intermediates=(&(objectClass=inetOrgPerson)(ou:dn:=intermediateCAs))

Modified: cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml?rev=1521504&r1=1521503&r2=1521504&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml
(original)
+++ cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml
Tue Sep 10 14:26:49 2013
@@ -30,6 +30,7 @@
 			<cm:property name="xkms.ldap.pwd" value=""/>
 			<cm:property name="xkms.ldap.retry" value="2"/>
 			<cm:property name="xkms.ldap.rootDN" value=""/>
+			<cm:property name="xkms.enableRevocation" value="true"/>
 		</cm:default-properties>
 	</cm:property-placeholder>
 
@@ -46,6 +47,7 @@
         <property name="attrIssuerID" value="${xkms.ldap.schema.attrIssuerID}" />
         <property name="attrSerialNumber" value="${xkms.ldap.schema.attrSerialNumber}"
/>
         <property name="attrCrtBinary" value="${xkms.ldap.schema.attrCrtBinary}" />
+        <property name="attrCrlBinary" value="${xkms.ldap.schema.attrCrlBinary}" />
         <property name="constAttrNamesCSV" value="${xkms.ldap.schema.constAttrNamesCSV}"
/>
         <property name="constAttrValuesCSV" value="${xkms.ldap.schema.constAttrValuesCSV}"
/>
         <property name="serviceCertRDNTemplate"
@@ -53,6 +55,7 @@
         <property name="serviceCertUIDTemplate"
             value="${xkms.ldap.schema.serviceCertUIDTemplate}" />
         <property name="trustedAuthorityFilter" value="${xkms.ldap.schema.trustedAuthorities}"
/>
+        <property name="crlFilter" value="${xkms.ldap.schema.crls}" />
         <property name="intermediateFilter" value="${xkms.ldap.schema.intermediates}"
/>
     </bean>
 
@@ -69,6 +72,7 @@
     <bean id="trustedAuthorityValidator"
         class="org.apache.cxf.xkms.x509.validator.TrustedAuthorityValidator">
         <argument ref="certificateRepo" />
+        <property name="enableRevocation" value="${xkms.enableRevocation}" />
     </bean>
 
     <bean id="x509Locator" class="org.apache.cxf.xkms.x509.handlers.X509Locator">

Modified: cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java?rev=1521504&r1=1521503&r2=1521504&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java
(original)
+++ cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java
Tue Sep 10 14:26:49 2013
@@ -19,12 +19,12 @@
 package org.apache.cxf.xkms.x509.repo.ldap;
 
 import java.io.ByteArrayInputStream;
+import java.security.cert.CRLException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509CRL;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
-import java.util.Collections;
 import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -89,8 +89,7 @@ public class LdapCertificateRepo impleme
     
     @Override
     public List<X509CRL> getCRLs() {
-        // TODO
-        return Collections.emptyList();
+        return getCRLsFromLdap(rootDN, ldapConfig.getAttrCrlBinary(), ldapConfig.getAttrCrlBinary());
     }
 
     private List<X509Certificate> getCertificatesFromLdap(String tmpRootDN, String
tmpFilter, String tmpAttrName) {
@@ -115,6 +114,31 @@ public class LdapCertificateRepo impleme
             throw new RuntimeException(e.getMessage(), e);
         }
     }
+    
+    private List<X509CRL> getCRLsFromLdap(String tmpRootDN, String tmpFilter, String
tmpAttrName) {
+        try {
+            List<X509CRL> crls = new ArrayList<X509CRL>();
+            NamingEnumeration<SearchResult> answer = ldapSearch.searchSubTree(tmpRootDN,
tmpFilter);
+            while (answer.hasMore()) {
+                SearchResult sr = answer.next();
+                Attributes attrs = sr.getAttributes();
+                Attribute attribute = attrs.get(tmpAttrName);
+                if (attribute != null) {
+                    CertificateFactory cf = CertificateFactory.getInstance("X.509");
+                    X509CRL crl = (X509CRL) cf.generateCRL(new ByteArrayInputStream(
+                            (byte[]) attribute.get()));
+                    crls.add(crl);
+                }
+            }
+            return crls;
+        } catch (CertificateException e) {
+            throw new RuntimeException(e.getMessage(), e);
+        } catch (NamingException e) {
+            throw new RuntimeException(e.getMessage(), e);
+        } catch (CRLException e) {
+            throw new RuntimeException(e.getMessage(), e);
+        }
+    }
 
     private void saveCertificate(X509Certificate cert, String dn) {
         Attributes attribs = new BasicAttributes();

Modified: cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapSchemaConfig.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapSchemaConfig.java?rev=1521504&r1=1521503&r2=1521504&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapSchemaConfig.java
(original)
+++ cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapSchemaConfig.java
Tue Sep 10 14:26:49 2013
@@ -24,12 +24,14 @@ public class LdapSchemaConfig {
     private String attrIssuerID = "manager";
     private String attrSerialNumber = "employeeNumber";
     private String attrCrtBinary = "userCertificate;binary";
+    private String attrCrlBinary = "certificateRevocationList;binary";
     private String constAttrNamesCSV = "sn";
     private String constAttrValuesCSV = "X509 certificate";
     private String serviceCertRDNTemplate = "cn=%s,ou=services";
     private String serviceCertUIDTemplate = "cn=%s";
     private String trustedAuthorityFilter = "(&(objectClass=inetOrgPerson)(ou:dn:=CAs))";
     private String intermediateFilter = "(objectClass=*)";
+    private String crlFilter = "(&(objectClass=inetOrgPerson)(ou:dn:=CAs))";
 
     public String getCertObjectClass() {
         return certObjectClass;
@@ -119,4 +121,20 @@ public class LdapSchemaConfig {
         this.intermediateFilter = intermediateFilter;
     }
 
+    public String getCrlFilter() {
+        return crlFilter;
+    }
+
+    public void setCrlFilter(String crlFilter) {
+        this.crlFilter = crlFilter;
+    }
+
+    public String getAttrCrlBinary() {
+        return attrCrlBinary;
+    }
+
+    public void setAttrCrlBinary(String attrCrlBinary) {
+        this.attrCrlBinary = attrCrlBinary;
+    }
+
 }

Modified: cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java?rev=1521504&r1=1521503&r2=1521504&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java
(original)
+++ cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java
Tue Sep 10 14:26:49 2013
@@ -53,11 +53,12 @@ public class TrustedAuthorityValidator i
     private static final Logger LOG = LogUtils.getL7dLogger(TrustedAuthorityValidator.class);
 
     CertificateRepo certRepo;
+    boolean enableRevocation = true;
     
     public TrustedAuthorityValidator(CertificateRepo certRepo) {
         this.certRepo = certRepo;
     }
-
+    
     /**
      * Checks if a certificate is signed by a trusted authority.
      * 
@@ -71,7 +72,6 @@ public class TrustedAuthorityValidator i
         try {
             List<X509Certificate> intermediateCerts = certRepo.getCaCerts();
             List<X509Certificate> trustedAuthorityCerts = certRepo.getTrustedCaCerts();
-            List<X509CRL> crls = certRepo.getCRLs();
             Set<TrustAnchor> trustAnchors = asTrustAnchors(trustedAuthorityCerts);
             CertStoreParameters intermediateParams = new CollectionCertStoreParameters(intermediateCerts);
             CertStoreParameters certificateParams = new CollectionCertStoreParameters(certificates);
@@ -84,12 +84,15 @@ public class TrustedAuthorityValidator i
             CertPath certPath = builder.build(pkixParams).getCertPath();
             
             // Now validate the CertPath (including CRL checking)
-            if (!crls.isEmpty()) {
-                pkixParams.setRevocationEnabled(true);
-                CertStoreParameters crlParams = new CollectionCertStoreParameters(crls);
-                pkixParams.addCertStore(CertStore.getInstance("Collection", crlParams));
+            if (enableRevocation) {
+                List<X509CRL> crls = certRepo.getCRLs();
+                if (!crls.isEmpty()) {
+                    pkixParams.setRevocationEnabled(true);
+                    CertStoreParameters crlParams = new CollectionCertStoreParameters(crls);
+                    pkixParams.addCertStore(CertStore.getInstance("Collection", crlParams));
+                }
             }
-            
+                
             CertPathValidator validator = CertPathValidator.getInstance("PKIX");
             validator.validate(certPath, pkixParams);
         } catch (InvalidAlgorithmParameterException e) {
@@ -132,4 +135,12 @@ public class TrustedAuthorityValidator i
         return status;
     }
 
+    public boolean isEnableRevocation() {
+        return enableRevocation;
+    }
+
+    public void setEnableRevocation(boolean enableRevocation) {
+        this.enableRevocation = enableRevocation;
+    }
+    
 }



Mime
View raw message