cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ashaki...@apache.org
Subject svn commit: r1527385 - in /cxf/trunk/services/xkms: xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/ xkms-common/src/main/java/org/apache/cxf/xkms/crypto/
Date Sun, 29 Sep 2013 18:55:52 GMT
Author: ashakirin
Date: Sun Sep 29 18:55:52 2013
New Revision: 1527385

URL: http://svn.apache.org/r1527385
Log:
XKMSCrypto: Introduced allowX509FromJKS property, simplified XKMSCryptoProvider implementation

Modified:
    cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProvider.java
    cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProviderFactory.java
    cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/crypto/CryptoProviderFactory.java

Modified: cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProvider.java?rev=1527385&r1=1527384&r2=1527385&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProvider.java
(original)
+++ cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProvider.java
Sun Sep 29 18:55:52 2013
@@ -46,24 +46,31 @@ public class XkmsCryptoProvider extends 
     private static final Logger LOG = LogUtils.getL7dLogger(XkmsCryptoProvider.class);
 
     private final XKMSInvoker xkmsInvoker;
-    private Crypto defaultCrypto;
+    private Crypto fallbackCrypto;
     private XKMSClientCache xkmsClientCache;
+    private boolean allowX509FromJKS = true;
 
     public XkmsCryptoProvider(XKMSPortType xkmsConsumer) {
         this(xkmsConsumer, null);
     }
 
-    public XkmsCryptoProvider(XKMSPortType xkmsConsumer, Crypto defaultCrypto) {
-        this(xkmsConsumer, defaultCrypto, new EHCacheXKMSClientCache());
+    public XkmsCryptoProvider(XKMSPortType xkmsConsumer, Crypto fallbackCrypto) {
+        this(xkmsConsumer, fallbackCrypto, new EHCacheXKMSClientCache(), true);
     }
     
-    public XkmsCryptoProvider(XKMSPortType xkmsConsumer, Crypto defaultCrypto, XKMSClientCache
xkmsClientCache) {
+    public XkmsCryptoProvider(XKMSPortType xkmsConsumer, Crypto fallbackCrypto, boolean allowX509FromJKS)
{
+        this(xkmsConsumer, fallbackCrypto, new EHCacheXKMSClientCache(), allowX509FromJKS);
+    }
+
+    public XkmsCryptoProvider(XKMSPortType xkmsConsumer, Crypto fallbackCrypto,
+                              XKMSClientCache xkmsClientCache, boolean allowX509FromJKS)
{
         if (xkmsConsumer == null) {
             throw new IllegalArgumentException("xkmsConsumer may not be null");
         }
         this.xkmsInvoker = new XKMSInvoker(xkmsConsumer);
-        this.defaultCrypto = defaultCrypto;
+        this.fallbackCrypto = fallbackCrypto;
         this.xkmsClientCache = xkmsClientCache;
+        this.allowX509FromJKS = allowX509FromJKS;
     }
     
     @Override
@@ -73,9 +80,9 @@ public class XkmsCryptoProvider extends 
                 .format("XKMS Runtime: getting public certificate for alias: %s; issuer:
%s; subjectDN: %s",
                         cryptoType.getAlias(), cryptoType.getIssuer(), cryptoType.getSubjectDN()));
         }
-        X509Certificate[] certs = getX509CertificatesInternal(cryptoType);
+        X509Certificate[] certs = getX509(cryptoType);
         if (certs == null) {
-            LOG.severe(String
+            LOG.warning(String
                 .format(
                         "Cannot find certificate for alias: %s, issuer: %s; subjectDN: %s",
                         cryptoType.getAlias(), cryptoType.getIssuer(), cryptoType.getSubjectDN()));
@@ -86,20 +93,20 @@ public class XkmsCryptoProvider extends 
     @Override
     public String getX509Identifier(X509Certificate cert) throws WSSecurityException {
         assertDefaultCryptoProvider();
-        return defaultCrypto.getX509Identifier(cert);
+        return fallbackCrypto.getX509Identifier(cert);
     }
 
     @Override
     public PrivateKey getPrivateKey(X509Certificate certificate, CallbackHandler callbackHandler)
         throws WSSecurityException {
         assertDefaultCryptoProvider();
-        return defaultCrypto.getPrivateKey(certificate, callbackHandler);
+        return fallbackCrypto.getPrivateKey(certificate, callbackHandler);
     }
 
     @Override
     public PrivateKey getPrivateKey(String identifier, String password) throws WSSecurityException
{
         assertDefaultCryptoProvider();
-        return defaultCrypto.getPrivateKey(identifier, password);
+        return fallbackCrypto.getPrivateKey(identifier, password);
     }
 
     @Override
@@ -144,66 +151,44 @@ public class XkmsCryptoProvider extends 
     }
 
     private void assertDefaultCryptoProvider() {
-        if (defaultCrypto == null) {
+        if (fallbackCrypto == null) {
             throw new UnsupportedOperationException("Not supported by this crypto provider");
         }
     }
 
-    private X509Certificate[] getX509CertificatesInternal(CryptoType cryptoType) {
-        CryptoType.TYPE type = cryptoType.getType();
-        if (type == TYPE.SUBJECT_DN) {
-            return getX509CertificatesFromXKMS(Applications.PKIX, cryptoType.getSubjectDN());
-        } else if (type == TYPE.ALIAS) {
-            return getX509CertificatesFromXKMS(cryptoType);
-        } else if (type == TYPE.ISSUER_SERIAL) {
-            // Try local Crypto first
+    private X509Certificate[] getX509(CryptoType cryptoType) {
+        // Try to get X509 certificate from local keystore if it is configured
+        if (allowX509FromJKS && (fallbackCrypto != null)) {
             X509Certificate[] localCerts = getCertificateLocally(cryptoType);
-            if (localCerts != null) {
+            if ((localCerts != null) && localCerts.length > 0) {
                 return localCerts;
             }
+        }
+        CryptoType.TYPE type = cryptoType.getType();
+        if (type == TYPE.SUBJECT_DN) {
+            return getX509FromXKMSByID(Applications.PKIX, cryptoType.getSubjectDN());
             
-            String key = getKeyForIssuerSerial(cryptoType.getIssuer(), cryptoType.getSerial());
-            // Try local cache next
-            if (xkmsClientCache != null) {
-                XKMSCacheToken cachedToken = xkmsClientCache.get(key);
-                if (cachedToken != null && cachedToken.getX509Certificate() != null)
{
-                    return new X509Certificate[] {cachedToken.getX509Certificate()};
-                }
+        } else if (type == TYPE.ALIAS) {
+            Applications appId = null;
+            boolean isServiceName = isServiceName(cryptoType);
+            if (!isServiceName) {
+                appId = Applications.PKIX;
+            } else {
+                appId = Applications.SERVICE_SOAP;
             }
-            // Now ask the XKMS Service
-            X509Certificate certificate = xkmsInvoker.getCertificateForIssuerSerial(cryptoType
-                .getIssuer(), cryptoType.getSerial());
+            return getX509FromXKMSByID(appId, cryptoType.getAlias());
             
-            // Store in the cache
-            storeCertificateInCache(certificate, key, false);
-
-            return new X509Certificate[] {
-                certificate
-            };
+        } else if (type == TYPE.ISSUER_SERIAL) {
+            return getX509FromXKMSByIssuerSerial(cryptoType.getIssuer(), cryptoType.getSerial());
         }
         throw new IllegalArgumentException("Unsupported type " + type);
     }
 
-    private X509Certificate[] getX509CertificatesFromXKMS(CryptoType cryptoType) {
-        Applications appId = null;
-        boolean isServiceName = isServiceName(cryptoType);
-        if (!isServiceName) {
-            X509Certificate[] localCerts = getCertificateLocally(cryptoType);
-            if (localCerts != null) {
-                return localCerts;
-            }
-            appId = Applications.PKIX;
-        } else {
-            appId = Applications.SERVICE_SOAP;
-        }
-        return getX509CertificatesFromXKMS(appId, cryptoType.getAlias());
-    }
-
-    private X509Certificate[] getX509CertificatesFromXKMS(Applications application, String
id) {
+    private X509Certificate[] getX509FromXKMSByID(Applications application, String id) {
         LOG.fine(String.format("Getting public certificate from XKMS for application:%s;
id: %s",
                                application, id));
         if (id == null) {
-            throw new CryptoProviderException("Id is not specified for certificate request");
+            throw new IllegalArgumentException("Id is not specified for certificate request");
         }
         
         // Try local cache first
@@ -225,6 +210,29 @@ public class XkmsCryptoProvider extends 
         };
     }
 
+    private X509Certificate[] getX509FromXKMSByIssuerSerial(String issuer, BigInteger serial)
{
+        LOG.fine(String.format("Getting public certificate from XKMS for issuer:%s; serial:
%x",
+                               issuer, serial));
+        
+        String key = getKeyForIssuerSerial(issuer, serial);
+        // Try local cache first
+        if (xkmsClientCache != null) {
+            XKMSCacheToken cachedToken = xkmsClientCache.get(key);
+            if (cachedToken != null && cachedToken.getX509Certificate() != null)
{
+                return new X509Certificate[] {cachedToken.getX509Certificate()};
+            }
+        }
+        // Now ask the XKMS Service
+        X509Certificate certificate = xkmsInvoker.getCertificateForIssuerSerial(issuer, serial);
+        
+        // Store in the cache
+        storeCertificateInCache(certificate, key, false);
+
+        return new X509Certificate[] {
+            certificate
+        };
+    }
+
     /**
      * Try to get certificate locally. First try using the supplied CryptoType. If this
      * does not work, and if the supplied CryptoType is a ALIAS, then try again with SUBJECT_DN
@@ -235,14 +243,14 @@ public class XkmsCryptoProvider extends 
      */
     private X509Certificate[] getCertificateLocally(CryptoType cryptoType) {
         // This only applies if we've configured a local Crypto instance...
-        if (defaultCrypto == null) {
+        if (fallbackCrypto == null) {
             return null;
         }
         
         // First try using the supplied CryptoType instance
         X509Certificate[] localCerts = null;
         try {
-            localCerts = defaultCrypto.getX509Certificates(cryptoType);
+            localCerts = fallbackCrypto.getX509Certificates(cryptoType);
         } catch (Exception e) {
             LOG.info("Certificate is not found in local keystore using desired CryptoType:
" 
                      + cryptoType.getType().name());
@@ -256,7 +264,7 @@ public class XkmsCryptoProvider extends 
             newCryptoType.setSubjectDN(cryptoType.getAlias());
             
             try {
-                localCerts = defaultCrypto.getX509Certificates(newCryptoType);
+                localCerts = fallbackCrypto.getX509Certificates(newCryptoType);
             } catch (Exception e) {
                 LOG.info("Certificate is not found in local keystore and will be requested
from "
                     + "XKMS (first trying the cache): " + cryptoType.getAlias());

Modified: cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProviderFactory.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProviderFactory.java?rev=1527385&r1=1527384&r2=1527385&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProviderFactory.java
(original)
+++ cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProviderFactory.java
Sun Sep 29 18:55:52 2013
@@ -70,4 +70,9 @@ public class XkmsCryptoProviderFactory i
     public Crypto create(XKMSPortType xkmsClient, Crypto fallbackCrypto) {
         return new XkmsCryptoProvider(xkmsClient, fallbackCrypto);
     }
+
+    @Override
+    public Crypto create(XKMSPortType xkmsClient, Crypto fallbackCrypto, boolean allowX509FromJKS)
{
+        return new XkmsCryptoProvider(xkmsClient, fallbackCrypto, allowX509FromJKS);
+    }
 }

Modified: cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/crypto/CryptoProviderFactory.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/crypto/CryptoProviderFactory.java?rev=1527385&r1=1527384&r2=1527385&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/crypto/CryptoProviderFactory.java
(original)
+++ cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/crypto/CryptoProviderFactory.java
Sun Sep 29 18:55:52 2013
@@ -56,4 +56,15 @@ public interface CryptoProviderFactory {
      * @return
      */
     Crypto create(XKMSPortType xkmsClient, Crypto fallbackCrypto);
+    
+    /**
+     * Create with overridden XKMSPortType, fallbackCrypto and control of getting X509 from
local keystore
+     * 
+     * @param xkmsClient
+     * @param fallbackCrypto
+     * @param allowX509FromJKS
+     * @return
+     */
+    Crypto create(XKMSPortType xkmsClient, Crypto fallbackCrypto, boolean allowX509FromJKS);
+
 }



Mime
View raw message