Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id EF44F106E4 for ; Tue, 31 Dec 2013 10:48:58 +0000 (UTC) Received: (qmail 62566 invoked by uid 500); 31 Dec 2013 10:48:56 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 62505 invoked by uid 500); 31 Dec 2013 10:48:54 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 62494 invoked by uid 99); 31 Dec 2013 10:48:53 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 31 Dec 2013 10:48:53 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 31 Dec 2013 10:48:47 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id 49D01238890D; Tue, 31 Dec 2013 10:48:24 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1554397 - in /cxf/trunk/services/xkms: xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/ xkms-common/src/main/java/org/apache/cxf/xkms/handlers/ xkms-features/src/main/resources/ xkms-itests/src/test/java/org/apache/cxf/xkms/itest... Date: Tue, 31 Dec 2013 10:48:23 -0000 To: commits@cxf.apache.org 
From: ashakirin@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20131231104824.49D01238890D@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: ashakirin Date: Tue Dec 31 10:48:22 2013 New Revision: 1554397 URL: http://svn.apache.org/r1554397 Log: [CXF-5443] STS Symmetric HOK: using server endpoint (AppliesTo) as certificate identifier to encrypt symmetric key Added: cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/http___localhost_8080_services_TestService.cer (with props) cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/store1/CN-www.issuer.com_L-CGN_ST-NRW_C-DE_O-Issuer.cer - copied unchanged from r1554225, cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/store1/CN-www.issuer.com_L-CGN_ST-NRW_C-DE_O-Issuer-11688544847478700689.cer Removed: cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/store1/CN-www.issuer.com_L-CGN_ST-NRW_C-DE_O-Issuer-11688544847478700689.cer Modified: cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XKMSInvoker.java cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProvider.java cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/handlers/Applications.java cxf/trunk/services/xkms/xkms-features/src/main/resources/org.apache.cxf.xkms.cfg cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/BasicIntegrationTest.java cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/service/XKMSServiceTest.java cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml cxf/trunk/services/xkms/xkms-war/pom.xml cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-key-handlers.xml cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/handlers/X509Locator.java cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/handlers/X509Register.java 
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/CertificateRepo.java cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepo.java cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapSchemaConfig.java cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepoTest.java cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/repo/ldap/LDAPCertificateRepoTest.java
Modified: cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XKMSInvoker.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XKMSInvoker.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XKMSInvoker.java (original)
+++ cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XKMSInvoker.java Tue Dec 31 10:48:22 2013
@@ -73,7 +73,7 @@ class XKMSInvoker {
 }
 public X509Certificate getServiceCertificate(QName serviceName) {
- return getCertificateForId(Applications.SERVICE_SOAP, serviceName.toString());
+ return getCertificateForId(Applications.SERVICE_NAME, serviceName.toString());
 }
 public X509Certificate getCertificateForId(Applications application, String id) {
@@ -88,6 +88,12 @@ class XKMSInvoker {
 return getCertificate(ids);
 }
+ public X509Certificate getCertificateForEndpoint(String endpoint) {
+ List ids = new ArrayList();
+ ids.add(new X509AppId(Applications.SERVICE_ENDPOINT, endpoint));
+ return getCertificate(ids);
+ }
+
 public X509Certificate getCertificate(List ids) {
 try {
 LocateRequestType locateRequestType = prepareLocateXKMSRequest(ids);
Modified: cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProvider.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProvider.java (original)
+++ cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProvider.java Tue Dec 31 10:48:22 2013
@@ -159,7 +159,7 @@ public class XkmsCryptoProvider extends
 private X509Certificate[] getX509(CryptoType cryptoType) {
 // Try to get X509 certificate from local keystore if it is configured
 if (allowX509FromJKS && (fallbackCrypto != null)) {
- X509Certificate[] localCerts = getCertificateLocally(cryptoType);
+ X509Certificate[] localCerts = getCertificateLocaly(cryptoType);
 if ((localCerts != null) && localCerts.length > 0) {
 return localCerts;
 }
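Review bot: getCertificateForEndpoint is a new public entry point with no Javadoc, and nothing in the hunk says what string callers are expected to pass; the commit message implies the STS AppliesTo address, and the matching integration test uses a full URL such as http://localhost:8080/services/TestService. Suggest adding above the method: `/** Locates the certificate bound under {@link Applications#SERVICE_ENDPOINT} to the given endpoint address (the AppliesTo URL of the target service); the result on a miss is whatever {@link #getCertificate(List)} returns. */`. getCertificate's body runs past the end of this hunk, so its miss behaviour is not visible here.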
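Review bot: The `-`/`+` pair in getX509 renames the correctly spelled `getCertificateLocally` to the misspelling `getCertificateLocaly`, so the local-keystore fallback no longer turns up for anyone searching the code for "locally". Keep the original spelling at the call site, `X509Certificate[] localCerts = getCertificateLocally(cryptoType);`, and in the definition changed by the later hunk of this file.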
@@ -167,14 +167,15 @@ public class XkmsCryptoProvider extends
 CryptoType.TYPE type = cryptoType.getType();
 if (type == TYPE.SUBJECT_DN) {
 return getX509FromXKMSByID(Applications.PKIX, cryptoType.getSubjectDN());
-
+ } else if (type == TYPE.ENDPOINT) {
+ return getX509FromXKMSByEndpoint(cryptoType.getEndpoint());
 } else if (type == TYPE.ALIAS) {
 Applications appId = null;
 boolean isServiceName = isServiceName(cryptoType);
 if (!isServiceName) {
 appId = Applications.PKIX;
 } else {
- appId = Applications.SERVICE_SOAP;
+ appId = Applications.SERVICE_NAME;
 }
 return getX509FromXKMSByID(appId, cryptoType.getAlias());
@@ -220,6 +221,22 @@ public class XkmsCryptoProvider extends
 return buildX509GetResult(key, cert);
 }
+ private X509Certificate[] getX509FromXKMSByEndpoint(String endpoint) {
+ LOG.fine(String.format("Getting public certificate from XKMS for endpoint:%s",
+ endpoint));
+
+ // Try local cache first
+ X509Certificate[] certs = checkX509Cache(endpoint);
+ if (certs != null) {
+ return certs;
+ }
+
+ // Now ask the XKMS Service
+ X509Certificate cert = xkmsInvoker.getCertificateForEndpoint(endpoint);
+
+ return buildX509GetResult(endpoint, cert);
+ }
+
 private X509Certificate[] checkX509Cache(String key) {
 if (xkmsClientCache == null) {
 return null;
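Review bot: The new `TYPE.ENDPOINT` branch passes `cryptoType.getEndpoint()` straight to getX509FromXKMSByEndpoint with no null or empty check, so a CryptoType of that type built without an endpoint is looked up in the cache under a null key and then sent to the XKMS service as a Locate with no identifier (what checkX509Cache and the invoker do with null is outside this hunk). A guard at the top of getX509FromXKMSByEndpoint, `if (endpoint == null || endpoint.length() == 0) { return null; }`, keeps that failure local, and getX509 already treats a null array as "not found" in the fallback branch shown in the earlier hunk of this file. The `LOG.fine(String.format(...))` call also builds the message on every lookup; if LOG is a java.util.logging Logger, wrapping it in `if (LOG.isLoggable(Level.FINE))` avoids the formatting cost when FINE is off.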
@@ -257,7 +274,7 @@ public class XkmsCryptoProvider extends
 * @param cryptoType
 * @return if found certificate otherwise null returned
 */
- private X509Certificate[] getCertificateLocally(CryptoType cryptoType) {
+ private X509Certificate[] getCertificateLocaly(CryptoType cryptoType) {
 // This only applies if we've configured a local Crypto instance...
 if (fallbackCrypto == null) {
 return null;
Modified: cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/handlers/Applications.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/handlers/Applications.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/handlers/Applications.java (original)
+++ cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/handlers/Applications.java Tue Dec 31 10:48:22 2013
@@ -28,9 +28,13 @@ public enum Applications {
 */
 TLS_HTTPS("urn:ietf:rfc:2818"),
 /**
- * Service Endpoint Name
+ * Service Name
 */
- SERVICE_SOAP("urn:apache:cxf:service:soap"),
+ SERVICE_NAME("urn:apache:cxf:service:name"),
+ /**
+ * Service Endpoint
+ */
+ SERVICE_ENDPOINT("urn:apache:cxf:service:endpoint"),
 /**
 * Certificate Issuer
 */
Modified: cxf/trunk/services/xkms/xkms-features/src/main/resources/org.apache.cxf.xkms.cfg
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-features/src/main/resources/org.apache.cxf.xkms.cfg?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-features/src/main/resources/org.apache.cxf.xkms.cfg (original)
+++ cxf/trunk/services/xkms/xkms-features/src/main/resources/org.apache.cxf.xkms.cfg Tue Dec 31 10:48:22 2013
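Review bot: Renaming `SERVICE_SOAP` to `SERVICE_NAME` also changes the wire identifier from `urn:apache:cxf:service:soap` to `urn:apache:cxf:service:name`, and that URI is what clients send in UseKeyWith/@Application and what X509Locator and both repositories switch on after Applications.fromUri. Deployed clients and registration tooling still sending the old URI will, depending on what fromUri does with an unknown string (its body is outside this diff), either fail outright or fall through to the "Unsupported Application" branch in LdapCertificateRepo.saveCertificate, and the hunk keeps no alias for the old value. Consider accepting the old URI in fromUri for a release, or at least record the break in the enum Javadoc: `* Service Name (replaces urn:apache:cxf:service:soap from earlier releases; the old URI is no longer recognised)`.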
@@ -39,6 +39,7 @@ xkms.ldap.schema.certObjectClass=inetOrg
 xkms.ldap.schema.attrUID=uid
 xkms.ldap.schema.attrIssuerID=manager
 xkms.ldap.schema.attrSerialNumber=employeeNumber
+xkms.ldap.schema.attrEndpoint=labeledURI
 xkms.ldap.schema.attrCrtBinary=userCertificate;binary
 xkms.ldap.schema.constAttrNamesCSV=sn
 xkms.ldap.schema.constAttrValuesCSV=X509 certificate
Modified: cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/BasicIntegrationTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/BasicIntegrationTest.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/BasicIntegrationTest.java (original)
+++ cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/BasicIntegrationTest.java Tue Dec 31 10:48:22 2013
@@ -78,6 +78,9 @@ public class BasicIntegrationTest {
 new File("src/test/resources/data/xkms/certificates/cas/alice.cer")),
 replaceConfigurationFile("data/xkms/certificates/dave.cer",
 new File("src/test/resources/data/xkms/certificates/dave.cer")),
+ replaceConfigurationFile("data/xkms/certificates/http___localhost_8080_services_TestService.cer",
+ new File("src/test/resources/data/xkms/certificates/" +
+ "http___localhost_8080_services_TestService.cer")),
 replaceConfigurationFile("data/xkms/certificates/crls/wss40CACRL.cer",
 new File("src/test/resources/data/xkms/certificates/crls/wss40CACRL.cer")),
 replaceConfigurationFile("etc/org.apache.cxf.xkms.cfg", getConfigFile()),
Modified: cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/service/XKMSServiceTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/service/XKMSServiceTest.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/service/XKMSServiceTest.java (original)
+++ cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/service/XKMSServiceTest.java Tue Dec 31 10:48:22 2013
@@ -49,7 +49,7 @@ public class XKMSServiceTest extends Bas
 new org.apache.cxf.xkms.model.xkms.ObjectFactory();
 @Test
- public void testLocate() throws URISyntaxException, Exception {
+ public void testLocatePKIX() throws URISyntaxException, Exception {
 LocateRequestType request = XKMS_OF.createLocateRequestType();
 setGenericRequestParams(request);
 QueryKeyBindingType queryKeyBindingType = XKMS_OF.createQueryKeyBindingType();
@@ -58,6 +58,25 @@ public class XKMSServiceTest extends Bas
 useKeyWithType.setIdentifier("CN=Dave, OU=Apache, O=CXF, L=CGN, ST=NRW, C=DE");
 useKeyWithType.setApplication(Applications.PKIX.getUri());
+ locateCertificate(request, queryKeyBindingType, useKeyWithType);
+ }
+
+ @Test
+ public void testLocateByEndpoint() throws URISyntaxException, Exception {
+ LocateRequestType request = XKMS_OF.createLocateRequestType();
+ setGenericRequestParams(request);
+ QueryKeyBindingType queryKeyBindingType = XKMS_OF.createQueryKeyBindingType();
+
+ UseKeyWithType useKeyWithType = XKMS_OF.createUseKeyWithType();
+ useKeyWithType.setIdentifier("http://localhost:8080/services/TestService");
+ useKeyWithType.setApplication(Applications.SERVICE_ENDPOINT.getUri());
+
+ locateCertificate(request, queryKeyBindingType, useKeyWithType);
+ }
+
+ private void locateCertificate(LocateRequestType request,
+ QueryKeyBindingType queryKeyBindingType,
+ UseKeyWithType useKeyWithType) {
 queryKeyBindingType.getUseKeyWith().add(useKeyWithType);
 request.setQueryKeyBinding(queryKeyBindingType);
@@ -101,8 +120,6 @@ public class XKMSServiceTest extends Bas
 result.getResultMajor());
 Assert.assertEquals(ResultMinorEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_FAILURE.value(),
 result.getResultMinor());
- ResultDetails message = (ResultDetails)result.getMessageExtension().get(0);
- Assert.assertEquals("Exactly one useKeyWith element needed", message.getDetails());
 }
 }
Added: cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/http___localhost_8080_services_TestService.cer
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/http___localhost_8080_services_TestService.cer?rev=1554397&view=auto
==============================================================================
Binary file - no diff available.
Propchange: cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/http___localhost_8080_services_TestService.cer
------------------------------------------------------------------------------
 svn:mime-type = application/octet-stream
Modified: cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml (original)
+++ cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml Tue Dec 31 10:48:22 2013
@@ -35,6 +35,7 @@
+
Modified: cxf/trunk/services/xkms/xkms-war/pom.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-war/pom.xml?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-war/pom.xml (original)
+++ cxf/trunk/services/xkms/xkms-war/pom.xml Tue Dec 31 10:48:22 2013
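Review bot: The two removed lines drop the only assertion that checked why the Locate request failed, so this test now passes for any failure reported as XKMS_FAILURE rather than the "exactly one useKeyWith" condition it was written to cover. Since the message in X509Register was reworded in this same commit to "Exactly one useKeyWith element is supported", the assertion should be updated rather than deleted, e.g. `Assert.assertEquals("Exactly one useKeyWith element is supported", message.getDetails());`, provided the locate path produces the same text (the locator's validation is outside this diff). The enclosing test method starts before this hunk.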
@@ -42,6 +42,11 @@ runtime
+ commons-logging
+ commons-logging
+ runtime
+
+
 org.springframework
 spring-web
Modified: cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-key-handlers.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-key-handlers.xml?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-key-handlers.xml (original)
+++ cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-key-handlers.xml Tue Dec 31 10:48:22 2013
@@ -37,6 +37,7 @@
+
Modified: cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/handlers/X509Locator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/handlers/X509Locator.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/handlers/X509Locator.java (original)
+++ cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/handlers/X509Locator.java Tue Dec 31 10:48:22 2013
@@ -80,8 +80,10 @@ public class X509Locator implements Loca
 String id = ids.get(0).getIdentifier();
 if (application == Applications.PKIX) {
 cert = certRepo.findBySubjectDn(id);
- } else if (application == Applications.SERVICE_SOAP) {
+ } else if (application == Applications.SERVICE_NAME) {
 cert = certRepo.findByServiceName(id);
+ } else if (application == Applications.SERVICE_ENDPOINT) {
+ cert = certRepo.findByEndpoint(id);
 }
 }
 String issuer = getIdForApplication(Applications.ISSUER, ids);
Modified: cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/handlers/X509Register.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/handlers/X509Register.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/handlers/X509Register.java (original)
+++ cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/handlers/X509Register.java Tue Dec 31 10:48:22 2013
@@ -81,7 +81,7 @@ public class X509Register implements Reg
 X509Utils.assertElementNotNull(binding, KeyInfoType.class);
 List useKeyWithList = binding.getUseKeyWith();
 if (useKeyWithList == null || useKeyWithList.size() != 1) {
- throw new IllegalArgumentException("Exactly one useKeyWith element needed");
+ throw new IllegalArgumentException("Exactly one useKeyWith element is supported"); //TODO standard requires support for multiple useKeyWith attributes
 }
 UseKeyWithType useKeyWith = useKeyWithList.get(0);
Modified: cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/CertificateRepo.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/CertificateRepo.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/CertificateRepo.java (original)
+++ cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/CertificateRepo.java Tue Dec 31 10:48:22 2013
@@ -31,5 +31,6 @@ public interface CertificateRepo {
 void saveCertificate(X509Certificate cert, UseKeyWithType key);
 X509Certificate findBySubjectDn(String dn);
 X509Certificate findByServiceName(String serviceName);
+ X509Certificate findByEndpoint(String endpoint);
 X509Certificate findByIssuerSerial(String issuer, String serial);
 }
Modified: cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepo.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepo.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepo.java (original)
+++ cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepo.java Tue Dec 31 10:48:22 2013
@@ -36,6 +36,7 @@ import java.util.List;
 import java.util.regex.Pattern;
 import org.apache.cxf.xkms.exception.XKMSConfigurationException;
+import org.apache.cxf.xkms.handlers.Applications;
 import org.apache.cxf.xkms.model.xkms.ResultMajorEnum;
 import org.apache.cxf.xkms.model.xkms.ResultMinorEnum;
 import org.apache.cxf.xkms.model.xkms.UseKeyWithType;
@@ -76,7 +77,7 @@ public class FileCertificateRepo impleme
 public void saveCRL(X509CRL crl, UseKeyWithType id) {
 String name = crl.getIssuerX500Principal().getName();
 try {
- String path = convertDnForFileSystem(name) + ".cer";
+ String path = convertIdForFileSystem(name) + ".cer";
 Pattern p = Pattern.compile("[a-zA-Z_0-9-_]");
 if (!p.matcher(path).find()) {
 throw new URISyntaxException(path, "Input did not match [a-zA-Z_0-9-_].");
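Review bot: The new `findByEndpoint` on CertificateRepo has no Javadoc, and the contract both implementations in this commit follow (FileCertificateRepo and LdapCertificateRepo each return null, never throw, when nothing is bound) is exactly what a third implementation needs spelled out. Suggest: `/** Returns the certificate registered for the given service endpoint address (Applications.SERVICE_ENDPOINT), or null when none is bound. The address is matched as an opaque string and must be passed exactly as it was registered. */`. The file repo normalises the address through convertIdForFileSystem while the LDAP repo uses it in an equality filter, so stating exact-match semantics here keeps the two from drifting apart.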
@@ -96,7 +97,6 @@ public class FileCertificateRepo impleme
 private boolean saveCategorizedCertificate(X509Certificate cert, UseKeyWithType id, boolean isTrustedCA, boolean isCA) {
- String name = cert.getSubjectX500Principal().getName();
 String category = "";
 if (isTrustedCA) {
 category = TRUSTED_CAS_PATH;
@@ -106,7 +106,7 @@ public class FileCertificateRepo impleme
 }
 try {
 File certFile = new File(storageDir + "/" + category,
- getRelativePathForSubjectDn(cert));
+ getCertPath(cert, id));
 certFile.getParentFile().mkdirs();
 FileOutputStream fos = new FileOutputStream(certFile);
 BufferedOutputStream bos = new BufferedOutputStream(fos);
@@ -114,12 +114,12 @@ public class FileCertificateRepo impleme
 bos.close();
 fos.close();
 } catch (Exception e) {
- throw new RuntimeException("Error saving certificate " + name + ": " + e.getMessage(), e);
+ throw new RuntimeException("Error saving certificate " + cert.getSubjectDN() + ": " + e.getMessage(), e);
 }
 return true;
 }
-
- public String convertDnForFileSystem(String dn) {
+
+ public String convertIdForFileSystem(String dn) {
 String result = dn.replace("=", "-");
 result = result.replace(", ", "_");
 result = result.replace(",", "_");
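Review bot: The replacement error message uses `cert.getSubjectDN()`, a deprecated accessor whose string form is provider-specific, where the removed `name` local used `cert.getSubjectX500Principal().getName()`, the form that saveCRL in the previous hunk and LdapCertificateRepo.saveCertificate in this same diff rely on. Keep the standard form: `throw new RuntimeException("Error saving certificate " + cert.getSubjectX500Principal().getName() + ": " + e.getMessage(), e);`. The renamed `convertIdForFileSystem` also keeps its parameter named `dn` although endpoint addresses now flow through it; renaming it to `id` would match the method name, since the replace chain applies to either input. That method's body continues past the end of this hunk.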
@@ -131,15 +131,26 @@ public class FileCertificateRepo impleme
 return result;
 }
- public String getRelativePathForSubjectDn(X509Certificate cert)
+ public String getCertPath(X509Certificate cert, UseKeyWithType id)
 throws URISyntaxException {
- BigInteger serialNumber = cert.getSerialNumber();
- String issuer = cert.getIssuerX500Principal().getName();
- String path = convertDnForFileSystem(issuer) + "-" + serialNumber.toString() + ".cer";
- Pattern p = Pattern.compile("[a-zA-Z_0-9-_]");
- if (p.matcher(path).find()) {
- return path;
+ Applications application = null;
+ String path = null;
+ if (id != null) {
+ application = Applications.fromUri(id.getApplication());
+ }
+ if (application == Applications.SERVICE_ENDPOINT) {
+ path = id.getIdentifier();
 } else {
+ path = cert.getSubjectDN().getName();
+ }
+ path = convertIdForFileSystem(path) + ".cer";
+ validateCertificatePath(path);
+ return path;
+ }
+
+ private void validateCertificatePath(String path) throws URISyntaxException {
+ Pattern p = Pattern.compile("[a-zA-Z_0-9-_]");
+ if (!p.matcher(path).find()) {
 throw new URISyntaxException(path, "Input did not match [a-zA-Z_0-9-_].");
 }
 }
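Review bot: validateCertificatePath rejects almost nothing: `Pattern.compile("[a-zA-Z_0-9-_]")` used with `find()` succeeds as soon as a single permitted character occurs anywhere in the string, so any path ending in ".cer" passes regardless of what else it contains. For a SERVICE_ENDPOINT registration that path is derived from the client-supplied identifier, so this is the only check between the request and the filename written under storageDir; anchor it and match the whole string, e.g. `private static final Pattern SAFE_PATH = Pattern.compile("^[a-zA-Z0-9_.-]+$");` and `if (!SAFE_PATH.matcher(path).matches())` (the dot must be admitted because DNs and the ".cer" suffix contain it; the identical check in saveCRL has the same flaw). Separately, getCertPath now names non-endpoint files by subject DN alone where the removed code used issuer plus serial number, so re-registering a renewed certificate with the same subject silently overwrites the previous file; if that is intended, say so in a comment on `path = cert.getSubjectDN().getName();`. Whether convertIdForFileSystem removes every path separator is not visible here, because its replace chain is cut off at the end of the previous hunk.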
@@ -246,6 +257,25 @@ public class FileCertificateRepo impleme
 }
 @Override
+ public X509Certificate findByEndpoint(String endpoint) {
+ try {
+ String path = convertIdForFileSystem(endpoint) + ".cer";
+ validateCertificatePath(path);
+ File certFile = new File(storageDir.getAbsolutePath() + "/" + path);
+ if (!certFile.exists()) {
+ LOG.warn(String.format("Certificate not found for endpoint %s, path %s", endpoint,
+ certFile.getAbsolutePath()));
+ return null;
+ }
+ return (X509Certificate)certFactory.generateCertificate(new FileInputStream(certFile));
+ } catch (Exception e) {
+ LOG.warn(String.format("Cannot load certificate by endpoint: %s. Error: %s", endpoint,
+ e.getMessage()), e);
+ return null;
+ }
+ }
+
+ @Override
 public X509Certificate findBySubjectDn(String subjectDn) {
 List result = new ArrayList();
 File[] list = getX509Files();
@@ -299,4 +329,5 @@ public class FileCertificateRepo impleme
 }
 return null;
 }
+
 }
Modified: cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java (original)
+++ cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java Tue Dec 31 10:48:22 2013
@@ -25,7 +25,9 @@ import java.security.cert.CertificateFac
 import java.security.cert.X509CRL;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.regex.Matcher;
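Review bot: The `FileInputStream` created inline in `certFactory.generateCertificate(new FileInputStream(certFile))` is never closed on either the success or the exception path, so every endpoint lookup leaks a file descriptor until finalization, and a busy XKMS service can run into the process descriptor limit. Hold the stream in a local and close it in a finally block as below (try-with-resources would be neater if this module builds for Java 7; the other lookup methods are outside this hunk, so I cannot tell which form the class uses). The broad `catch (Exception e)` then turns a corrupt or unreadable file into a logged miss, which is acceptable for a lookup but means the warning is the only signal; keeping `e` as the log throwable, as the hunk already does, is the right call.
```java
// … unchanged: path validation and existence check …
FileInputStream in = new FileInputStream(certFile);
try {
    return (X509Certificate)certFactory.generateCertificate(in);
} finally {
    in.close();
}
// … unchanged: catch (Exception e) logging and return null …
```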
@@ -140,13 +142,18 @@ public class LdapCertificateRepo impleme
 }
 }
- private void saveCertificate(X509Certificate cert, String dn) {
+ private void saveCertificate(X509Certificate cert, String dn, Map appAttrs) {
 Attributes attribs = new BasicAttributes();
 attribs.put(new BasicAttribute(ATTR_OBJECT_CLASS, ldapConfig.getCertObjectClass()));
 attribs.put(new BasicAttribute(ldapConfig.getAttrUID(), cert.getSubjectX500Principal().getName()));
 attribs.put(new BasicAttribute(ldapConfig.getAttrIssuerID(), cert.getIssuerX500Principal().getName()));
 attribs.put(new BasicAttribute(ldapConfig.getAttrSerialNumber(), cert.getSerialNumber().toString(16)));
 addConstantAttributes(ldapConfig.getConstAttrNamesCSV(), ldapConfig.getConstAttrValuesCSV(), attribs);
+ if ((appAttrs != null) && (!appAttrs.isEmpty())) {
+ for (String attrName : appAttrs.keySet()) {
+ attribs.put(new BasicAttribute(attrName, appAttrs.get(attrName)));
+ }
+ }
 try {
 attribs.put(new BasicAttribute(ldapConfig.getAttrCrtBinary(), cert.getEncoded()));
 ldapSearch.bind(dn, attribs);
@@ -192,7 +199,7 @@ public class LdapCertificateRepo impleme
 public X509Certificate findByServiceName(String serviceName) {
 X509Certificate cert = null;
 try {
- String dn = getDnForServiceName(serviceName);
+ String dn = getDnForIdentifier(serviceName);
 cert = getCertificateForDn(dn);
 } catch (NamingException e) {
 // Not found
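Review bot: The new attribute loop walks `appAttrs.keySet()` and then calls `appAttrs.get(attrName)` for each key, a second hash lookup per attribute that iterating the entries avoids: `for (Map.Entry<String, String> e : appAttrs.entrySet()) { attribs.put(new BasicAttribute(e.getKey(), e.getValue())); }` (java.util.Map is imported by the earlier hunk of this file). The `!appAttrs.isEmpty()` test is redundant, since an empty map simply yields no iterations. The values are added without checking that the attribute named by ldapConfig.getAttrEndpoint() is permitted by getCertObjectClass(); for the default inetOrgPerson/labeledURI pairing it is, but a mismatched configuration only fails at bind time inside the try below.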
@@ -207,8 +214,22 @@ public class LdapCertificateRepo impleme
 return cert;
 }
- private String getDnForServiceName(String serviceName) {
- String escapedIdentifier = serviceName.replaceAll("\\/", Matcher.quoteReplacement("\\/"));
+ @Override
+ public X509Certificate findByEndpoint(String endpoint) {
+ X509Certificate cert = null;
+ String filter = String.format("(%s=%s)", ldapConfig.getAttrEndpoint(), endpoint);
+ try {
+ Attribute attr = ldapSearch.findAttribute(rootDN, filter, ldapConfig.getAttrCrtBinary());
+ cert = getCert(attr);
+ } catch (NamingException e) {
+ // Not found
+ }
+ return cert;
+ }
+
+
+ private String getDnForIdentifier(String id) {
+ String escapedIdentifier = id.replaceAll("\\/", Matcher.quoteReplacement("\\/"));
 return String.format(ldapConfig.getServiceCertRDNTemplate(), escapedIdentifier) + "," + rootDN;
 }
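Review bot: `String.format("(%s=%s)", ldapConfig.getAttrEndpoint(), endpoint)` splices the caller-supplied endpoint into an LDAP search filter without escaping, and that value comes unchanged from the UseKeyWith identifier of a Locate request (X509Locator passes `ids.get(0).getIdentifier()` straight through). An identifier such as `*` or `*)(objectClass=*` matches whichever entry the server returns first, so a requester can be handed the certificate bound to a different endpoint; since the caller uses it to encrypt the STS symmetric key, that is a key-substitution issue rather than a mere lookup bug. Escape the value per RFC 4515 before formatting, as sketched below, and give any other filter built from request data the same treatment (findAttribute and getCertificateForDn are outside this hunk). The neighbouring `getDnForIdentifier` only escapes `/`, so identifiers containing `,`, `+`, `=`, `"` or `\` still produce a malformed or redirected DN when substituted into the RDN template; RFC 4514 escaping belongs there as well.
```java
String filter = String.format("(%s=%s)", ldapConfig.getAttrEndpoint(), escapeFilterValue(endpoint));
// … unchanged: findAttribute / getCert / NamingException handling …

/** Escapes an assertion value for use inside an LDAP search filter (RFC 4515, section 3). */
private static String escapeFilterValue(String value) {
    StringBuilder sb = new StringBuilder(value.length());
    for (char c : value.toCharArray()) {
        switch (c) {
        case '\\': sb.append("\\5c"); break;
        case '*': sb.append("\\2a"); break;
        case '(': sb.append("\\28"); break;
        case ')': sb.append("\\29"); break;
        case '\0': sb.append("\\00"); break;
        default: sb.append(c);
        }
    }
    return sb.toString();
}
```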
@@ -260,15 +281,19 @@ public class LdapCertificateRepo impleme
 @Override
 public void saveCertificate(X509Certificate cert, UseKeyWithType key) {
 Applications application = Applications.fromUri(key.getApplication());
- String dn;
+ String dn = null;
+ Map attrs = new HashMap();
 if (application == Applications.PKIX) {
 dn = key.getIdentifier() + "," + rootDN;
- } else if (application == Applications.SERVICE_SOAP) {
- dn = getDnForServiceName(key.getIdentifier());
+ } else if (application == Applications.SERVICE_NAME) {
+ dn = getDnForIdentifier(key.getIdentifier());
+ } else if (application == Applications.SERVICE_ENDPOINT) {
+ attrs.put(ldapConfig.getAttrEndpoint(), key.getIdentifier());
+ dn = getDnForIdentifier(key.getIdentifier());
 } else {
 throw new IllegalArgumentException("Unsupported Application " + application);
 }
- saveCertificate(cert, dn);
+ saveCertificate(cert, dn, attrs);
 }
 }
Modified: cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapSchemaConfig.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapSchemaConfig.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapSchemaConfig.java (original)
+++ cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapSchemaConfig.java Tue Dec 31 10:48:22 2013
@@ -23,6 +23,7 @@ public class LdapSchemaConfig {
 private String attrUID = "uid";
 private String attrIssuerID = "manager";
 private String attrSerialNumber = "employeeNumber";
+ private String attrEndpoint = "labeledURI";
 private String attrCrtBinary = "userCertificate;binary";
 private String attrCrlBinary = "certificateRevocationList;binary";
 private String constAttrNamesCSV = "sn";
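Review bot: For SERVICE_ENDPOINT the entry is bound at `getDnForIdentifier(key.getIdentifier())`, the same DN a SERVICE_NAME registration with an equal identifier would use, so the two applications share one namespace and a later registration of either kind either replaces the other or fails with a name-already-bound error, depending on what ldapSearch.bind does with an existing DN (outside this hunk). The endpoint attribute (labeledURI by default) is the only thing that marks the entry as an endpoint binding, and saveCertificate does not check whether the DN already exists before binding. Consider a distinct RDN template for endpoint entries, or fold the application into the RDN value, and note the intended overlap on the `} else if (application == Applications.SERVICE_ENDPOINT) {` line.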
@@ -137,4 +138,12 @@ public class LdapSchemaConfig {
 this.attrCrlBinary = attrCrlBinary;
 }
+ public String getAttrEndpoint() {
+ return attrEndpoint;
+ }
+
+ public void setAttrEndpoint(String attrEndpoint) {
+ this.attrEndpoint = attrEndpoint;
+ }
+
 }
Modified: cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepoTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepoTest.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepoTest.java (original)
+++ cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepoTest.java Tue Dec 31 10:48:22 2013
@@ -39,8 +39,7 @@ import org.junit.Test;
 public class FileCertificateRepoTest {
 private static final String EXAMPLE_SUBJECT_DN = "CN=www.issuer.com, L=CGN, ST=NRW, C=DE, O=Issuer";
- private static final String EXPECTED_CERT_FILE_NAME =
- "CN-www.issuer.com_L-CGN_ST-NRW_C-DE_O-Issuer-11688544847478700689.cer";
+ private static final String EXPECTED_CERT_FILE_NAME = "CN-www.issuer.com_L-CGN_ST-NRW_C-DE_O-Issuer.cer";
 @Test
 public void testSaveAndFind() throws CertificateException, IOException {
@@ -113,7 +112,7 @@ public class FileCertificateRepoTest {
 @Test
 public void testConvertDnForFileSystem() throws CertificateException {
 String convertedName = new FileCertificateRepo("src/test/resources/store1")
- .convertDnForFileSystem(EXAMPLE_SUBJECT_DN);
+ .convertIdForFileSystem(EXAMPLE_SUBJECT_DN);
 Assert.assertEquals("CN-www.issuer.com_L-CGN_ST-NRW_C-DE_O-Issuer", convertedName);
 }
Modified: cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/repo/ldap/LDAPCertificateRepoTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/repo/ldap/LDAPCertificateRepoTest.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/repo/ldap/LDAPCertificateRepoTest.java (original)
+++ cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/repo/ldap/LDAPCertificateRepoTest.java Tue Dec 31 10:48:22 2013
@@ -130,7 +130,7 @@ public class LDAPCertificateRepoTest {
 c.replay();
 UseKeyWithType key = new UseKeyWithType();
- key.setApplication(Applications.SERVICE_SOAP.getUri());
+ key.setApplication(Applications.SERVICE_NAME.getUri());
 key.setIdentifier(EXPECTED_SERVICE_URI);
 ldapCertRepo.saveCertificate(cert, key);
 c.verify();