cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ashaki...@apache.org
Subject svn commit: r1555845 - in /cxf/trunk/services/xkms: xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/ xkms-common/src/main/java/org/apache/cxf/xkms/handlers/ xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/ xkms-osgi/sr...
Date Mon, 06 Jan 2014 15:03:42 GMT
Author: ashakirin
Date: Mon Jan  6 15:03:42 2014
New Revision: 1555845

URL: http://svn.apache.org/r1555845
Log:
[CXF-5482]: XKMS: provide direct trust validator

Added:
    cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/DirectTrustValidator.java
Modified:
    cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XKMSInvoker.java
    cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/handlers/XKMSConstants.java
    cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/ValidatorTest.java
    cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml
    cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-endpoint.xml
    cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-key-handlers.xml

Modified: cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XKMSInvoker.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XKMSInvoker.java?rev=1555845&r1=1555844&r2=1555845&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XKMSInvoker.java
(original)
+++ cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XKMSInvoker.java
Mon Jan  6 15:03:42 2014
@@ -40,6 +40,7 @@ import org.apache.cxf.xkms.exception.XKM
 import org.apache.cxf.xkms.handlers.Applications;
 import org.apache.cxf.xkms.handlers.XKMSConstants;
 import org.apache.cxf.xkms.model.xkms.KeyBindingEnum;
+import org.apache.cxf.xkms.model.xkms.KeyUsageEnum;
 import org.apache.cxf.xkms.model.xkms.LocateRequestType;
 import org.apache.cxf.xkms.model.xkms.LocateResultType;
 import org.apache.cxf.xkms.model.xkms.MessageAbstractType;
@@ -110,8 +111,20 @@ class XKMSInvoker {
     }
 
     public boolean validateCertificate(X509Certificate cert) {
+        return checkCertificateValidity(cert, false);
+    }
+
+    public boolean validateDirectTrustCertificate(X509Certificate cert) {
+        return checkCertificateValidity(cert, true);
+    }
+
+    protected boolean checkCertificateValidity(X509Certificate cert, boolean directTrust)
{
         try {
             ValidateRequestType validateRequestType = prepareValidateXKMSRequest(cert);
+            if (directTrust) {
+                validateRequestType.getQueryKeyBinding().getKeyUsage()
+                    .add(KeyUsageEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_SIGNATURE);
+            }
             ValidateResultType validateResultType = xkmsConsumer.validate(validateRequestType);
             String id = cert.getSubjectDN().getName();
             CertificateValidationResult result = parseValidateXKMSResponse(validateResultType,
id);

Modified: cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/handlers/XKMSConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/handlers/XKMSConstants.java?rev=1555845&r1=1555844&r2=1555845&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/handlers/XKMSConstants.java
(original)
+++ cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/handlers/XKMSConstants.java
Mon Jan  6 15:03:42 2014
@@ -20,6 +20,7 @@ package org.apache.cxf.xkms.handlers;
 
 public final class XKMSConstants {
     public static final String XKMS_ENDPOINT_NAME = "http://cxf.apache.org/services/XKMS/";
+    public static final String DIRECT_TRUST_VALIDATION = "http://cxf.apache.org/xkms#DirectTrust";
 
     private XKMSConstants() {
     }

Modified: cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/ValidatorTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/ValidatorTest.java?rev=1555845&r1=1555844&r2=1555845&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/ValidatorTest.java
(original)
+++ cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/ValidatorTest.java
Mon Jan  6 15:03:42 2014
@@ -31,6 +31,7 @@ import javax.xml.bind.JAXBException;
 import org.apache.cxf.xkms.handlers.XKMSConstants;
 import org.apache.cxf.xkms.itests.BasicIntegrationTest;
 import org.apache.cxf.xkms.model.xkms.KeyBindingEnum;
+import org.apache.cxf.xkms.model.xkms.KeyUsageEnum;
 import org.apache.cxf.xkms.model.xkms.MessageAbstractType;
 import org.apache.cxf.xkms.model.xkms.QueryKeyBindingType;
 import org.apache.cxf.xkms.model.xkms.ReasonEnum;
@@ -122,6 +123,36 @@ public class ValidatorTest extends Basic
             .getInvalidReason().get(0));
     }
 
+    @Test
+    public void testDaveDirectTrust() throws JAXBException, CertificateException {
+        X509Certificate daveCertificate = readCertificate("dave.cer");
+        ValidateRequestType request = prepareValidateXKMSRequest(daveCertificate);
+        request.getQueryKeyBinding().getKeyUsage().add(KeyUsageEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_SIGNATURE);
+        StatusType result = doValidate(request);
+
+        Assert.assertEquals(KeyBindingEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_VALID, result.getStatusValue());
+        Assert.assertFalse(result.getValidReason().isEmpty());
+        Assert.assertEquals(ReasonEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_VALIDITY_INTERVAL.value(),
result
+            .getValidReason().get(0));
+        Assert.assertEquals(ReasonEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_ISSUER_TRUST.value(),
result
+            .getValidReason().get(1));
+        Assert.assertEquals(XKMSConstants.DIRECT_TRUST_VALIDATION, result
+                            .getValidReason().get(2));
+    }
+
+    @Test
+    public void testWss40DirectTrustNegative() throws JAXBException, CertificateException
{
+        X509Certificate wss40Certificate = readCertificate("wss40.cer");
+        ValidateRequestType request = prepareValidateXKMSRequest(wss40Certificate);
+        request.getQueryKeyBinding().getKeyUsage().add(KeyUsageEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_SIGNATURE);
+        StatusType result = doValidate(request);
+
+        Assert.assertEquals(KeyBindingEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_INVALID, result.getStatusValue());
+        Assert.assertFalse(result.getInvalidReason().isEmpty());
+        Assert.assertEquals(XKMSConstants.DIRECT_TRUST_VALIDATION, result
+                            .getInvalidReason().get(0));
+    }
+
     /*
      * Method is taken from {@link org.apache.cxf.xkms.client.XKMSInvokder}.
      */

Modified: cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml?rev=1555845&r1=1555844&r2=1555845&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml
(original)
+++ cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml
Mon Jan  6 15:03:42 2014
@@ -58,6 +58,9 @@
         <argument ref="certificateRepo"/>
         <property name="enableRevocation" value="${xkms.enableRevocation}"/>
     </bean>
+    <bean id="directTrustValidator" class="org.apache.cxf.xkms.x509.validator.DirectTrustValidator">
+        <argument ref="certificateRepo"/>
+    </bean>
     <bean id="x509Locator" class="org.apache.cxf.xkms.x509.handlers.X509Locator">
         <argument ref="certificateRepo"/>
     </bean>
@@ -71,6 +74,7 @@
             <list>
                 <ref component-id="dateValidator"/>
                 <ref component-id="trustedAuthorityValidator"/>
+                <ref component-id="directTrustValidator"/>
             </list>
         </property>
         <property name="locators">

Modified: cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-endpoint.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-endpoint.xml?rev=1555845&r1=1555844&r2=1555845&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-endpoint.xml (original)
+++ cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-endpoint.xml Mon Jan  6
15:03:42 2014
@@ -28,6 +28,7 @@
             <list>
                 <ref bean="dateValidator"/>
                 <ref bean="trustedAuthorityValidator"/>
+                <ref bean="directTrustValidator"/>
             </list>
         </property>
         <property name="locators">

Modified: cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-key-handlers.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-key-handlers.xml?rev=1555845&r1=1555844&r2=1555845&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-key-handlers.xml (original)
+++ cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-key-handlers.xml Mon Jan
 6 15:03:42 2014
@@ -14,6 +14,9 @@
     <bean id="trustedAuthorityValidator" class="org.apache.cxf.xkms.x509.validator.TrustedAuthorityValidator">
         <constructor-arg ref="certificateRepo"/>
     </bean>
+    <bean id="directTrustValidator" class="org.apache.cxf.xkms.x509.validator.DirectTrustValidator">
+        <constructor-arg ref="certificateRepo"/>
+    </bean>
     <bean id="x509Locator" class="org.apache.cxf.xkms.x509.handlers.X509Locator">
         <constructor-arg ref="certificateRepo"/>
     </bean>

Added: cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/DirectTrustValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/DirectTrustValidator.java?rev=1555845&view=auto
==============================================================================
--- cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/DirectTrustValidator.java
(added)
+++ cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/DirectTrustValidator.java
Mon Jan  6 15:03:42 2014
@@ -0,0 +1,86 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.xkms.x509.validator;
+
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.logging.Logger;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.xkms.handlers.Validator;
+import org.apache.cxf.xkms.handlers.XKMSConstants;
+import org.apache.cxf.xkms.model.xkms.KeyBindingEnum;
+import org.apache.cxf.xkms.model.xkms.KeyUsageEnum;
+import org.apache.cxf.xkms.model.xkms.StatusType;
+import org.apache.cxf.xkms.model.xkms.ValidateRequestType;
+import org.apache.cxf.xkms.x509.repo.CertificateRepo;
+
+public class DirectTrustValidator implements Validator {
+
+    private static final Logger LOG = LogUtils.getL7dLogger(DirectTrustValidator.class);
+    
+    private CertificateRepo certRepo;
+
+    public DirectTrustValidator(CertificateRepo certRepo) {
+        this.certRepo = certRepo;
+    }
+
+    /**
+     * Checks if a certificate is located in XKMS storage.
+     *
+     * @param certificate to check
+     * @return true if certificate is found
+     */
+    public boolean isCertificateInRepo(X509Certificate certificate) {
+        X509Certificate findCert = certRepo.findBySubjectDn(certificate.getSubjectDN().getName());
+        return findCert != null;
+    }
+
+    @Override
+    public StatusType validate(ValidateRequestType request) {
+        StatusType status = new StatusType();
+
+        if (request.getQueryKeyBinding() != null) {
+            List<KeyUsageEnum> keyUsages = request.getQueryKeyBinding().getKeyUsage();
+            if (keyUsages.contains(KeyUsageEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_SIGNATURE))
{
+                List<X509Certificate> certificates = ValidateRequestParser.parse(request);
+                if (certificates == null || certificates.isEmpty()) {
+                    status.setStatusValue(KeyBindingEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_INDETERMINATE);
+                    status.getIndeterminateReason().add("http://www.cxf.apache.org/2002/03/xkms#RequestNotSupported");
+                    return status;
+                }
+                for (X509Certificate certificate : certificates) {
+                    if (!isCertificateInRepo(certificate)) {
+                        LOG.warning("Certificate is not found in XKMS repo and is not directly
trusted: "
+                                    + certificate.getSubjectDN().getName());
+                        status.getInvalidReason().add(XKMSConstants.DIRECT_TRUST_VALIDATION);
+                        status.setStatusValue(KeyBindingEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_INVALID);
+                        return status;
+                    }
+                }
+                status.getValidReason().add(XKMSConstants.DIRECT_TRUST_VALIDATION);
+            }
+        }
+
+        status.setStatusValue(KeyBindingEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_VALID);
+
+        return status;
+    }
+}



Mime
View raw message