cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1559120 - /cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
Date Fri, 17 Jan 2014 14:37:33 GMT
Author: coheigea
Date: Fri Jan 17 14:37:32 2014
New Revision: 1559120

URL: http://svn.apache.org/r1559120
Log:
Add more strict validation of X.509 tokens

Modified:
    cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java

Modified: cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java?rev=1559120&r1=1559119&r2=1559120&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
(original)
+++ cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
Fri Jan 17 14:37:32 2014
@@ -19,17 +19,22 @@
 
 package org.apache.cxf.ws.security.wss4j.policyvalidators;
 
+import java.security.cert.X509Certificate;
 import java.util.Collection;
 import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 import org.w3c.dom.Element;
-
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.ws.policy.AssertionInfo;
 import org.apache.cxf.ws.policy.AssertionInfoMap;
+import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
 import org.apache.wss4j.dom.message.token.BinarySecurity;
+import org.apache.wss4j.dom.message.token.X509Security;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.X509Token;
@@ -40,6 +45,8 @@ import org.apache.wss4j.policy.model.X50
  */
 public class X509TokenPolicyValidator extends AbstractTokenPolicyValidator implements TokenPolicyValidator
{
     
+    private static final Logger LOG = LogUtils.getL7dLogger(X509TokenPolicyValidator.class);
+    
     private static final String X509_V3_VALUETYPE = WSConstants.X509TOKEN_NS + "#X509v3";
     private static final String PKI_VALUETYPE = WSConstants.X509TOKEN_NS + "#X509PKIPathv1";
     
@@ -107,9 +114,13 @@ public class X509TokenPolicyValidator ex
         }
 
         String requiredType = X509_V3_VALUETYPE;
+        boolean v3certRequired = false;
         if (tokenType == TokenType.WssX509PkiPathV1Token10
             || tokenType == TokenType.WssX509PkiPathV1Token11) {
             requiredType = PKI_VALUETYPE;
+        } else if (tokenType == TokenType.WssX509V3Token10 
+            || tokenType == TokenType.WssX509V3Token11) {
+            v3certRequired = true;
         }
 
         for (WSSecurityEngineResult result : bstResults) {
@@ -118,7 +129,19 @@ public class X509TokenPolicyValidator ex
             if (binarySecurityToken != null) {
                 String type = binarySecurityToken.getValueType();
                 if (requiredType.equals(type)) {
-                    return true;
+                    if (v3certRequired && binarySecurityToken instanceof X509Security)
{
+                        try {
+                            X509Certificate cert = 
+                                 ((X509Security)binarySecurityToken).getX509Certificate(null);
+                            if (cert != null && cert.getVersion() == 3) {
+                                return true;
+                            }
+                        } catch (WSSecurityException e) {
+                            LOG.log(Level.FINE, e.getMessage());
+                        }
+                    } else {
+                        return true;
+                    }
                 }
             }
         }



Mime
View raw message