From ashaki...@apache.org
Subject git commit: [CXF-5926]: Extend SSL KeyManagers with password callback handler
Date Mon, 04 Aug 2014 13:49:43 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 13893abc4 -> 2ba773274


[CXF-5926]: Extend SSL KeyManagers with password callback handler


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2ba77327
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2ba77327
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2ba77327

Branch: refs/heads/master
Commit: 2ba77327488a8446e6a92af137f644eaf3b06e2e
Parents: 13893ab
Author: Andrei Shakirin <andrei.shakirin@gmail.com>
Authored: Mon Aug 4 15:49:07 2014 +0200
Committer: Andrei Shakirin <andrei.shakirin@gmail.com>
Committed: Mon Aug 4 15:49:07 2014 +0200

----------------------------------------------------------------------
 .../jsse/TLSParameterJaxBUtils.java             | 38 +++++++++++-
 .../schemas/configuration/security.xsd          |  8 +++
 .../cxf/systest/http/HTTPSClientTest.java       |  5 ++
 .../http/KeyPasswordCallbackHandler.java        | 39 ++++++++++++
 .../http/resources/jaxws-publish-callback.xml   | 64 ++++++++++++++++++++
 5 files changed, 151 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/2ba77327/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
index 8996c8b..080db9e 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
@@ -32,12 +32,15 @@ import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
+import java.util.logging.Level;
 import java.util.logging.Logger;
 
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.PasswordCallback;
 
 import org.apache.cxf.Bus;
 import org.apache.cxf.BusFactory;
@@ -267,9 +270,7 @@ public final class TLSParameterJaxBUtils {
                      ? kmc.getFactoryAlgorithm()
                      : KeyManagerFactory.getDefaultAlgorithm();
 
-        char[] keyPass = kmc.isSetKeyPassword()
-                     ? deobfuscate(kmc.getKeyPassword())
-                     : null;
+        char[] keyPass = getKeyPassword(kmc);
 
         KeyManagerFactory fac =
                      kmc.isSetProvider()
@@ -281,6 +282,37 @@ public final class TLSParameterJaxBUtils {
         return fac.getKeyManagers();
     }
 
+    private static char[] getKeyPassword(KeyManagersType kmc) {
+        char[] keyPass = kmc.isSetKeyPassword()
+            ? deobfuscate(kmc.getKeyPassword())
+            : null;
+
+        if (keyPass != null) {
+            return keyPass;
+        }
+
+        String callbackHandlerClass = kmc.getKeyPasswordCallbackHandler();
+        if (callbackHandlerClass == null) {
+            return null;
+        }
+        CallbackHandler ch = null;
+        try {
+            ch = (CallbackHandler)ClassLoaderUtils.loadClass(callbackHandlerClass, TLSParameterJaxBUtils.class)
+                .newInstance();
+            if (ch == null) {
+                return null;
+            }
+            PasswordCallback pwCb = new PasswordCallback(kmc.getKeyStore().getFile(), false);
+            PasswordCallback[] callbacks = new PasswordCallback[] {pwCb};
+            ch.handle(callbacks);
+            keyPass = callbacks[0].getPassword();
+        } catch (Exception e) {
+            LOG.log(Level.WARNING,
+                    "Cannot load key password from callback handler: " + e.getMessage(),
e);
+        }
+        return keyPass;
+    }
+
     /**
      * This method converts the JAXB KeyManagersType into a list of
      * JSSE TrustManagers.
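Review bot: The `if (ch == null)` guard after `newInstance()` is unreachable — `Class.newInstance()` either returns an instance or throws, and the throw already lands in the `catch (Exception e)` below — so those three lines can be dropped. `new PasswordCallback(kmc.getKeyStore().getFile(), false)` also ties the prompt to a `file`-based keystore: `PasswordCallback` rejects a null or empty prompt with `IllegalArgumentException`, so a keystore configured without `file` would fall into the same warning path and quietly yield a null key password; a never-empty prompt such as `String prompt = kmc.getKeyStore() != null && kmc.getKeyStore().getFile() != null ? kmc.getKeyStore().getFile() : "key password";` avoids that. `getPassword()` returns a copy, so the callback keeps its own copy of the secret; add `pwCb.clearPassword();` right after `keyPass = callbacks[0].getPassword();` to shorten how long it stays in memory. The broad catch also turns any handler failure into a WARNING plus a null password, so a misconfigured handler presumably only surfaces later when the KeyManagerFactory is initialised without a key password — worth considering whether that should propagate instead.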

http://git-wip-us.apache.org/repos/asf/cxf/blob/2ba77327/core/src/main/resources/schemas/configuration/security.xsd
----------------------------------------------------------------------
diff --git a/core/src/main/resources/schemas/configuration/security.xsd b/core/src/main/resources/schemas/configuration/security.xsd
index e68e65a..8e59e89 100644
--- a/core/src/main/resources/schemas/configuration/security.xsd
+++ b/core/src/main/resources/schemas/configuration/security.xsd
@@ -249,6 +249,14 @@
                 </xs:documentation>
               </xs:annotation>
             </xs:attribute>
+            <xs:attribute name="keyPasswordCallbackHandler" type="xs:string">
+              <xs:annotation>
+                <xs:documentation>
+                This attribute contains the name of the class implementing
+                password callback handler. Alternative to keyPassword attribute.
+                </xs:documentation>
+              </xs:annotation>
+            </xs:attribute>
             <xs:attribute name="provider" type="xs:string">
               <xs:annotation>
                 <xs:documentation>
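Review bot: The new `keyPasswordCallbackHandler` documentation does not state the contract the loader in `TLSParameterJaxBUtils.getKeyPassword` imposes on the named class: it must implement `javax.security.auth.callback.CallbackHandler`, be instantiable through a public no-argument constructor, and will receive a single `PasswordCallback`. It also does not say that `keyPassword`, when set, takes precedence and the handler is not consulted. Suggested wording: `Fully qualified name of a class implementing javax.security.auth.callback.CallbackHandler with a public no-arg constructor; it receives a single PasswordCallback and must supply the key password. Used only when keyPassword is not set.`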

http://git-wip-us.apache.org/repos/asf/cxf/blob/2ba77327/systests/transports/src/test/java/org/apache/cxf/systest/http/HTTPSClientTest.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/http/HTTPSClientTest.java
b/systests/transports/src/test/java/org/apache/cxf/systest/http/HTTPSClientTest.java
index 3fcda30..53a6434 100644
--- a/systests/transports/src/test/java/org/apache/cxf/systest/http/HTTPSClientTest.java
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/http/HTTPSClientTest.java
@@ -153,6 +153,11 @@ public class HTTPSClientTest extends AbstractBusClientServerTestBase
{
                            "https://localhost:" + BusServer.getPort(1) + "/SoapContext/HttpsPort");
     }
     @Test
+    public final void testJaxwsEndpointCallback() throws Exception {
+        testSuccessfulCall("resources/jaxws-publish-callback.xml",
+                           "https://localhost:" + BusServer.getPort(1) + "/SoapContext/HttpsPort");
+    }
+    @Test
     public final void testJaxwsTLSRefsEndpoint() throws Exception {
         testSuccessfulCall("resources/jaxws-tlsrefs-publish.xml",
                            "https://localhost:" + BusServer.getPort(1) + "/SoapContext/HttpsPort");

http://git-wip-us.apache.org/repos/asf/cxf/blob/2ba77327/systests/transports/src/test/java/org/apache/cxf/systest/http/KeyPasswordCallbackHandler.java
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/http/KeyPasswordCallbackHandler.java
b/systests/transports/src/test/java/org/apache/cxf/systest/http/KeyPasswordCallbackHandler.java
new file mode 100644
index 0000000..118d766
--- /dev/null
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/http/KeyPasswordCallbackHandler.java
@@ -0,0 +1,39 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.http;
+
+import java.io.IOException;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+public class KeyPasswordCallbackHandler implements CallbackHandler {
+
+    @Override
+    public void handle(Callback[] callbacks) throws IOException,
+        UnsupportedCallbackException {
+        for (int i = 0; i < callbacks.length; i++) {
+            PasswordCallback pc = (PasswordCallback)callbacks[i];
+            pc.setPassword("password".toCharArray());
+        }
+    }
+
+}
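Review bot: `handle` casts every element of `callbacks` to `PasswordCallback` without checking, so any other callback type fails with a `ClassCastException` instead of the `UnsupportedCallbackException` the `CallbackHandler` contract reserves for it — even though the method declares that exception. Replace the unconditional cast with `if (!(callbacks[i] instanceof PasswordCallback)) { throw new UnsupportedCallbackException(callbacks[i]); }` and cast only afterwards. A class Javadoc such as `/** Test CallbackHandler that answers every PasswordCallback with a fixed password. */` would also make its role as a systest fixture explicit.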

http://git-wip-us.apache.org/repos/asf/cxf/blob/2ba77327/systests/transports/src/test/java/org/apache/cxf/systest/http/resources/jaxws-publish-callback.xml
----------------------------------------------------------------------
diff --git a/systests/transports/src/test/java/org/apache/cxf/systest/http/resources/jaxws-publish-callback.xml
b/systests/transports/src/test/java/org/apache/cxf/systest/http/resources/jaxws-publish-callback.xml
new file mode 100644
index 0000000..05d5c95
--- /dev/null
+++ b/systests/transports/src/test/java/org/apache/cxf/systest/http/resources/jaxws-publish-callback.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:http="http://cxf.apache.org/transports/http/configuration" xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:sec="http://cxf.apache.org/configuration/security"
xsi:schemaLocation="         http://www.springframework.org/schema/beans                 http://www.springframework.org/schema/beans/spring-beans.xsd
        http://cxf.apache.org/jaxws                                 http://cxf.apache.org/schemas/jaxws.xsd
        http://cxf.apache.org/transports/http/configuration         http://cxf.apache.org/schemas/configuration/http-conf.xsd
        http://cxf.apache.org/transports/http-jetty/configuration   http://cxf.apache.org/schemas/configuration/http-jetty.xsd
        http://cxf.apache.org/configuration/security                http://cxf.apache.org/schemas/configuration/security.xsd
        ">
+    <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+    <!-- -->
+    <!-- This Spring config file is designed to represent a minimal -->
+    <!-- configuration for spring-loading a CXF servant, where the -->
+    <!-- servant listens using HTTP/S as the transport protocol. -->
+    <!-- -->
+    <!-- Note that the service endpoint is spring-loaded.  In the -->
+    <!-- scenario in which this config is designed to run, the -->
+    <!-- server application merely instantiates a Bus, and does not -->
+    <!-- publish any services programmatically -->
+    <!-- -->
+    <!-- -->
+    <!-- Spring-load an HTTPS servant -->
+    <!-- -->
+    <jaxws:endpoint xmlns:e="http://apache.org/hello_world/services" xmlns:s="http://apache.org/hello_world/services"
id="JaxwsHttpsEndpoint" implementor="org.apache.cxf.systest.http.GreeterImpl" address="https://localhost:${testutil.ports.BusServer.1}/SoapContext/HttpsPort"
serviceName="s:SOAPService" endpointName="e:HttpsPort" depends-on="port-9001-tls-config"/>
+    <!-- -->
+    <!-- TLS Port configuration parameters for port 9001 -->
+    <!-- -->
+    <httpj:engine-factory id="port-9001-tls-config">
+        <httpj:engine port="${testutil.ports.BusServer.1}">
+            <httpj:tlsServerParameters>
+                <sec:keyManagers keyPasswordCallbackHandler="org.apache.cxf.systest.http.KeyPasswordCallbackHandler">
+                    <sec:keyStore type="JKS" password="password" file="src/test/java/org/apache/cxf/systest/http/resources/Bethal.jks"/>
+                </sec:keyManagers>
+                <sec:trustManagers>
+                    <sec:keyStore type="JKS" password="password" file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
+                </sec:trustManagers>
+            </httpj:tlsServerParameters>
+        </httpj:engine>
+    </httpj:engine-factory>
+    <!-- -->
+    <!-- HTTP/S configuration for clients -->
+    <!-- -->
+    <http:conduit name="{http://apache.org/hello_world/services}HttpsPort.http-conduit">
+        <http:tlsClientParameters disableCNCheck="true">
+            <sec:keyManagers keyPasswordCallbackHandler="org.apache.cxf.systest.http.KeyPasswordCallbackHandler">
+                <sec:keyStore type="JKS" password="password" file="src/test/java/org/apache/cxf/systest/http/resources/Morpit.jks"/>
+            </sec:keyManagers>
+            <sec:trustManagers>
+                <sec:keyStore type="JKS" password="password" file="src/test/java/org/apache/cxf/systest/http/resources/Truststore.jks"/>
+            </sec:trustManagers>
+        </http:tlsClientParameters>
+    </http:conduit>
+</beans>
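Review bot: The header comments describe a minimal HTTPS servant configuration but never mention what this file actually exercises — the `keyPasswordCallbackHandler` attribute on both `sec:keyManagers` elements, which obtains the key password from `org.apache.cxf.systest.http.KeyPasswordCallbackHandler` instead of a `keyPassword` attribute. A line such as `<!-- Key passwords are obtained from KeyPasswordCallbackHandler rather than a keyPassword attribute -->` beside the existing comment block would make that clear. The keystore passwords themselves still appear inline as `password="password"`, which is fine for a test resource but worth noting so the file is not read as a complete example of keeping secrets out of the configuration.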

