From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: <58a99e4793964c5ea7d36e1312f23ba6@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: cxf git commit: [CXF-6279] Prototyping the initial X509 path validation code, validating it agaisnt the demo, to be enhanced at the later stage Date: Thu, 12 Mar 2015 17:03:16 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/3.0.x-fixes 5c0055245 -> ed23f73ee [CXF-6279] Prototyping the initial X509 path validation code, validating it agaisnt the demo, to be enhanced at the later stage Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/ed23f73e Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/ed23f73e Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/ed23f73e Branch: refs/heads/3.0.x-fixes Commit: ed23f73ee4ba3f0e2066c62d892aaabf2fae14ad Parents: 5c00552 Author: Sergey Beryozkin Authored: Thu Mar 12 16:58:44 2015 +0000 Committer: Sergey Beryozkin Committed: Thu Mar 12 17:02:42 2015 +0000 ---------------------------------------------------------------------- .../security/jose/jaxrs/KeyManagementUtils.java | 55 ++++++++++++++++---- .../cxf/rs/security/jose/jwe/JweUtils.java | 8 +++ .../cxf/rs/security/jose/jws/JwsUtils.java | 8 +++ 3 files changed, 60 insertions(+), 11 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/ed23f73e/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
index a246a14..cad54f8 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
@@ -24,7 +24,15 @@ import java.security.KeyStore;
 import java.security.Principal;
 import java.security.PrivateKey;
 import java.security.PublicKey;
+import java.security.cert.CertPath;
+import java.security.cert.CertPathBuilder;
+import java.security.cert.CertPathBuilderResult;
+import java.security.cert.CertPathValidator;
+import java.security.cert.CertStore;
 import java.security.cert.Certificate;
+import java.security.cert.CollectionCertStoreParameters;
+import java.security.cert.PKIXBuilderParameters;
+import java.security.cert.X509CertSelector;
 import java.security.cert.X509Certificate;
 import java.security.interfaces.RSAPrivateKey;
 import java.util.ArrayList;
@@ -36,6 +44,7 @@ import java.util.Properties;
 import org.apache.cxf.Bus;
 import org.apache.cxf.common.util.PropertyUtils;
 import org.apache.cxf.common.util.crypto.CryptoUtils;
+import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.jaxrs.utils.ResourceUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
@@ -237,12 +246,32 @@ public final class KeyManagementUtils {
                     throw new SecurityException(ex);
                 }
             }
-            //TODO: validate the chain
             return certs;
         } else {
             return null;
         }
     }
+    public static void validateCertificateChain(Properties storeProperties, List inCerts) {
+        KeyStore ks = loadPersistKeyStore(JAXRSUtils.getCurrentMessage(), storeProperties);
+        validateCertificateChain(ks, inCerts);
+    }
+    public static void validateCertificateChain(KeyStore ks, List inCerts) {
+        // Initial chain validation, to be enhanced as needed
+        try {
+            X509CertSelector certSelect = new X509CertSelector();
+            certSelect.setCertificate((X509Certificate) inCerts.get(0));
+            PKIXBuilderParameters pbParams = new PKIXBuilderParameters(ks, certSelect);
+            pbParams.addCertStore(CertStore.getInstance("Collection",
+                                                        new CollectionCertStoreParameters(inCerts)));
+            pbParams.setMaxPathLength(-1);
+            pbParams.setRevocationEnabled(false);
+            CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);
+            CertPath certPath = buildResult.getCertPath();
+            CertPathValidator.getInstance("PKIX").validate(certPath, pbParams);
+        } catch (Exception ex) {
+            throw new SecurityException(ex);
+        }
+    }
     public static X509Certificate[] toX509CertificateChainArray(List base64EncodedChain) {
         List chain = toX509CertificateChain(base64EncodedChain);
         return chain == null ? null : chain.toArray(new X509Certificate[]{});
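Review bot: `pbParams.setRevocationEnabled(false)` in validateCertificateChain(KeyStore, List) hard-codes revocation checking off, so a chain taken from an inbound x5c header that links to a trust anchor in the keystore is accepted even if the leaf or an intermediate has since been revoked; the commit message calls this a prototype, but nothing in the code records the gap. At minimum add `// TODO: revocation checking is disabled; enable CRL/OCSP checks (or make them configurable) before this validation is relied on` above that line. The chain comes straight from the message, so a null or empty `inCerts` only fails via a wrapped NullPointerException or IndexOutOfBoundsException from `inCerts.get(0)`; an explicit `if (inCerts == null || inCerts.isEmpty()) { throw new SecurityException(); }` at the top of the try would make the fail-closed behaviour intentional rather than incidental. The Properties overload resolves the keystore through `JAXRSUtils.getCurrentMessage()`, which is presumably null outside a request; how loadPersistKeyStore handles that is outside this hunk.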
@@ -290,21 +319,25 @@ public final class KeyManagementUtils {
         return props;
     }
     public static RSAPrivateKey loadPrivateKey(Message m, Properties props,
-                                               List inCert, String keyOper) {
-        KeyStore keyStore = loadPersistKeyStore(m, props);
+                                               List inCerts, String keyOper) {
+        KeyStore ks = loadPersistKeyStore(m, props);
+
         try {
-            Object[] inCertArray = inCert.toArray();
-            // perhaps inCert properties can be optionally used as aliases
-            for (Enumeration e = keyStore.aliases(); e.hasMoreElements();) {
-                String alias = e.nextElement();
-                X509Certificate[] chain = loadX509CertificateOrChain(keyStore, alias);
-                if (chain != null && Arrays.equals(chain, inCertArray)) {
-                    return loadPrivateKey(keyStore, m, props, keyOper, alias);
+            String alias = ks.getCertificateAlias(inCerts.get(0));
+            if (alias != null) {
+                for (Enumeration e = ks.aliases(); e.hasMoreElements();) {
+                    String currentAlias = e.nextElement();
+                    X509Certificate[] currentCertArray = loadX509CertificateOrChain(ks, currentAlias);
+                    if (currentCertArray != null) {
+                        alias = currentAlias;
+                        break;
+                    }
                 }
             }
+            return loadPrivateKey(ks, m, props, keyOper, alias);
+
         } catch (Exception ex) {
             throw new SecurityException(ex);
         }
-        return null;
     }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/ed23f73e/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index 5389205..95aa785 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
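Review bot: The alias search in loadPrivateKey discards the match it just found: `alias = ks.getCertificateAlias(inCerts.get(0))` already names the entry whose certificate equals the inbound leaf, but the loop that follows reassigns `alias` to the first keystore alias that has any certificate chain, without comparing that chain to `inCerts` (the removed `Arrays.equals(chain, inCertArray)` check is not carried over), so a keystore with several key entries can hand back the wrong private key. When nothing matches, `alias` stays null and is passed on as `loadPrivateKey(ks, m, props, keyOper, null)`; what that overload does with a null alias is outside this hunk. Replacing the loop with a fail-closed check, `if (alias == null) { throw new SecurityException(); }`, followed by the existing `return loadPrivateKey(ks, m, props, keyOper, alias);`, keeps the lookup tied to the certificate that was validated.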
@@ -320,6 +320,7 @@ public final class JweUtils {
         //TODO: optionally validate inHeaders.getAlgorithm against a property in props
         // Supporting loading a private key via a certificate for now
         List chain = KeyManagementUtils.toX509CertificateChain(inHeaders.getX509Chain());
+        KeyManagementUtils.validateCertificateChain(props, chain);
         RSAPrivateKey privateKey = KeyManagementUtils.loadPrivateKey(m, props, chain,
                                                                      JsonWebKey.KEY_OPER_DECRYPT);
         contentEncryptionAlgo = inHeaders.getContentEncryptionAlgorithm();
@@ -589,4 +590,11 @@ public final class JweUtils {
     private static JweHeaders toJweHeaders(String ct) {
         return new JweHeaders(Collections.singletonMap(JoseConstants.HEADER_CONTENT_TYPE, ct));
     }
+    public static void validateJweCertificateChain(List certs) {
+
+        Message m = JAXRSUtils.getCurrentMessage();
+        Properties props = KeyManagementUtils.loadStoreProperties(m, true,
+                                                                  RSSEC_ENCRYPTION_IN_PROPS, RSSEC_ENCRYPTION_PROPS);
+        KeyManagementUtils.validateCertificateChain(props, certs);
+    }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/ed23f73e/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
index 338a206..06ea79a 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
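Review bot: validateJweCertificateChain (and its twin validateJwsCertificateChain in JwsUtils) is a new public entry point with no Javadoc and a stray blank line after the signature, so a caller cannot tell what `certs` must contain or how failure is reported. The callee reads element 0 as the certificate to build the path for, and the JWS path uses `chain.get(0).getPublicKey()` for verification, so the list is expected leaf first, and the callee converts any failure into a SecurityException. Add a Javadoc such as `/** Validates an inbound X.509 chain (leaf first) against the trust anchors in the keystore configured by the encryption properties; throws SecurityException if the path cannot be built or validated. */` and drop the empty line; the meaning of the `true` argument to loadStoreProperties is not visible in this hunk and is worth a word in the same Javadoc.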
@@ -260,6 +260,7 @@ public final class JwsUtils {
             return getSignatureVerifier(publicJwk, inHeaders.getAlgorithm());
         } else if (inHeaders.getHeader(JoseConstants.HEADER_X509_CHAIN) != null) {
             List chain = KeyManagementUtils.toX509CertificateChain(inHeaders.getX509Chain());
+            KeyManagementUtils.validateCertificateChain(props, chain);
             return getRSAKeySignatureVerifier((RSAPublicKey)chain.get(0).getPublicKey(), inHeaders.getAlgorithm());
         }
     }
@@ -323,4 +324,11 @@ public final class JwsUtils {
         jws.signWith(jwsSig);
         return jws.getSignedEncodedJws();
     }
+    public static void validateJwsCertificateChain(List certs) {
+
+        Message m = JAXRSUtils.getCurrentMessage();
+        Properties props = KeyManagementUtils.loadStoreProperties(m, true,
+                                                                  RSSEC_SIGNATURE_IN_PROPS, RSSEC_SIGNATURE_PROPS);
+        KeyManagementUtils.validateCertificateChain(props, certs);
+    }
 }