From cohei...@apache.org
Subject [1/3] cxf git commit: CXF-7296 - Add support to enable revocation for TLS via configuration
Date Thu, 23 Mar 2017 15:55:32 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes 6dc8eed88 -> 30c76de21


CXF-7296 - Add support to enable revocation for TLS via configuration

# Conflicts:
#	rt/transports/http-undertow/src/main/java/org/apache/cxf/transport/http_undertow/osgi/HTTPUndertowTransportActivator.java
#	rt/transports/http/src/main/java/org/apache/cxf/transport/http/blueprint/HttpConduitBPBeanDefinitionParser.java
#	rt/transports/http/src/main/java/org/apache/cxf/transport/http/spring/HttpConduitBeanDefinitionParser.java


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/97ec59a8
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/97ec59a8
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/97ec59a8

Branch: refs/heads/3.1.x-fixes
Commit: 97ec59a8527a450dbc6b5b8a6f2d5c5967eeb81d
Parents: 6dc8eed
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Mar 23 14:22:37 2017 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Mar 23 15:54:53 2017 +0000

----------------------------------------------------------------------
 .../jsse/TLSClientParametersConfig.java         |  2 +-
 .../jsse/TLSParameterJaxBUtils.java             | 19 +++++-
 .../jsse/TLSServerParametersConfig.java         |  2 +-
 .../schemas/configuration/security.xsd          | 16 +++++
 .../osgi/HTTPJettyTransportActivator.java       |  5 +-
 .../HttpConduitBPBeanDefinitionParser.java      |  5 ++
 .../http/osgi/HttpConduitConfigApplier.java     | 67 +++++++++++---------
 .../spring/HttpConduitBeanDefinitionParser.java |  5 ++
 .../spring/HttpConduitConfigurationTest.java    |  2 +-
 9 files changed, 88 insertions(+), 35 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/97ec59a8/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParametersConfig.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParametersConfig.java
b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParametersConfig.java
index e67571b..d39d526 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParametersConfig.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParametersConfig.java
@@ -114,7 +114,7 @@ public final class TLSClientParametersConfig {
         if (params.isSetTrustManagers() && !usingDefaults) {
             ret.setTrustManagers(
                 TLSParameterJaxBUtils.getTrustManagers(
-                        params.getTrustManagers()));
+                        params.getTrustManagers(), params.isEnableRevocation()));
         }
         if (params.isSetCertConstraints()) {
             ret.setCertConstraints(params.getCertConstraints());
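Review bot: `params.isEnableRevocation()` is only consulted inside the `params.isSetTrustManagers() && !usingDefaults` branch, so a configuration that sets `enableRevocation="true"` while relying on the default trust store gets no revocation checking and no indication that the flag was ignored. Either reject or warn on that combination in the other branch, or state on the `enableRevocation` attribute that it has no effect unless `trustManagers` is configured explicitly. The same silent-ignore applies in TLSServerParametersConfig (L135), which guards only on `isSetTrustManagers()`. The enclosing method starts and ends outside the hunk.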

http://git-wip-us.apache.org/repos/asf/cxf/blob/97ec59a8/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
index a632060..7b61008 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
@@ -30,11 +30,14 @@ import java.security.SecureRandom;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
+import java.security.cert.PKIXBuilderParameters;
+import java.security.cert.X509CertSelector;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import javax.net.ssl.CertPathTrustManagerParameters;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.TrustManager;
@@ -329,9 +332,16 @@ public final class TLSParameterJaxBUtils {
      * This method converts the JAXB TrustManagersType into a list of
      * JSSE TrustManagers.
      */
+    @Deprecated
     public static TrustManager[] getTrustManagers(TrustManagersType tmc)
         throws GeneralSecurityException,
                IOException {
+        return getTrustManagers(tmc, false);
+    }
+
+    public static TrustManager[] getTrustManagers(TrustManagersType tmc, boolean enableRevocation)
+        throws GeneralSecurityException,
+               IOException {
 
         final KeyStore keyStore =
             tmc.isSetKeyStore()
@@ -349,7 +359,14 @@ public final class TLSParameterJaxBUtils {
                      ? TrustManagerFactory.getInstance(alg, tmc.getProvider())
                      : TrustManagerFactory.getInstance(alg);
 
-        fac.init(keyStore);
+        if (enableRevocation) {
+            PKIXBuilderParameters param = new PKIXBuilderParameters(keyStore, new X509CertSelector());
+            param.setRevocationEnabled(true);
+
+            fac.init(new CertPathTrustManagerParameters(param));
+        } else {
+            fac.init(keyStore);
+        }
 
         return fac.getTrustManagers();
     }
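Review bot: `new PKIXBuilderParameters(keyStore, new X509CertSelector())` does not tolerate what `fac.init(keyStore)` tolerated: `PKIXParameters(KeyStore)` throws NullPointerException for a null keystore and InvalidAlgorithmParameterException for one with no trusted-certificate entries, so if the `tmc.isSetKeyStore()` ternary (its else branch lies outside the hunk) can yield null, `enableRevocation=true` without a configured trust store now fails with an unrelated exception instead of falling back to the JVM default. A guard such as `if (keyStore == null) { throw new GeneralSecurityException("enableRevocation requires a configured trust store"); }` before the `PKIXBuilderParameters` call would make the failure explicit. Note also that `setRevocationEnabled(true)` by itself leaves CRL-versus-OCSP selection to JVM-wide settings (`ocsp.enable`, `com.sun.security.enableCRLDP`); if this branch builds on Java 8+, a `PKIXRevocationChecker` from `CertPathBuilder.getInstance("PKIX").getRevocationChecker()` added with `param.addCertPathChecker(...)` gives per-configuration control, and either way the dependency should be documented. The newly `@Deprecated` single-argument overload should carry a Javadoc `@deprecated` tag pointing at the two-argument form, which itself has no Javadoc describing what `enableRevocation` turns on.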

http://git-wip-us.apache.org/repos/asf/cxf/blob/97ec59a8/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
index 137e80d..e4c4cad 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
@@ -78,7 +78,7 @@ public class TLSServerParametersConfig
         if (params.isSetTrustManagers()) {
             this.setTrustManagers(
                 TLSParameterJaxBUtils.getTrustManagers(
-                        params.getTrustManagers()));
+                        params.getTrustManagers(), params.isEnableRevocation()));
         }
         if (params.isSetCertConstraints()) {
             this.setCertConstraints(params.getCertConstraints());

http://git-wip-us.apache.org/repos/asf/cxf/blob/97ec59a8/core/src/main/resources/schemas/configuration/security.xsd
----------------------------------------------------------------------
diff --git a/core/src/main/resources/schemas/configuration/security.xsd b/core/src/main/resources/schemas/configuration/security.xsd
index 1a10fe3..5f5c537 100644
--- a/core/src/main/resources/schemas/configuration/security.xsd
+++ b/core/src/main/resources/schemas/configuration/security.xsd
@@ -526,6 +526,14 @@
                 </xs:documentation>
              </xs:annotation>
            </xs:attribute>
+           <xs:attribute name="enableRevocation" type="pt:ParameterizedBoolean" default="false">
+             <xs:annotation>
+                <xs:documentation>
+                This attribute specifies whether to enable revocation when checking the server
certificate.
+                The default is false.
+                </xs:documentation>
+             </xs:annotation>
+           </xs:attribute>
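Review bot: The `enableRevocation` documentation says what the flag does but not where revocation data comes from or what happens when it is unavailable, which is the question an operator enabling it will have. As far as I recall the JDK PKIX validator rejects a certificate whose revocation status cannot be determined, so a sentence along the lines of `Revocation status is obtained through the JVM's CRL/OCSP configuration; if it cannot be determined the certificate is rejected.` would set expectations. The same wording gap exists in the server-side attribute added at L165–L173.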
            <xs:attribute name="jsseProvider"          type="xs:string">
               <xs:annotation>
                 <xs:documentation>
@@ -641,5 +649,13 @@
                 </xs:documentation>
               </xs:annotation>
            </xs:attribute>
+           <xs:attribute name="enableRevocation" type="pt:ParameterizedBoolean" default="false">
+             <xs:annotation>
+                <xs:documentation>
+                This attribute specifies whether to enable revocation when checking the client
certificate,
+                if client authentication is enabled. The default is false.
+                </xs:documentation>
+             </xs:annotation>
+           </xs:attribute>
     </xs:complexType>
 </xs:schema>

http://git-wip-us.apache.org/repos/asf/cxf/blob/97ec59a8/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java
b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java
index b37ed4d..2fe013c 100644
--- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java
+++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java
@@ -177,6 +177,7 @@ public class HTTPJettyTransportActivator
         SecureRandomParameters srp = null;
         KeyManagersType kmt = null;
         TrustManagersType tmt = null;
+        boolean enableRevocation = false;
         while (keys.hasMoreElements()) {
             String k = keys.nextElement();
             if (k.startsWith("tlsServerParameters.")) {
@@ -202,6 +203,8 @@ public class HTTPJettyTransportActivator
                         p.setClientAuthentication(new ClientAuthentication());
                     }
                     p.getClientAuthentication().setRequired(Boolean.parseBoolean(v));
+                } else if ("enableRevocation".equals(k)) {
+                    enableRevocation = Boolean.parseBoolean(v);
                 } else if (k.startsWith("certConstraints.")) {
                     configureCertConstraints(p, k, v);
                 } else if (k.startsWith("secureRandomParameters.")) {
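Review bot: `enableRevocation = Boolean.parseBoolean(v);` maps any value other than a case-insensitive "true" to false, so a mistyped `yes` or `1` silently leaves revocation checking off — a fail-open outcome for a switch whose purpose is to tighten validation. This is consistent with how the neighbouring flags are parsed, but for this one a strict check is cheap: `if (!"true".equalsIgnoreCase(v) && !"false".equalsIgnoreCase(v)) { throw new IllegalArgumentException("enableRevocation must be true or false, got: " + v); }` before the assignment. The same applies to the identical line at L253 in HttpConduitConfigApplier. The enclosing method starts and ends outside the hunk.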
@@ -238,7 +241,7 @@ public class HTTPJettyTransportActivator
                 p.setKeyManagers(TLSParameterJaxBUtils.getKeyManagers(kmt));
             }
             if (tmt != null) {
-                p.setTrustManagers(TLSParameterJaxBUtils.getTrustManagers(tmt));
+                p.setTrustManagers(TLSParameterJaxBUtils.getTrustManagers(tmt, enableRevocation));
             }
         } catch (RuntimeException e) {
             throw e;

http://git-wip-us.apache.org/repos/asf/cxf/blob/97ec59a8/rt/transports/http/src/main/java/org/apache/cxf/transport/http/blueprint/HttpConduitBPBeanDefinitionParser.java
----------------------------------------------------------------------
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/blueprint/HttpConduitBPBeanDefinitionParser.java
b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/blueprint/HttpConduitBPBeanDefinitionParser.java
index 4e51e44..28131b7 100755
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/blueprint/HttpConduitBPBeanDefinitionParser.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/blueprint/HttpConduitBPBeanDefinitionParser.java
@@ -101,7 +101,12 @@ public class HttpConduitBPBeanDefinitionParser extends AbstractBPBeanDefinitionP
                 if ("useHttpsURLConnectionDefaultSslSocketFactory".equals(aname) 
                     || "useHttpsURLConnectionDefaultHostnameVerifier".equals(aname)
                     || "disableCNCheck".equals(aname)
+<<<<<<< HEAD
                     || "jsseProvider".equals(aname) 
+=======
+                    || "enableRevocation".equals(aname)
+                    || "jsseProvider".equals(aname)
+>>>>>>> a7d5d52... CXF-7296 - Add support to enable revocation for TLS
via configuration
                     || "secureSocketProtocol".equals(aname)
                     || "sslCacheTimeout".equals(aname)) {
                     paramsbean.addProperty(aname, createValue(ctx, a.getValue()));
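Review bot: Lines L222–L227 commit unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> a7d5d52...`) into HttpConduitBPBeanDefinitionParser, so the file cannot compile on this branch as committed. The intended resolution is the incoming side: replace the marked region with `|| "enableRevocation".equals(aname)` followed by `|| "jsseProvider".equals(aname)`. The same markers were committed at L349–L354 in HttpConduitBeanDefinitionParser, and since the commit message's `# Conflicts:` list (L16–L19) also names HTTPUndertowTransportActivator, which is absent from this diff, that file deserves a check as well. The enclosing method starts and ends outside the hunk.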

http://git-wip-us.apache.org/repos/asf/cxf/blob/97ec59a8/rt/transports/http/src/main/java/org/apache/cxf/transport/http/osgi/HttpConduitConfigApplier.java
----------------------------------------------------------------------
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/osgi/HttpConduitConfigApplier.java
b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/osgi/HttpConduitConfigApplier.java
index f9992c7..b35c978 100644
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/osgi/HttpConduitConfigApplier.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/osgi/HttpConduitConfigApplier.java
@@ -65,6 +65,7 @@ class HttpConduitConfigApplier {
         SecureRandomParameters srp = null;
         KeyManagersType kmt = null;
         TrustManagersType tmt = null;
+        boolean enableRevocation = false;
         while (keys.hasMoreElements()) {
             String k = keys.nextElement();
             if (k.startsWith("tlsClientParameters.")) {
@@ -87,36 +88,10 @@ class HttpConduitConfigApplier {
                     p.setUseHttpsURLConnectionDefaultHostnameVerifier(Boolean.parseBoolean(v));
                 } else if ("useHttpsURLConnectionDefaultSslSocketFactory".equals(k)) {
                     p.setUseHttpsURLConnectionDefaultSslSocketFactory(Boolean.parseBoolean(v));
+                } else if ("enableRevocation".equals(k)) {
+                    enableRevocation = Boolean.parseBoolean(v);
                 } else if (k.startsWith("certConstraints.")) {
-                    k = k.substring("certConstraints.".length());
-                    CertificateConstraintsType cct = p.getCertConstraints();
-                    if (cct == null) {
-                        cct = new CertificateConstraintsType();
-                        p.setCertConstraints(cct);
-                    }
-                    DNConstraintsType dnct = null;
-                    if (k.startsWith("SubjectDNConstraints.")) {
-                        dnct = cct.getSubjectDNConstraints();
-                        if (dnct == null) {
-                            dnct = new DNConstraintsType();
-                            cct.setSubjectDNConstraints(dnct);
-                        }
-                        k = k.substring("SubjectDNConstraints.".length());
-                    } else if (k.startsWith("IssuerDNConstraints.")) {
-                        dnct = cct.getIssuerDNConstraints();
-                        if (dnct == null) {
-                            dnct = new DNConstraintsType();
-                            cct.setIssuerDNConstraints(dnct);
-                        }
-                        k = k.substring("IssuerDNConstraints.".length());
-                    }
-                    if (dnct != null) {
-                        if ("combinator".equals(k)) {
-                            dnct.setCombinator(CombinatorType.fromValue(v));
-                        } else if ("RegularExpression".equals(k)) {
-                            dnct.getRegularExpression().add(k);
-                        }
-                    }
+                    parseCertConstaints(p, k, v);
                 } else if (k.startsWith("secureRandomParameters.")) {
                     k = k.substring("secureRandomParameters.".length());
                     if (srp == null) {
@@ -164,7 +139,7 @@ class HttpConduitConfigApplier {
                 p.setKeyManagers(TLSParameterJaxBUtils.getKeyManagers(kmt));
             }
             if (tmt != null) {
-                p.setTrustManagers(TLSParameterJaxBUtils.getTrustManagers(tmt));
+                p.setTrustManagers(TLSParameterJaxBUtils.getTrustManagers(tmt, enableRevocation));
             }
         } catch (RuntimeException e) {
             throw e;
@@ -173,6 +148,38 @@ class HttpConduitConfigApplier {
         }
     }
 
+    private void parseCertConstaints(TLSClientParameters p, String k, String v) {
+        k = k.substring("certConstraints.".length());
+        CertificateConstraintsType cct = p.getCertConstraints();
+        if (cct == null) {
+            cct = new CertificateConstraintsType();
+            p.setCertConstraints(cct);
+        }
+        DNConstraintsType dnct = null;
+        if (k.startsWith("SubjectDNConstraints.")) {
+            dnct = cct.getSubjectDNConstraints();
+            if (dnct == null) {
+                dnct = new DNConstraintsType();
+                cct.setSubjectDNConstraints(dnct);
+            }
+            k = k.substring("SubjectDNConstraints.".length());
+        } else if (k.startsWith("IssuerDNConstraints.")) {
+            dnct = cct.getIssuerDNConstraints();
+            if (dnct == null) {
+                dnct = new DNConstraintsType();
+                cct.setIssuerDNConstraints(dnct);
+            }
+            k = k.substring("IssuerDNConstraints.".length());
+        }
+        if (dnct != null) {
+            if ("combinator".equals(k)) {
+                dnct.setCombinator(CombinatorType.fromValue(v));
+            } else if ("RegularExpression".equals(k)) {
+                dnct.getRegularExpression().add(k);
+            }
+        }
+    }
+
     private KeyManagersType getKeyManagers(KeyManagersType keyManagers, String k, String
v) {
         if (keyManagers == null) {
             keyManagers = new KeyManagersType();
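Review bot: In the new `parseCertConstaints` helper the `RegularExpression` branch adds the key instead of the value: at the point `dnct.getRegularExpression().add(k);` runs, `k` equals the literal string "RegularExpression", so the configured pattern in `v` is never applied and the DN constraint silently matches something else entirely; it should read `dnct.getRegularExpression().add(v);`. The defect is carried over from the removed inline code (L281), but the extraction is the natural moment to fix it, because a wrong DN constraint changes which peer certificates are accepted without any error. The helper's name also has a typo (`parseCertConstaints` → `parseCertConstraints`) at L284 and L301. `getKeyManagers` at L333 continues outside the hunk.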

http://git-wip-us.apache.org/repos/asf/cxf/blob/97ec59a8/rt/transports/http/src/main/java/org/apache/cxf/transport/http/spring/HttpConduitBeanDefinitionParser.java
----------------------------------------------------------------------
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/spring/HttpConduitBeanDefinitionParser.java
b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/spring/HttpConduitBeanDefinitionParser.java
index 746af67..7b64af5 100644
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/spring/HttpConduitBeanDefinitionParser.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/spring/HttpConduitBeanDefinitionParser.java
@@ -120,7 +120,12 @@ public class HttpConduitBeanDefinitionParser
                 if ("useHttpsURLConnectionDefaultSslSocketFactory".equals(aname) 
                     || "useHttpsURLConnectionDefaultHostnameVerifier".equals(aname)
                     || "disableCNCheck".equals(aname)
+<<<<<<< HEAD
                     || "jsseProvider".equals(aname) 
+=======
+                    || "enableRevocation".equals(aname)
+                    || "jsseProvider".equals(aname)
+>>>>>>> a7d5d52... CXF-7296 - Add support to enable revocation for TLS
via configuration
                     || "secureSocketProtocol".equals(aname)
                     || "sslCacheTimeout".equals(aname)) {
                     paramsbean.addPropertyValue(aname, a.getValue());

http://git-wip-us.apache.org/repos/asf/cxf/blob/97ec59a8/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/HttpConduitConfigurationTest.java
----------------------------------------------------------------------
diff --git a/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/HttpConduitConfigurationTest.java
b/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/HttpConduitConfigurationTest.java
index 1dedaf1..d20e8ff 100644
--- a/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/HttpConduitConfigurationTest.java
+++ b/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/HttpConduitConfigurationTest.java
@@ -139,7 +139,7 @@ public class HttpConduitConfigurationTest extends Assert {
         
             tmt.setKeyStore(kst);
             try {
-                return TLSParameterJaxBUtils.getTrustManagers(tmt);
+                return TLSParameterJaxBUtils.getTrustManagers(tmt, false);
             } catch (Exception e) {
                 throw new RuntimeException("failed to retrieve trust managers", e);
             }
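Review bot: The test still only exercises `getTrustManagers(tmt, false)`, so the new `enableRevocation` path (`PKIXBuilderParameters` wrapped in `CertPathTrustManagerParameters`) has no coverage, including its behaviour when no keystore is configured. A companion call with `true` against the same `tmt`, asserting a non-empty `TrustManager[]` is returned, would pin the new branch. The enclosing method starts outside the hunk.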

