From cohei...@apache.org
Subject [1/2] cxf git commit: CXF-7296 - Add support to enable revocation for TLS via configuration
Date Thu, 23 Mar 2017 15:52:30 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 3da566423 -> a7d5d525c


CXF-7296 - Add support to enable revocation for TLS via configuration


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a7d5d525
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a7d5d525
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a7d5d525

Branch: refs/heads/master
Commit: a7d5d525c05cf10a6ae12c25645c248d92dfac1c
Parents: 1d4c40d
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Mar 23 14:22:37 2017 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Mar 23 14:22:46 2017 +0000

----------------------------------------------------------------------
 .../jsse/TLSClientParametersConfig.java         |  2 +-
 .../jsse/TLSParameterJaxBUtils.java             | 19 +++++-
 .../jsse/TLSServerParametersConfig.java         |  2 +-
 .../schemas/configuration/security.xsd          | 16 +++++
 .../osgi/HTTPJettyTransportActivator.java       |  5 +-
 .../osgi/HTTPUndertowTransportActivator.java    |  5 +-
 .../HttpConduitBPBeanDefinitionParser.java      |  1 +
 .../http/osgi/HttpConduitConfigApplier.java     | 67 +++++++++++---------
 .../spring/HttpConduitBeanDefinitionParser.java |  1 +
 .../spring/HttpConduitConfigurationTest.java    |  2 +-
 10 files changed, 84 insertions(+), 36 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/a7d5d525/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParametersConfig.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParametersConfig.java
b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParametersConfig.java
index 4086e10..3d9f89c 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParametersConfig.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParametersConfig.java
@@ -114,7 +114,7 @@ public final class TLSClientParametersConfig {
         if (params.isSetTrustManagers() && !usingDefaults) {
             ret.setTrustManagers(
                 TLSParameterJaxBUtils.getTrustManagers(
-                        params.getTrustManagers()));
+                        params.getTrustManagers(), params.isEnableRevocation()));
         }
         if (params.isSetCertConstraints()) {
             ret.setCertConstraints(params.getCertConstraints());

http://git-wip-us.apache.org/repos/asf/cxf/blob/a7d5d525/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
index b826542..8057a68 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
@@ -30,11 +30,14 @@ import java.security.SecureRandom;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
+import java.security.cert.PKIXBuilderParameters;
+import java.security.cert.X509CertSelector;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import javax.net.ssl.CertPathTrustManagerParameters;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.TrustManager;
@@ -329,9 +332,16 @@ public final class TLSParameterJaxBUtils {
      * This method converts the JAXB TrustManagersType into a list of
      * JSSE TrustManagers.
      */
+    @Deprecated
     public static TrustManager[] getTrustManagers(TrustManagersType tmc)
         throws GeneralSecurityException,
                IOException {
+        return getTrustManagers(tmc, false);
+    }
+
+    public static TrustManager[] getTrustManagers(TrustManagersType tmc, boolean enableRevocation)
+        throws GeneralSecurityException,
+               IOException {
 
         final KeyStore keyStore =
             tmc.isSetKeyStore()
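Review bot: The new overload `getTrustManagers(TrustManagersType, boolean)` has no Javadoc, while the comment above still describes only the single-argument form, and the `@Deprecated` annotation on the old method has no matching `@deprecated` tag naming its replacement. I would add `@deprecated use {@link #getTrustManagers(TrustManagersType, boolean)}` to the old method's Javadoc, and give the new method a Javadoc that explains the `enableRevocation` parameter: when true the factory is initialised with PKIX parameters that have revocation checking turned on, which requires a PKIX-capable TrustManagerFactory algorithm and a revocation source (CRL/OCSP) reachable by the JVM. The method body continues past the end of this hunk.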
@@ -349,7 +359,14 @@ public final class TLSParameterJaxBUtils {
                      ? TrustManagerFactory.getInstance(alg, tmc.getProvider())
                      : TrustManagerFactory.getInstance(alg);
 
-        fac.init(keyStore);
+        if (enableRevocation) {
+            PKIXBuilderParameters param = new PKIXBuilderParameters(keyStore, new X509CertSelector());
+            param.setRevocationEnabled(true);
+
+            fac.init(new CertPathTrustManagerParameters(param));
+        } else {
+            fac.init(keyStore);
+        }
 
         return fac.getTrustManagers();
     }
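Review bot: `CertPathTrustManagerParameters` is only honoured by the PKIX `TrustManagerFactory`; if the configured `alg` resolves to another implementation (such as SunX509), `fac.init(ManagerFactoryParameters)` throws `InvalidAlgorithmParameterException`, so setting `enableRevocation="true"` would fail at startup for such configurations rather than silently skipping the check. A clearer guard before the PKIX branch, e.g. `if (!"PKIX".equalsIgnoreCase(fac.getAlgorithm())) { throw new GeneralSecurityException("Revocation checking requires the PKIX TrustManagerFactory algorithm"); }`, would make the cause obvious to the deployer. Separately, `new PKIXBuilderParameters(keyStore, ...)` throws `NullPointerException` for a null keystore, whereas the previous `fac.init(keyStore)` accepted null and fell back to the default trust store; the keystore construction above is cut off at the hunk start, so if it can yield null this branch needs a null check. Finally, `setRevocationEnabled(true)` alone relies on the JDK default revocation checker, whose CRL distribution point and OCSP fetching are governed by the `com.sun.security.enableCRLDP` system property and the `ocsp.enable` security property; without one of them every handshake fails with an undetermined revocation status, so either document that requirement on the new configuration attribute or add an explicit `PKIXRevocationChecker` obtained from `CertPathBuilder.getInstance("PKIX").getRevocationChecker()` via `param.addCertPathChecker(...)` so the options are set deliberately.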

http://git-wip-us.apache.org/repos/asf/cxf/blob/a7d5d525/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
index bade93e..cdf35fd 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
@@ -78,7 +78,7 @@ public class TLSServerParametersConfig
         if (params.isSetTrustManagers()) {
             this.setTrustManagers(
                 TLSParameterJaxBUtils.getTrustManagers(
-                        params.getTrustManagers()));
+                        params.getTrustManagers(), params.isEnableRevocation()));
         }
         if (params.isSetCertConstraints()) {
             this.setCertConstraints(params.getCertConstraints());

http://git-wip-us.apache.org/repos/asf/cxf/blob/a7d5d525/core/src/main/resources/schemas/configuration/security.xsd
----------------------------------------------------------------------
diff --git a/core/src/main/resources/schemas/configuration/security.xsd b/core/src/main/resources/schemas/configuration/security.xsd
index 1a10fe3..5f5c537 100644
--- a/core/src/main/resources/schemas/configuration/security.xsd
+++ b/core/src/main/resources/schemas/configuration/security.xsd
@@ -526,6 +526,14 @@
                 </xs:documentation>
              </xs:annotation>
            </xs:attribute>
+           <xs:attribute name="enableRevocation" type="pt:ParameterizedBoolean" default="false">
+             <xs:annotation>
+                <xs:documentation>
+                This attribute specifies whether to enable revocation when checking the server
certificate.
+                The default is false.
+                </xs:documentation>
+             </xs:annotation>
+           </xs:attribute>
            <xs:attribute name="jsseProvider"          type="xs:string">
               <xs:annotation>
                 <xs:documentation>
@@ -641,5 +649,13 @@
                 </xs:documentation>
               </xs:annotation>
            </xs:attribute>
+           <xs:attribute name="enableRevocation" type="pt:ParameterizedBoolean" default="false">
+             <xs:annotation>
+                <xs:documentation>
+                This attribute specifies whether to enable revocation when checking the client
certificate,
+                if client authentication is enabled. The default is false.
+                </xs:documentation>
+             </xs:annotation>
+           </xs:attribute>
     </xs:complexType>
 </xs:schema>

http://git-wip-us.apache.org/repos/asf/cxf/blob/a7d5d525/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java
b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java
index ef8aa33..b7556bc 100644
--- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java
+++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java
@@ -181,6 +181,7 @@ public class HTTPJettyTransportActivator
         SecureRandomParameters srp = null;
         KeyManagersType kmt = null;
         TrustManagersType tmt = null;
+        boolean enableRevocation = false;
         while (keys.hasMoreElements()) {
             String k = keys.nextElement();
             if (k.startsWith("tlsServerParameters.")) {
@@ -206,6 +207,8 @@ public class HTTPJettyTransportActivator
                         p.setClientAuthentication(new ClientAuthentication());
                     }
                     p.getClientAuthentication().setRequired(Boolean.parseBoolean(v));
+                } else if ("enableRevocation".equals(k)) {
+                    enableRevocation = Boolean.parseBoolean(v);
                 } else if (k.startsWith("certConstraints.")) {
                     configureCertConstraints(p, k, v);
                 } else if (k.startsWith("secureRandomParameters.")) {
@@ -242,7 +245,7 @@ public class HTTPJettyTransportActivator
                 p.setKeyManagers(TLSParameterJaxBUtils.getKeyManagers(kmt));
             }
             if (tmt != null) {
-                p.setTrustManagers(TLSParameterJaxBUtils.getTrustManagers(tmt));
+                p.setTrustManagers(TLSParameterJaxBUtils.getTrustManagers(tmt, enableRevocation));
             }
         } catch (RuntimeException e) {
             throw e;

http://git-wip-us.apache.org/repos/asf/cxf/blob/a7d5d525/rt/transports/http-undertow/src/main/java/org/apache/cxf/transport/http_undertow/osgi/HTTPUndertowTransportActivator.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-undertow/src/main/java/org/apache/cxf/transport/http_undertow/osgi/HTTPUndertowTransportActivator.java
b/rt/transports/http-undertow/src/main/java/org/apache/cxf/transport/http_undertow/osgi/HTTPUndertowTransportActivator.java
index 39cf7a7..89c53ee 100644
--- a/rt/transports/http-undertow/src/main/java/org/apache/cxf/transport/http_undertow/osgi/HTTPUndertowTransportActivator.java
+++ b/rt/transports/http-undertow/src/main/java/org/apache/cxf/transport/http_undertow/osgi/HTTPUndertowTransportActivator.java
@@ -177,6 +177,7 @@ public class HTTPUndertowTransportActivator
         SecureRandomParameters srp = null;
         KeyManagersType kmt = null;
         TrustManagersType tmt = null;
+        boolean enableRevocation = false;
         while (keys.hasMoreElements()) {
             String k = keys.nextElement();
             if (k.startsWith("tlsServerParameters.")) {
@@ -192,6 +193,8 @@ public class HTTPUndertowTransportActivator
                     p.setJsseProvider(v);
                 } else if ("certAlias".equals(k)) {
                     p.setCertAlias(v);
+                } else if ("enableRevocation".equals(k)) {
+                    enableRevocation = Boolean.parseBoolean(v);
                 } else if ("clientAuthentication.want".equals(k)) {
                     if (p.getClientAuthentication() == null) {
                         p.setClientAuthentication(new ClientAuthentication());
@@ -238,7 +241,7 @@ public class HTTPUndertowTransportActivator
                 p.setKeyManagers(TLSParameterJaxBUtils.getKeyManagers(kmt));
             }
             if (tmt != null) {
-                p.setTrustManagers(TLSParameterJaxBUtils.getTrustManagers(tmt));
+                p.setTrustManagers(TLSParameterJaxBUtils.getTrustManagers(tmt, enableRevocation));
             }
         } catch (RuntimeException e) {
             throw e;

http://git-wip-us.apache.org/repos/asf/cxf/blob/a7d5d525/rt/transports/http/src/main/java/org/apache/cxf/transport/http/blueprint/HttpConduitBPBeanDefinitionParser.java
----------------------------------------------------------------------
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/blueprint/HttpConduitBPBeanDefinitionParser.java
b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/blueprint/HttpConduitBPBeanDefinitionParser.java
index 892d0d1..0546141 100755
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/blueprint/HttpConduitBPBeanDefinitionParser.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/blueprint/HttpConduitBPBeanDefinitionParser.java
@@ -101,6 +101,7 @@ public class HttpConduitBPBeanDefinitionParser extends AbstractBPBeanDefinitionP
                 if ("useHttpsURLConnectionDefaultSslSocketFactory".equals(aname)
                     || "useHttpsURLConnectionDefaultHostnameVerifier".equals(aname)
                     || "disableCNCheck".equals(aname)
+                    || "enableRevocation".equals(aname)
                     || "jsseProvider".equals(aname)
                     || "secureSocketProtocol".equals(aname)
                     || "sslCacheTimeout".equals(aname)) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/a7d5d525/rt/transports/http/src/main/java/org/apache/cxf/transport/http/osgi/HttpConduitConfigApplier.java
----------------------------------------------------------------------
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/osgi/HttpConduitConfigApplier.java
b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/osgi/HttpConduitConfigApplier.java
index 17b032a..3c5031e 100644
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/osgi/HttpConduitConfigApplier.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/osgi/HttpConduitConfigApplier.java
@@ -65,6 +65,7 @@ class HttpConduitConfigApplier {
         SecureRandomParameters srp = null;
         KeyManagersType kmt = null;
         TrustManagersType tmt = null;
+        boolean enableRevocation = false;
         while (keys.hasMoreElements()) {
             String k = keys.nextElement();
             if (k.startsWith("tlsClientParameters.")) {
@@ -87,36 +88,10 @@ class HttpConduitConfigApplier {
                     p.setUseHttpsURLConnectionDefaultHostnameVerifier(Boolean.parseBoolean(v));
                 } else if ("useHttpsURLConnectionDefaultSslSocketFactory".equals(k)) {
                     p.setUseHttpsURLConnectionDefaultSslSocketFactory(Boolean.parseBoolean(v));
+                } else if ("enableRevocation".equals(k)) {
+                    enableRevocation = Boolean.parseBoolean(v);
                 } else if (k.startsWith("certConstraints.")) {
-                    k = k.substring("certConstraints.".length());
-                    CertificateConstraintsType cct = p.getCertConstraints();
-                    if (cct == null) {
-                        cct = new CertificateConstraintsType();
-                        p.setCertConstraints(cct);
-                    }
-                    DNConstraintsType dnct = null;
-                    if (k.startsWith("SubjectDNConstraints.")) {
-                        dnct = cct.getSubjectDNConstraints();
-                        if (dnct == null) {
-                            dnct = new DNConstraintsType();
-                            cct.setSubjectDNConstraints(dnct);
-                        }
-                        k = k.substring("SubjectDNConstraints.".length());
-                    } else if (k.startsWith("IssuerDNConstraints.")) {
-                        dnct = cct.getIssuerDNConstraints();
-                        if (dnct == null) {
-                            dnct = new DNConstraintsType();
-                            cct.setIssuerDNConstraints(dnct);
-                        }
-                        k = k.substring("IssuerDNConstraints.".length());
-                    }
-                    if (dnct != null) {
-                        if ("combinator".equals(k)) {
-                            dnct.setCombinator(CombinatorType.fromValue(v));
-                        } else if ("RegularExpression".equals(k)) {
-                            dnct.getRegularExpression().add(k);
-                        }
-                    }
+                    parseCertConstaints(p, k, v);
                 } else if (k.startsWith("secureRandomParameters.")) {
                     k = k.substring("secureRandomParameters.".length());
                     if (srp == null) {
@@ -164,7 +139,7 @@ class HttpConduitConfigApplier {
                 p.setKeyManagers(TLSParameterJaxBUtils.getKeyManagers(kmt));
             }
             if (tmt != null) {
-                p.setTrustManagers(TLSParameterJaxBUtils.getTrustManagers(tmt));
+                p.setTrustManagers(TLSParameterJaxBUtils.getTrustManagers(tmt, enableRevocation));
             }
         } catch (RuntimeException e) {
             throw e;
@@ -173,6 +148,38 @@ class HttpConduitConfigApplier {
         }
     }
 
+    private void parseCertConstaints(TLSClientParameters p, String k, String v) {
+        k = k.substring("certConstraints.".length());
+        CertificateConstraintsType cct = p.getCertConstraints();
+        if (cct == null) {
+            cct = new CertificateConstraintsType();
+            p.setCertConstraints(cct);
+        }
+        DNConstraintsType dnct = null;
+        if (k.startsWith("SubjectDNConstraints.")) {
+            dnct = cct.getSubjectDNConstraints();
+            if (dnct == null) {
+                dnct = new DNConstraintsType();
+                cct.setSubjectDNConstraints(dnct);
+            }
+            k = k.substring("SubjectDNConstraints.".length());
+        } else if (k.startsWith("IssuerDNConstraints.")) {
+            dnct = cct.getIssuerDNConstraints();
+            if (dnct == null) {
+                dnct = new DNConstraintsType();
+                cct.setIssuerDNConstraints(dnct);
+            }
+            k = k.substring("IssuerDNConstraints.".length());
+        }
+        if (dnct != null) {
+            if ("combinator".equals(k)) {
+                dnct.setCombinator(CombinatorType.fromValue(v));
+            } else if ("RegularExpression".equals(k)) {
+                dnct.getRegularExpression().add(k);
+            }
+        }
+    }
+
     private KeyManagersType getKeyManagers(KeyManagersType keyManagers, String k, String
v) {
         if (keyManagers == null) {
             keyManagers = new KeyManagersType();
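Review bot: The extracted helper carries over a defect from the removed code: in the `"RegularExpression".equals(k)` branch, `dnct.getRegularExpression().add(k);` adds the literal key `"RegularExpression"` to the DN constraint list instead of the configured pattern, so the intended Subject/Issuer DN regular expression is never applied; it should be `dnct.getRegularExpression().add(v);`. Since this is a move into a new method, it is the natural point to fix it rather than preserve the behaviour. The method name `parseCertConstaints` is also misspelled (and its call site in the earlier hunk, `parseCertConstaints(p, k, v);`, would need the same change); the Jetty activator in this same commit calls the equivalent helper `configureCertConstraints`, so `configureCertConstraints` would keep the two consistent. The following `getKeyManagers` method continues past the end of this hunk.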

http://git-wip-us.apache.org/repos/asf/cxf/blob/a7d5d525/rt/transports/http/src/main/java/org/apache/cxf/transport/http/spring/HttpConduitBeanDefinitionParser.java
----------------------------------------------------------------------
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/spring/HttpConduitBeanDefinitionParser.java
b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/spring/HttpConduitBeanDefinitionParser.java
index 2c0d813..d098de5 100644
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/spring/HttpConduitBeanDefinitionParser.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/spring/HttpConduitBeanDefinitionParser.java
@@ -120,6 +120,7 @@ public class HttpConduitBeanDefinitionParser
                 if ("useHttpsURLConnectionDefaultSslSocketFactory".equals(aname)
                     || "useHttpsURLConnectionDefaultHostnameVerifier".equals(aname)
                     || "disableCNCheck".equals(aname)
+                    || "enableRevocation".equals(aname)
                     || "jsseProvider".equals(aname)
                     || "secureSocketProtocol".equals(aname)
                     || "sslCacheTimeout".equals(aname)) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/a7d5d525/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/HttpConduitConfigurationTest.java
----------------------------------------------------------------------
diff --git a/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/HttpConduitConfigurationTest.java
b/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/HttpConduitConfigurationTest.java
index 583d487..2bcb81d 100644
--- a/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/HttpConduitConfigurationTest.java
+++ b/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/HttpConduitConfigurationTest.java
@@ -139,7 +139,7 @@ public class HttpConduitConfigurationTest extends Assert {
 
             tmt.setKeyStore(kst);
             try {
-                return TLSParameterJaxBUtils.getTrustManagers(tmt);
+                return TLSParameterJaxBUtils.getTrustManagers(tmt, false);
             } catch (Exception e) {
                 throw new RuntimeException("failed to retrieve trust managers", e);
             }
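Review bot: This test only updates the existing call to pass `false`, so nothing in the commit exercises the new `enableRevocation == true` path in `TLSParameterJaxBUtils.getTrustManagers`, which is the code most likely to fail at runtime (PKIX-only parameters, null keystore, missing revocation source). A second case that builds the same `tmt` and calls `TLSParameterJaxBUtils.getTrustManagers(tmt, true)` would at least confirm that the PKIX-backed trust managers are created from the test keystore; I cannot see the rest of this test class, so it may be that coverage exists elsewhere. The enclosing method starts outside this hunk.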

