cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [2/2] cxf git commit: CXF-7084 - Dynamically load signature validation keys using KeyName. Thanks to Hugo Trippaers for the patch. This closes #177.
Date Wed, 29 Mar 2017 09:25:44 GMT
CXF-7084 - Dynamically load signature validation keys using KeyName.
Thanks to Hugo Trippaers for the patch.
This closes #177.


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2ea81b5f
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2ea81b5f
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2ea81b5f

Branch: refs/heads/master
Commit: 2ea81b5f7dd84d4d179a2d9ac77c5660a8aeb3c9
Parents: eb55972
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Mar 29 10:25:00 2017 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Mar 29 10:25:00 2017 +0100

----------------------------------------------------------------------
 .../rs/security/xml/SignatureProperties.java    | 16 +++++++++
 .../rs/security/xml/XmlSecInInterceptor.java    | 37 ++++++++++++++++++++
 .../jaxrs/security/xml/JAXRSXmlSecTest.java     |  2 +-
 .../systest/jaxrs/security/xml/stax-server.xml  | 12 ++++++-
 4 files changed, 65 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/2ea81b5f/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/SignatureProperties.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/SignatureProperties.java
b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/SignatureProperties.java
index 040cbb0..13cd047 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/SignatureProperties.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/SignatureProperties.java
@@ -18,6 +18,8 @@
  */
 package org.apache.cxf.rs.security.xml;
 
+import java.util.Map;
+
 public class SignatureProperties {
     private String signatureAlgo;
     private String signatureDigestAlgo;
@@ -25,6 +27,7 @@ public class SignatureProperties {
     private String signatureC14nTransform;
     private String signatureKeyIdType;
     private String signatureKeyName;
+    private Map<String, String> keyNameAliasMap;
 
     public void setSignatureAlgo(String signatureAlgo) {
         this.signatureAlgo = signatureAlgo;
@@ -63,4 +66,17 @@ public class SignatureProperties {
         this.signatureKeyName = signatureKeyName;
     }
 
+    public Map<String, String> getKeyNameAliasMap() {
+        return keyNameAliasMap;
+    }
+
+    /**
+     * Set the Signature KeyName alias lookup map. It is used on the receiving side for signature.
+     * It maps a KeyName to a key alias - so it allows us to associate a (e.g.) key alias
in
+     * a keystore with a given KeyName contained in a KeyInfo structure of the Signature.
+     */
+    public void setKeyNameAliasMap(Map<String, String> keyNameAliasMap) {
+        this.keyNameAliasMap = keyNameAliasMap;
+    }
+
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/2ea81b5f/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
index 4514051..5730381 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
@@ -27,6 +27,7 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.Map;
 import java.util.logging.Logger;
 import java.util.regex.Pattern;
 import java.util.regex.PatternSyntaxException;
@@ -66,6 +67,7 @@ import org.apache.xml.security.stax.ext.InboundXMLSec;
 import org.apache.xml.security.stax.ext.XMLSec;
 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
 import org.apache.xml.security.stax.ext.XMLSecurityProperties;
+import org.apache.xml.security.stax.impl.securityToken.KeyNameSecurityToken;
 import org.apache.xml.security.stax.securityEvent.AlgorithmSuiteSecurityEvent;
 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
@@ -216,7 +218,19 @@ public class XmlSecInInterceptor extends AbstractPhaseInterceptor<Message>
imple
             if (certs != null && certs.length > 0) {
                 properties.setSignatureVerificationKey(certs[0].getPublicKey());
             }
+        } else if (sigCrypto != null && sigProps != null && sigProps.getKeyNameAliasMap()
!= null) {
+            Map<String, String> keyNameAliasMap = sigProps.getKeyNameAliasMap();
+            for (Map.Entry<String, String> mapping: keyNameAliasMap.entrySet()) {
+                CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+                cryptoType.setAlias(mapping.getValue());
+                X509Certificate[] certs = sigCrypto.getX509Certificates(cryptoType);
+                if (certs != null && certs.length > 0) {
+                    properties.addKeyNameMapping(mapping.getKey(), certs[0].getPublicKey());
+                }
+            }
         }
+
+
     }
 
     protected SecurityEventListener configureSecurityEventListener(
@@ -300,6 +314,10 @@ public class XmlSecInInterceptor extends AbstractPhaseInterceptor<Message>
imple
         SecurityToken token = event.getSecurityToken();
         if (token != null) {
             X509Certificate[] certs = token.getX509Certificates();
+            if (certs == null && token.getPublicKey() == null && token instanceof
KeyNameSecurityToken) {
+                certs = getX509CertificatesForKeyName(sigCrypto, msg, (KeyNameSecurityToken)token);
+            }
+
             PublicKey publicKey = token.getPublicKey();
             X509Certificate cert = null;
             if (certs != null && certs.length > 0) {
@@ -321,6 +339,25 @@ public class XmlSecInInterceptor extends AbstractPhaseInterceptor<Message>
imple
         }
     }
 
+    private X509Certificate[] getX509CertificatesForKeyName(Crypto sigCrypto, Message msg,
KeyNameSecurityToken token)
+        throws XMLSecurityException {
+        X509Certificate[] certs;
+        KeyNameSecurityToken keyNameSecurityToken = token;
+        String keyName = keyNameSecurityToken.getKeyName();
+        String alias = null;
+        if (sigProps != null && sigProps.getKeyNameAliasMap() != null) {
+            alias = sigProps.getKeyNameAliasMap().get(keyName);
+        }
+        try {
+            certs = RSSecurityUtils.getCertificates(sigCrypto, alias);
+        } catch (Exception e) {
+            throw new XMLSecurityException("empty", new Object[] {"Error during Signature
Trust "
+                + "validation"});
+        }
+        return certs;
+    }
+
+
     protected void throwFault(String error, Exception ex) {
         LOG.warning(error);
         Response response = JAXRSUtils.toResponseBuilder(400).entity(error).build();

http://git-wip-us.apache.org/repos/asf/cxf/blob/2ea81b5f/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
index bb08668..1166daa 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
@@ -424,7 +424,7 @@ public class JAXRSXmlSecTest extends AbstractBusClientServerTestBase {
         sigOutInterceptor.setKeyInfoMustBeAvailable(true);
 
         SignatureProperties sigProps = new SignatureProperties();
-        sigProps.setSignatureKeyName("alice");
+        sigProps.setSignatureKeyName("alice-kn");
         sigProps.setSignatureKeyIdType("KeyName");
         sigOutInterceptor.setSignatureProperties(sigProps);
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/2ea81b5f/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
index 3ff5b4e..c1c3c0c 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
@@ -148,12 +148,22 @@ under the License.
         </jaxrs:properties>
     </jaxrs:server>
     
+    <util:map id="keyNameMap">
+        <entry key="alice-kn" value="alice" />
+    </util:map>
+    <bean id="keyNameSigProps" class="org.apache.cxf.rs.security.xml.SignatureProperties">
+        <property name="keyNameAliasMap" ref="keyNameMap"/>
+    </bean>
+    <bean id="xmlSecInHandlerKeyName" class="org.apache.cxf.rs.security.xml.XmlSecInInterceptor">
+        <property name="signatureProperties" ref="keyNameSigProps"/>
+        <property name="requireSignature" value="true"/>
+    </bean>
     <jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsigkeyname">
         <jaxrs:serviceBeans>
             <ref bean="serviceBean"/>
         </jaxrs:serviceBeans>
         <jaxrs:inInterceptors>
-            <ref bean="xmlSigInHandler"/>
+            <ref bean="xmlSecInHandlerKeyName"/>
         </jaxrs:inInterceptors>
         <jaxrs:outInterceptors>
             <ref bean="xmlSigOutHandler"/>


Mime
View raw message