Author: dkulp
Date: Tue Nov 30 02:34:39 2010
New Revision: 1040388
URL: http://svn.apache.org/viewvc?rev=1040388&view=rev
Log:
[CXF-3152] Update to wss4j 1.5.10
Add support for PKI cert chain
Patch from Colm O hEigeartaigh applied but test disabled until the certs
are available.
Added:
cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/alice.properties
(with props)
cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/cxfca.properties
(with props)
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/KeystorePasswordCallback.java
(with props)
Modified:
cxf/trunk/rt/ws/security/pom.xml
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
Modified: cxf/trunk/rt/ws/security/pom.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/pom.xml?rev=1040388&r1=1040387&r2=1040388&view=diff
==============================================================================
--- cxf/trunk/rt/ws/security/pom.xml (original)
+++ cxf/trunk/rt/ws/security/pom.xml Tue Nov 30 02:34:39 2010
@@ -91,7 +91,7 @@
<dependency>
<groupId>org.apache.ws.security</groupId>
<artifactId>wss4j</artifactId>
- <version>1.5.9</version>
+ <version>1.5.10</version>
<exclusions>
<exclusion>
<groupId>axis</groupId>
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1040388&r1=1040387&r2=1040388&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
Tue Nov 30 02:34:39 2010
@@ -315,10 +315,20 @@ public class WSS4JInInterceptor extends
WSSecurityEngineResult result =
(WSSecurityEngineResult) signatureResults.get(i);
+ //
+ // Verify the certificate chain associated with signature
verification if
+ // it exists. If it does not, then try to verify the (single)
certificate
+ // used for signature verification
+ //
X509Certificate returnCert = (X509Certificate)result
.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
-
- if (returnCert != null && !verifyTrust(returnCert, reqData)) {
+ X509Certificate[] returnCertChain = (X509Certificate[])result
+ .get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+
+ if (returnCertChain != null && !verifyTrust(returnCertChain,
reqData)) {
+ LOG.warning("The certificate chain used for the signature
is not trusted");
+ throw new
WSSecurityException(WSSecurityException.FAILED_CHECK);
+ } else if (returnCert != null && !verifyTrust(returnCert,
reqData)) {
LOG.warning("The certificate used for the signature is not
trusted");
throw new
WSSecurityException(WSSecurityException.FAILED_CHECK);
}
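Review bot: An empty but non-null array passes the `returnCertChain != null` test in the added condition and is handed to `verifyTrust(X509Certificate[], ...)`, whose handling of a zero-length chain is outside this hunk; if that overload treats an empty chain as trusted, the `else if` skips the single-certificate branch and the signer is never checked. Guarding with `if (returnCertChain != null && returnCertChain.length > 0 && !verifyTrust(returnCertChain, reqData)) {` lets the empty case fall through to the existing `returnCert` check. The `else if` also means a trusted chain is never cross-checked against `returnCert`, which is only sound if the chain's first element is the signing certificate — that appears to be the wss4j convention but is not visible here, so a one-line comment stating the assumption would help the next reader. The enclosing loop and method both start and end outside the hunk.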
Added: cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/alice.properties
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/alice.properties?rev=1040388&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/alice.properties (added)
+++ cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/alice.properties Tue
Nov 30 02:34:39 2010
@@ -0,0 +1,21 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.ws.security.crypto.merlin.keystore.type=jks
+org.apache.ws.security.crypto.merlin.keystore.password=password
+org.apache.ws.security.crypto.merlin.keystore.alias=alice
+org.apache.ws.security.crypto.merlin.file=META-INF/cxf/alice.jks
\ No newline at end of file
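Review bot: The `org.apache.ws.security.crypto.merlin.file` entry points at `META-INF/cxf/alice.jks`, and `cxfca.properties` likewise at `META-INF/cxf/cxfca.jks`, but neither keystore appears in this commit's Added list, so both Merlin configurations are unusable as checked in. The commit log says the test is disabled until the certs are available; a line such as `# alice.jks is not yet in the tree, see CXF-3152` in each file would keep that state from surprising whoever re-enables testPKIPath. This file also ends without a trailing newline, which cxfca.properties does have.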
Propchange: cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/alice.properties
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/alice.properties
------------------------------------------------------------------------------
svn:keywords = Rev Date
Propchange: cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/alice.properties
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/cxfca.properties
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/cxfca.properties?rev=1040388&view=auto
==============================================================================
--- cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/cxfca.properties (added)
+++ cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/cxfca.properties Tue
Nov 30 02:34:39 2010
@@ -0,0 +1,21 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.ws.security.crypto.merlin.keystore.type=jks
+org.apache.ws.security.crypto.merlin.keystore.password=password
+org.apache.ws.security.crypto.merlin.keystore.alias=cxfca
+org.apache.ws.security.crypto.merlin.file=META-INF/cxf/cxfca.jks
Propchange: cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/cxfca.properties
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/cxfca.properties
------------------------------------------------------------------------------
svn:keywords = Rev Date
Propchange: cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/cxfca.properties
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/KeystorePasswordCallback.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/KeystorePasswordCallback.java?rev=1040388&view=auto
==============================================================================
---
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/KeystorePasswordCallback.java
(added)
+++
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/KeystorePasswordCallback.java
Tue Nov 30 02:34:39 2010
@@ -0,0 +1,69 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.ws.security.wss4j;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import org.apache.ws.security.WSPasswordCallback;
+
+/**
+ */
+
+public class KeystorePasswordCallback implements CallbackHandler {
+
+ private Map<String, String> passwords =
+ new HashMap<String, String>();
+
+ public KeystorePasswordCallback() {
+ passwords.put("Alice", "abcd!1234");
+ passwords.put("alice", "password");
+ passwords.put("Bob", "abcd!1234");
+ passwords.put("bob", "password");
+ passwords.put("abcd", "dcba");
+ }
+
+ /**
+ * It attempts to get the password from the private
+ * alias/passwords map.
+ */
+ public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
+ for (int i = 0; i < callbacks.length; i++) {
+ WSPasswordCallback pc = (WSPasswordCallback)callbacks[i];
+
+ String pass = passwords.get(pc.getIdentifier());
+ if (pass != null) {
+ pc.setPassword(pass);
+ return;
+ }
+ }
+ }
+
+ /**
+ * Add an alias/password pair to the callback mechanism.
+ */
+ public void setAliasPassword(String alias, String password) {
+ passwords.put(alias, password);
+ }
+}
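Review bot: `handle` casts every element of `callbacks` to `WSPasswordCallback` unconditionally, so a caller passing any other `Callback` gets a `ClassCastException` instead of the `UnsupportedCallbackException` the signature declares. The early `return` after the first match also leaves any later callbacks in the array without a password; wss4j may only ever pass one, but the handler does not need to rely on that. The class Javadoc at the top is empty and could say this is a test-only handler holding fixed keystore and key passwords, and `passwords` can be `final`. A rewritten loop follows.
```java
// … unchanged: license header, imports, field, constructor …
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            String pass = passwords.get(pc.getIdentifier());
            if (pass != null) {
                pc.setPassword(pass);
            }
        }
    }
// … unchanged: setAliasPassword …
```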
Propchange:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/KeystorePasswordCallback.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/KeystorePasswordCallback.java
------------------------------------------------------------------------------
svn:keywords = Rev Date
Modified:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java?rev=1040388&r1=1040387&r2=1040388&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
(original)
+++
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
Tue Nov 30 02:34:39 2010
@@ -541,6 +541,75 @@ public class WSS4JInOutTest extends Abst
assertEquals(obj.getClass().getName(),
CustomProcessor.class.getName());
}
+ @Test
+ @org.junit.Ignore
+ public void testPKIPath() throws Exception {
+ Document doc = readDocument("wsse-request-clean.xml");
+
+ WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor();
+ PhaseInterceptor<SoapMessage> handler =
ohandler.createEndingInterceptor();
+
+ SoapMessage msg = new SoapMessage(new MessageImpl());
+ Exchange ex = new ExchangeImpl();
+ ex.setInMessage(msg);
+
+ SOAPMessage saajMsg = MessageFactory.newInstance().createMessage();
+ SOAPPart part = saajMsg.getSOAPPart();
+ part.setContent(new DOMSource(doc));
+ saajMsg.saveChanges();
+
+ msg.setContent(SOAPMessage.class, saajMsg);
+
+ msg.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
+ msg.put(WSHandlerConstants.SIG_PROP_FILE,
"META-INF/cxf/alice.properties");
+ msg.put(WSHandlerConstants.USER, "alice");
+ msg.put(WSHandlerConstants.PW_CALLBACK_CLASS,
KeystorePasswordCallback.class.getName());
+ msg.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
+ msg.put(WSHandlerConstants.USE_SINGLE_CERTIFICATE, "false");
+
+ handler.handleMessage(msg);
+
+ doc = part;
+
+ assertValid("//wsse:Security", doc);
+ assertValid("//wsse:Security/ds:Signature", doc);
+
+ byte[] docbytes = getMessageBytes(doc);
+
+ XMLStreamReader reader = StaxUtils.createXMLStreamReader(new
ByteArrayInputStream(docbytes));
+
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+
+ dbf.setValidating(false);
+ dbf.setIgnoringComments(false);
+ dbf.setIgnoringElementContentWhitespace(true);
+ dbf.setNamespaceAware(true);
+
+ DocumentBuilder db = dbf.newDocumentBuilder();
+ db.setEntityResolver(new NullResolver());
+ doc = StaxUtils.read(db, reader, false);
+
+ WSS4JInInterceptor inHandler = new WSS4JInInterceptor();
+
+ SoapMessage inmsg = new SoapMessage(new MessageImpl());
+ ex.setInMessage(inmsg);
+ inmsg.setContent(SOAPMessage.class, saajMsg);
+
+ inHandler.setProperty(WSHandlerConstants.ACTION,
WSHandlerConstants.SIGNATURE);
+ inHandler.setProperty(WSHandlerConstants.SIG_PROP_FILE,
"META-INF/cxf/cxfca.properties");
+
+ inHandler.handleMessage(inmsg);
+
+ WSSecurityEngineResult result =
+ (WSSecurityEngineResult)
inmsg.get(WSS4JInInterceptor.SIGNATURE_RESULT);
+ assertNotNull(result);
+ X509Certificate[] certificates = (X509Certificate[])result
+ .get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+ assertNotNull(certificates);
+ assertEquals(certificates.length, 2);
+ }
+
+
private byte[] getMessageBytes(Document doc) throws Exception {
ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
XMLStreamWriter byteArrayWriter =
StaxUtils.createXMLStreamWriter(outputStream);