Author: dkulp Date: Tue Nov 30 03:05:13 2010 New Revision: 1040395 URL: http://svn.apache.org/viewvc?rev=1040395&view=rev Log: Merged revisions 1040394 via svnmerge from https://svn.apache.org/repos/asf/cxf/branches/2.3.x-fixes
................ r1040394 | dkulp | 2010-11-29 21:54:09 -0500 (Mon, 29 Nov 2010) | 12 lines Merged revisions 1040388 via svnmerge from https://svn.apache.org/repos/asf/cxf/trunk ........ r1040388 | dkulp | 2010-11-29 21:34:39 -0500 (Mon, 29 Nov 2010) | 4 lines [CXF-3152] Update to wss4j 1.5.10 Add support for PKI cert chain Patch from Colm O hEigeartaigh applied but test disabled until the certs are available. ........ ................ Added: cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/META-INF/cxf/alice.properties - copied unchanged from r1040394, cxf/branches/2.3.x-fixes/rt/ws/security/src/test/java/META-INF/cxf/alice.properties cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/META-INF/cxf/cxfca.properties - copied unchanged from r1040394, cxf/branches/2.3.x-fixes/rt/ws/security/src/test/java/META-INF/cxf/cxfca.properties cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/KeystorePasswordCallback.java - copied unchanged from r1040394, cxf/branches/2.3.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/KeystorePasswordCallback.java Modified: cxf/branches/2.2.x-fixes/ (props changed) cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java Propchange: cxf/branches/2.2.x-fixes/ ------------------------------------------------------------------------------ Binary property 'svnmerge-integrated' - no diff available. 
Modified: cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml?rev=1040395&r1=1040394&r2=1040395&view=diff ============================================================================== --- cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml (original) +++ cxf/branches/2.2.x-fixes/rt/ws/security/pom.xml Tue Nov 30 03:05:13 2010 @@ -94,7 +94,7 @@ <dependency> <groupId>org.apache.ws.security</groupId> <artifactId>wss4j</artifactId> - <version>1.5.9</version> + <version>1.5.10</version> <exclusions> <exclusion> <groupId>axis</groupId> Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1040395&r1=1040394&r2=1040395&view=diff ============================================================================== --- cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java (original) +++ cxf/branches/2.2.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java Tue Nov 30 03:05:13 2010 
@@ -308,10 +308,20 @@ public class WSS4JInInterceptor extends WSSecurityEngineResult result = (WSSecurityEngineResult) signatureResults.get(i); + // + // Verify the certificate chain associated with signature verification if + // it exists. If it does not, then try to verify the (single) certificate + // used for signature verification + // X509Certificate returnCert = (X509Certificate)result .get(WSSecurityEngineResult.TAG_X509_CERTIFICATE); - - if (returnCert != null && !verifyTrust(returnCert, reqData)) { + X509Certificate[] returnCertChain = (X509Certificate[])result + .get(WSSecurityEngineResult.TAG_X509_CERTIFICATES); + + if (returnCertChain != null && !verifyTrust(returnCertChain, reqData)) { + LOG.warning("The certificate chain used for the signature is not trusted"); + throw new WSSecurityException(WSSecurityException.FAILED_CHECK); + } else if (returnCert != null && !verifyTrust(returnCert, reqData)) { LOG.warning("The certificate used for the signature is not trusted"); throw new WSSecurityException(WSSecurityException.FAILED_CHECK); } Modified: cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java URL: http://svn.apache.org/viewvc/cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java?rev=1040395&r1=1040394&r2=1040395&view=diff ============================================================================== --- cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java (original) +++ cxf/branches/2.2.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java Tue Nov 30 03:05:13 2010 
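Review bot: The new `else if` does not match the comment placed above it: when `returnCertChain` is non-null and `verifyTrust(returnCertChain, reqData)` succeeds, control still reaches `else if (returnCert != null && !verifyTrust(returnCert, reqData))`, so the leaf certificate is verified a second time on its own rather than only "if [the chain] does not" exist as the comment says. If WSS4J populates both TAG_X509_CERTIFICATE and TAG_X509_CERTIFICATES on the same result (not confirmable from this hunk), a leaf whose issuer is an intermediate carried only inside the PKIPath would pass the chain check and then be rejected by the single-certificate check. Either make the code follow the comment, `} else if (returnCertChain == null && returnCert != null && !verifyTrust(returnCert, reqData)) {`, or reword the comment to state that the leaf is always checked against the truststore as well, since the current form is the stricter (fail-closed) one. A zero-length chain would also take the chain branch and skip the single-certificate fallback, so guarding with `returnCertChain != null && returnCertChain.length > 0` avoids depending on how the overloaded verifyTrust treats an empty array. The enclosing loop and method begin and end outside this hunk.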
@@ -540,6 +540,75 @@ public class WSS4JInOutTest extends Abst assertEquals(obj.getClass().getName(), CustomProcessor.class.getName()); } + @Test + @org.junit.Ignore + public void testPKIPath() throws Exception { + Document doc = readDocument("wsse-request-clean.xml"); + + WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor(); + PhaseInterceptor<SoapMessage> handler = ohandler.createEndingInterceptor(); + + SoapMessage msg = new SoapMessage(new MessageImpl()); + Exchange ex = new ExchangeImpl(); + ex.setInMessage(msg); + + SOAPMessage saajMsg = MessageFactory.newInstance().createMessage(); + SOAPPart part = saajMsg.getSOAPPart(); + part.setContent(new DOMSource(doc)); + saajMsg.saveChanges(); + + msg.setContent(SOAPMessage.class, saajMsg); + + msg.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE); + msg.put(WSHandlerConstants.SIG_PROP_FILE, "META-INF/cxf/alice.properties"); + msg.put(WSHandlerConstants.USER, "alice"); + msg.put(WSHandlerConstants.PW_CALLBACK_CLASS, KeystorePasswordCallback.class.getName()); + msg.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference"); + msg.put(WSHandlerConstants.USE_SINGLE_CERTIFICATE, "false"); + + handler.handleMessage(msg); + + doc = part; + + assertValid("//wsse:Security", doc); + assertValid("//wsse:Security/ds:Signature", doc); + + byte[] docbytes = getMessageBytes(doc); + + XMLStreamReader reader = StaxUtils.createXMLStreamReader(new ByteArrayInputStream(docbytes)); + + DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + + dbf.setValidating(false); + dbf.setIgnoringComments(false); + dbf.setIgnoringElementContentWhitespace(true); + dbf.setNamespaceAware(true); + + DocumentBuilder db = dbf.newDocumentBuilder(); + db.setEntityResolver(new NullResolver()); + doc = StaxUtils.read(db, reader, false); + + WSS4JInInterceptor inHandler = new WSS4JInInterceptor(); + + SoapMessage inmsg = new SoapMessage(new MessageImpl()); + ex.setInMessage(inmsg); + inmsg.setContent(SOAPMessage.class, saajMsg); + + 
inHandler.setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE); + inHandler.setProperty(WSHandlerConstants.SIG_PROP_FILE, "META-INF/cxf/cxfca.properties"); + + inHandler.handleMessage(inmsg); + + WSSecurityEngineResult result = + (WSSecurityEngineResult) inmsg.get(WSS4JInInterceptor.SIGNATURE_RESULT); + assertNotNull(result); + X509Certificate[] certificates = (X509Certificate[])result + .get(WSSecurityEngineResult.TAG_X509_CERTIFICATES); + assertNotNull(certificates); + assertEquals(certificates.length, 2); + } + + private byte[] getMessageBytes(Document doc) throws Exception { ByteArrayOutputStream outputStream = new ByteArrayOutputStream(); XMLStreamWriter byteArrayWriter = StaxUtils.createXMLStreamWriter(outputStream);
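Review bot: `testPKIPath` exercises only the accepting path of the new chain check; nothing in this hunk asserts that a PKIPath whose issuer is absent from `META-INF/cxf/cxfca.properties` is rejected, which is precisely the behaviour the WSS4JInInterceptor change introduces. A companion test that signs with a chain rooted outside cxfca's truststore and expects the inbound `handleMessage(inmsg)` to throw would pin the negative case once the certificates are added. The serialised round trip is also dead here: `doc` is re-parsed from `docbytes`, but `inmsg.setContent(SOAPMessage.class, saajMsg)` hands the in-interceptor the same in-memory SAAJ message the out-interceptor mutated, so the test never shows that the PKIPath token survives serialisation (the surrounding tests appear to share this pattern). The bare `@org.junit.Ignore` should carry its reason, `@org.junit.Ignore("PKI test certificates not yet available")`, and `assertEquals(certificates.length, 2)` has expected and actual reversed — `assertEquals(2, certificates.length)` yields a correct failure message.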
