Author: gmazza
Date: Thu Apr 7 19:34:55 2011
New Revision: 1089952
URL: http://svn.apache.org/viewvc?rev=1089952&view=rev
Log:
simplified key names and handling
Added:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/clientKeystore.jks
(with props)
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/commonTruststore.jks
(with props)
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/gencerts.sh
(with props)
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/serverKeystore.jks
(with props)
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ClientConfig.xml
Removed:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/bin/
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/cherry.jks
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/truststore.jks
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/wibble.jks
Modified:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/README.txt
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/pom.xml
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/java/jaxrs/client/Client.java
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ServerConfig.xml
Modified:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/README.txt
URL:
http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/README.txt?rev=1089952&r1=1089951&r2=1089952&view=diff
==============================================================================
---
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/README.txt
(original)
+++
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/README.txt
Thu Apr 7 19:34:55 2011
@@ -52,7 +52,7 @@ Using either UNIX or Windows:
mvn -Pclient (from a second command line window)
-To remove the target dir, run mvn clean".
+To remove the target dir, run "mvn clean".
@@ -60,9 +60,9 @@ To remove the target dir, run mvn clean"
Certificates
------------
-If the certificates are expired for some reason, a shell script in
-bin/gencerts.sh will generate the set of certificates needed for
-this sample. Just do the following:
+If the certificates are expired or unusable for some reason, a shell
+script in the certs folder will generate a new set of certificates
+needed for this sample. Just do the following:
- cd certs
- sh ../bin/gencerts.sh
+ cd certs
+ sh gencerts.sh
Added:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/clientKeystore.jks
URL:
http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/clientKeystore.jks?rev=1089952&view=auto
==============================================================================
Binary file - no diff available.
Propchange:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/clientKeystore.jks
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
Added:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/commonTruststore.jks
URL:
http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/commonTruststore.jks?rev=1089952&view=auto
==============================================================================
Binary file - no diff available.
Propchange:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/commonTruststore.jks
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
Added:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/gencerts.sh
URL:
http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/gencerts.sh?rev=1089952&view=auto
==============================================================================
---
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/gencerts.sh
(added)
+++
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/gencerts.sh
Thu Apr 7 19:34:55 2011
@@ -0,0 +1,166 @@
+#!/bin/sh
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+#
+#
+# This file uses openssl and keytool to generate 2 chains of 3 certificates
+# CN=Wibble (client) CN=Cherry (service)
+# CN=TheRA
+# CN=TheCA
+# and generates a CRL to revoke the "CN=TheRA" certificate.
+#
+# These keys are not for production use (they're not signed by a reputable
+# 3rd-party CA), for testing/code samples only.
+#
+# This file also serves as a specification on what needs to be done to
+# get the underlying CXF to work correctly.
+# For the most part, you need to use only JKS (Java Key Store) formatted
+# keystores and truststores.
+
+
+# Initialize the default openssl DataBase.
+# According to a default /usr/lib/ssl/openssl.cnf file it is ./demoCA
+# Depending on the Openssl version, comment out "crlnumber" in config file.
+# We echo 1345 to start the certificate serial number counter.
+
+ rm -rf demoCA
+ mkdir -p demoCA/newcerts
+ cp /dev/null demoCA/index.txt
+ echo "1345" > demoCA/serial
+
+# This file makes sure that the certificate for CN=TheRA can be a Certificate
+# Authority, i.e. can sign the user certificates, e.g. "CN=Wibble".
+
+cat <<EOF > exts
+[x509_extensions]
+basicConstraints=CA:TRUE
+EOF
+
+# Create the CA's keypair and self-signed certificate
+# -x509 means create self-sign cert
+# -keyout means generate keypair
+# -nodes means do not encrypt private key.
+# -set_serial sets the serial number of the certificate
+
+ openssl req -verbose -x509 -new -nodes -set_serial 1234 \
+ -subj "/CN=TheCA/OU=NOT FOR PRODUCTION/O=Apache/ST=NY/C=US" \
+ -days 7300 -out cacert.pem -keyout caprivkey.pem
+
+# Create the RA's keypair and Certificate Request
+# without -x509, we generate an x509 cert request.
+# -keyout means generate keypair
+# -nodes means do not encrypt private key.
+
+ openssl req -verbose -new -nodes \
+ -subj "/CN=TheRA/OU=NOT FOR PRODUCTION/O=Apache/ST=NY/C=US" \
+ -days 7300 -out csrra.pem -keyout raprivkey.pem
+
+# Have the CN=TheCA issue a certificate for the CN=TheRA
+# We need -extfile exts -extenstions x509_extensions to make sure
+# CN=TheRA can be a Certificate Authority.
+
+ openssl ca -batch -days 7300 -cert cacert.pem -keyfile caprivkey.pem \
+ -in csrra.pem -out ra-ca-cert.pem -extfile exts -extensions x509_extensions
+
+# Create keypairs and Cert Request for a certificate for CN=Wibble and
CN=Cherry
+# This procedure must be done in JKS, because we need to use a JKS keystore.
+# The current version of CXF using PCKS12 will not work for a number of
+# internal CXF reasons.
+
+ rm -f clientKeystore.jks
+
+ keytool -genkey \
+ -dname "CN=Wibble, OU=NOT FOR PRODUCTION, O=Apache, ST=NY, C=US" \
+ -keystore clientKeystore.jks -storetype jks -storepass password -keypass
password
+
+ keytool -certreq -keystore clientKeystore.jks -storetype jks -storepass
password \
+ -keypass password -file csrwibble.pem
+
+
+ rm -f serverKeystore.jks
+
+ keytool -genkey \
+ -dname "CN=Cherry, OU=NOT FOR PRODUCTION, O=Apache, ST=NY, C=US" \
+ -keystore serverKeystore.jks -storetype jks -storepass password -keypass
password
+
+ keytool -certreq -keystore serverKeystore.jks -storetype jks -storepass
password \
+ -keypass password -file csrcherry.pem
+
+
+# Have the CN=TheRA issue a certificate for CN=Wibble and CN=Cherry via
+# their Certificate Requests.
+
+ openssl ca -batch -days 7300 -cert ra-ca-cert.pem -keyfile raprivkey.pem \
+ -in csrwibble.pem -out wibble-ra-cert.pem
+
+ openssl ca -batch -days 7300 -cert ra-ca-cert.pem -keyfile raprivkey.pem \
+ -in csrcherry.pem -out cherry-ra-cert.pem
+
+
+# Rewrite the certificates in PEM only format. This allows us to concatenate
+# them into chains.
+
+ openssl x509 -in cacert.pem -out cacert.pem -outform PEM
+ openssl x509 -in ra-ca-cert.pem -out ra-ca-cert.pem -outform PEM
+ openssl x509 -in wibble-ra-cert.pem -out wibble-ra-cert.pem -outform PEM
+ openssl x509 -in cherry-ra-cert.pem -out cherry-ra-cert.pem -outform PEM
+
+# Create a chain readable by CertificateFactory.getCertificates.
+
+ cat wibble-ra-cert.pem ra-ca-cert.pem cacert.pem > wibble.chain
+ cat cherry-ra-cert.pem ra-ca-cert.pem cacert.pem > cherry.chain
+
+# Replace the certificate in the Wibble keystore with their respective
+# full chains.
+
+ keytool -import -file wibble.chain -keystore clientKeystore.jks -storetype
jks \
+ -storepass password -keypass password -noprompt
+
+ keytool -import -file cherry.chain -keystore serverKeystore.jks -storetype
jks \
+ -storepass password -keypass password -noprompt
+
+# Revoke the CN=TheRA certificate (happens in the Openssl DB)
+
+ openssl ca -verbose -cert cacert.pem -keyfile caprivkey.pem \
+ -revoke ra-ca-cert.pem -crl_reason keyCompromise
+
+# Create the CRL from that revocation (from the Openssl DB)
+
+ openssl ca -verbose -gencrl -out ca.crl -cert cacert.pem \
+ -keyfile caprivkey.pem
+
+# Create the Truststore file containing the CA cert.
+
+ rm -f commonTruststore.jks
+
+ keytool -import -file cacert.pem -alias TheCA -keystore
commonTruststore.jks \
+ -storepass password -noprompt
+
+# Uncomment to see what's in the Keystores and CRL
+
+ keytool -v -list -keystore clientKeystore.jks -storepass password
+
+ keytool -v -list -keystore serverKeystore.jks -storepass password
+
+ keytool -v -list -keystore commonTruststore.jks -storepass password
+
+ openssl crl -in ca.crl -text -noout
+
+# Get rid of everything but wibble.chain and ra.crl
+#rm -rf *.pem exts demoCA *pk12
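Review bot: Neither `keytool -genkey` call (for clientKeystore.jks and serverKeystore.jks) passes `-keyalg`/`-keysize`, and the `openssl req` calls pass no `-newkey`, so key type and length fall back to the JDK and openssl.cnf defaults — on the JDK and OpenSSL builds of this era that is likely 1024-bit keys with SHA-1 signing, which newer TLS stacks reject; pin them with `-keyalg RSA -keysize 2048` on the keytool lines and `-newkey rsa:2048 -sha256` on the openssl req/ca lines. The script has no `set -e`, so if an `openssl ca` signing step fails the later `keytool -import` still runs against a missing chain file and leaves a keystore holding only the self-signed placeholder cert. With the final cleanup commented out, the unencrypted (`-nodes`) CA and RA private keys stay in `certs/` beside the keystores; at minimum the trailing comment should say so and name the CRL file the script actually writes (`ca.crl`, not `ra.crl`).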
Propchange:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/gencerts.sh
------------------------------------------------------------------------------
svn:executable = *
Added:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/serverKeystore.jks
URL:
http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/serverKeystore.jks?rev=1089952&view=auto
==============================================================================
Binary file - no diff available.
Propchange:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/certs/serverKeystore.jks
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
Modified:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/pom.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/pom.xml?rev=1089952&r1=1089951&r2=1089952&view=diff
==============================================================================
--- cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/pom.xml
(original)
+++ cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/pom.xml
Thu Apr 7 19:34:55 2011
@@ -86,10 +86,6 @@
</goals>
<configuration>
<mainClass>demo.jaxrs.client.Client</mainClass>
- <arguments>
-
<argument>${basedir}/certs/wibble.jks</argument>
-
<argument>${basedir}/certs/truststore.jks</argument>
- </arguments>
</configuration>
</execution>
</executions>
Modified:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/java/jaxrs/client/Client.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/java/jaxrs/client/Client.java?rev=1089952&r1=1089951&r2=1089952&view=diff
==============================================================================
---
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/java/jaxrs/client/Client.java
(original)
+++
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/java/jaxrs/client/Client.java
Thu Apr 7 19:34:55 2011
@@ -32,27 +32,29 @@ import org.apache.commons.httpclient.pro
public final class Client {
+ private static final String CLIENT_CONFIG_FILE = "ClientConfig.xml";
+
private Client() {
}
public static void main(String args[]) throws Exception {
- File wibble = new File(args[0]);
- File truststore = new File(args[1]);
+
+ File clientKeystore = new File("certs/clientKeystore.jks");
+ File truststore = new File("certs/commonTruststore.jks");
+ // Send HTTP GET request to query customer info - using portable
HttpClient method
Protocol authhttps = new Protocol("https",
- new AuthSSLProtocolSocketFactory(wibble.toURL(), "password",
- truststore.toURL(), "password"),
+ new
AuthSSLProtocolSocketFactory(clientKeystore.toURI().toURL(), "password",
+ truststore.toURI().toURL(), "password"),
9000);
Protocol.registerProtocol("https", authhttps);
- // Sent HTTP GET request to query customer info
System.out.println("Sent HTTPS GET request to query customer info");
HttpClient httpclient = new HttpClient();
GetMethod httpget = new
GetMethod("https://localhost:9000/customerservice/customers/123");
httpget.addRequestHeader("Accept" , "text/xml");
- // If Basic Authentication required (not needed in this sample) could
- // do so via the following:
+ // If Basic Authentication required (not needed in this sample) could
use:
/*
String authorizationHeader = "Basic "
+
org.apache.cxf.common.util.Base64Utility.encode("username:password".getBytes());
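Review bot: The keystore locations are now hard-coded as working-directory-relative paths (`certs/clientKeystore.jks`, `certs/commonTruststore.jks`) in place of the `${basedir}` arguments the pom used to pass, so `Client` only works when launched from the sample root and otherwise fails with a FileNotFoundException inside `AuthSSLProtocolSocketFactory`; a guard such as `if (!clientKeystore.isFile()) throw new IllegalStateException("run from the sample root: " + clientKeystore.getAbsolutePath());` would make that failure explicit. `CLIENT_CONFIG_FILE` is introduced but nothing in this hunk reads it, so it is either consumed further down the file or dead. Whether the sample-local `AuthSSLProtocolSocketFactory` verifies the server hostname against the certificate is not visible here, and the store and key passwords are the literal `"password"`, which is acceptable only because the README marks these keys as test-only.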
@@ -65,10 +67,9 @@ public final class Client {
httpget.releaseConnection();
}
- // Sent HTTP PUT request to update customer info
+ // Send HTTP PUT request to update customer info
System.out.println("\n");
System.out.println("Sent HTTPS PUT request to update customer info");
- Client client = new Client();
String inputFile =
Client.class.getClassLoader().getResource("update_customer.xml").getFile();
File input = new File(inputFile);
PutMethod put = new
PutMethod("https://localhost:9000/customerservice/customers");
@@ -84,7 +85,7 @@ public final class Client {
put.releaseConnection();
}
- // Sent HTTP POST request to add customer
+ // Send HTTP POST request to add customer
System.out.println("\n");
System.out.println("Sent HTTPS POST request to add customer");
inputFile =
Client.class.getClassLoader().getResource("add_customer.xml").getFile();
Added:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ClientConfig.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ClientConfig.xml?rev=1089952&view=auto
==============================================================================
---
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ClientConfig.xml
(added)
+++
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ClientConfig.xml
Thu Apr 7 19:34:55 2011
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:http="http://cxf.apache.org/transports/http/configuration"
+ xmlns:httpj="http://cxf.apache.org/transports/http-jetty/configuration"
+ xmlns:sec="http://cxf.apache.org/configuration/security"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
+ http://cxf.apache.org/transports/http/configuration
http://cxf.apache.org/schemas/configuration/http-conf.xsd
+ http://cxf.apache.org/transports/http-jetty/configuration
http://cxf.apache.org/schemas/configuration/http-jetty.xsd
+ http://cxf.apache.org/configuration/security
http://cxf.apache.org/schemas/configuration/security.xsd
+ ">
+ <bean
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
+
+ <!-- -->
+ <!-- HTTP/S configuration for proxy & web clients -->
+ <!-- -->
+ <http:conduit name="https://localhost:.*/customerservice/.*">
+ <http:client ConnectionTimeout="3000000" ReceiveTimeout="3000000"/>
+ <http:tlsClientParameters disableCNCheck="true">
+ <sec:keyManagers keyPassword="password">
+ <sec:keyStore type="JKS" password="password"
+ file="certs/clientKeystore.jks"/>
+ </sec:keyManagers>
+ <sec:trustManagers>
+ <sec:keyStore type="JKS" password="password"
+ file="certs/commonTruststore.jks"/>
+ </sec:trustManagers>
+ </http:tlsClientParameters>
+ </http:conduit>
+
+</beans>
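Review bot: `disableCNCheck="true"` on `http:tlsClientParameters` turns off hostname verification for every conduit matching `https://localhost:.*/customerservice/.*`; the sample presumably needs it because the server certificate is issued to CN=Cherry rather than localhost, but nothing in the file says this is test-only. Add `<!-- disableCNCheck: sample only, the server cert is CN=Cherry, not localhost; never disable hostname verification in production -->` directly above that element. The server side (`ServerConfig.xml`) restricts cipher suites with `sec:cipherSuitesFilter`, while this client config has none, so client and server TLS policy are inconsistent; mirroring the server's filter here would keep the negotiated suite under the sample's control. Whether this file is loaded at all is unclear from the diff, since `Client.java` builds its own `AuthSSLProtocolSocketFactory` and its `CLIENT_CONFIG_FILE` constant is not referenced in the visible hunk.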
Modified:
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ServerConfig.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ServerConfig.xml?rev=1089952&r1=1089951&r2=1089952&view=diff
==============================================================================
---
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ServerConfig.xml
(original)
+++
cxf/trunk/distribution/src/main/release/samples/jax_rs/basic_https/src/main/resources/ServerConfig.xml
Thu Apr 7 19:34:55 2011
@@ -41,11 +41,11 @@
<httpj:tlsServerParameters>
<sec:keyManagers keyPassword="password">
<sec:keyStore type="JKS" password="password"
- file="certs/cherry.jks"/>
+ file="certs/serverKeystore.jks"/>
</sec:keyManagers>
<sec:trustManagers>
<sec:keyStore type="JKS" password="password"
- file="certs/truststore.jks"/>
+ file="certs/commonTruststore.jks"/>
</sec:trustManagers>
<sec:cipherSuitesFilter>
<!-- these filters ensure that a ciphersuite with