Author: ashakirin
Date: Tue Dec 31 10:48:22 2013
New Revision: 1554397
URL: http://svn.apache.org/r1554397
Log:
[CXF-5443] STS Symmetric HOK: using server endpoint (AppliesTo) as certificate
identifier to encrypt symmetric key
Added:
cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/http___localhost_8080_services_TestService.cer
(with props)
cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/store1/CN-www.issuer.com_L-CGN_ST-NRW_C-DE_O-Issuer.cer
- copied unchanged from r1554225,
cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/store1/CN-www.issuer.com_L-CGN_ST-NRW_C-DE_O-Issuer-11688544847478700689.cer
Removed:
cxf/trunk/services/xkms/xkms-x509-handlers/src/test/resources/store1/CN-www.issuer.com_L-CGN_ST-NRW_C-DE_O-Issuer-11688544847478700689.cer
Modified:
cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XKMSInvoker.java
cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProvider.java
cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/handlers/Applications.java
cxf/trunk/services/xkms/xkms-features/src/main/resources/org.apache.cxf.xkms.cfg
cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/BasicIntegrationTest.java
cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/service/XKMSServiceTest.java
cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml
cxf/trunk/services/xkms/xkms-war/pom.xml
cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-key-handlers.xml
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/handlers/X509Locator.java
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/handlers/X509Register.java
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/CertificateRepo.java
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepo.java
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapSchemaConfig.java
cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepoTest.java
cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/repo/ldap/LDAPCertificateRepoTest.java
Modified:
cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XKMSInvoker.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XKMSInvoker.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
---
cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XKMSInvoker.java
(original)
+++
cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XKMSInvoker.java
Tue Dec 31 10:48:22 2013
@@ -73,7 +73,7 @@ class XKMSInvoker {
}
public X509Certificate getServiceCertificate(QName serviceName) {
- return getCertificateForId(Applications.SERVICE_SOAP,
serviceName.toString());
+ return getCertificateForId(Applications.SERVICE_NAME,
serviceName.toString());
}
public X509Certificate getCertificateForId(Applications application,
String id) {
@@ -88,6 +88,12 @@ class XKMSInvoker {
return getCertificate(ids);
}
+ public X509Certificate getCertificateForEndpoint(String endpoint) {
+ List<X509AppId> ids = new ArrayList<X509AppId>();
+ ids.add(new X509AppId(Applications.SERVICE_ENDPOINT, endpoint));
+ return getCertificate(ids);
+ }
+
public X509Certificate getCertificate(List<X509AppId> ids) {
try {
LocateRequestType locateRequestType =
prepareLocateXKMSRequest(ids);
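Review bot: The new getCertificateForEndpoint has no Javadoc, although it becomes the public entry point XkmsCryptoProvider uses for the new TYPE.ENDPOINT lookup. Suggest `/** Locates, via an XKMS Locate request, the certificate registered under {@link Applications#SERVICE_ENDPOINT} for the given endpoint address. */` above it. The endpoint is forwarded unmodified, so any normalisation of the address (scheme case, trailing slash) must happen in the caller, and that is worth stating in the same comment.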
Modified:
cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProvider.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProvider.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
---
cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProvider.java
(original)
+++
cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProvider.java
Tue Dec 31 10:48:22 2013
@@ -159,7 +159,7 @@ public class XkmsCryptoProvider extends
private X509Certificate[] getX509(CryptoType cryptoType) {
// Try to get X509 certificate from local keystore if it is configured
if (allowX509FromJKS && (fallbackCrypto != null)) {
- X509Certificate[] localCerts = getCertificateLocally(cryptoType);
+ X509Certificate[] localCerts = getCertificateLocaly(cryptoType);
if ((localCerts != null) && localCerts.length > 0) {
return localCerts;
}
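Review bot: The rename on the `+` line turns the correctly spelled `getCertificateLocally` into `getCertificateLocaly`, and the definition in the `@@ -257,7 +274,7 @@` hunk of this file follows suit while its Javadoc is unchanged. This reads as an accidental misspelling rather than a deliberate rename and should be reverted to `getCertificateLocally` in both places.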
@@ -167,14 +167,15 @@ public class XkmsCryptoProvider extends
CryptoType.TYPE type = cryptoType.getType();
if (type == TYPE.SUBJECT_DN) {
return getX509FromXKMSByID(Applications.PKIX,
cryptoType.getSubjectDN());
-
+ } else if (type == TYPE.ENDPOINT) {
+ return getX509FromXKMSByEndpoint(cryptoType.getEndpoint());
} else if (type == TYPE.ALIAS) {
Applications appId = null;
boolean isServiceName = isServiceName(cryptoType);
if (!isServiceName) {
appId = Applications.PKIX;
} else {
- appId = Applications.SERVICE_SOAP;
+ appId = Applications.SERVICE_NAME;
}
return getX509FromXKMSByID(appId, cryptoType.getAlias());
@@ -220,6 +221,22 @@ public class XkmsCryptoProvider extends
return buildX509GetResult(key, cert);
}
+ private X509Certificate[] getX509FromXKMSByEndpoint(String endpoint) {
+ LOG.fine(String.format("Getting public certificate from XKMS for
endpoint:%s",
+ endpoint));
+
+ // Try local cache first
+ X509Certificate[] certs = checkX509Cache(endpoint);
+ if (certs != null) {
+ return certs;
+ }
+
+ // Now ask the XKMS Service
+ X509Certificate cert = xkmsInvoker.getCertificateForEndpoint(endpoint);
+
+ return buildX509GetResult(endpoint, cert);
+ }
+
private X509Certificate[] checkX509Cache(String key) {
if (xkmsClientCache == null) {
return null;
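Review bot: `checkX509Cache(endpoint)` and `buildX509GetResult(endpoint, cert)` use the bare endpoint string as the cache key, and the existing ID path (getX509FromXKMSByID, outside this hunk) appears to key the same cache by alias or subject DN, so the cache would have no namespace per Applications value and an identifier valid under two applications would return whichever certificate was cached first. A key that includes the application, e.g. `Applications.SERVICE_ENDPOINT.getUri() + ':' + endpoint`, would avoid that, presumably applied to both lookup paths. I cannot see checkX509Cache's body or buildX509GetResult's null handling, so whether a null `cert` returned by xkmsInvoker ends up cached as a negative entry is worth confirming. The `LOG.fine(String.format(...))` call also formats eagerly regardless of log level; an `LOG.isLoggable(Level.FINE)` guard would be cheaper.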
@@ -257,7 +274,7 @@ public class XkmsCryptoProvider extends
* @param cryptoType
* @return if found certificate otherwise null returned
*/
- private X509Certificate[] getCertificateLocally(CryptoType cryptoType) {
+ private X509Certificate[] getCertificateLocaly(CryptoType cryptoType) {
// This only applies if we've configured a local Crypto instance...
if (fallbackCrypto == null) {
return null;
Modified:
cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/handlers/Applications.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/handlers/Applications.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
---
cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/handlers/Applications.java
(original)
+++
cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/handlers/Applications.java
Tue Dec 31 10:48:22 2013
@@ -28,9 +28,13 @@ public enum Applications {
*/
TLS_HTTPS("urn:ietf:rfc:2818"),
/**
- * Service Endpoint Name
+ * Service Name
*/
- SERVICE_SOAP("urn:apache:cxf:service:soap"),
+ SERVICE_NAME("urn:apache:cxf:service:name"),
+ /**
+ * Service Endpoint
+ */
+ SERVICE_ENDPOINT("urn:apache:cxf:service:endpoint"),
/**
* Certificate Issuer
*/
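Review bot: Renaming SERVICE_SOAP to SERVICE_NAME also changes the URN from `urn:apache:cxf:service:soap` to `urn:apache:cxf:service:name`, and that URN is the wire and persisted value carried in UseKeyWith/Application (XKMSServiceTest sends it via `.getUri()`), not just a Java identifier. Any client or stored registration still using the old URN will no longer match SERVICE_NAME, and unless `Applications.fromUri` (not in this diff) tolerates unknown values it may fail outright. If the rename is intended, either keep accepting the old URN as an alias or document the break in the Javadoc, e.g. `* Service Name (replaces {@code urn:apache:cxf:service:soap}; the old URN is no longer recognised)`.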
Modified:
cxf/trunk/services/xkms/xkms-features/src/main/resources/org.apache.cxf.xkms.cfg
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-features/src/main/resources/org.apache.cxf.xkms.cfg?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
---
cxf/trunk/services/xkms/xkms-features/src/main/resources/org.apache.cxf.xkms.cfg
(original)
+++
cxf/trunk/services/xkms/xkms-features/src/main/resources/org.apache.cxf.xkms.cfg
Tue Dec 31 10:48:22 2013
@@ -39,6 +39,7 @@ xkms.ldap.schema.certObjectClass=inetOrg
xkms.ldap.schema.attrUID=uid
xkms.ldap.schema.attrIssuerID=manager
xkms.ldap.schema.attrSerialNumber=employeeNumber
+xkms.ldap.schema.attrEndpoint=labeledURI
xkms.ldap.schema.attrCrtBinary=userCertificate;binary
xkms.ldap.schema.constAttrNamesCSV=sn
xkms.ldap.schema.constAttrValuesCSV=X509 certificate
Modified:
cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/BasicIntegrationTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/BasicIntegrationTest.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
---
cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/BasicIntegrationTest.java
(original)
+++
cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/BasicIntegrationTest.java
Tue Dec 31 10:48:22 2013
@@ -78,6 +78,9 @@ public class BasicIntegrationTest {
new
File("src/test/resources/data/xkms/certificates/cas/alice.cer")),
replaceConfigurationFile("data/xkms/certificates/dave.cer",
new
File("src/test/resources/data/xkms/certificates/dave.cer")),
+
replaceConfigurationFile("data/xkms/certificates/http___localhost_8080_services_TestService.cer",
+ new
File("src/test/resources/data/xkms/certificates/"
+ +
"http___localhost_8080_services_TestService.cer")),
replaceConfigurationFile("data/xkms/certificates/crls/wss40CACRL.cer",
new
File("src/test/resources/data/xkms/certificates/crls/wss40CACRL.cer")),
replaceConfigurationFile("etc/org.apache.cxf.xkms.cfg",
getConfigFile()),
Modified:
cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/service/XKMSServiceTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/service/XKMSServiceTest.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
---
cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/service/XKMSServiceTest.java
(original)
+++
cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/service/XKMSServiceTest.java
Tue Dec 31 10:48:22 2013
@@ -49,7 +49,7 @@ public class XKMSServiceTest extends Bas
new org.apache.cxf.xkms.model.xkms.ObjectFactory();
@Test
- public void testLocate() throws URISyntaxException, Exception {
+ public void testLocatePKIX() throws URISyntaxException, Exception {
LocateRequestType request = XKMS_OF.createLocateRequestType();
setGenericRequestParams(request);
QueryKeyBindingType queryKeyBindingType =
XKMS_OF.createQueryKeyBindingType();
@@ -58,6 +58,25 @@ public class XKMSServiceTest extends Bas
useKeyWithType.setIdentifier("CN=Dave, OU=Apache, O=CXF, L=CGN,
ST=NRW, C=DE");
useKeyWithType.setApplication(Applications.PKIX.getUri());
+ locateCertificate(request, queryKeyBindingType, useKeyWithType);
+ }
+
+ @Test
+ public void testLocateByEndpoint() throws URISyntaxException, Exception {
+ LocateRequestType request = XKMS_OF.createLocateRequestType();
+ setGenericRequestParams(request);
+ QueryKeyBindingType queryKeyBindingType =
XKMS_OF.createQueryKeyBindingType();
+
+ UseKeyWithType useKeyWithType = XKMS_OF.createUseKeyWithType();
+
useKeyWithType.setIdentifier("http://localhost:8080/services/TestService");
+ useKeyWithType.setApplication(Applications.SERVICE_ENDPOINT.getUri());
+
+ locateCertificate(request, queryKeyBindingType, useKeyWithType);
+ }
+
+ private void locateCertificate(LocateRequestType request,
+ QueryKeyBindingType queryKeyBindingType,
+ UseKeyWithType useKeyWithType) {
queryKeyBindingType.getUseKeyWith().add(useKeyWithType);
request.setQueryKeyBinding(queryKeyBindingType);
@@ -101,8 +120,6 @@ public class XKMSServiceTest extends Bas
result.getResultMajor());
Assert.assertEquals(ResultMinorEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_FAILURE.value(),
result.getResultMinor());
- ResultDetails message =
(ResultDetails)result.getMessageExtension().get(0);
- Assert.assertEquals("Exactly one useKeyWith element needed",
message.getDetails());
}
}
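Review bot: The two removed lines at the end of this hunk drop the only assertion on the failure's ResultDetails text, so the negative test no longer verifies which error the service reported; the message was changed in X509Register in this same commit, so updating the expected string would have kept the coverage. Suggest restoring them as `ResultDetails message = (ResultDetails) result.getMessageExtension().get(0);` and `Assert.assertEquals("Exactly one useKeyWith element is supported", message.getDetails());`. The enclosing test method starts outside the hunk.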
Added:
cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/http___localhost_8080_services_TestService.cer
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/http___localhost_8080_services_TestService.cer?rev=1554397&view=auto
==============================================================================
Binary file - no diff available.
Propchange:
cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/http___localhost_8080_services_TestService.cer
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
Modified:
cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
---
cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml
(original)
+++
cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml
Tue Dec 31 10:48:22 2013
@@ -35,6 +35,7 @@
<property name="attrUID" value="${xkms.ldap.schema.attrUID}"/>
<property name="attrIssuerID"
value="${xkms.ldap.schema.attrIssuerID}"/>
<property name="attrSerialNumber"
value="${xkms.ldap.schema.attrSerialNumber}"/>
+ <property name="attrEndpoint"
value="${xkms.ldap.schema.attrEndpoint}"/>
<property name="attrCrtBinary"
value="${xkms.ldap.schema.attrCrtBinary}"/>
<property name="attrCrlBinary"
value="${xkms.ldap.schema.attrCrlBinary}"/>
<property name="constAttrNamesCSV"
value="${xkms.ldap.schema.constAttrNamesCSV}"/>
Modified: cxf/trunk/services/xkms/xkms-war/pom.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-war/pom.xml?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-war/pom.xml (original)
+++ cxf/trunk/services/xkms/xkms-war/pom.xml Tue Dec 31 10:48:22 2013
@@ -42,6 +42,11 @@
<scope>runtime</scope>
</dependency>
<dependency>
+ <groupId>commons-logging</groupId>
+ <artifactId>commons-logging</artifactId>
+ <scope>runtime</scope>
+ </dependency>
+ <dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
</dependency>
Modified:
cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-key-handlers.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-key-handlers.xml?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
---
cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-key-handlers.xml
(original)
+++
cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-key-handlers.xml
Tue Dec 31 10:48:22 2013
@@ -37,6 +37,7 @@
<property name="attrUID" value="uid"/>
<property name="attrIssuerID" value="manager"/>
<property name="attrSerialNumber" value="employeeNumber"/>
+ <property name="attrEndpoint" value="labeledURI"/>
<property name="attrCrtBinary" value="userCertificate;binary"/>
<property name="constAttrNamesCSV" value="sn"/>
<property name="constAttrValuesCSV" value="X509 certificate"/>
Modified:
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/handlers/X509Locator.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/handlers/X509Locator.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
---
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/handlers/X509Locator.java
(original)
+++
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/handlers/X509Locator.java
Tue Dec 31 10:48:22 2013
@@ -80,8 +80,10 @@ public class X509Locator implements Loca
String id = ids.get(0).getIdentifier();
if (application == Applications.PKIX) {
cert = certRepo.findBySubjectDn(id);
- } else if (application == Applications.SERVICE_SOAP) {
+ } else if (application == Applications.SERVICE_NAME) {
cert = certRepo.findByServiceName(id);
+ } else if (application == Applications.SERVICE_ENDPOINT) {
+ cert = certRepo.findByEndpoint(id);
}
}
String issuer = getIdForApplication(Applications.ISSUER, ids);
Modified:
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/handlers/X509Register.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/handlers/X509Register.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
---
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/handlers/X509Register.java
(original)
+++
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/handlers/X509Register.java
Tue Dec 31 10:48:22 2013
@@ -81,7 +81,7 @@ public class X509Register implements Reg
X509Utils.assertElementNotNull(binding, KeyInfoType.class);
List<UseKeyWithType> useKeyWithList = binding.getUseKeyWith();
if (useKeyWithList == null || useKeyWithList.size() != 1) {
- throw new IllegalArgumentException("Exactly one useKeyWith
element needed");
+ throw new IllegalArgumentException("Exactly one useKeyWith
element is supported");
//TODO standard requires support for multiple useKeyWith
attributes
}
UseKeyWithType useKeyWith = useKeyWithList.get(0);
Modified:
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/CertificateRepo.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/CertificateRepo.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
---
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/CertificateRepo.java
(original)
+++
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/CertificateRepo.java
Tue Dec 31 10:48:22 2013
@@ -31,5 +31,6 @@ public interface CertificateRepo {
void saveCertificate(X509Certificate cert, UseKeyWithType key);
X509Certificate findBySubjectDn(String dn);
X509Certificate findByServiceName(String serviceName);
+ X509Certificate findByEndpoint(String endpoint);
X509Certificate findByIssuerSerial(String issuer, String serial);
}
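Review bot: `findByEndpoint` is added to the public interface without Javadoc, and both implementations in this commit (FileCertificateRepo, LdapCertificateRepo) return null when nothing matches or when the lookup fails, which callers such as X509Locator need to know. Suggest `/** Returns the certificate registered under {@code org.apache.cxf.xkms.handlers.Applications#SERVICE_ENDPOINT} for the given endpoint address, or {@code null} if none is found. */`. The same null contract appears to hold for the sibling lookups, which are likewise undocumented.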
Modified:
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepo.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepo.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
---
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepo.java
(original)
+++
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepo.java
Tue Dec 31 10:48:22 2013
@@ -36,6 +36,7 @@ import java.util.List;
import java.util.regex.Pattern;
import org.apache.cxf.xkms.exception.XKMSConfigurationException;
+import org.apache.cxf.xkms.handlers.Applications;
import org.apache.cxf.xkms.model.xkms.ResultMajorEnum;
import org.apache.cxf.xkms.model.xkms.ResultMinorEnum;
import org.apache.cxf.xkms.model.xkms.UseKeyWithType;
@@ -76,7 +77,7 @@ public class FileCertificateRepo impleme
public void saveCRL(X509CRL crl, UseKeyWithType id) {
String name = crl.getIssuerX500Principal().getName();
try {
- String path = convertDnForFileSystem(name) + ".cer";
+ String path = convertIdForFileSystem(name) + ".cer";
Pattern p = Pattern.compile("[a-zA-Z_0-9-_]");
if (!p.matcher(path).find()) {
throw new URISyntaxException(path, "Input did not match
[a-zA-Z_0-9-_].");
@@ -96,7 +97,6 @@ public class FileCertificateRepo impleme
private boolean saveCategorizedCertificate(X509Certificate cert,
UseKeyWithType id, boolean isTrustedCA,
boolean isCA) {
- String name = cert.getSubjectX500Principal().getName();
String category = "";
if (isTrustedCA) {
category = TRUSTED_CAS_PATH;
@@ -106,7 +106,7 @@ public class FileCertificateRepo impleme
}
try {
File certFile = new File(storageDir + "/" + category,
- getRelativePathForSubjectDn(cert));
+ getCertPath(cert, id));
certFile.getParentFile().mkdirs();
FileOutputStream fos = new FileOutputStream(certFile);
BufferedOutputStream bos = new BufferedOutputStream(fos);
@@ -114,12 +114,12 @@ public class FileCertificateRepo impleme
bos.close();
fos.close();
} catch (Exception e) {
- throw new RuntimeException("Error saving certificate " + name + ":
" + e.getMessage(), e);
+ throw new RuntimeException("Error saving certificate " +
cert.getSubjectDN() + ": " + e.getMessage(), e);
}
return true;
}
-
- public String convertDnForFileSystem(String dn) {
+
+ public String convertIdForFileSystem(String dn) {
String result = dn.replace("=", "-");
result = result.replace(", ", "_");
result = result.replace(",", "_");
@@ -131,15 +131,26 @@ public class FileCertificateRepo impleme
return result;
}
- public String getRelativePathForSubjectDn(X509Certificate cert)
+ public String getCertPath(X509Certificate cert, UseKeyWithType id)
throws URISyntaxException {
- BigInteger serialNumber = cert.getSerialNumber();
- String issuer = cert.getIssuerX500Principal().getName();
- String path = convertDnForFileSystem(issuer) + "-" +
serialNumber.toString() + ".cer";
- Pattern p = Pattern.compile("[a-zA-Z_0-9-_]");
- if (p.matcher(path).find()) {
- return path;
+ Applications application = null;
+ String path = null;
+ if (id != null) {
+ application = Applications.fromUri(id.getApplication());
+ }
+ if (application == Applications.SERVICE_ENDPOINT) {
+ path = id.getIdentifier();
} else {
+ path = cert.getSubjectDN().getName();
+ }
+ path = convertIdForFileSystem(path) + ".cer";
+ validateCertificatePath(path);
+ return path;
+ }
+
+ private void validateCertificatePath(String path) throws
URISyntaxException {
+ Pattern p = Pattern.compile("[a-zA-Z_0-9-_]");
+ if (!p.matcher(path).find()) {
throw new URISyntaxException(path, "Input did not match
[a-zA-Z_0-9-_].");
}
}
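Review bot: validateCertificatePath does not validate anything: `Pattern.compile("[a-zA-Z_0-9-_]")` with `find()` only requires that at least one character of `path` be in the class, so a value containing `..` or a path separator passes as long as it contains a single letter. The check was already this weak before the refactor, but getCertPath now feeds it `id.getIdentifier()` from an incoming Register request for SERVICE_ENDPOINT, and findByEndpoint in the next hunk feeds it the identifier from a Locate request, so the input is remote-controlled. An anchored full match such as `private static final Pattern SAFE_NAME = Pattern.compile("[a-zA-Z0-9._-]+");` with `if (!SAFE_NAME.matcher(path).matches())` would make the check effective; if DN-derived names may legitimately contain other characters, which depends on the tail of convertIdForFileSystem that is outside this hunk, a canonical-path containment check against storageDir is the alternative. Separately, the file name no longer includes the serial number (the test expectation was changed accordingly), so re-registering a certificate with the same subject silently overwrites the previous file; worth a comment if that is intended.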
@@ -246,6 +257,25 @@ public class FileCertificateRepo impleme
}
@Override
+ public X509Certificate findByEndpoint(String endpoint) {
+ try {
+ String path = convertIdForFileSystem(endpoint) + ".cer";
+ validateCertificatePath(path);
+ File certFile = new File(storageDir.getAbsolutePath() + "/" +
path);
+ if (!certFile.exists()) {
+ LOG.warn(String.format("Certificate not found for endpoint %s,
path %s", endpoint,
+ certFile.getAbsolutePath()));
+ return null;
+ }
+ return (X509Certificate)certFactory.generateCertificate(new
FileInputStream(certFile));
+ } catch (Exception e) {
+ LOG.warn(String.format("Cannot load certificate by endpoint: %s.
Error: %s", endpoint,
+ e.getMessage()), e);
+ return null;
+ }
+ }
+
+ @Override
public X509Certificate findBySubjectDn(String subjectDn) {
List<X509Certificate> result = new ArrayList<X509Certificate>();
File[] list = getX509Files();
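Review bot: The `FileInputStream` passed to `certFactory.generateCertificate` in findByEndpoint is never closed, so every lookup leaks a file handle. The path is also assembled from the request-supplied endpoint with only validateCertificatePath between them, which as written does not reject `..` or separators, so the resolved file should be checked to lie under storageDir before it is opened. The rewrite below closes the stream and adds that containment check; the not-found and error branches are unchanged.
```java
    @Override
    public X509Certificate findByEndpoint(String endpoint) {
        try {
            String path = convertIdForFileSystem(endpoint) + ".cer";
            validateCertificatePath(path);
            File certFile = new File(storageDir, path);
            // Refuse anything that resolves outside the certificate store
            String base = storageDir.getCanonicalPath() + File.separator;
            if (!certFile.getCanonicalPath().startsWith(base)) {
                LOG.warn(String.format("Rejected certificate path outside store for endpoint %s", endpoint));
                return null;
            }
            if (!certFile.exists()) {
                // … unchanged: not-found warning and return null …
            }
            FileInputStream in = new FileInputStream(certFile);
            try {
                return (X509Certificate) certFactory.generateCertificate(in);
            } finally {
                in.close();
            }
        } catch (Exception e) {
            // … unchanged: warning and return null …
        }
    }
```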
@@ -299,4 +329,5 @@ public class FileCertificateRepo impleme
}
return null;
}
+
}
Modified:
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
---
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java
(original)
+++
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java
Tue Dec 31 10:48:22 2013
@@ -25,7 +25,9 @@ import java.security.cert.CertificateFac
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
+import java.util.HashMap;
import java.util.List;
+import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Matcher;
@@ -140,13 +142,18 @@ public class LdapCertificateRepo impleme
}
}
- private void saveCertificate(X509Certificate cert, String dn) {
+ private void saveCertificate(X509Certificate cert, String dn, Map<String,
String> appAttrs) {
Attributes attribs = new BasicAttributes();
attribs.put(new BasicAttribute(ATTR_OBJECT_CLASS,
ldapConfig.getCertObjectClass()));
attribs.put(new BasicAttribute(ldapConfig.getAttrUID(),
cert.getSubjectX500Principal().getName()));
attribs.put(new BasicAttribute(ldapConfig.getAttrIssuerID(),
cert.getIssuerX500Principal().getName()));
attribs.put(new BasicAttribute(ldapConfig.getAttrSerialNumber(),
cert.getSerialNumber().toString(16)));
addConstantAttributes(ldapConfig.getConstAttrNamesCSV(),
ldapConfig.getConstAttrValuesCSV(), attribs);
+ if ((appAttrs != null) && (!appAttrs.isEmpty())) {
+ for (String attrName : appAttrs.keySet()) {
+ attribs.put(new BasicAttribute(attrName,
appAttrs.get(attrName)));
+ }
+ }
try {
attribs.put(new BasicAttribute(ldapConfig.getAttrCrtBinary(),
cert.getEncoded()));
ldapSearch.bind(dn, attribs);
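Review bot: The loop over `appAttrs.keySet()` followed by `appAttrs.get(attrName)` does two lookups per entry; iterating entries is the idiomatic form, `for (Map.Entry<String, String> e : appAttrs.entrySet()) { attribs.put(new BasicAttribute(e.getKey(), e.getValue())); }`. The `!appAttrs.isEmpty()` half of the guard is redundant since a loop over an empty map does nothing, though the null check should stay if callers may pass null. The enclosing method continues past the hunk.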
@@ -192,7 +199,7 @@ public class LdapCertificateRepo impleme
public X509Certificate findByServiceName(String serviceName) {
X509Certificate cert = null;
try {
- String dn = getDnForServiceName(serviceName);
+ String dn = getDnForIdentifier(serviceName);
cert = getCertificateForDn(dn);
} catch (NamingException e) {
// Not found
@@ -207,8 +214,22 @@ public class LdapCertificateRepo impleme
return cert;
}
- private String getDnForServiceName(String serviceName) {
- String escapedIdentifier = serviceName.replaceAll("\\/",
Matcher.quoteReplacement("\\/"));
+ @Override
+ public X509Certificate findByEndpoint(String endpoint) {
+ X509Certificate cert = null;
+ String filter = String.format("(%s=%s)", ldapConfig.getAttrEndpoint(),
endpoint);
+ try {
+ Attribute attr = ldapSearch.findAttribute(rootDN, filter,
ldapConfig.getAttrCrtBinary());
+ cert = getCert(attr);
+ } catch (NamingException e) {
+ // Not found
+ }
+ return cert;
+ }
+
+
+ private String getDnForIdentifier(String id) {
+ String escapedIdentifier = id.replaceAll("\\/",
Matcher.quoteReplacement("\\/"));
return String.format(ldapConfig.getServiceCertRDNTemplate(),
escapedIdentifier) + "," + rootDN;
}
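Review bot: `String.format("(%s=%s)", ldapConfig.getAttrEndpoint(), endpoint)` interpolates the endpoint into an LDAP search filter without escaping, and the value reaches this method from the identifier of an incoming XKMS Locate request (X509Locator passes `ids.get(0).getIdentifier()` to `certRepo.findByEndpoint`). Filter metacharacters (`*`, `(`, `)`, `\`, NUL) therefore alter the query instead of being matched literally, which is the LDAP filter-injection shape; a wildcard alone would match entries other than the intended one. The value should be escaped per RFC 4515 before it is placed in the filter, as below. `getDnForIdentifier`, now also used by the SERVICE_ENDPOINT branch of saveCertificate, escapes only `/`, so identifiers containing RFC 4514 special characters (`,`, `+`, `"`, `<`, `>`, `;`, `=`) may likewise yield a malformed or unintended DN; I cannot see how `serviceCertRDNTemplate` quotes the value, so that part is worth checking rather than assuming.
```java
    @Override
    public X509Certificate findByEndpoint(String endpoint) {
        X509Certificate cert = null;
        String filter = String.format("(%s=%s)", ldapConfig.getAttrEndpoint(),
                                      escapeFilterValue(endpoint));
        // … unchanged: findAttribute, getCert, NamingException handling …
        return cert;
    }

    /** Escapes a value for use inside an LDAP search filter (RFC 4515, section 3). */
    private static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
            case '*': sb.append("\\2a"); break;
            case '(': sb.append("\\28"); break;
            case ')': sb.append("\\29"); break;
            case '\\': sb.append("\\5c"); break;
            case '\0': sb.append("\\00"); break;
            default: sb.append(c);
            }
        }
        return sb.toString();
    }
```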
@@ -260,15 +281,19 @@ public class LdapCertificateRepo impleme
@Override
public void saveCertificate(X509Certificate cert, UseKeyWithType key) {
Applications application = Applications.fromUri(key.getApplication());
- String dn;
+ String dn = null;
+ Map<String, String> attrs = new HashMap<String, String>();
if (application == Applications.PKIX) {
dn = key.getIdentifier() + "," + rootDN;
- } else if (application == Applications.SERVICE_SOAP) {
- dn = getDnForServiceName(key.getIdentifier());
+ } else if (application == Applications.SERVICE_NAME) {
+ dn = getDnForIdentifier(key.getIdentifier());
+ } else if (application == Applications.SERVICE_ENDPOINT) {
+ attrs.put(ldapConfig.getAttrEndpoint(), key.getIdentifier());
+ dn = getDnForIdentifier(key.getIdentifier());
} else {
throw new IllegalArgumentException("Unsupported Application " +
application);
}
- saveCertificate(cert, dn);
+ saveCertificate(cert, dn, attrs);
}
}
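Review bot: The SERVICE_ENDPOINT branch derives the entry DN with the same `getDnForIdentifier` template as SERVICE_NAME, so a service name and an endpoint that happen to be the same string map to the same DN and the second `ldapSearch.bind` (in the private saveCertificate of an earlier hunk) would collide with the first; whether that is acceptable depends on the naming scheme, which I cannot see from here. If the collision is not intended, a distinct RDN prefix for endpoint entries would keep the two namespaces apart. The `String dn = null;` initialisation is no longer needed, because every branch either assigns `dn` or throws.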
Modified:
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapSchemaConfig.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapSchemaConfig.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
---
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapSchemaConfig.java
(original)
+++
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapSchemaConfig.java
Tue Dec 31 10:48:22 2013
@@ -23,6 +23,7 @@ public class LdapSchemaConfig {
private String attrUID = "uid";
private String attrIssuerID = "manager";
private String attrSerialNumber = "employeeNumber";
+ private String attrEndpoint = "labeledURI";
private String attrCrtBinary = "userCertificate;binary";
private String attrCrlBinary = "certificateRevocationList;binary";
private String constAttrNamesCSV = "sn";
@@ -137,4 +138,12 @@ public class LdapSchemaConfig {
this.attrCrlBinary = attrCrlBinary;
}
+ public String getAttrEndpoint() {
+ return attrEndpoint;
+ }
+
+ public void setAttrEndpoint(String attrEndpoint) {
+ this.attrEndpoint = attrEndpoint;
+ }
+
}
Modified:
cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepoTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepoTest.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
---
cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepoTest.java
(original)
+++
cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/repo/file/FileCertificateRepoTest.java
Tue Dec 31 10:48:22 2013
@@ -39,8 +39,7 @@ import org.junit.Test;
public class FileCertificateRepoTest {
private static final String EXAMPLE_SUBJECT_DN = "CN=www.issuer.com,
L=CGN, ST=NRW, C=DE, O=Issuer";
- private static final String EXPECTED_CERT_FILE_NAME =
-
"CN-www.issuer.com_L-CGN_ST-NRW_C-DE_O-Issuer-11688544847478700689.cer";
+ private static final String EXPECTED_CERT_FILE_NAME =
"CN-www.issuer.com_L-CGN_ST-NRW_C-DE_O-Issuer.cer";
@Test
public void testSaveAndFind() throws CertificateException, IOException {
@@ -113,7 +112,7 @@ public class FileCertificateRepoTest {
@Test
public void testConvertDnForFileSystem() throws CertificateException {
String convertedName = new
FileCertificateRepo("src/test/resources/store1")
- .convertDnForFileSystem(EXAMPLE_SUBJECT_DN);
+ .convertIdForFileSystem(EXAMPLE_SUBJECT_DN);
Assert.assertEquals("CN-www.issuer.com_L-CGN_ST-NRW_C-DE_O-Issuer",
convertedName);
}
Modified:
cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/repo/ldap/LDAPCertificateRepoTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/repo/ldap/LDAPCertificateRepoTest.java?rev=1554397&r1=1554396&r2=1554397&view=diff
==============================================================================
---
cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/repo/ldap/LDAPCertificateRepoTest.java
(original)
+++
cxf/trunk/services/xkms/xkms-x509-handlers/src/test/java/org/apache/cxf/xkms/x509/repo/ldap/LDAPCertificateRepoTest.java
Tue Dec 31 10:48:22 2013
@@ -130,7 +130,7 @@ public class LDAPCertificateRepoTest {
c.replay();
UseKeyWithType key = new UseKeyWithType();
- key.setApplication(Applications.SERVICE_SOAP.getUri());
+ key.setApplication(Applications.SERVICE_NAME.getUri());
key.setIdentifier(EXPECTED_SERVICE_URI);
ldapCertRepo.saveCertificate(cert, key);
c.verify();