Repository: cxf Updated Branches: refs/heads/master f66dea949 -> a5df4ba24
Adding WS-Security tests for SHA-512 Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a5df4ba2 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a5df4ba2 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a5df4ba2 Branch: refs/heads/master Commit: a5df4ba24a2f967a0434b9eaa7363f90838f9343 Parents: f66dea9 Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Thu Sep 22 11:52:54 2016 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Thu Sep 22 11:52:54 2016 +0100 ---------------------------------------------------------------------- .../cxf/systest/ws/x509/SHA512PolicyLoader.java | 117 +++++++++++++++++++ .../cxf/systest/ws/x509/X509TokenTest.java | 28 ++++- .../cxf/systest/ws/x509/DoubleItX509.wsdl | 63 ++++++++++ .../org/apache/cxf/systest/ws/x509/client.xml | 14 +++ .../org/apache/cxf/systest/ws/x509/server.xml | 13 +++ .../apache/cxf/systest/ws/x509/stax-server.xml | 14 +++ 6 files changed, 248 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/a5df4ba2/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/SHA512PolicyLoader.java ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/SHA512PolicyLoader.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/SHA512PolicyLoader.java new file mode 100644 index 0000000..09872d5 --- /dev/null +++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/SHA512PolicyLoader.java @@ -0,0 +1,117 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.cxf.systest.ws.x509; + +import java.util.HashMap; +import java.util.Map; + +import javax.xml.namespace.QName; + +import org.w3c.dom.Element; +import org.apache.cxf.Bus; +import org.apache.cxf.ws.policy.AssertionBuilderRegistry; +import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertion; +import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertionBuilder; +import org.apache.cxf.ws.security.policy.custom.AlgorithmSuiteLoader; +import org.apache.neethi.Assertion; +import org.apache.neethi.AssertionBuilderFactory; +import org.apache.neethi.Policy; +import org.apache.neethi.builders.xml.XMLPrimitiveAssertionBuilder; +import org.apache.wss4j.dom.WSConstants; +import org.apache.wss4j.policy.SPConstants; +import org.apache.wss4j.policy.model.AbstractSecurityAssertion; +import org.apache.wss4j.policy.model.AlgorithmSuite; + +/** + * This class retrieves the default AlgorithmSuites plus a custom AlgorithmSuite with the RSA SHA-512 + * signature + */ +public class SHA512PolicyLoader implements AlgorithmSuiteLoader { + + public SHA512PolicyLoader(Bus bus) { + bus.setExtension(this, AlgorithmSuiteLoader.class); + } + + public AlgorithmSuite getAlgorithmSuite(Bus bus, SPConstants.SPVersion version, Policy nestedPolicy) { + AssertionBuilderRegistry reg = bus.getExtension(AssertionBuilderRegistry.class); + if (reg != null) { + String ns = "http://cxf.apache.org/custom/security-policy";; + final Map<QName, Assertion> assertions = new HashMap<QName, Assertion>(); + QName qName = new QName(ns, "Basic128RsaSha512"); + assertions.put(qName, new PrimitiveAssertion(qName)); + + reg.registerBuilder(new PrimitiveAssertionBuilder(assertions.keySet()) { + public Assertion build(Element element, AssertionBuilderFactory fact) { + if (XMLPrimitiveAssertionBuilder.isOptional(element) + || XMLPrimitiveAssertionBuilder.isIgnorable(element)) { + return super.build(element, fact); + } + QName q = new QName(element.getNamespaceURI(), element.getLocalName()); + return assertions.get(q); + } + }); + } + return new SHA512AlgorithmSuite(version, nestedPolicy); + } + + public static class SHA512AlgorithmSuite extends AlgorithmSuite { + + static { + ALGORITHM_SUITE_TYPES.put( + "Basic128RsaSha512", + new AlgorithmSuiteType( + "Basic128RsaSha512", + "http://www.w3.org/2001/04/xmlenc#sha512";, + WSConstants.AES_128, + SPConstants.KW_AES128, + SPConstants.KW_RSA_OAEP, + SPConstants.P_SHA1_L128, + SPConstants.P_SHA1_L128, + 128, 128, 128, 512, 1024, 4096 + ) + ); + } + + SHA512AlgorithmSuite(SPConstants.SPVersion version, Policy nestedPolicy) { + super(version, nestedPolicy); + setAsymmetricSignature("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512";); + } + + @Override + protected AbstractSecurityAssertion cloneAssertion(Policy nestedPolicy) { + return new SHA512AlgorithmSuite(getVersion(), nestedPolicy); + } + + @Override + protected void parseCustomAssertion(Assertion assertion) { + String assertionName = assertion.getName().getLocalPart(); + String assertionNamespace = assertion.getName().getNamespaceURI(); + if (!"http://cxf.apache.org/custom/security-policy".equals(assertionNamespace)) { + return; + } + + if ("Basic128RsaSha512".equals(assertionName)) { + setAlgorithmSuiteType(ALGORITHM_SUITE_TYPES.get("Basic128RsaSha512")); + getAlgorithmSuiteType().setNamespace(assertionNamespace); + } + } + } + + +} http://git-wip-us.apache.org/repos/asf/cxf/blob/a5df4ba2/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java index 7e250e9..55b8298 100644 --- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java +++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java @@ -523,6 +523,33 @@ public class X509TokenTest extends AbstractBusClientServerTestBase { } @org.junit.Test + public void testAsymmetricSHA512() throws Exception { + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = X509TokenTest.class.getResource("client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = X509TokenTest.class.getResource("DoubleItX509.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricSHA512Port"); + DoubleItPortType x509Port = + service.getPort(portQName, DoubleItPortType.class); + updateAddressPort(x509Port, test.getPort()); + + if (test.isStreaming()) { + SecurityTestUtil.enableStreaming(x509Port); + } + + x509Port.doubleIt(25); + + ((java.io.Closeable)x509Port).close(); + bus.shutdown(true); + } + + @org.junit.Test public void testAsymmetricOldConfig() throws Exception { SpringBusFactory bf = new SpringBusFactory(); @@ -1543,5 +1570,4 @@ public class X509TokenTest extends AbstractBusClientServerTestBase { ((java.io.Closeable)x509Port).close(); bus.shutdown(true); } - } http://git-wip-us.apache.org/repos/asf/cxf/blob/a5df4ba2/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl index dcf01b2..7760e5d 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl @@ -235,6 +235,24 @@ </wsdl:fault> </wsdl:operation> </wsdl:binding> + <wsdl:binding name="DoubleItAsymmetricSHA512Binding" type="tns:DoubleItPortType"> + <wsp:PolicyReference URI="#DoubleItAsymmetricSHA512Policy"/> + <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/> + <wsdl:operation name="DoubleIt"> + <soap:operation soapAction=""/> + <wsdl:input> + <soap:body use="literal"/> + <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/> + </wsdl:input> + <wsdl:output> + <soap:body use="literal"/> + <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/> + </wsdl:output> + <wsdl:fault name="DoubleItFault"> + <soap:body use="literal" name="DoubleItFault"/> + </wsdl:fault> + </wsdl:operation> + </wsdl:binding> <wsdl:binding name="DoubleItAsymmetricNoInitiatorReferenceBinding" type="tns:DoubleItPortType"> <wsp:PolicyReference URI="#DoubleItAsymmetricNoInitiatorReferencePolicy"/> <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/> @@ -662,6 +680,9 @@ <wsdl:port name="DoubleItAsymmetricIssuerSerialPort" binding="tns:DoubleItAsymmetricIssuerSerialBinding"> <soap:address location="http://localhost:9001/DoubleItX509Asymmetric"/> </wsdl:port> + <wsdl:port name="DoubleItAsymmetricSHA512Port" binding="tns:DoubleItAsymmetricSHA512Binding"> + <soap:address location="http://localhost:9001/DoubleItX509AsymmetricSHA512"/> + </wsdl:port> <wsdl:port name="DoubleItAsymmetricOldConfigPort" binding="tns:DoubleItAsymmetricIssuerSerialBinding"> <soap:address location="http://localhost:9001/DoubleItX509AsymmetricOldConfig"/> </wsdl:port> @@ -1109,6 +1130,48 @@ </wsp:All> </wsp:ExactlyOne> </wsp:Policy> + <wsp:Policy wsu:Id="DoubleItAsymmetricSHA512Policy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:AsymmetricBinding> + <wsp:Policy> + <sp:InitiatorToken> + <wsp:Policy> + <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";> + <wsp:Policy> + <sp:WssX509V3Token10/> + <sp:RequireIssuerSerialReference/> + </wsp:Policy> + </sp:X509Token> + </wsp:Policy> + </sp:InitiatorToken> + <sp:RecipientToken> + <wsp:Policy> + <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never";> + <wsp:Policy> + <sp:WssX509V3Token10/> + <sp:RequireIssuerSerialReference/> + </wsp:Policy> + </sp:X509Token> + </wsp:Policy> + </sp:RecipientToken> + <sp:Layout> + <wsp:Policy> + <sp:Lax/> + </wsp:Policy> + </sp:Layout> + <sp:IncludeTimestamp/> + <sp:OnlySignEntireHeadersAndBody/> + <sp:AlgorithmSuite> + <wsp:Policy> + <cxf:Basic128RsaSha512 xmlns:cxf="http://cxf.apache.org/custom/security-policy"/> + </wsp:Policy> + </sp:AlgorithmSuite> + </wsp:Policy> + </sp:AsymmetricBinding> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> <wsp:Policy wsu:Id="DoubleItAsymmetricNoInitiatorReferencePolicy"> <wsp:ExactlyOne> <wsp:All> http://git-wip-us.apache.org/repos/asf/cxf/blob/a5df4ba2/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client.xml index 58fd8b9..09ef2df 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client.xml +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/client.xml @@ -24,6 +24,11 @@ <cxf:logging/> </cxf:features> </cxf:bus> + + <bean id="policyLoader" class="org.apache.cxf.systest.ws.x509.SHA512PolicyLoader" > + <constructor-arg ref="cxf"/> + </bean> + <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItSymmetricErrorMessagePort"; createdFromAPI="true"> <jaxws:properties> <entry key="security.encryption.properties" value="bob.properties"/> @@ -112,6 +117,15 @@ <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> </jaxws:properties> </jaxws:client> + <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItAsymmetricSHA512Port"; createdFromAPI="true"> + <jaxws:properties> + <entry key="security.encryption.properties" value="bob.properties"/> + <entry key="security.encryption.username" value="bob"/> + <entry key="security.signature.properties" value="alice.properties"/> + <entry key="security.signature.username" value="alice"/> + <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + </jaxws:properties> + </jaxws:client> <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItAsymmetricOldConfigPort"; createdFromAPI="true"> <jaxws:properties> <entry key="ws-security.encryption.properties" value="bob.properties"/> http://git-wip-us.apache.org/repos/asf/cxf/blob/a5df4ba2/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml index 3839ebd..0a00f13 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/server.xml @@ -39,6 +39,11 @@ </httpj:tlsServerParameters> </httpj:engine> </httpj:engine-factory> + + <bean id="policyLoader" class="org.apache.cxf.systest.ws.x509.SHA512PolicyLoader" > + <constructor-arg ref="cxf"/> + </bean> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt"; id="SymmetricErrorMessage" address="http://localhost:${testutil.ports.x509.Server}/DoubleItX509SymmetricErrorMessage"; serviceName="s:DoubleItService" endpointName="s:DoubleItSymmetricErrorMessagePort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl"> <jaxws:properties> <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> @@ -126,6 +131,14 @@ <entry key="security.encryption.username" value="alice"/> </jaxws:properties> </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt"; id="AsymmetricSHA512" address="http://localhost:${testutil.ports.x509.Server}/DoubleItX509AsymmetricSHA512"; serviceName="s:DoubleItService" endpointName="s:DoubleItAsymmetricSHA512Port" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl"> + <jaxws:properties> + <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="security.signature.properties" value="bob.properties"/> + <entry key="security.encryption.properties" value="alice.properties"/> + <entry key="security.encryption.username" value="alice"/> + </jaxws:properties> + </jaxws:endpoint> <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt"; id="AsymmetricOldConfig" address="http://localhost:${testutil.ports.x509.Server}/DoubleItX509AsymmetricOldConfig"; serviceName="s:DoubleItService" endpointName="s:DoubleItAsymmetricOldConfigPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl"> <jaxws:properties> <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> http://git-wip-us.apache.org/repos/asf/cxf/blob/a5df4ba2/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/stax-server.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/stax-server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/stax-server.xml index 53e6f2e..ad10a10 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/stax-server.xml +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/stax-server.xml @@ -39,6 +39,11 @@ </httpj:tlsServerParameters> </httpj:engine> </httpj:engine-factory> + + <bean id="policyLoader" class="org.apache.cxf.systest.ws.x509.SHA512PolicyLoader" > + <constructor-arg ref="cxf"/> + </bean> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt"; id="SymmetricErrorMessage" address="http://localhost:${testutil.ports.x509.StaxServer}/DoubleItX509SymmetricErrorMessage"; serviceName="s:DoubleItService" endpointName="s:DoubleItSymmetricErrorMessagePort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl"> <jaxws:properties> <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> @@ -139,6 +144,15 @@ <entry key="ws-security.enable.streaming" value="true"/> </jaxws:properties> </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt"; id="AsymmetricSHA512" address="http://localhost:${testutil.ports.x509.StaxServer}/DoubleItX509AsymmetricSHA512"; serviceName="s:DoubleItService" endpointName="s:DoubleItAsymmetricSHA512Port" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl"> + <jaxws:properties> + <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="security.signature.properties" value="bob.properties"/> + <entry key="security.encryption.properties" value="alice.properties"/> + <entry key="security.encryption.username" value="alice"/> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + </jaxws:endpoint> <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt"; id="AsymmetricOldConfig" address="http://localhost:${testutil.ports.x509.StaxServer}/DoubleItX509AsymmetricOldConfig"; serviceName="s:DoubleItService" endpointName="s:DoubleItAsymmetricOldConfigPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/x509/DoubleItX509.wsdl"> <jaxws:properties> <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
