Repository: cxf Updated Branches: refs/heads/3.1.x-fixes 6dc8eed88 -> 30c76de21
CXF-7296 - Add support to enable revocation for TLS via configuration # Conflicts: # rt/transports/http-undertow/src/main/java/org/apache/cxf/transport/http_undertow/osgi/HTTPUndertowTransportActivator.java # rt/transports/http/src/main/java/org/apache/cxf/transport/http/blueprint/HttpConduitBPBeanDefinitionParser.java # rt/transports/http/src/main/java/org/apache/cxf/transport/http/spring/HttpConduitBeanDefinitionParser.java Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/97ec59a8 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/97ec59a8 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/97ec59a8 Branch: refs/heads/3.1.x-fixes Commit: 97ec59a8527a450dbc6b5b8a6f2d5c5967eeb81d Parents: 6dc8eed Author: Colm O hEigeartaigh <[email protected]> Authored: Thu Mar 23 14:22:37 2017 +0000 Committer: Colm O hEigeartaigh <[email protected]> Committed: Thu Mar 23 15:54:53 2017 +0000 ---------------------------------------------------------------------- .../jsse/TLSClientParametersConfig.java | 2 +- .../jsse/TLSParameterJaxBUtils.java | 19 +++++- .../jsse/TLSServerParametersConfig.java | 2 +- .../schemas/configuration/security.xsd | 16 +++++ .../osgi/HTTPJettyTransportActivator.java | 5 +- .../HttpConduitBPBeanDefinitionParser.java | 5 ++ .../http/osgi/HttpConduitConfigApplier.java | 67 +++++++++++--------- .../spring/HttpConduitBeanDefinitionParser.java | 5 ++ .../spring/HttpConduitConfigurationTest.java | 2 +- 9 files changed, 88 insertions(+), 35 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/97ec59a8/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParametersConfig.java ---------------------------------------------------------------------- 
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParametersConfig.java b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParametersConfig.java
index e67571b..d39d526 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParametersConfig.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSClientParametersConfig.java
@@ -114,7 +114,7 @@ public final class TLSClientParametersConfig {
 if (params.isSetTrustManagers() && !usingDefaults) {
 ret.setTrustManagers(
 TLSParameterJaxBUtils.getTrustManagers(
- params.getTrustManagers()));
+ params.getTrustManagers(), params.isEnableRevocation()));
 }
 if (params.isSetCertConstraints()) {
 ret.setCertConstraints(params.getCertConstraints());
http://git-wip-us.apache.org/repos/asf/cxf/blob/97ec59a8/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
index a632060..7b61008 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSParameterJaxBUtils.java
@@ -30,11 +30,14 @@ import java.security.SecureRandom;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
+import java.security.cert.PKIXBuilderParameters;
+import java.security.cert.X509CertSelector;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import javax.net.ssl.CertPathTrustManagerParameters;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.TrustManager;
@@ -329,9 +332,16 @@ public final class TLSParameterJaxBUtils {
 * This method converts the JAXB TrustManagersType into a list of
 * JSSE TrustManagers.
 */
+ @Deprecated
 public static TrustManager[] getTrustManagers(TrustManagersType tmc)
 throws GeneralSecurityException,
 IOException {
+ return getTrustManagers(tmc, false);
+ }
+
+ public static TrustManager[] getTrustManagers(TrustManagersType tmc, boolean enableRevocation)
+ throws GeneralSecurityException,
+ IOException {
 final KeyStore keyStore =
 tmc.isSetKeyStore()
@@ -349,7 +359,14 @@ public final class TLSParameterJaxBUtils {
 ? TrustManagerFactory.getInstance(alg, tmc.getProvider())
 : TrustManagerFactory.getInstance(alg);
- fac.init(keyStore);
+ if (enableRevocation) {
+ PKIXBuilderParameters param = new PKIXBuilderParameters(keyStore, new X509CertSelector());
+ param.setRevocationEnabled(true);
+
+ fac.init(new CertPathTrustManagerParameters(param));
+ } else {
+ fac.init(keyStore);
+ }
 return fac.getTrustManagers();
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/97ec59a8/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
index 137e80d..e4c4cad 100644
--- a/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
+++ b/core/src/main/java/org/apache/cxf/configuration/jsse/TLSServerParametersConfig.java
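Review bot: In the `enableRevocation` branch of the second hunk, `fac.init(new CertPathTrustManagerParameters(param))` is only accepted by a PKIX `TrustManagerFactory`; if `alg` (resolved above the hunk, outside this view) ends up as SunX509 that call throws `InvalidAlgorithmParameterException`, so the new overload should either select the PKIX algorithm when revocation is requested or document the restriction. `new PKIXBuilderParameters(keyStore, ...)` also rejects a null keystore, whereas the old `fac.init(keyStore)` with null fell back to the JVM default trust store — if the `tmc.isSetKeyStore()` chain above the hunk can yield null (the method continues outside this hunk), enabling revocation without a keystore becomes a new failure mode rather than "default trust store plus revocation". Finally, `param.setRevocationEnabled(true)` on its own only makes the PKIX validator demand revocation data: with no `CertStore` added to the parameters and no OCSP/CRL distribution-point lookup enabled in the JVM, certificate path validation fails because revocation status cannot be determined, so the new method needs a Javadoc (it has none, and the `@Deprecated` one should point at it) stating that the deployment must make CRLs or OCSP reachable for the trust anchors in the keystore.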
@@ -78,7 +78,7 @@ public class TLSServerParametersConfig
 if (params.isSetTrustManagers()) {
 this.setTrustManagers(
 TLSParameterJaxBUtils.getTrustManagers(
- params.getTrustManagers()));
+ params.getTrustManagers(), params.isEnableRevocation()));
 }
 if (params.isSetCertConstraints()) {
 this.setCertConstraints(params.getCertConstraints());
http://git-wip-us.apache.org/repos/asf/cxf/blob/97ec59a8/core/src/main/resources/schemas/configuration/security.xsd
----------------------------------------------------------------------
diff --git a/core/src/main/resources/schemas/configuration/security.xsd b/core/src/main/resources/schemas/configuration/security.xsd
index 1a10fe3..5f5c537 100644
--- a/core/src/main/resources/schemas/configuration/security.xsd
+++ b/core/src/main/resources/schemas/configuration/security.xsd
@@ -526,6 +526,14 @@
 </xs:documentation>
 </xs:annotation>
 </xs:attribute>
+ <xs:attribute name="enableRevocation" type="pt:ParameterizedBoolean" default="false">
+ <xs:annotation>
+ <xs:documentation>
+ This attribute specifies whether to enable revocation when checking the server certificate.
+ The default is false.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:attribute>
 <xs:attribute name="jsseProvider" type="xs:string">
 <xs:annotation>
 <xs:documentation>
@@ -641,5 +649,13 @@
 </xs:documentation>
 </xs:annotation>
 </xs:attribute>
+ <xs:attribute name="enableRevocation" type="pt:ParameterizedBoolean" default="false">
+ <xs:annotation>
+ <xs:documentation>
+ This attribute specifies whether to enable revocation when checking the client certificate,
+ if client authentication is enabled. The default is false.
+ </xs:documentation>
+ </xs:annotation>
+ </xs:attribute>
 </xs:complexType>
 </xs:schema>
http://git-wip-us.apache.org/repos/asf/cxf/blob/97ec59a8/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java
----------------------------------------------------------------------
diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java
index b37ed4d..2fe013c 100644
--- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java
+++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/osgi/HTTPJettyTransportActivator.java
@@ -177,6 +177,7 @@ public class HTTPJettyTransportActivator
 SecureRandomParameters srp = null;
 KeyManagersType kmt = null;
 TrustManagersType tmt = null;
+ boolean enableRevocation = false;
 while (keys.hasMoreElements()) {
 String k = keys.nextElement();
 if (k.startsWith("tlsServerParameters.")) {
@@ -202,6 +203,8 @@ public class HTTPJettyTransportActivator
 p.setClientAuthentication(new ClientAuthentication());
 }
 p.getClientAuthentication().setRequired(Boolean.parseBoolean(v));
+ } else if ("enableRevocation".equals(k)) {
+ enableRevocation = Boolean.parseBoolean(v);
 } else if (k.startsWith("certConstraints.")) {
 configureCertConstraints(p, k, v);
 } else if (k.startsWith("secureRandomParameters.")) {
@@ -238,7 +241,7 @@ public class HTTPJettyTransportActivator
 p.setKeyManagers(TLSParameterJaxBUtils.getKeyManagers(kmt));
 }
 if (tmt != null) {
- p.setTrustManagers(TLSParameterJaxBUtils.getTrustManagers(tmt));
+ p.setTrustManagers(TLSParameterJaxBUtils.getTrustManagers(tmt, enableRevocation));
 }
 } catch (RuntimeException e) {
 throw e;
http://git-wip-us.apache.org/repos/asf/cxf/blob/97ec59a8/rt/transports/http/src/main/java/org/apache/cxf/transport/http/blueprint/HttpConduitBPBeanDefinitionParser.java
----------------------------------------------------------------------
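Review bot: `enableRevocation` is consumed only inside the `if (tmt != null)` branch of the third hunk, so a `tlsServerParameters.enableRevocation=true` property without any `trustManagers.*` keys is parsed and then silently dropped — the operator believes revocation checking is on while the parameters keep whatever trust managers they default to. An `else if (enableRevocation)` arm that logs a warning such as "enableRevocation set but no trustManagers configured; revocation checking not applied" would make the misconfiguration visible; I have not verified which logger this class uses. The corresponding `if (tmt != null)` hunk in HttpConduitConfigApplier.java later in this commit has the same gap. The enclosing method starts and ends outside these hunks.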
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/blueprint/HttpConduitBPBeanDefinitionParser.java b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/blueprint/HttpConduitBPBeanDefinitionParser.java
index 4e51e44..28131b7 100755
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/blueprint/HttpConduitBPBeanDefinitionParser.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/blueprint/HttpConduitBPBeanDefinitionParser.java
@@ -101,7 +101,12 @@ public class HttpConduitBPBeanDefinitionParser extends AbstractBPBeanDefinitionP
 if ("useHttpsURLConnectionDefaultSslSocketFactory".equals(aname)
 || "useHttpsURLConnectionDefaultHostnameVerifier".equals(aname)
 || "disableCNCheck".equals(aname)
+<<<<<<< HEAD
 || "jsseProvider".equals(aname)
+=======
+ || "enableRevocation".equals(aname)
+ || "jsseProvider".equals(aname)
+>>>>>>> a7d5d52... CXF-7296 - Add support to enable revocation for TLS via configuration
 || "secureSocketProtocol".equals(aname)
 || "sslCacheTimeout".equals(aname)) {
 paramsbean.addProperty(aname, createValue(ctx, a.getValue()));
http://git-wip-us.apache.org/repos/asf/cxf/blob/97ec59a8/rt/transports/http/src/main/java/org/apache/cxf/transport/http/osgi/HttpConduitConfigApplier.java
----------------------------------------------------------------------
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/osgi/HttpConduitConfigApplier.java b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/osgi/HttpConduitConfigApplier.java
index f9992c7..b35c978 100644
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/osgi/HttpConduitConfigApplier.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/osgi/HttpConduitConfigApplier.java
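Review bot: The hunk commits unresolved merge-conflict markers (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> a7d5d52...`) into Java source, so HttpConduitBPBeanDefinitionParser will not compile on this branch; the hunk in HttpConduitBeanDefinitionParser.java later in this commit has the identical problem. The intended resolution is the merged list with the marker lines and the duplicated `jsseProvider` line deleted: `|| "disableCNCheck".equals(aname)` / `|| "enableRevocation".equals(aname)` / `|| "jsseProvider".equals(aname)`. The commit message's Conflicts list also names HTTPUndertowTransportActivator.java, which does not appear in the diffstat, so the Undertow activator may not have received the `enableRevocation` key that the Jetty activator gets in this commit — worth confirming. The enclosing `if` starts and ends outside the hunk.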
@@ -65,6 +65,7 @@ class HttpConduitConfigApplier {
 SecureRandomParameters srp = null;
 KeyManagersType kmt = null;
 TrustManagersType tmt = null;
+ boolean enableRevocation = false;
 while (keys.hasMoreElements()) {
 String k = keys.nextElement();
 if (k.startsWith("tlsClientParameters.")) {
@@ -87,36 +88,10 @@ class HttpConduitConfigApplier {
 p.setUseHttpsURLConnectionDefaultHostnameVerifier(Boolean.parseBoolean(v));
 } else if ("useHttpsURLConnectionDefaultSslSocketFactory".equals(k)) {
 p.setUseHttpsURLConnectionDefaultSslSocketFactory(Boolean.parseBoolean(v));
+ } else if ("enableRevocation".equals(k)) {
+ enableRevocation = Boolean.parseBoolean(v);
 } else if (k.startsWith("certConstraints.")) {
- k = k.substring("certConstraints.".length());
- CertificateConstraintsType cct = p.getCertConstraints();
- if (cct == null) {
- cct = new CertificateConstraintsType();
- p.setCertConstraints(cct);
- }
- DNConstraintsType dnct = null;
- if (k.startsWith("SubjectDNConstraints.")) {
- dnct = cct.getSubjectDNConstraints();
- if (dnct == null) {
- dnct = new DNConstraintsType();
- cct.setSubjectDNConstraints(dnct);
- }
- k = k.substring("SubjectDNConstraints.".length());
- } else if (k.startsWith("IssuerDNConstraints.")) {
- dnct = cct.getIssuerDNConstraints();
- if (dnct == null) {
- dnct = new DNConstraintsType();
- cct.setIssuerDNConstraints(dnct);
- }
- k = k.substring("IssuerDNConstraints.".length());
- }
- if (dnct != null) {
- if ("combinator".equals(k)) {
- dnct.setCombinator(CombinatorType.fromValue(v));
- } else if ("RegularExpression".equals(k)) {
- dnct.getRegularExpression().add(k);
- }
- }
+ parseCertConstaints(p, k, v);
 } else if (k.startsWith("secureRandomParameters.")) {
 k = k.substring("secureRandomParameters.".length());
 if (srp == null) {
@@ -164,7 +139,7 @@ class HttpConduitConfigApplier {
 p.setKeyManagers(TLSParameterJaxBUtils.getKeyManagers(kmt));
 }
 if (tmt != null) {
- p.setTrustManagers(TLSParameterJaxBUtils.getTrustManagers(tmt));
+ p.setTrustManagers(TLSParameterJaxBUtils.getTrustManagers(tmt, enableRevocation));
 }
 } catch (RuntimeException e) {
 throw e;
@@ -173,6 +148,38 @@ class HttpConduitConfigApplier {
 }
 }
+ private void parseCertConstaints(TLSClientParameters p, String k, String v) {
+ k = k.substring("certConstraints.".length());
+ CertificateConstraintsType cct = p.getCertConstraints();
+ if (cct == null) {
+ cct = new CertificateConstraintsType();
+ p.setCertConstraints(cct);
+ }
+ DNConstraintsType dnct = null;
+ if (k.startsWith("SubjectDNConstraints.")) {
+ dnct = cct.getSubjectDNConstraints();
+ if (dnct == null) {
+ dnct = new DNConstraintsType();
+ cct.setSubjectDNConstraints(dnct);
+ }
+ k = k.substring("SubjectDNConstraints.".length());
+ } else if (k.startsWith("IssuerDNConstraints.")) {
+ dnct = cct.getIssuerDNConstraints();
+ if (dnct == null) {
+ dnct = new DNConstraintsType();
+ cct.setIssuerDNConstraints(dnct);
+ }
+ k = k.substring("IssuerDNConstraints.".length());
+ }
+ if (dnct != null) {
+ if ("combinator".equals(k)) {
+ dnct.setCombinator(CombinatorType.fromValue(v));
+ } else if ("RegularExpression".equals(k)) {
+ dnct.getRegularExpression().add(k);
+ }
+ }
+ }
+
+ private KeyManagersType getKeyManagers(KeyManagersType keyManagers, String k, String v) {
 if (keyManagers == null) {
 keyManagers = new KeyManagersType();
http://git-wip-us.apache.org/repos/asf/cxf/blob/97ec59a8/rt/transports/http/src/main/java/org/apache/cxf/transport/http/spring/HttpConduitBeanDefinitionParser.java
----------------------------------------------------------------------
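Review bot: `parseCertConstaints` in the second hunk carries over a defect from the inline code it replaces: in the `"RegularExpression".equals(k)` branch it calls `dnct.getRegularExpression().add(k)`, so what gets added to the constraint list is the literal key name (k equals "RegularExpression" at that point) rather than the configured pattern in `v`, and no `certConstraints.*.RegularExpression` value from the OSGi configuration ever reaches the DN constraint; it should read `dnct.getRegularExpression().add(v);`. Since this commit is the point where that code is extracted into a method, it is the natural place to fix it instead of preserving the bug. The method name is also misspelled; `parseCertConstraints` would match the `certConstraints.` prefix it parses, with the call site in the earlier hunk renamed to match. Whether the equivalent `configureCertConstraints` in HTTPJettyTransportActivator has the same `add(k)` is not visible here and is worth checking.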
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/spring/HttpConduitBeanDefinitionParser.java b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/spring/HttpConduitBeanDefinitionParser.java
index 746af67..7b64af5 100644
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/spring/HttpConduitBeanDefinitionParser.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/spring/HttpConduitBeanDefinitionParser.java
@@ -120,7 +120,12 @@ public class HttpConduitBeanDefinitionParser
 if ("useHttpsURLConnectionDefaultSslSocketFactory".equals(aname)
 || "useHttpsURLConnectionDefaultHostnameVerifier".equals(aname)
 || "disableCNCheck".equals(aname)
+<<<<<<< HEAD
 || "jsseProvider".equals(aname)
+=======
+ || "enableRevocation".equals(aname)
+ || "jsseProvider".equals(aname)
+>>>>>>> a7d5d52... CXF-7296 - Add support to enable revocation for TLS via configuration
 || "secureSocketProtocol".equals(aname)
 || "sslCacheTimeout".equals(aname)) {
 paramsbean.addPropertyValue(aname, a.getValue());
http://git-wip-us.apache.org/repos/asf/cxf/blob/97ec59a8/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/HttpConduitConfigurationTest.java
----------------------------------------------------------------------
diff --git a/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/HttpConduitConfigurationTest.java b/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/HttpConduitConfigurationTest.java
index 1dedaf1..d20e8ff 100644
--- a/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/HttpConduitConfigurationTest.java
+++ b/rt/transports/http/src/test/java/org/apache/cxf/transport/http/spring/HttpConduitConfigurationTest.java
@@ -139,7 +139,7 @@ public class HttpConduitConfigurationTest extends Assert {
 tmt.setKeyStore(kst);
 try {
- return TLSParameterJaxBUtils.getTrustManagers(tmt);
+ return TLSParameterJaxBUtils.getTrustManagers(tmt, false);
 } catch (Exception e) {
 throw new RuntimeException("failed to retrieve trust managers", e);
 }
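Review bot: The only test touched by this commit is updated to pass `false`, so the new `enableRevocation=true` path in TLSParameterJaxBUtils (PKIXBuilderParameters plus CertPathTrustManagerParameters) has no coverage at all. A companion case calling `TLSParameterJaxBUtils.getTrustManagers(tmt, true)` against the same keystore would at least pin that a PKIX factory accepts the parameters and returns a non-empty `TrustManager[]`, and would document what happens when the configured factory algorithm is not PKIX. The enclosing helper method starts above this hunk.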
