Author: alexoree
Date: Fri Jun  7 22:50:39 2013
New Revision: 1490860

URL: http://svn.apache.org/r1490860
Log:
JUDDI-578 Client-side digital signature enhancements: the signer can now be identified by
subject DN only, by issuer and serial number, or by including the full X.509 certificate.

Added:
    
juddi/trunk/juddi-client/src/test/java/org/apache/juddi/v3/client/DigSigUtilTest.java
    juddi/trunk/juddi-client/src/test/resources/keystore.jks   (with props)
Modified:
    
juddi/trunk/juddi-client/src/main/java/org/apache/juddi/v3/client/crypto/DigSigUtil.java

Modified: 
juddi/trunk/juddi-client/src/main/java/org/apache/juddi/v3/client/crypto/DigSigUtil.java
URL: 
http://svn.apache.org/viewvc/juddi/trunk/juddi-client/src/main/java/org/apache/juddi/v3/client/crypto/DigSigUtil.java?rev=1490860&r1=1490859&r2=1490860&view=diff
==============================================================================
--- 
juddi/trunk/juddi-client/src/main/java/org/apache/juddi/v3/client/crypto/DigSigUtil.java
 (original)
+++ 
juddi/trunk/juddi-client/src/main/java/org/apache/juddi/v3/client/crypto/DigSigUtil.java
 Fri Jun  7 22:50:39 2013
@@ -35,7 +35,6 @@ import java.security.cert.CertPathValida
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
-import java.security.cert.PKIXBuilderParameters;
 import java.security.cert.PKIXCertPathValidatorResult;
 import java.security.cert.PKIXParameters;
 import java.security.cert.TrustAnchor;
@@ -65,6 +64,7 @@ import javax.xml.crypto.dsig.dom.DOMVali
 import javax.xml.crypto.dsig.keyinfo.KeyInfo;
 import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
 import javax.xml.crypto.dsig.keyinfo.X509Data;
+import javax.xml.crypto.dsig.keyinfo.X509IssuerSerial;
 import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
 import javax.xml.crypto.dsig.spec.TransformParameterSpec;
 import javax.xml.transform.dom.DOMResult;
@@ -160,7 +160,7 @@ public final class DigSigUtil {
      * any value can be used.
      *@see SIGNATURE_OPTION_CERT_INCLUSION_BASE64
      */
-    public final static String SIGNATURE_OPTION_CERT_INCLUSION_THUMBPRINT = 
"THUMBPRINT";
+    //public final static String SIGNATURE_OPTION_CERT_INCLUSION_THUMBPRINT = 
"THUMBPRINT";
     /*
      * Include the signer's serial of the public key.
      * 
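Review bot: Commenting out SIGNATURE_OPTION_CERT_INCLUSION_THUMBPRINT (and SIGNATURE_OPTION_CERT_INCLUSION_X500_PRINICPAL in the next hunk) silently removes two public constants while leaving their Javadoc blocks in place, so the generated docs still advertise options that no longer compile for clients. If the options are dropped, delete the constants together with their Javadoc rather than leaving commented-out code; if they are only parked, mark them `@Deprecated` with a Javadoc `@deprecated` pointing at the replacement so callers get a compile-time signal instead of a build break. The class body continues outside both hunks.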
@@ -205,7 +205,8 @@ public final class DigSigUtil {
      * any value can be used.
      *@see SIGNATURE_OPTION_CERT_INCLUSION_BASE64
      */
-    public final static String SIGNATURE_OPTION_CERT_INCLUSION_X500_PRINICPAL 
= "X500";
+    
+    //public final static String 
SIGNATURE_OPTION_CERT_INCLUSION_X500_PRINICPAL = "X500";
     public final static String XML_DIGSIG_NS = 
"http://www.w3.org/2000/09/xmldsig#";;
     /**
      * Default value DigestMethod.SHA1 =
@@ -403,14 +404,21 @@ public final class DigSigUtil {
                                                 + "\n-----END 
CERTIFICATE-----";
                                         //System.out.println("X509 Public key: 
" + c);
                                         InputStream is = new 
ByteArrayInputStream(c.getBytes());
-                                        return (X509Certificate) 
cf.generateCertificate(is);
+                                        X509Certificate cert = 
(X509Certificate) cf.generateCertificate(is);
+
+                                        logger.info("embedded certificate 
found, X509 public key " + cert.getSubjectDN().toString());
+                                        return cert;
 
                                     }
 
                                     //if we have a 
                                     //TODO other parsing items, lots of other 
potentials here
                                 }
-                                return FindCert(X509Data.getChildNodes());
+                                X509Certificate cert = 
FindCert(X509Data.getChildNodes());
+                                if (cert != null) {
+                                    logger.info("certificate loaded from local 
trust store, X509 public key " + cert.getSubjectDN().toString());
+                                    return cert;
+                                }
                             }
 
                         }
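Review bot: When `FindCert(X509Data.getChildNodes())` returns null the new code falls through with no diagnostic, so a signature whose KeyInfo names a subject DN or issuer/serial that is absent from the trust store leaves no trace of why that lookup was skipped; add `logger.warn("KeyInfo X509Data did not match any certificate in the trust store");` before the fall-through, mirroring the info messages on the success paths. The two new info lines also call the deprecated `getSubjectDN()`; `cert.getSubjectX500Principal().getName()` gives the same identification in the standard RFC 2253 form. The enclosing getSigningCertificatePublicKey method starts and ends outside this hunk.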
@@ -459,7 +467,7 @@ public final class DigSigUtil {
             X509Certificate signingcert = getSigningCertificatePublicKey(obj, 
docElement);
 
             if (signingcert != null && signingcert instanceof X509Certificate) 
{
-                logger.info("verifying signature based on embedded X509 public 
key " + signingcert.getSubjectDN().toString());
+                logger.info("verifying signature based on X509 public key " + 
signingcert.getSubjectDN().toString());
                 if (map.containsKey(CHECK_TIMESTAMPS)) {
                     signingcert.checkValidity();
                 }
@@ -711,34 +719,36 @@ public final class DigSigUtil {
 
         List<Object> x509Content = null;//new ArrayList<Object>();
         List<X509Data> data = new ArrayList<X509Data>();
-        /*if (map.containsKey(SIGNATURE_OPTION_CERT_INCLUSION_SUBJECTDN)) {
-         * x509Content = new ArrayList<Object>();
-         * //    x509Content.add(cert.getSubjectDN().getName());
-         * //  x509Content.add(cert);
-         * x509Content.add(cert.getSubjectDN().getName());
-         * X509Data xd = kif.newX509Data(x509Content);
-         * data.add(xd);
-         * }
-         * if (map.containsKey(SIGNATURE_OPTION_CERT_INCLUSION_SERIAL)) {
-         * x509Content = new ArrayList<Object>();
-         * x509Content.add(cert.getSerialNumber());
-         * X509Data xd = kif.newX509Data(x509Content);
-         * data.add(xd);
-         * }
-         * if 
(map.containsKey(SIGNATURE_OPTION_CERT_INCLUSION_X500_PRINICPAL)) {
-         * x509Content = new ArrayList<Object>();
-         * x509Content.add(cert.getSubjectX500Principal().getName());
-         * X509Data xd = kif.newX509Data(x509Content);
-         * data.add(xd);
-         * }*/
-        if (map.containsKey(SIGNATURE_OPTION_CERT_INCLUSION_BASE64))//just 
include it
-        {
+        if (map.containsKey(SIGNATURE_OPTION_CERT_INCLUSION_SUBJECTDN)) {
+            x509Content = new ArrayList<Object>();
+
+            x509Content.add(cert.getSubjectDN().getName());
+            //  x509Content.add(cert);
+            //x509Content.add(cert.getSubjectDN().getName());
+            X509Data xd = kif.newX509Data(x509Content);
+            data.add(xd);
+        }
+
+      //  if (map.containsKey(SIGNATURE_OPTION_CERT_INCLUSION_X500_PRINICPAL)) 
{
+       // }
+        if (map.containsKey(SIGNATURE_OPTION_CERT_INCLUSION_BASE64)) {
             x509Content = new ArrayList<Object>();
             x509Content.add(cert);
             //x509Content.add(cert.getSubjectX500Principal().getName());
             X509Data xd = kif.newX509Data(x509Content);
             data.add(xd);
         }
+        if (map.containsKey(SIGNATURE_OPTION_CERT_INCLUSION_SERIAL)) {
+            x509Content = new ArrayList<Object>();
+
+            X509IssuerSerial issuer = 
kif.newX509IssuerSerial(cert.getIssuerX500Principal().getName(), 
cert.getSerialNumber());
+
+            x509Content.add(issuer);
+            X509Data xd = kif.newX509Data(x509Content);
+            data.add(xd);
+        }
+
+        //  
         //x509Content.add(cert);
 
 
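Review bot: The SUBJECTDN branch emits `cert.getSubjectDN().getName()`, the deprecated, implementation-specific rendering of the name, while the verifying side (FindCert, further down in this commit) reconstructs it with `new X500Principal(dn)` and the new SERIAL branch already uses the X500Principal form for the issuer; change the line to `x509Content.add(cert.getSubjectX500Principal().getName());` so the X509SubjectName element carries the RFC 2253 string that X500Principal parses unambiguously. The commented-out `x509Content.add(...)` lines inside the SUBJECTDN block and the empty X500_PRINICPAL stub should be deleted rather than left behind; any reader has to work out whether they are intent or leftovers. The enclosing signing method starts and ends outside this hunk.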
@@ -768,8 +778,36 @@ public final class DigSigUtil {
      * @return null or the public key of a signing certificate
      */
     private X509Certificate FindCert(NodeList childNodes) {
+        try {
+            for (int x = 0; x < childNodes.getLength(); x++) {
+                if 
(childNodes.item(x).getLocalName().equalsIgnoreCase("X509SubjectName")) {
+
+                    String dn = childNodes.item(x).getTextContent().trim();
+                    return FindCertByDN(new X500Principal(dn));
+
+                }
+                if 
(childNodes.item(x).getLocalName().equalsIgnoreCase("X509IssuerSerial")) {
+                    String X509IssuerName = null;
+                    String X509SerialNumber = null;
+                    for (int k = 0; k < 
childNodes.item(x).getChildNodes().getLength(); k++) {
+                        if 
(childNodes.item(x).getChildNodes().item(x).getLocalName().equalsIgnoreCase("X509IssuerName"))
 {
+                            X509IssuerName = 
childNodes.item(x).getTextContent().trim();
+                        }
+                        if 
(childNodes.item(x).getChildNodes().item(x).getLocalName().equalsIgnoreCase("X509SerialNumber"))
 {
+                            X509SerialNumber = 
childNodes.item(x).getTextContent().trim();
+                        }
+
+                    }
+                    if (X509IssuerName != null && X509SerialNumber != null) {
+                        return FindCertByIssuer(X509IssuerName, 
X509SerialNumber);
+                    }
+
 
-        //TODO implement
+                }
+            }
+        } catch (Exception ex) {
+            logger.warn("error caught searching for a certificate", ex);
+        }
         return null;
     }
 
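Review bot: The X509IssuerSerial branch in FindCert never reads its child elements: the inner loop indexes `childNodes.item(x).getChildNodes().item(x)` with the outer `x` instead of `k`, and both values are taken from `childNodes.item(x).getTextContent()`, the text of the whole X509IssuerSerial element, so X509IssuerName and X509SerialNumber end up identical (issuer name and serial concatenated) and FindCertByIssuer can never match. `getLocalName()` is also null for the whitespace text nodes DOM interleaves between elements, so the first `equalsIgnoreCase` call throws; the `catch (Exception ex)` then logs a warning and returns null, which reads like "not found" rather than a parsing bug. Iterate the child list by `k`, skip non-element nodes, and read each child's own text (needs `org.w3c.dom.Node` in scope); the X509SubjectName branch above should get the same node-type guard.
```java
if (childNodes.item(x).getLocalName().equalsIgnoreCase("X509IssuerSerial")) {
    String X509IssuerName = null;
    String X509SerialNumber = null;
    NodeList issuerSerial = childNodes.item(x).getChildNodes();
    for (int k = 0; k < issuerSerial.getLength(); k++) {
        Node child = issuerSerial.item(k);
        // whitespace/text nodes have no local name; only elements carry the values
        if (child.getNodeType() != Node.ELEMENT_NODE) {
            continue;
        }
        if ("X509IssuerName".equalsIgnoreCase(child.getLocalName())) {
            X509IssuerName = child.getTextContent().trim();
        } else if ("X509SerialNumber".equalsIgnoreCase(child.getLocalName())) {
            X509SerialNumber = child.getTextContent().trim();
        }
    }
    // … unchanged: null check and FindCertByIssuer call …
```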
@@ -804,4 +842,19 @@ public final class DigSigUtil {
             crlStream.close();
         }
     }
+
+    private X509Certificate FindCertByIssuer(String X509IssuerName, String 
X509SerialNumber) throws Exception {
+        KeyStore ks = GetTrustStore();
+        Enumeration<String> aliases = ks.aliases();
+        while (aliases.hasMoreElements()) {
+            String nextElement = aliases.nextElement();
+            Certificate certificate = ks.getCertificate(nextElement);
+            X509Certificate x = (X509Certificate) certificate;
+            if (x.getIssuerDN().getName().equals(X509IssuerName)
+                    && 
x.getSerialNumber().toString().equalsIgnoreCase(X509SerialNumber)) {
+                return x;
+            }
+        }
+        return null;
+    }
 }
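Review bot: FindCertByIssuer compares `x.getIssuerDN().getName()` as a string against the issuer name the signing side wrote with `cert.getIssuerX500Principal().getName()`; those are two different renderings of the same distinguished name (the deprecated Principal form versus RFC 2253), so a certificate that signed the document can fail to match its own trust-store entry on round trip. Compare parsed values instead: `new X500Principal(X509IssuerName).equals(x.getIssuerX500Principal())` and `new BigInteger(X509SerialNumber).equals(x.getSerialNumber())` (java.math.BigInteger needed in scope; a malformed serial then surfaces as NumberFormatException, which the caller's catch in FindCert appears to log). `ks.getCertificate(alias)` returns null for key-only entries and a trust store may hold non-X.509 certificates, so the unconditional cast needs an `instanceof` guard.
```java
private X509Certificate FindCertByIssuer(String X509IssuerName, String X509SerialNumber) throws Exception {
    KeyStore ks = GetTrustStore();
    // match on parsed values: the signer emits the RFC 2253 issuer string, which
    // need not equal the getIssuerDN().getName() rendering character for character
    X500Principal wantedIssuer = new X500Principal(X509IssuerName);
    BigInteger wantedSerial = new BigInteger(X509SerialNumber);
    Enumeration<String> aliases = ks.aliases();
    while (aliases.hasMoreElements()) {
        Certificate certificate = ks.getCertificate(aliases.nextElement());
        // null for key-only entries; non-X.509 entries cannot be the signer
        if (!(certificate instanceof X509Certificate)) {
            continue;
        }
        X509Certificate x = (X509Certificate) certificate;
        if (wantedIssuer.equals(x.getIssuerX500Principal())
                && wantedSerial.equals(x.getSerialNumber())) {
            return x;
        }
    }
    return null;
}
```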

Added: 
juddi/trunk/juddi-client/src/test/java/org/apache/juddi/v3/client/DigSigUtilTest.java
URL: 
http://svn.apache.org/viewvc/juddi/trunk/juddi-client/src/test/java/org/apache/juddi/v3/client/DigSigUtilTest.java?rev=1490860&view=auto
==============================================================================
--- 
juddi/trunk/juddi-client/src/test/java/org/apache/juddi/v3/client/DigSigUtilTest.java
 (added)
+++ 
juddi/trunk/juddi-client/src/test/java/org/apache/juddi/v3/client/DigSigUtilTest.java
 Fri Jun  7 22:50:39 2013
@@ -0,0 +1,258 @@
+/*
+ * Copyright 2013 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.juddi.v3.client;
+
+import java.security.cert.CertificateException;
+import java.util.List;
+import java.util.concurrent.atomic.AtomicReference;
+import javax.xml.crypto.dsig.CanonicalizationMethod;
+import org.apache.juddi.v3.client.crypto.DigSigUtil;
+import org.junit.Assert;
+import org.junit.Test;
+import org.uddi.api_v3.BindingTemplate;
+import org.uddi.api_v3.BusinessEntity;
+import org.uddi.api_v3.BusinessService;
+import org.uddi.api_v3.Description;
+import org.uddi.api_v3.DiscoveryURL;
+import org.uddi.api_v3.DiscoveryURLs;
+import org.uddi.api_v3.Name;
+import org.uddi.api_v3.PublisherAssertion;
+import org.uddi.api_v3.TModel;
+import org.w3._2000._09.xmldsig_.SignatureType;
+
+/**
+ *
+ * @author Alex O'Ree
+ */
+public class DigSigUtilTest {
+
+    org.apache.juddi.v3.client.crypto.DigSigUtil ds = null;
+
+    public DigSigUtilTest() throws Exception {
+        Default();
+    }
+
+    void Default() throws CertificateException {
+        ds = new DigSigUtil();
+        SetCertStoreSettigns();
+        ds.put(DigSigUtil.SIGNATURE_OPTION_CERT_INCLUSION_BASE64, "t");
+    }
+    
+    void SetCertStoreSettigns(){
+        ds.put(DigSigUtil.SIGNATURE_KEYSTORE_FILE, 
"./src/test/resources/keystore.jks");
+        ds.put(DigSigUtil.SIGNATURE_KEYSTORE_FILETYPE, "JKS");
+        ds.put(DigSigUtil.SIGNATURE_KEYSTORE_FILE_PASSWORD, "Test");
+        ds.put(DigSigUtil.SIGNATURE_KEYSTORE_KEY_ALIAS, "Test");
+    }
+
+    void SubjectDNOnly() throws CertificateException {
+        ds = new DigSigUtil();
+        SetCertStoreSettigns();
+        ds.put(DigSigUtil.SIGNATURE_OPTION_CERT_INCLUSION_SUBJECTDN, "t");
+    }
+
+    void SerialAndIssuerOnly() throws CertificateException {
+        ds = new DigSigUtil();
+        SetCertStoreSettigns();
+        ds.put(DigSigUtil.SIGNATURE_OPTION_CERT_INCLUSION_SERIAL, "t");
+    }
+
+    @Test
+    public void testSignBusinessSubjectDNOnly() throws CertificateException {
+        SubjectDNOnly();
+        System.out.println("signing");
+        BusinessEntity be = new BusinessEntity();
+        be.setBusinessKey("uddi:juddi.apache.org:testkey");
+        be.setDiscoveryURLs(new DiscoveryURLs());
+        be.getDiscoveryURLs().getDiscoveryURL().add(new 
DiscoveryURL("website", "http://localhost";));
+        be.getDescription().add(new Description("a description", "en"));
+        be.getName().add(new Name("My biz", "en"));
+
+        BusinessEntity signUDDI_JAXBObject = ds.signUddiEntity(be);
+        DigSigUtil.JAXB_ToStdOut(signUDDI_JAXBObject);
+        Assert.assertNotSame("items are the same", be, signUDDI_JAXBObject);
+        //System.out.println("verifing");
+        AtomicReference<String> msg = new AtomicReference<String>();
+        boolean verifySigned_UDDI_JAXB_Object = 
ds.verifySignedUddiEntity(signUDDI_JAXBObject, msg);
+        if (verifySigned_UDDI_JAXB_Object) {
+            //System.out.println("signature validation passed (expected)");
+        } else {
+            System.out.println("signature validation failed (not expected)");
+            Assert.fail(msg.get());
+        }
+        
validAllSignatureElementsArePresent(signUDDI_JAXBObject.getSignature());
+    }
+
+    @Test
+    public void testSignBusinessSerialAndIssuerOnly() throws 
CertificateException {
+        SerialAndIssuerOnly();
+        System.out.println("signing");
+        BusinessEntity be = new BusinessEntity();
+        be.setBusinessKey("uddi:juddi.apache.org:testkey");
+        be.setDiscoveryURLs(new DiscoveryURLs());
+        be.getDiscoveryURLs().getDiscoveryURL().add(new 
DiscoveryURL("website", "http://localhost";));
+        be.getDescription().add(new Description("a description", "en"));
+        be.getName().add(new Name("My biz", "en"));
+
+        BusinessEntity signUDDI_JAXBObject = ds.signUddiEntity(be);
+        DigSigUtil.JAXB_ToStdOut(signUDDI_JAXBObject);
+        Assert.assertNotSame("items are the same", be, signUDDI_JAXBObject);
+        //System.out.println("verifing");
+        AtomicReference<String> msg = new AtomicReference<String>();
+        boolean verifySigned_UDDI_JAXB_Object = 
ds.verifySignedUddiEntity(signUDDI_JAXBObject, msg);
+        if (verifySigned_UDDI_JAXB_Object) {
+            //System.out.println("signature validation passed (expected)");
+        } else {
+            System.out.println("signature validation failed (not expected)");
+            Assert.fail(msg.get());
+        }
+        
validAllSignatureElementsArePresent(signUDDI_JAXBObject.getSignature());
+    }
+
+    @Test
+    public void testSignBusiness() throws CertificateException {
+        Default();
+
+
+        System.out.println("signing");
+        BusinessEntity be = new BusinessEntity();
+        be.setBusinessKey("uddi:juddi.apache.org:testkey");
+        be.setDiscoveryURLs(new DiscoveryURLs());
+        be.getDiscoveryURLs().getDiscoveryURL().add(new 
DiscoveryURL("website", "http://localhost";));
+        be.getDescription().add(new Description("a description", "en"));
+        be.getName().add(new Name("My biz", "en"));
+
+        BusinessEntity signUDDI_JAXBObject = ds.signUddiEntity(be);
+        Assert.assertNotSame("items are the same", be, signUDDI_JAXBObject);
+        //System.out.println("verifing");
+        AtomicReference<String> msg = new AtomicReference<String>();
+        boolean verifySigned_UDDI_JAXB_Object = 
ds.verifySignedUddiEntity(signUDDI_JAXBObject, msg);
+        if (verifySigned_UDDI_JAXB_Object) {
+            //System.out.println("signature validation passed (expected)");
+        } else {
+            System.out.println("signature validation failed (not expected)");
+            Assert.fail(msg.get());
+        }
+        
validAllSignatureElementsArePresent(signUDDI_JAXBObject.getSignature());
+    }
+
+    @Test
+    public void testSignService() throws CertificateException {
+        Default();
+        System.out.println("signing");
+        BusinessService be = new BusinessService();
+        be.setBusinessKey("uddi:juddi.apache.org:testkey");
+
+        be.getDescription().add(new Description("a description", "en"));
+        be.getName().add(new Name("My biz", "en"));
+
+        BusinessService signUDDI_JAXBObject = ds.signUddiEntity(be);
+        Assert.assertNotSame("items are the same", be, signUDDI_JAXBObject);
+        //System.out.println("verifing");
+        AtomicReference<String> msg = new AtomicReference<String>();
+        boolean verifySigned_UDDI_JAXB_Object = 
ds.verifySignedUddiEntity(signUDDI_JAXBObject, msg);
+        if (verifySigned_UDDI_JAXB_Object) {
+            //System.out.println("signature validation passed (expected)");
+        } else {
+            System.out.println("signature validation failed (not expected)");
+            Assert.fail(msg.get());
+        }
+        
validAllSignatureElementsArePresent(signUDDI_JAXBObject.getSignature());
+    }
+
+    @Test
+    public void testSignTmodel() throws CertificateException {
+        Default();
+        System.out.println("signing");
+        TModel be = new TModel();
+        be.setTModelKey("uddi:juddi.apache.org:testkey");
+
+        be.getDescription().add(new Description("a description", "en"));
+        be.setName(new Name("My biz", "en"));
+
+        TModel signUDDI_JAXBObject = ds.signUddiEntity(be);
+        Assert.assertNotSame("items are the same", be, signUDDI_JAXBObject);
+        //System.out.println("verifing");
+        AtomicReference<String> msg = new AtomicReference<String>();
+        boolean verifySigned_UDDI_JAXB_Object = 
ds.verifySignedUddiEntity(signUDDI_JAXBObject, msg);
+        if (verifySigned_UDDI_JAXB_Object) {
+            //System.out.println("signature validation passed (expected)");
+        } else {
+            System.out.println("signature validation failed (not expected)");
+            Assert.fail(msg.get());
+        }
+        
validAllSignatureElementsArePresent(signUDDI_JAXBObject.getSignature());
+    }
+
+    @Test
+    public void testSignBinding() throws CertificateException {
+        Default();
+        System.out.println("signing");
+        BindingTemplate be = new BindingTemplate();
+        be.setBindingKey("uddi:juddi.apache.org:testkey");
+
+        be.getDescription().add(new Description("a description", "en"));
+
+
+        BindingTemplate signUDDI_JAXBObject = ds.signUddiEntity(be);
+        Assert.assertNotSame("items are the same", be, signUDDI_JAXBObject);
+        //System.out.println("verifing");
+        AtomicReference<String> msg = new AtomicReference<String>();
+        boolean verifySigned_UDDI_JAXB_Object = 
ds.verifySignedUddiEntity(signUDDI_JAXBObject, msg);
+        if (verifySigned_UDDI_JAXB_Object) {
+            //System.out.println("signature validation passed (expected)");
+        } else {
+            System.out.println("signature validation failed (not expected)");
+            Assert.fail(msg.get());
+        }
+        
validAllSignatureElementsArePresent(signUDDI_JAXBObject.getSignature());
+    }
+
+    @Test
+    public void testSignPublisherAssertion() throws CertificateException {
+        Default();
+        System.out.println("signing");
+        PublisherAssertion be = new PublisherAssertion();
+        be.setFromKey("uddi:juddi.apache.org:testkey");
+        be.setToKey("uddi:juddi.apache.org:testkey");
+
+        PublisherAssertion signUDDI_JAXBObject = ds.signUddiEntity(be);
+        Assert.assertNotSame("items are the same", be, signUDDI_JAXBObject);
+        //System.out.println("verifing");
+        AtomicReference<String> msg = new AtomicReference<String>();
+        boolean verifySigned_UDDI_JAXB_Object = 
ds.verifySignedUddiEntity(signUDDI_JAXBObject, msg);
+        if (verifySigned_UDDI_JAXB_Object) {
+            //System.out.println("signature validation passed (expected)");
+        } else {
+            System.out.println("signature validation failed (not expected)");
+            Assert.fail(msg.get());
+        }
+        
validAllSignatureElementsArePresent(signUDDI_JAXBObject.getSignature());
+
+
+    }
+
+    static void validAllSignatureElementsArePresent(List<SignatureType> sigs) {
+        Assert.assertNotNull(sigs);
+        Assert.assertFalse(sigs.isEmpty());
+        for (int i = 0; i < sigs.size(); i++) {
+            
Assert.assertFalse(sigs.get(i).getKeyInfo().getContent().isEmpty());
+            for (int k = 0; k < 
sigs.get(i).getSignedInfo().getCanonicalizationMethod().getContent().size(); 
k++) {
+                
Assert.assertTrue(sigs.get(i).getSignedInfo().getCanonicalizationMethod().getContent().get(k).equals(CanonicalizationMethod.EXCLUSIVE));
+            }
+        }
+    }
+}
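Review bot: testSignBusinessSubjectDNOnly and testSignBusinessSerialAndIssuerOnly only check that KeyInfo is non-empty, so they pass whether the signature carried a bare X509SubjectName, an X509IssuerSerial, or the full certificate, and they cannot tell whether verification resolved the signer through the trust store or some other path; assert on the KeyInfo content itself, for example that the SubjectDN variant contains an X509Data with an X509SubjectName entry and no X509Certificate, and the serial variant an X509IssuerSerial. validAllSignatureElementsArePresent compares each CanonicalizationMethod content item with `equals(CanonicalizationMethod.EXCLUSIVE)`; if the content list holds mixed-content objects rather than strings that assertion is vacuous, and `Assert.assertEquals(CanonicalizationMethod.EXCLUSIVE, ...)` would at least report the actual value on failure. The helper name `SetCertStoreSettigns` has a typo and the method names should be lowerCamelCase per the project's Java style; the Assert.assertNotSame message "items are the same" describes the failure rather than the expectation, which is what JUnit prints.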

Added: juddi/trunk/juddi-client/src/test/resources/keystore.jks
URL: 
http://svn.apache.org/viewvc/juddi/trunk/juddi-client/src/test/resources/keystore.jks?rev=1490860&view=auto
==============================================================================
Binary file - no diff available.

Propchange: juddi/trunk/juddi-client/src/test/resources/keystore.jks
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream


