Repository: juddi Updated Branches: refs/heads/master 75f1a2b7d -> 6e03b8244
JUDDI-862 added and documented Project: http://git-wip-us.apache.org/repos/asf/juddi/repo Commit: http://git-wip-us.apache.org/repos/asf/juddi/commit/6e03b824 Tree: http://git-wip-us.apache.org/repos/asf/juddi/tree/6e03b824 Diff: http://git-wip-us.apache.org/repos/asf/juddi/diff/6e03b824 Branch: refs/heads/master Commit: 6e03b82446f162a3cb3b6ac4c27acdf847afefd9 Parents: 75f1a2b Author: Alex <[email protected]> Authored: Mon Jan 19 17:14:02 2015 -0500 Committer: Alex <[email protected]> Committed: Mon Jan 19 17:14:02 2015 -0500 ---------------------------------------------------------------------- .../en-US/GuideConfigurationServer.asciidoc | 9 + .../juddi/v3/client/cryptor/DigSigUtil.java | 147 +++++-- .../java/org/apache/juddi/config/Property.java | 401 ++++++++++--------- .../juddi/validation/ValidatePublish.java | 127 +++++- .../src/main/resources/messages.properties | 3 +- .../src/test/resources/juddiv3-enc-3des.xml | 13 + .../src/test/resources/juddiv3-enc-aes128.xml | 13 + .../src/test/resources/juddiv3-enc-aes256.xml | 13 + .../src/test/resources/juddiv3-enc-default.xml | 13 + juddi-core/src/test/resources/juddiv3.xml | 13 + .../resources/juddiv3DisabledTModelKeybag.xml | 13 + .../org/apache/juddi/samples/EntryPoint.java | 6 + .../juddi/samples/UddiDigitalSignatureFile.java | 160 ++++++++ juddi-tomcat/juddiv3Node2.xml | 13 + .../src/main/webapp/WEB-INF/classes/juddiv3.xml | 13 + .../org/apache/juddi/v3/tck/TckBusiness.java | 8 +- 16 files changed, 732 insertions(+), 233 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/docs/asciidoc/Guide/en-US/GuideConfigurationServer.asciidoc ---------------------------------------------------------------------- diff --git a/docs/asciidoc/Guide/en-US/GuideConfigurationServer.asciidoc b/docs/asciidoc/Guide/en-US/GuideConfigurationServer.asciidoc index cb746ed..598e5f5 100644 
--- a/docs/asciidoc/Guide/en-US/GuideConfigurationServer.asciidoc +++ b/docs/asciidoc/Guide/en-US/GuideConfigurationServer.asciidoc 
@@ -143,6 +143,15 @@ RMI Proxy properties that can be referenced in the _juddiv3.xml_ file and is onl |=========================================================================================== |Property Name |Description |Required |Default Value or [Example Value] |_juddi/validation/enforceReferentialIntegrity_|As of 3.1.5 This setting will force referential integrity for all tModels (except keyGenerators), category bags, bindingTemplate/AccessPoint/hostingRedirector (referencing another host), tModelInstanceParms and anything else that references a KeyName default value is true. Set to false for backwards compatibility or for a more lax registry.|N|[_true_] +|_juddi/validation/rejectInvalidSignatures/enable | Enables or Disables the validation of signatures when a publisher attempts to save an entity | N | false +|_juddi/validation/rejectInvalidSignatures/enable/trustStorePath | Path to the trust store. Can be overridden via system properties. If not specified, the Windows trust store will be used, else the default JRE trust store will be used. 
| N | [truststore.jks] +|_juddi/validation/rejectInvalidSignatures/trustStoreType | The type of store to use | N | JKS +|_juddi/validation/rejectInvalidSignatures/trustStorePassword | The clear text or encrypted password to the trust store | N | +|_juddi/validation/rejectInvalidSignatures/trustStorePassword@isPasswordEncrypted | True/False | N | false +|_juddi/validation/rejectInvalidSignatures/trustStorePassword@cryptoProvider | A cryptographic provider, representing the one that was used to encrypt | +|_juddi/validation/rejectInvalidSignatures/checkTimestamps | If true, certificates are checked against the time validity | N | false +|_juddi/validation/rejectInvalidSignatures/checkTrust | If true, the certificates trust chain is validated against the trust store | N | false +|_juddi/validation/rejectInvalidSignatures/checkRevocationCRL | If true, the certificate will attempted to be validated using online certificate revocation protocols | N | false |=========================================================================================== http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-client/src/main/java/org/apache/juddi/v3/client/cryptor/DigSigUtil.java ---------------------------------------------------------------------- diff --git a/juddi-client/src/main/java/org/apache/juddi/v3/client/cryptor/DigSigUtil.java b/juddi-client/src/main/java/org/apache/juddi/v3/client/cryptor/DigSigUtil.java index 80f317b..fd8628d 100644 --- a/juddi-client/src/main/java/org/apache/juddi/v3/client/cryptor/DigSigUtil.java +++ b/juddi-client/src/main/java/org/apache/juddi/v3/client/cryptor/DigSigUtil.java @@ -17,6 +17,7 @@ package org.apache.juddi.v3.client.cryptor; import java.io.ByteArrayInputStream; import java.io.File; +import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; import java.io.StringWriter; 
@@ -149,8 +150,38 @@ public class DigSigUtil { public final static String SIGNATURE_KEYSTORE_FILE_PASSWORD = "filePassword"; public final static String SIGNATURE_KEYSTORE_KEY_PASSWORD = "keyPassword"; public final static String SIGNATURE_KEYSTORE_KEY_ALIAS = "keyAlias"; + /** + * + * trust loaded as follows + * system property via file + * programmatically specified map via file + * programmatically specified map thread classloader lookup + * programmatically specified map this class's classloader lookup + * windows trust store + * JDK provided trust store + */ public final static String TRUSTSTORE_FILE = "trustStorePath"; + /** + * + * trust loaded as follows + * system property via file + * programmatically specified map via file + * programmatically specified map thread classloader lookup + * programmatically specified map this class's classloader lookup + * windows trust store + * JDK provided trust store + */ public final static String TRUSTSTORE_FILETYPE = "trustStoreType"; + /** + * + * trust loaded as follows + * system property via file + * programmatically specified map via file + * programmatically specified map thread classloader lookup + * programmatically specified map this class's classloader lookup + * windows trust store + * JDK provided trust store + */ public final static String TRUSTSTORE_FILE_PASSWORD = "trustStorePassword"; /** * default is CanonicalizationMethod.EXCLUSIVE @@ -618,6 +649,17 @@ public class DigSigUtil { } } + /** + * trust loaded as follows + * system property via file + * programmatically specified map via file + * programmatically specified map thread classloader lookup + * programmatically specified map this class's classloader lookup + * windows trust store + * JDK provided trust store + * @return + * @throws Exception + */ private KeyStore GetTrustStore() throws Exception { String type = map.getProperty(TRUSTSTORE_FILETYPE); if (type == null) { 
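Review bot: The identical Javadoc pasted onto `TRUSTSTORE_FILE`, `TRUSTSTORE_FILETYPE` and `TRUSTSTORE_FILE_PASSWORD` describes the lookup order of `GetTrustStore()` rather than the constant it sits on, and that order (windows store before the JDK store) does not match the code in the following hunks, where the JRE cacerts attempts run before the `WINDOWS-ROOT` branch. I would give each constant a one-line description of the key it names, e.g. `/** Property key: path to the trust store, as a file or a classpath resource. */` on `TRUSTSTORE_FILE` and `/** Property key: password of the trust store; never logged. */` on `TRUSTSTORE_FILE_PASSWORD`, and keep the lookup sequence only on `GetTrustStore()`, listed in the order the code actually tries it. The method's `@return` and `@throws Exception` tags are empty; state what the caller receives when no source could be loaded and which failures propagate instead of being logged and skipped (the tail of the method is outside this chunk, so I cannot tell from here).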
@@ -626,17 +668,61 @@ public class DigSigUtil { KeyStore ks = KeyStore.getInstance(type); boolean ksLoaded = false; - //try windows trust store first - try { - if (map.getProperty(TRUSTSTORE_FILETYPE).equalsIgnoreCase("WINDOWS-ROOT")) { - ks.load(null, null); + if (!ksLoaded) { + String truststore = System.getProperty("javax.net.ssl.keyStore"); + try { + + String pwd = System.getProperty("javax.net.ssl.keyStorePassword"); + if (truststore != null && pwd != null) { + ks.load(new File(truststore).toURI().toURL().openStream(), pwd.toCharArray()); + ksLoaded = true; + logger.info("trust store loaded from sysprop " + truststore); + } + } catch (Exception ex) { + logger.warn("unable to load truststore from sysprop " + truststore + " " + ex.getMessage()); + logger.debug("unable to load truststore from sysprop " + ex.getMessage(),ex); + } + } + + File f=new File(map.getProperty(TRUSTSTORE_FILE)); + //load as a file + if (!ksLoaded) { + try { + if (f.exists()){ + URL url = f.toURI().toURL(); + ks.load(url.openStream(), (map.getProperty(TRUSTSTORE_FILE_PASSWORD)).toCharArray()); ksLoaded = true; - logger.info("trust store loaded from windows"); + logger.info("trust store loaded from file " + map.getProperty(TRUSTSTORE_FILE)); + } + } catch (Exception x) { + logger.warn("unable to load truststore from file "+map.getProperty(TRUSTSTORE_FILE)+" "+ x.getMessage()); + logger.debug("unable to load truststore from file "+ x.getMessage(), x); + + } + } + + if (!ksLoaded) { + try { + //File f = new File(map.getProperty(TRUSTSTORE_FILE)); + if (f.exists()) + { + FileInputStream fis = new FileInputStream(f); + ks.load(fis, (map.getProperty(TRUSTSTORE_FILE_PASSWORD)).toCharArray()); + fis.close(); + ksLoaded = true; + logger.info("trust store loaded from file " + map.getProperty(TRUSTSTORE_FILE)); + } + } catch (Exception x) { + logger.warn("unable to load truststore from file "+map.getProperty(TRUSTSTORE_FILE)+" "+ x.getMessage()); + logger.debug("unable to load truststore from file "+ 
x.getMessage(), x); + } - } catch (Exception ex) { - logger.debug("unable to load truststore from windows", ex); } + + + + //load from thread classloader if (!ksLoaded) { try { @@ -645,6 +731,7 @@ public class DigSigUtil { ksLoaded = true; logger.info("trust store loaded from classpath(1) " + map.getProperty(TRUSTSTORE_FILE)); } catch (Exception x) { + logger.warn("unable to load truststore from classpath" + map.getProperty(TRUSTSTORE_FILE) + " " +x.getMessage()); logger.debug("unable to load truststore from classpath", x); } } @@ -657,36 +744,11 @@ public class DigSigUtil { ksLoaded = true; logger.info("trust store loaded from classpath(2) " + map.getProperty(TRUSTSTORE_FILE)); } catch (Exception x) { + logger.warn("unable to load truststore from classpath "+ map.getProperty(TRUSTSTORE_FILE) + " " +x.getMessage()); logger.debug("unable to load truststore from classpath", x); } } - //load as a file - if (!ksLoaded) { - try { - URL url = new File(map.getProperty(TRUSTSTORE_FILE)).toURI().toURL(); - ks.load(url.openStream(), (map.getProperty(TRUSTSTORE_FILE_PASSWORD)).toCharArray()); - ksLoaded = true; - logger.info("trust store loaded from file " + map.getProperty(TRUSTSTORE_FILE)); - } catch (Exception x) { - logger.debug("unable to load truststore from file", x); - } - } - - // logger.error("Unable to load user specified trust store! attempting to load the default", ex); - //load from system property - if (!ksLoaded) { - try { - String truststore = System.getProperty("javax.net.ssl.keyStore"); - String pwd = System.getProperty("javax.net.ssl.keyStorePassword"); - if (truststore != null && pwd != null) { - ks.load(new File(truststore).toURI().toURL().openStream(), pwd.toCharArray()); - ksLoaded = true; - logger.info("trust store loaded from sysprop " + truststore); - } - } catch (Exception ex) { - logger.debug("unable to load truststore from sysprop", ex); - } - } + if (!ksLoaded) { try { 
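Review bot: `File f=new File(map.getProperty(TRUSTSTORE_FILE));` now sits outside every try block, so when no `trustStorePath` is configured `new File((String) null)` throws a NullPointerException and `GetTrustStore()` aborts before the classpath, JRE and Windows fallbacks get a chance; in the old code that constructor ran inside the try and simply fell through. The first source consulted is `javax.net.ssl.keyStore`/`javax.net.ssl.keyStorePassword`, which is the JSSE identity key store rather than the trust store property `javax.net.ssl.trustStore`; that choice predates this commit, but moving it to first priority means any JVM configured with an identity store will validate publisher signatures against whatever certificates that store happens to hold, which is worth a deliberate decision rather than an inherited one. Both new file branches also leak their stream on failure — `url.openStream()` is never closed and `fis.close()` is skipped when `ks.load` throws — and the second `if (!ksLoaded)` block repeats the first byte for byte with a `FileInputStream`, so one guarded branch with a `finally` is enough. The sketch below keeps the same log messages; `InputStream` and `IOException` are already imported.
```java
        // … unchanged: javax.net.ssl.* system-property branch …
        String path = map.getProperty(TRUSTSTORE_FILE);
        File f = path == null ? null : new File(path);
        //load as a file
        if (!ksLoaded && f != null && f.exists()) {
            InputStream in = null;
            try {
                in = new FileInputStream(f);
                ks.load(in, (map.getProperty(TRUSTSTORE_FILE_PASSWORD)).toCharArray());
                ksLoaded = true;
                logger.info("trust store loaded from file " + path);
            } catch (Exception x) {
                logger.warn("unable to load truststore from file " + path + " " + x.getMessage());
                logger.debug("unable to load truststore from file " + x.getMessage(), x);
            } finally {
                if (in != null) {
                    try {
                        in.close();
                    } catch (IOException ignored) {
                        // best effort: the load result has already been decided
                    }
                }
            }
        }
        // … unchanged: classloader, JRE and Windows fallbacks …
```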
@@ -695,9 +757,23 @@ public class DigSigUtil { logger.info("trust store loaded from JRE " + cacerts.toExternalForm()); ksLoaded = true; } catch (Exception c) { - logger.debug("unable to load default JDK truststore", c); + logger.warn("unable to load default JDK truststore "+ c.getMessage()); + logger.debug("unable to load default JDK truststore",c); + } + } + + //try windows trust store first + try { + if (map.getProperty(TRUSTSTORE_FILETYPE).equalsIgnoreCase("WINDOWS-ROOT")) { + ks.load(null, null); + ksLoaded = true; + logger.info("trust store loaded from windows"); } + } catch (Exception ex) { + logger.warn("unable to load truststore from windows " +ex.getMessage()); + logger.debug("unable to load truststore from windows", ex); } + if (!ksLoaded) { try { URL cacerts = new File(System.getenv("JAVA_HOME") + File.separator + "jre" + File.separator + "lib" + File.separator + "security" + File.separator + "cacerts").toURI().toURL(); @@ -705,6 +781,7 @@ public class DigSigUtil { logger.info("trust store loaded from JRE " + cacerts.toExternalForm()); ksLoaded = true; } catch (Exception c) { + logger.warn("unable to load default jdk/jre truststore " +c.getMessage()); logger.debug("unable to load default jdk/jre truststore", c); } } http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-core/src/main/java/org/apache/juddi/config/Property.java ---------------------------------------------------------------------- diff --git a/juddi-core/src/main/java/org/apache/juddi/config/Property.java b/juddi-core/src/main/java/org/apache/juddi/config/Property.java index e855a46..e2c1641 100644 --- a/juddi-core/src/main/java/org/apache/juddi/config/Property.java +++ b/juddi-core/src/main/java/org/apache/juddi/config/Property.java 
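Review bot: The relocated `WINDOWS-ROOT` block is the only source in `GetTrustStore()` without an `if (!ksLoaded)` guard, so `ks.load(null, null)` runs even when an earlier source already succeeded, and when `trustStoreType` is unset `map.getProperty(TRUSTSTORE_FILETYPE)` is null, the `equalsIgnoreCase` call throws into the catch, and every non-Windows configuration logs a spurious "unable to load truststore from windows null" warning. Guard and null-proof it in one line: `if (!ksLoaded && "WINDOWS-ROOT".equalsIgnoreCase(map.getProperty(TRUSTSTORE_FILETYPE))) {`. The comment `//try windows trust store first` is now stale because the block executes after the first JRE cacerts attempt; I would change it to `//windows certificate store, only when the configured type asks for it`. The hunks before and after this one only add warn-level log lines and need nothing further.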
@@ -23,198 +23,223 @@ import org.apache.juddi.v3.auth.LdapSimpleAuthenticator; import org.apache.juddi.v3.auth.MD5XMLDocAuthenticator; /** - * This defines constants used for accessing information from jUDDI's juddiv3.properties file + * This defines constants used for accessing information from jUDDI's + * juddiv3.xml file + * * @author various */ public interface Property { - - public final static String JUDDI_BASE_URL="juddi.server.baseurl"; - public final static String JUDDI_BASE_URL_SECURE="juddi.server.baseurlsecure"; - - public final static String JUDDI_ROOT_PUBLISHER = "juddi.root.publisher"; - public final static String JUDDI_LOAD_INSTALL_DATA = "juddi.load.install.data"; - public final static String JUDDI_PERSISTENCEUNIT_NAME = "juddi.persistenceunit.name"; - public final static String JUDDI_CONFIGURATION_RELOAD_DELAY = "juddi.configuration.reload.delay"; - - /** - * This is not used in the code base - */ + + public final static String JUDDI_BASE_URL = "juddi.server.baseurl"; + public final static String JUDDI_BASE_URL_SECURE = "juddi.server.baseurlsecure"; + + public final static String JUDDI_ROOT_PUBLISHER = "juddi.root.publisher"; + public final static String JUDDI_LOAD_INSTALL_DATA = "juddi.load.install.data"; + public final static String JUDDI_PERSISTENCEUNIT_NAME = "juddi.persistenceunit.name"; + public final static String JUDDI_CONFIGURATION_RELOAD_DELAY = "juddi.configuration.reload.delay"; + + /** + * This is not used in the code base + */ //public final static String JUDDI_LOCALE = "juddi.locale"; - //public final static String JUDDI_OPERATOR_EMAIL_ADDRESS = "juddi.operatorEmailAddress"; - //public final static String JUDDI_MAX_LENGTH = "juddi.maxNameLength"; - //public final static String JUDDI_MAX_NAME_ELEMENTS = "juddi.maxNameElementsAllowed"; - public final static String JUDDI_MAX_BUSINESSES_PER_PUBLISHER = "juddi.maxBusinessesPerPublisher"; - public final static String JUDDI_MAX_SERVICES_PER_BUSINESS = "juddi.maxServicesPerBusiness"; - 
public final static String JUDDI_MAX_BINDINGS_PER_SERVICE = "juddi.maxBindingsPerService"; - public final static String JUDDI_MAX_TMODELS_PER_PUBLISHER = "juddi.maxTModelsPerPublisher"; - public final static String JUDDI_CRYPTOR = "juddi.cryptor"; - public final static String JUDDI_KEYGENERATOR = "juddi.keygenerator"; - /** - * used by the Jboss authenticator - */ - public final static String JUDDI_SECURITY_DOMAIN = "juddi.auth.securityDomain"; - public final static String JUDDI_USERSFILE = "juddi.auth.usersfile"; - public final static String JUDDI_MAX_ROWS = "juddi.maxRows"; - public final static String JUDDI_MAX_IN_CLAUSE = "juddi.maxInClause"; - public final static String JUDDI_ROOT_PARTITION = "juddi.root.partition"; - /** - * This is the business id that all of the UDDI services on this node will be attached too - * (generally as defined in the install_data) - * JUDDI-645 - */ - public final static String JUDDI_NODE_ROOT_BUSINESS = "juddi.root.businessId"; - /** - * this is the unique identifier of this uddi service provider, primarily used for clustered setups with the replication api - * JUDDI-645 - */ - public final static String JUDDI_NODE_ID = "juddi.nodeId"; - public final static String JUDDI_TRANSFER_EXPIRATION_DAYS = "juddi.transfer.expiration.days"; - /** - * identifies whether or not authentication is required for the Inquiry endpoint - */ - public final static String JUDDI_AUTHENTICATE_INQUIRY = "juddi.auth.Inquiry"; - public final static String JUDDI_AUTH_TOKEN_EXPIRATION = "juddi.auth.token.Expiration"; - public final static String JUDDI_AUTH_TOKEN_TIMEOUT = "juddi.auth.token.Timeout"; - - /** - * when set, auth tokens can only be used from the IP address they were issued to. 
- * - */ - public final static String JUDDI_AUTH_TOKEN_ENFORCE_SAME_IP = "juddi.auth.token.enforceSameIPRule"; - - /** - * Whether not the token is used with each transition, default should be true - */ - public final static String JUDDI_AUTHENTICATOR_USE_TOKEN = "juddi.auth.authenticator[@useAuthToken]"; - - /** - * This points to the class of the authenticator - */ - public final static String JUDDI_AUTHENTICATOR = "juddi.auth.authenticator.class"; - /** - * @see LdapSimpleAuthenticator - */ - public final static String JUDDI_AUTHENTICATOR_URL = "juddi.auth.authenticator.url"; - /** - * @see LdapSimpleAuthenticator - */ - public final static String JUDDI_AUTHENTICATOR_INITIAL_CONTEXT = "juddi.auth.authenticator.initialcontext"; - /** - * @see LdapSimpleAuthenticator - */ - public final static String JUDDI_AUTHENTICATOR_STYLE = "juddi.auth.authenticator.style"; - /** - * @see LdapExpandedAuthenticator - */ - public final static String JUDDI_AUTHENTICATOR_LDAP_EXPANDED_STR= "juddi.auth.authenticator.ldapexp"; - - - /** - * if enabled, tmodels must exist before using them - * binding templates must exist before a subscription can be made - * access point hosting redirector/binding template must exist before it can be made - * @since 3.1.5 - */ - public final static String JUDDI_ENFORCE_REFERENTIAL_INTEGRITY = "juddi.validation.enforceReferentialIntegrity"; - public final static String JUDDI_SUBSCRIPTION_EXPIRATION_DAYS = "juddi.subscription.expiration.days"; - public final static String JUDDI_SUBSCRIPTION_NOTIFICATION = "juddi.subscription.notification"; - public final static String JUDDI_SUBSCRIPTION_CHUNKEXPIRATION_MINUTES = "juddi.subscription.chunkexpiration.minutes"; - public final static String JUDDI_SUBSCRIPTION_MAXENTITIES="juddi.subscription.maxentities"; - - /* - * These are not yet used - public final static Strin g JUDDI_SUBSCRIPTION_TRUSTSTORE_TYPE="juddi.subscription.truststore.type"; - public final static String 
JUDDI_SUBSCRIPTION_TRUSTSTORE_FILE="juddi.subscription.truststore.filename"; - public final static String JUDDI_SUBSCRIPTION_TRUSTSTORE_PASSWORD="juddi.subscription.truststore.password"; - public final static String JUDDI_SUBSCRIPTION_TRUSTSTORE_ENCRYPTED="juddi.subscription.truststore.password[@isPasswordEncrypted]"; - public final static String JUDDI_SUBSCRIPTION_TRUSTSTORE_CRYPTOPROVIDER="juddi.subscription.truststore.password[@cryptoProvider]"; - - - public final static String JUDDI_SUBSCRIPTION_KEYSTORE_TYPE="juddi.subscription.keystore.type"; - public final static String JUDDI_SUBSCRIPTION_KEYSTORE_FILE="juddi.subscription.keystore.filename"; - public final static String JUDDI_SUBSCRIPTION_KEYSTORE_PASSWORD="juddi.subscription.keystore.password"; - public final static String JUDDI_SUBSCRIPTION_KEYALIAS="juddi.subscription.keystore.alias"; - public final static String JUDDI_SUBSCRIPTION_KEYPASSWORD="juddi.subscription.keystore.keypassword"; - public final static String JUDDI_SUBSCRIPTION_KEYPASSWORD_ENCRYPTED="juddi.subscription.keystore.keypassword[@isPasswordEncrypted]"; - public final static String JUDDI_SUBSCRIPTION_KEYPASSWORD_CRYPTOPROVIDER="juddi.subscription.keypassword.password[@cryptoProvider]"; - public final static String JUDDI_SUBSCRIPTION_KEYSTORE_ENCRYPTED="juddi.subscription.keystore.password[@isPasswordEncrypted]"; - public final static String JUDDI_SUBSCRIPTION_KEYSTORE_CRYPTOPROVIDER="juddi.subscription.keystore.password[@cryptoProvider]"; - */ - - public final static String JUDDI_NOTIFICATION_START_BUFFER = "juddi.notification.start.buffer"; - public final static String JUDDI_NOTIFICATION_INTERVAL = "juddi.notification.interval"; - /** - * default value = 1000 - * @see SubscriptionNotifier - */ - public final static String JUDDI_NOTIFICATION_ACCEPTABLE_LAGTIME = "juddi.notification.acceptableLagtime"; - /** - * maximum delivery count - * @see SubscriptionNotifier - */ - public final static String JUDDI_NOTIFICATION_MAX_TRIES = 
"juddi.notification.maxTries"; - public final static String JUDDI_NOTIFICATION_LIST_RESET_INTERVAL = "juddi.notification.maxTriesResetInterval"; - /** - * send an auth token with the result set? default is false - * @see SubscriptionNotifier - * @since 3.2 - */ - public final static String JUDDI_NOTIFICATION_SENDAUTHTOKEN="juddi.notification.sendAuthTokenWithResultList"; - public final static String JUDDI_JNDI_REGISTRATION = "juddi.jndi.registration"; - public final static String JUDDI_RMI_PORT = "juddi.rmi.port"; - public final static String JUDDI_RMI_REGISTRATION = "juddi.rmi.registration"; - public final static String JUDDI_RMI_REGISTRY_PORT = "juddi.rmi.registry.port"; - - public final static String JUDDI_EMAIL_PREFIX = "juddi.mail.smtp.prefix"; - public final static String JUDDI_EMAIL_FROM = "juddi.mail.smtp.from"; - public final static String DEFAULT_JUDDI_EMAIL_PREFIX = "juddi."; - public final static String DEFAULT_CRYPTOR = "org.apache.juddi.v3.client.cryptor.DefaultCryptor"; - public final static String DEFAULT_USERSFILE = "juddi-users.properties"; - public final static String DEFAULT_XML_USERSFILE = "juddi-users.xml"; - /** - * @see CryptedXMLDocAuthenticator - */ - public final static String DEFAULT_ENCRYPTED_XML_USERSFILE = "juddi-users-encrypted.xml"; - /** - * @see MD5XMLDocAuthenticator - */ - public final static String DEFAULT_HASHED_XML_USERSFILE = "juddi-users-hashed.xml"; - public final static String DEFAULT_SECURITY_DOMAIN = "java:/jaas/other"; - public final static boolean DEFAULT_LOAD_INSTALL_DATA = true; - public final static String DEFAULT_BASE_URL = "http://localhost:8080/juddiv3"; - public final static String DEFAULT_BASE_URL_SECURE = "https://localhost:8443/juddiv3"; - /* Allowing the the user to override jpa persistence properties in the juddi.properties file */ - public final static String PERSISTENCE_PROVIDER = "persistenceProvider"; - public final static String DATASOURCE = "hibernate.connection.datasource"; - public final static 
String HBM_DDL_AUTO = "hibernate.hbm2ddl.auto"; - public final static String DEFAULT_SCHEMA = "hibernate.default_schema"; - public final static String HIBERNATE_DIALECT = "hibernate.dialect"; - /** - * @since 3.3 FUTURE USE - */ - public final static String JUDDI_ACCESS_CONTROL_PROVIDER = "juddi.accessControlProvider"; - /** - * @since 3.2, used for Apache Commons Configuration XML config file - */ - public static final String ENCRYPTED_ATTRIBUTE="[@encrypted]"; - - /** - * Used for HTTP Header based authentication for web proxies - * @since 3.2.1 - */ - public static final String JUDDI_AUTHENTICATOR_HTTP_HEADER_NAME="juddi.auth.authenticator.header"; - - /** - * Records inquiry find* requests to disk, sans auth token - * @since 3.2.1 - */ - public final static String JUDDI_LOGGING_FindApiCalls = "juddi.logging.logInquirySearchPayloads"; - /** - * The UDDI v3 spec specifically calls for supporting this, however it creates significant performance problems in jUDDI when there - * are a large number of business and services. 
Defaults to true if not defined - * @since 3.3 - */ - public static String JUDDI_ENABLE_FIND_BUSINESS_TMODEL_BAG_FILTERING="juddi.preformance.enableFindBusinessTModelBagFiltering"; + //public final static String JUDDI_MAX_NAME_ELEMENTS = "juddi.maxNameElementsAllowed"; + public final static String JUDDI_MAX_BUSINESSES_PER_PUBLISHER = "juddi.maxBusinessesPerPublisher"; + public final static String JUDDI_MAX_SERVICES_PER_BUSINESS = "juddi.maxServicesPerBusiness"; + public final static String JUDDI_MAX_BINDINGS_PER_SERVICE = "juddi.maxBindingsPerService"; + public final static String JUDDI_MAX_TMODELS_PER_PUBLISHER = "juddi.maxTModelsPerPublisher"; + public final static String JUDDI_CRYPTOR = "juddi.cryptor"; + public final static String JUDDI_KEYGENERATOR = "juddi.keygenerator"; + /** + * used by the Jboss authenticator + */ + public final static String JUDDI_SECURITY_DOMAIN = "juddi.auth.securityDomain"; + public final static String JUDDI_USERSFILE = "juddi.auth.usersfile"; + public final static String JUDDI_MAX_ROWS = "juddi.maxRows"; + public final static String JUDDI_MAX_IN_CLAUSE = "juddi.maxInClause"; + public final static String JUDDI_ROOT_PARTITION = "juddi.root.partition"; + /** + * This is the business id that all of the UDDI services on this node + * will be attached too (generally as defined in the install_data) + * JUDDI-645 + */ + public final static String JUDDI_NODE_ROOT_BUSINESS = "juddi.root.businessId"; + /** + * this is the unique identifier of this uddi service provider, + * primarily used for clustered setups with the replication api + * JUDDI-645 + */ + public final static String JUDDI_NODE_ID = "juddi.nodeId"; + public final static String JUDDI_TRANSFER_EXPIRATION_DAYS = "juddi.transfer.expiration.days"; + /** + * identifies whether or not authentication is required for the Inquiry + * endpoint + */ + public final static String JUDDI_AUTHENTICATE_INQUIRY = "juddi.auth.Inquiry"; + public final static String JUDDI_AUTH_TOKEN_EXPIRATION = 
"juddi.auth.token.Expiration"; + public final static String JUDDI_AUTH_TOKEN_TIMEOUT = "juddi.auth.token.Timeout"; + + /** + * when set, auth tokens can only be used from the IP address they were + * issued to. + * + */ + public final static String JUDDI_AUTH_TOKEN_ENFORCE_SAME_IP = "juddi.auth.token.enforceSameIPRule"; + + /** + * Whether not the token is used with each transition, default should be + * true + */ + public final static String JUDDI_AUTHENTICATOR_USE_TOKEN = "juddi.auth.authenticator[@useAuthToken]"; + + /** + * This points to the class of the authenticator + */ + public final static String JUDDI_AUTHENTICATOR = "juddi.auth.authenticator.class"; + /** + * @see LdapSimpleAuthenticator + */ + public final static String JUDDI_AUTHENTICATOR_URL = "juddi.auth.authenticator.url"; + /** + * @see LdapSimpleAuthenticator + */ + public final static String JUDDI_AUTHENTICATOR_INITIAL_CONTEXT = "juddi.auth.authenticator.initialcontext"; + /** + * @see LdapSimpleAuthenticator + */ + public final static String JUDDI_AUTHENTICATOR_STYLE = "juddi.auth.authenticator.style"; + /** + * @see LdapExpandedAuthenticator + */ + public final static String JUDDI_AUTHENTICATOR_LDAP_EXPANDED_STR = "juddi.auth.authenticator.ldapexp"; + + /** + * if enabled, tmodels must exist before using them binding templates + * must exist before a subscription can be made access point hosting + * redirector/binding template must exist before it can be made + * + * @since 3.1.5 + */ + public final static String JUDDI_ENFORCE_REFERENTIAL_INTEGRITY = "juddi.validation.enforceReferentialIntegrity"; + public final static String JUDDI_SUBSCRIPTION_EXPIRATION_DAYS = "juddi.subscription.expiration.days"; + public final static String JUDDI_SUBSCRIPTION_NOTIFICATION = "juddi.subscription.notification"; + public final static String JUDDI_SUBSCRIPTION_CHUNKEXPIRATION_MINUTES = "juddi.subscription.chunkexpiration.minutes"; + public final static String JUDDI_SUBSCRIPTION_MAXENTITIES = 
"juddi.subscription.maxentities"; + + /* + * These are not yet used + public final static Strin g JUDDI_SUBSCRIPTION_TRUSTSTORE_TYPE="juddi.subscription.truststore.type"; + public final static String JUDDI_SUBSCRIPTION_TRUSTSTORE_FILE="juddi.subscription.truststore.filename"; + public final static String JUDDI_SUBSCRIPTION_TRUSTSTORE_PASSWORD="juddi.subscription.truststore.password"; + public final static String JUDDI_SUBSCRIPTION_TRUSTSTORE_ENCRYPTED="juddi.subscription.truststore.password[@isPasswordEncrypted]"; + public final static String JUDDI_SUBSCRIPTION_TRUSTSTORE_CRYPTOPROVIDER="juddi.subscription.truststore.password[@cryptoProvider]"; + + + public final static String JUDDI_SUBSCRIPTION_KEYSTORE_TYPE="juddi.subscription.keystore.type"; + public final static String JUDDI_SUBSCRIPTION_KEYSTORE_FILE="juddi.subscription.keystore.filename"; + public final static String JUDDI_SUBSCRIPTION_KEYSTORE_PASSWORD="juddi.subscription.keystore.password"; + public final static String JUDDI_SUBSCRIPTION_KEYALIAS="juddi.subscription.keystore.alias"; + public final static String JUDDI_SUBSCRIPTION_KEYPASSWORD="juddi.subscription.keystore.keypassword"; + public final static String JUDDI_SUBSCRIPTION_KEYPASSWORD_ENCRYPTED="juddi.subscription.keystore.keypassword[@isPasswordEncrypted]"; + public final static String JUDDI_SUBSCRIPTION_KEYPASSWORD_CRYPTOPROVIDER="juddi.subscription.keypassword.password[@cryptoProvider]"; + public final static String JUDDI_SUBSCRIPTION_KEYSTORE_ENCRYPTED="juddi.subscription.keystore.password[@isPasswordEncrypted]"; + public final static String JUDDI_SUBSCRIPTION_KEYSTORE_CRYPTOPROVIDER="juddi.subscription.keystore.password[@cryptoProvider]"; + */ + public final static String JUDDI_NOTIFICATION_START_BUFFER = "juddi.notification.start.buffer"; + public final static String JUDDI_NOTIFICATION_INTERVAL = "juddi.notification.interval"; + /** + * default value = 1000 + * + * @see SubscriptionNotifier + */ + public final static String 
JUDDI_NOTIFICATION_ACCEPTABLE_LAGTIME = "juddi.notification.acceptableLagtime"; + /** + * maximum delivery count + * + * @see SubscriptionNotifier + */ + public final static String JUDDI_NOTIFICATION_MAX_TRIES = "juddi.notification.maxTries"; + public final static String JUDDI_NOTIFICATION_LIST_RESET_INTERVAL = "juddi.notification.maxTriesResetInterval"; + /** + * send an auth token with the result set? default is false + * + * @see SubscriptionNotifier + * @since 3.2 + */ + public final static String JUDDI_NOTIFICATION_SENDAUTHTOKEN = "juddi.notification.sendAuthTokenWithResultList"; + public final static String JUDDI_JNDI_REGISTRATION = "juddi.jndi.registration"; + public final static String JUDDI_RMI_PORT = "juddi.rmi.port"; + public final static String JUDDI_RMI_REGISTRATION = "juddi.rmi.registration"; + public final static String JUDDI_RMI_REGISTRY_PORT = "juddi.rmi.registry.port"; + + public final static String JUDDI_EMAIL_PREFIX = "juddi.mail.smtp.prefix"; + public final static String JUDDI_EMAIL_FROM = "juddi.mail.smtp.from"; + public final static String DEFAULT_JUDDI_EMAIL_PREFIX = "juddi."; + public final static String DEFAULT_CRYPTOR = "org.apache.juddi.v3.client.cryptor.DefaultCryptor"; + public final static String DEFAULT_USERSFILE = "juddi-users.properties"; + public final static String DEFAULT_XML_USERSFILE = "juddi-users.xml"; + /** + * @see CryptedXMLDocAuthenticator + */ + public final static String DEFAULT_ENCRYPTED_XML_USERSFILE = "juddi-users-encrypted.xml"; + /** + * @see MD5XMLDocAuthenticator + */ + public final static String DEFAULT_HASHED_XML_USERSFILE = "juddi-users-hashed.xml"; + public final static String DEFAULT_SECURITY_DOMAIN = "java:/jaas/other"; + public final static boolean DEFAULT_LOAD_INSTALL_DATA = true; + public final static String DEFAULT_BASE_URL = "http://localhost:8080/juddiv3"; + public final static String DEFAULT_BASE_URL_SECURE = "https://localhost:8443/juddiv3"; + /* Allowing the the user to override jpa persistence 
properties in the juddi.properties file */ + public final static String PERSISTENCE_PROVIDER = "persistenceProvider"; + public final static String DATASOURCE = "hibernate.connection.datasource"; + public final static String HBM_DDL_AUTO = "hibernate.hbm2ddl.auto"; + public final static String DEFAULT_SCHEMA = "hibernate.default_schema"; + public final static String HIBERNATE_DIALECT = "hibernate.dialect"; + /** + * @since 3.3 FUTURE USE + */ + public final static String JUDDI_ACCESS_CONTROL_PROVIDER = "juddi.accessControlProvider"; + /** + * @since 3.2, used for Apache Commons Configuration XML config file + */ + public static final String ENCRYPTED_ATTRIBUTE = "[@encrypted]"; + + /** + * Used for HTTP Header based authentication for web proxies + * + * @since 3.2.1 + */ + public static final String JUDDI_AUTHENTICATOR_HTTP_HEADER_NAME = "juddi.auth.authenticator.header"; + + /** + * Records inquiry find* requests to disk, sans auth token + * + * @since 3.2.1 + */ + public final static String JUDDI_LOGGING_FindApiCalls = "juddi.logging.logInquirySearchPayloads"; + /** + * The UDDI v3 spec specifically calls for supporting this, however it + * creates significant performance problems in jUDDI when there are a + * large number of business and services. Defaults to true if not + * defined + * + * @since 3.3 + */ + public static String JUDDI_ENABLE_FIND_BUSINESS_TMODEL_BAG_FILTERING = "juddi.preformance.enableFindBusinessTModelBagFiltering"; + /** + * When set to true, juddi with reject publish requests when at least + * one digitally signed entity cannot be cryptographically validated + * JUDDI-862 + * + * Note: this is a prefix + * + * @since 3.3 + */ + public static String JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_PREFIX = "juddi.validation.rejectInvalidSignatures."; + /** + * @since 3.3. 
+ */ + public static String JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_ENABLE = "juddi.validation.rejectInvalidSignatures.enable"; } http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-core/src/main/java/org/apache/juddi/validation/ValidatePublish.java ---------------------------------------------------------------------- diff --git a/juddi-core/src/main/java/org/apache/juddi/validation/ValidatePublish.java b/juddi-core/src/main/java/org/apache/juddi/validation/ValidatePublish.java index 8b3eafa..3bf5b54 100644 --- a/juddi-core/src/main/java/org/apache/juddi/validation/ValidatePublish.java +++ b/juddi-core/src/main/java/org/apache/juddi/validation/ValidatePublish.java @@ -18,12 +18,16 @@ package org.apache.juddi.validation; import java.net.MalformedURLException; import java.net.URL; +import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.HashMap; import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Properties; +import java.util.concurrent.atomic.AtomicReference; +import java.util.logging.Level; +import java.util.logging.Logger; import javax.persistence.EntityManager; import javax.persistence.EntityTransaction; @@ -55,6 +59,8 @@ import org.apache.juddi.query.FindTModelByPublisherQuery; import org.apache.juddi.v3.client.UDDIConstants; import org.apache.juddi.v3.client.UDDIConstantsV2; import org.apache.juddi.v3.client.config.TokenResolver; +import org.apache.juddi.v3.client.cryptor.CryptorFactory; +import org.apache.juddi.v3.client.cryptor.DigSigUtil; import org.apache.juddi.v3.error.AssertionNotFoundException; import org.apache.juddi.v3.error.ErrorMessage; import org.apache.juddi.v3.error.FatalErrorException; 
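Review bot: The new Javadoc on `JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_PREFIX` reads "juddi with reject publish requests"; it should say `jUDDI will reject publish requests when at least one digitally signed entity cannot be cryptographically validated`, and the `@since 3.3.` tag on the next constant carries a stray trailing period. Both new constants are declared `public static String` whereas the surrounding interface uses `public final static String`; interface fields are implicitly final, so this is consistency only, but matching the neighbours removes the question. The prefix value ends in a dot, which presumably has the `DigSigUtil` key names appended to form the full keys; the configuration guide in this same commit documents one key as `rejectInvalidSignatures/enable/trustStorePath`, with an extra `enable` segment the prefix would not produce, so one of the two should be corrected once you confirm which spelling the validator reads. The rest of this hunk is re-indentation.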
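Review bot: The added `java.util.logging.Level` and `java.util.logging.Logger` imports introduce a second logging API; `DigSigUtil` in this same commit logs through a `logger.warn`/`logger.debug` style that is presumably commons-logging or log4j, and if `ValidatePublish` already has such a field the signature-validation code (outside this chunk) should use it, otherwise rejected-signature events land in a JUL stream that the existing log configuration may not capture at all. Those rejections are exactly the events an operator wants in the main log, so I would drop the two JUL imports and reuse the file's existing logger.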
@@ -288,8 +294,8 @@ public class ValidatePublish extends ValidateUDDIApi { if (!((UddiEntity) obj).getNodeId().equals(nodeID)) { //prevent changes to data owned by another node in a replicated environment //even if you're the boss - throw new UserMismatchException(new ErrorMessage("errors.usermismatch.InvalidNode", entityKey + " Owning Node: " +((UddiEntity) obj).getNodeId() - + ", this node: " + nodeID)); + throw new UserMismatchException(new ErrorMessage("errors.usermismatch.InvalidNode", entityKey + " Owning Node: " + ((UddiEntity) obj).getNodeId() + + ", this node: " + nodeID)); } if (publisher.isOwner((UddiEntity) obj) && nodeID.equals(((UddiEntity) obj).getNodeId())) { @@ -343,12 +349,10 @@ public class ValidatePublish extends ValidateUDDIApi { throw new AssertionNotFoundException(new ErrorMessage("errors.pubassertion.AssertionNotFound", entity.getFromKey() + ", " + entity.getToKey())); } //JUDDI-908 - if (!publisher.isOwner(pubAssertion.getBusinessEntityByToKey()) && - !publisher.isOwner(pubAssertion.getBusinessEntityByFromKey())) - { - throw new UserMismatchException(new ErrorMessage("errors.usermismatch.assertion")); + if (!publisher.isOwner(pubAssertion.getBusinessEntityByToKey()) + && !publisher.isOwner(pubAssertion.getBusinessEntityByFromKey())) { + throw new UserMismatchException(new ErrorMessage("errors.usermismatch.assertion")); } - } @@ -734,6 +738,7 @@ public class ValidatePublish extends ValidateUDDIApi { validateIdentifierBag(businessEntity.getIdentifierBag(), config, false); validateDescriptions(businessEntity.getDescription()); validateBusinessServices(em, businessEntity.getBusinessServices(), businessEntity, config, publisher); + validateSignaturesBusiness(businessEntity, config); } 
@@ -903,6 +908,7 @@ public class ValidatePublish extends ValidateUDDIApi { validateCategoryBag(businessService.getCategoryBag(), config, false); validateDescriptions(businessService.getDescription()); validateBindingTemplates(em, businessService.getBindingTemplates(), businessService, config, publisher); + validateSignaturesService(businessService, config); } } @@ -1061,6 +1067,7 @@ public class ValidatePublish extends ValidateUDDIApi { validateDescriptions(bindingTemplate.getDescription()); validateHostingRedirector(em, bindingTemplate.getHostingRedirector(), config); + validateSignaturesBinding(bindingTemplate, config); //validateCheckedTModels(bindingTemplate, config); } @@ -1153,6 +1160,7 @@ public class ValidatePublish extends ValidateUDDIApi { validateOverviewDoc(overviewDoc); } } + validateSignaturesTModel(tModel, config); } @@ -1671,7 +1679,7 @@ public class ValidatePublish extends ValidateUDDIApi { if (!inserted) { throw new InvalidKeyPassedException(new ErrorMessage("errors.invalidkey.DuplicateKey", entityKey)); } - + //removed a check for checking if the entity exists which was moved to the juddi api class //why? because we were looking up the same object twice in the database and its just not efficient } 
@@ -2433,4 +2441,107 @@ public class ValidatePublish extends ValidateUDDIApi { } } + private org.apache.juddi.v3.client.cryptor.DigSigUtil ds = null; + + private synchronized void initDigSig(Configuration config) { + if (ds == null) { + + Properties p = new Properties(); + /** + * <trustStorePath>truststore.jks</trustStorePath> + * <trustStoreType>JKS</trustStoreType> + * <trustStorePassword + * isPasswordEncrypted="false" + * cryptoProvider="org.apache.juddi.v3.client.crypto.AES128Cryptor">password</trustStorePassword> + * + * <checkTimestamps>true</checkTimestamps> + * <checkTrust>true</checkTrust> + * <checkRevocationCRL>true</checkRevocationCRL> + */ + p.put(DigSigUtil.TRUSTSTORE_FILE, config.getString(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_PREFIX + "trustStorePath", "")); + p.put(DigSigUtil.TRUSTSTORE_FILETYPE, config.getString(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_PREFIX + "trustStoreType", "")); + + String enc = config.getString(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_PREFIX + "trustStorePassword", ""); + if (config.getBoolean(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_PREFIX + "trustStorePassword[@isPasswordEncrypted]", false)) { + log.info("trust password is encrypted, decrypting..."); + + String prov = config.getString(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_PREFIX + "trustStorePassword[@cryptoProvider]", ""); + try { + p.setProperty(DigSigUtil.TRUSTSTORE_FILE_PASSWORD, CryptorFactory.getCryptor(prov).decrypt(enc)); + } catch (Exception ex) { + log.warn("unable to decrypt trust store password " + ex.getMessage()); + log.debug("unable to decrypt trust store password " + ex.getMessage(), ex); + } + + } else if (!"".equals(enc)){ + log.warn("Hey, you should consider encrypting your trust store password!"); + p.setProperty(DigSigUtil.TRUSTSTORE_FILE_PASSWORD, enc); + } + + p.put(DigSigUtil.CHECK_REVOCATION_STATUS_CRL, config.getString(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_PREFIX + "checkRevocationCRL", 
"true")); + p.put(DigSigUtil.CHECK_TRUST_CHAIN, config.getString(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_PREFIX + "checkTrust", "true")); + p.put(DigSigUtil.CHECK_TIMESTAMPS, config.getString(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_PREFIX + "checkTimestamps", "true")); + + try { + ds = new DigSigUtil(p); + } catch (CertificateException ex) { + log.error("", ex); + } + //System.out.println("loaded from " + AppConfig.getConfigFileURL()); + //p.list(System.out); + } + } + + private void validateSignaturesBinding(BindingTemplate bindingTemplate, Configuration config) throws FatalErrorException { + boolean shouldcheck = config.getBoolean(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_ENABLE, false); + initDigSig(config); + if (shouldcheck && !bindingTemplate.getSignature().isEmpty() && ds != null) { + AtomicReference<String> outmsg = new AtomicReference<String>(); + boolean ok = ds.verifySignedUddiEntity(bindingTemplate, outmsg); + if (!ok) { + throw new FatalErrorException(new ErrorMessage("errors.digitalsignature.validationfailure", bindingTemplate.getBindingKey() + " " + outmsg.get())); + } + + } + } + + private void validateSignaturesService(BusinessService businessService, Configuration config) throws FatalErrorException { + boolean shouldcheck = config.getBoolean(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_ENABLE, false); + initDigSig(config); + if (shouldcheck && !businessService.getSignature().isEmpty() && ds != null) { + AtomicReference<String> outmsg = new AtomicReference<String>(); + boolean ok = ds.verifySignedUddiEntity(businessService, outmsg); + if (!ok) { + throw new FatalErrorException(new ErrorMessage("errors.digitalsignature.validationfailure", businessService.getServiceKey() + " " + outmsg.get())); + } + + } + } + + private void validateSignaturesTModel(TModel tModel, Configuration config) throws FatalErrorException { + boolean shouldcheck = config.getBoolean(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_ENABLE, false); + 
initDigSig(config); + if (shouldcheck && !tModel.getSignature().isEmpty() && ds != null) { + AtomicReference<String> outmsg = new AtomicReference<String>(); + boolean ok = ds.verifySignedUddiEntity(tModel, outmsg); + if (!ok) { + throw new FatalErrorException(new ErrorMessage("errors.digitalsignature.validationfailure", tModel.getTModelKey() + " " + outmsg.get())); + } + + } + } + + private void validateSignaturesBusiness(BusinessEntity businessEntity, Configuration config) throws FatalErrorException { + boolean shouldcheck = config.getBoolean(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_ENABLE, false); + initDigSig(config); + if (shouldcheck && !businessEntity.getSignature().isEmpty() && ds != null) { + AtomicReference<String> outmsg = new AtomicReference<String>(); + boolean ok = ds.verifySignedUddiEntity(businessEntity, outmsg); + if (!ok) { + throw new FatalErrorException(new ErrorMessage("errors.digitalsignature.validationfailure", businessEntity.getBusinessKey() + " " + outmsg.get())); + } + + } + } + } http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-core/src/main/resources/messages.properties ---------------------------------------------------------------------- diff --git a/juddi-core/src/main/resources/messages.properties b/juddi-core/src/main/resources/messages.properties index 04b94cd..5b52e16 100644 --- a/juddi-core/src/main/resources/messages.properties +++ b/juddi-core/src/main/resources/messages.properties 
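Review bot: When signature rejection is enabled but `DigSigUtil` could not be constructed, every `validateSignatures*` method silently accepts the entity: the `catch (CertificateException ex)` in `initDigSig` only logs and leaves `ds` null (as does a failed password decrypt, which leaves `TRUSTSTORE_FILE_PASSWORD` unset), and the `&& ds != null` guard in each checker then turns the control into a no-op, so a mistyped trust-store path downgrades an explicitly requested rejection policy to "accept everything". The enabled-but-uninitialised case should fail closed by throwing, and `initDigSig` need not touch the trust store when the flag is off (today it runs before `shouldcheck` is consulted, so every publish loads the keystore even on registries that never asked for it). The four checkers differ only in the key getter, so a single helper removes the duplication as well; since `ds` is cached for the lifetime of the instance, it is also worth stating in a comment whether a config change is expected to take effect without a restart.
```java
    private void validateSignatures(Object entity, List<?> signatures, String key, Configuration config) throws FatalErrorException {
        if (!config.getBoolean(Property.JUDDI_REJECT_ENTITIES_WITH_INVALID_SIG_ENABLE, false)) {
            return;
        }
        initDigSig(config);
        if (ds == null) {
            // fail closed: rejection was requested but the trust store could not be loaded
            throw new FatalErrorException(new ErrorMessage("errors.digitalsignature.validationfailure", key + " signature checking is enabled but the trust store could not be initialized"));
        }
        if (signatures.isEmpty()) {
            return;
        }
        AtomicReference<String> outmsg = new AtomicReference<String>();
        if (!ds.verifySignedUddiEntity(entity, outmsg)) {
            throw new FatalErrorException(new ErrorMessage("errors.digitalsignature.validationfailure", key + " " + outmsg.get()));
        }
    }

    private void validateSignaturesBinding(BindingTemplate bindingTemplate, Configuration config) throws FatalErrorException {
        validateSignatures(bindingTemplate, bindingTemplate.getSignature(), bindingTemplate.getBindingKey(), config);
    }
    // … unchanged: the Service, TModel and Business wrappers delegate the same way …
```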
@@ -302,4 +302,5 @@ errors.deleteNode.InReplicationConfig=The node to be deleted is currently refere
 errors.usermismatch.InvalidNode=The user is not authorized to alter the given entity. It is not owned by this jUDDI node. Try your request again on the authoritative node.
 errors.usermismatch.assertion=You have to be either the owner of the 'from' or 'to' business in order to delete a publisher assertion.
-errors.assertionNotFound=The referenced publisher assertion isn't in the database!
\ No newline at end of file
+errors.assertionNotFound=The referenced publisher assertion isn't in the database!
+errors.digitalsignature.validationfailure=The digital signature the following element failed to validate. Because of this, the request was rejected. Key and validation error as follows.
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-core/src/test/resources/juddiv3-enc-3des.xml
----------------------------------------------------------------------
diff --git a/juddi-core/src/test/resources/juddiv3-enc-3des.xml b/juddi-core/src/test/resources/juddiv3-enc-3des.xml
index b4bf2be..163dbc4 100644
--- a/juddi-core/src/test/resources/juddiv3-enc-3des.xml
+++ b/juddi-core/src/test/resources/juddiv3-enc-3des.xml
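Review bot: The new `errors.digitalsignature.validationfailure` text is missing a word — `The digital signature the following element failed to validate` should read `The digital signature of the following element failed to validate`. The rest of the message matches what ValidatePublish appends at runtime (entity key followed by the verifier's reason), so only that first sentence needs the fix.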
@@ -167,6 +167,19 @@ <validation> <!-- As of 3.1.5 This setting will force referential integrity for all tModels (except keyGenerators), category bags, bindingTemplate/AccessPoint/hostingRedirector (referencing another host), tModelinstanceparms and anything else that references a KeyName default value is true. set to false for backwards compatibility or for a more lax registry--> <enforceReferentialIntegrity>true</enforceReferentialIntegrity> + <!-- as of 3.3, reject digitally signed items that are invalid--> + <rejectInvalidSignatures> + <enable>false</enable> + <trustStorePath>./src/test/resources/truststore.jks</trustStorePath> + <trustStoreType>JKS</trustStoreType> + <trustStorePassword + isPasswordEncrypted="false" + cryptoProvider="org.apache.juddi.v3.client.crypto.AES128Cryptor">Test</trustStorePassword> + + <checkTimestamps>true</checkTimestamps> + <checkTrust>true</checkTrust> + <checkRevocationCRL>false</checkRevocationCRL> + </rejectInvalidSignatures> </validation> <!--As of 3.1.5 Email delivery options for subscription API functions--> http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-core/src/test/resources/juddiv3-enc-aes128.xml ---------------------------------------------------------------------- diff --git a/juddi-core/src/test/resources/juddiv3-enc-aes128.xml b/juddi-core/src/test/resources/juddiv3-enc-aes128.xml index 1b3fadb..6f89433 100644 --- a/juddi-core/src/test/resources/juddiv3-enc-aes128.xml +++ b/juddi-core/src/test/resources/juddiv3-enc-aes128.xml 
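Review bot: The sample `cryptoProvider` attribute names `org.apache.juddi.v3.client.crypto.AES128Cryptor`, while the classes this commit imports live in `org.apache.juddi.v3.client.cryptor` (`DigSigUtil`, `CryptorFactory`), so the package in that string looks worth confirming. It is only resolved once `isPasswordEncrypted` is set to true, at which point a wrong class name would surface as the "unable to decrypt trust store password" warning in ValidatePublish rather than as a configuration error. The same attribute value is repeated in the other config hunks of this commit (juddiv3-enc-aes128.xml, juddiv3-enc-aes256.xml, juddiv3-enc-default.xml, juddiv3.xml, juddiv3DisabledTModelKeybag.xml, juddiv3Node2.xml and the war's juddiv3.xml), so fixing it once and copying is the safest route. A short comment above the element would save operators a round trip, e.g. `<!-- cryptoProvider must be a class name accepted by CryptorFactory.getCryptor -->`.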
@@ -163,6 +163,19 @@ <validation> <!-- As of 3.1.5 This setting will force referential integrity for all tModels (except keyGenerators), category bags, bindingTemplate/AccessPoint/hostingRedirector (referencing another host), tModelinstanceparms and anything else that references a KeyName default value is true. set to false for backwards compatibility or for a more lax registry--> <enforceReferentialIntegrity>true</enforceReferentialIntegrity> + <!-- as of 3.3, reject digitally signed items that are invalid--> + <rejectInvalidSignatures> + <enable>false</enable> + <trustStorePath>./src/test/resources/truststore.jks</trustStorePath> + <trustStoreType>JKS</trustStoreType> + <trustStorePassword + isPasswordEncrypted="false" + cryptoProvider="org.apache.juddi.v3.client.crypto.AES128Cryptor">Test</trustStorePassword> + + <checkTimestamps>true</checkTimestamps> + <checkTrust>true</checkTrust> + <checkRevocationCRL>false</checkRevocationCRL> + </rejectInvalidSignatures> </validation> <!--As of 3.1.5 Email delivery options for subscription API functions--> http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-core/src/test/resources/juddiv3-enc-aes256.xml ---------------------------------------------------------------------- diff --git a/juddi-core/src/test/resources/juddiv3-enc-aes256.xml b/juddi-core/src/test/resources/juddiv3-enc-aes256.xml index 582c4bd..1b6999a 100644 --- a/juddi-core/src/test/resources/juddiv3-enc-aes256.xml +++ b/juddi-core/src/test/resources/juddiv3-enc-aes256.xml 
@@ -170,6 +170,19 @@ <validation> <!-- As of 3.1.5 This setting will force referential integrity for all tModels (except keyGenerators), category bags, bindingTemplate/AccessPoint/hostingRedirector (referencing another host), tModelinstanceparms and anything else that references a KeyName default value is true. set to false for backwards compatibility or for a more lax registry--> <enforceReferentialIntegrity>true</enforceReferentialIntegrity> + <!-- as of 3.3, reject digitally signed items that are invalid--> + <rejectInvalidSignatures> + <enable>false</enable> + <trustStorePath>./src/test/resources/truststore.jks</trustStorePath> + <trustStoreType>JKS</trustStoreType> + <trustStorePassword + isPasswordEncrypted="false" + cryptoProvider="org.apache.juddi.v3.client.crypto.AES128Cryptor">Test</trustStorePassword> + + <checkTimestamps>true</checkTimestamps> + <checkTrust>true</checkTrust> + <checkRevocationCRL>false</checkRevocationCRL> + </rejectInvalidSignatures> </validation> <!--As of 3.1.5 Email delivery options for subscription API functions--> http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-core/src/test/resources/juddiv3-enc-default.xml ---------------------------------------------------------------------- diff --git a/juddi-core/src/test/resources/juddiv3-enc-default.xml b/juddi-core/src/test/resources/juddiv3-enc-default.xml index b44358b..2519e9d 100644 --- a/juddi-core/src/test/resources/juddiv3-enc-default.xml +++ b/juddi-core/src/test/resources/juddiv3-enc-default.xml 
@@ -167,6 +167,19 @@ <validation> <!-- As of 3.1.5 This setting will force referential integrity for all tModels (except keyGenerators), category bags, bindingTemplate/AccessPoint/hostingRedirector (referencing another host), tModelinstanceparms and anything else that references a KeyName default value is true. set to false for backwards compatibility or for a more lax registry--> <enforceReferentialIntegrity>true</enforceReferentialIntegrity> + <!-- as of 3.3, reject digitally signed items that are invalid--> + <rejectInvalidSignatures> + <enable>false</enable> + <trustStorePath>./src/test/resources/truststore.jks</trustStorePath> + <trustStoreType>JKS</trustStoreType> + <trustStorePassword + isPasswordEncrypted="false" + cryptoProvider="org.apache.juddi.v3.client.crypto.AES128Cryptor">Test</trustStorePassword> + + <checkTimestamps>true</checkTimestamps> + <checkTrust>true</checkTrust> + <checkRevocationCRL>false</checkRevocationCRL> + </rejectInvalidSignatures> </validation> <!--As of 3.1.5 Email delivery options for subscription API functions--> http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-core/src/test/resources/juddiv3.xml ---------------------------------------------------------------------- diff --git a/juddi-core/src/test/resources/juddiv3.xml b/juddi-core/src/test/resources/juddiv3.xml index e0b23dd..72e21f1 100644 --- a/juddi-core/src/test/resources/juddiv3.xml +++ b/juddi-core/src/test/resources/juddiv3.xml 
@@ -170,6 +170,19 @@ <validation> <!-- As of 3.1.5 This setting will force referential integrity for all tModels (except keyGenerators), category bags, bindingTemplate/AccessPoint/hostingRedirector (referencing another host), tModelinstanceparms and anything else that references a KeyName default value is true. set to false for backwards compatibility or for a more lax registry--> <enforceReferentialIntegrity>true</enforceReferentialIntegrity> + <!-- as of 3.3, reject digitally signed items that are invalid--> + <rejectInvalidSignatures> + <enable>false</enable> + <trustStorePath>./src/test/resources/truststore.jks</trustStorePath> + <trustStoreType>JKS</trustStoreType> + <trustStorePassword + isPasswordEncrypted="false" + cryptoProvider="org.apache.juddi.v3.client.crypto.AES128Cryptor">Test</trustStorePassword> + + <checkTimestamps>true</checkTimestamps> + <checkTrust>true</checkTrust> + <checkRevocationCRL>false</checkRevocationCRL> + </rejectInvalidSignatures> </validation> <!--As of 3.1.5 Email delivery options for subscription API functions--> http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-core/src/test/resources/juddiv3DisabledTModelKeybag.xml ---------------------------------------------------------------------- diff --git a/juddi-core/src/test/resources/juddiv3DisabledTModelKeybag.xml b/juddi-core/src/test/resources/juddiv3DisabledTModelKeybag.xml index 88dddd9..66e3914 100644 --- a/juddi-core/src/test/resources/juddiv3DisabledTModelKeybag.xml +++ b/juddi-core/src/test/resources/juddiv3DisabledTModelKeybag.xml 
@@ -170,6 +170,19 @@ <validation> <!-- As of 3.1.5 This setting will force referential integrity for all tModels (except keyGenerators), category bags, bindingTemplate/AccessPoint/hostingRedirector (referencing another host), tModelinstanceparms and anything else that references a KeyName default value is true. set to false for backwards compatibility or for a more lax registry--> <enforceReferentialIntegrity>true</enforceReferentialIntegrity> + <!-- as of 3.3, reject digitally signed items that are invalid--> + <rejectInvalidSignatures> + <enable>false</enable> + <trustStorePath>./src/test/resources/truststore.jks</trustStorePath> + <trustStoreType>JKS</trustStoreType> + <trustStorePassword + isPasswordEncrypted="false" + cryptoProvider="org.apache.juddi.v3.client.crypto.AES128Cryptor">Test</trustStorePassword> + + <checkTimestamps>true</checkTimestamps> + <checkTrust>true</checkTrust> + <checkRevocationCRL>false</checkRevocationCRL> + </rejectInvalidSignatures> </validation> <!--As of 3.1.5 Email delivery options for subscription API functions--> http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-examples/more-uddi-samples/src/main/java/org/apache/juddi/samples/EntryPoint.java ---------------------------------------------------------------------- diff --git a/juddi-examples/more-uddi-samples/src/main/java/org/apache/juddi/samples/EntryPoint.java b/juddi-examples/more-uddi-samples/src/main/java/org/apache/juddi/samples/EntryPoint.java index 20d0579..fb7700b 100644 --- a/juddi-examples/more-uddi-samples/src/main/java/org/apache/juddi/samples/EntryPoint.java +++ b/juddi-examples/more-uddi-samples/src/main/java/org/apache/juddi/samples/EntryPoint.java 
@@ -76,6 +76,9 @@ public class EntryPoint { System.out.println("36) UnRegister a node on a jUDDI server"); System.out.println("37) Fetch the replication config from a jUDDI server"); System.out.println("38) Set the replication config on a remote jUDDI server"); + System.out.println("magic) Sets the replication between two instances of jUDDI on 8080 and 8090"); + System.out.println("rep) Prints the current replication status of a given node"); + System.out.println("39) Digitally sign a UDDI entity from a file."); System.out.println("q) quit"); System.out.print("Selection: "); @@ -466,6 +469,9 @@ public class EntryPoint { if (input.equals("rep")) { new JuddiAdminService().printStatus(); } + if (input.equals("39")) { + new UddiDigitalSignatureFile().Fire(null, null, null); + } } } http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-examples/more-uddi-samples/src/main/java/org/apache/juddi/samples/UddiDigitalSignatureFile.java ---------------------------------------------------------------------- diff --git a/juddi-examples/more-uddi-samples/src/main/java/org/apache/juddi/samples/UddiDigitalSignatureFile.java b/juddi-examples/more-uddi-samples/src/main/java/org/apache/juddi/samples/UddiDigitalSignatureFile.java new file mode 100644 index 0000000..ac1a06f --- /dev/null +++ b/juddi-examples/more-uddi-samples/src/main/java/org/apache/juddi/samples/UddiDigitalSignatureFile.java 
@@ -0,0 +1,160 @@ +/* + * Copyright 2001-2013 The Apache Software Foundation. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ +package org.apache.juddi.samples; + +import java.io.FileInputStream; +import java.io.FileOutputStream; +import java.util.Scanner; +import java.util.concurrent.atomic.AtomicReference; +import javax.xml.bind.JAXB; + +import org.apache.juddi.v3.client.config.UDDIClient; +import org.apache.juddi.v3.client.cryptor.DigSigUtil; +import org.apache.juddi.v3.client.transport.Transport; +import org.uddi.api_v3.*; +import org.uddi.v3_service.UDDIInquiryPortType; +import org.uddi.v3_service.UDDIPublicationPortType; +import org.uddi.v3_service.UDDISecurityPortType; + +/** + * This class shows you how to digital sign a business and save to file + * + * @author <a href="mailto:[email protected]">Alex O'Ree</a> + */ +public class UddiDigitalSignatureFile { + + private static UDDIClient clerkManager = null; + + /** + * This sets up the ws proxies using uddi.xml in META-INF + */ + public UddiDigitalSignatureFile() { + try { + // create a manager and read the config in the archive; + // you can use your config file name + clerkManager = new UDDIClient("META-INF/simple-publish-uddi.xml"); + + } catch (Exception e) { + e.printStackTrace(); + } + } + + public enum UddiType { + + Business, Service, Binding, TModel, PublisherAssertion + } + + public void Fire(String fileIn, String fileOut, UddiType type) { + try { + System.out.println("WARN - All 
previous signatures will be removed!"); + if (fileIn == null || fileOut == null || type == null) { + System.out.print("Input file: "); + fileIn = System.console().readLine(); + System.out.print("Out file: "); + fileOut = System.console().readLine(); + System.out.println(); + for (int i = 0; i < UddiType.values().length; i++) { + System.out.println("[" + i + "] " + UddiType.values()[i].toString()); + } + System.out.print("UDDI Type: "); + String t = System.console().readLine(); + type = UddiType.values()[Integer.parseInt(t)]; + } + + DigSigUtil ds = null; + + //option 1), set everything manually + ds = new DigSigUtil(); + ds.put(DigSigUtil.SIGNATURE_KEYSTORE_FILE, "keystore.jks"); + ds.put(DigSigUtil.SIGNATURE_KEYSTORE_FILETYPE, "JKS"); + ds.put(DigSigUtil.SIGNATURE_KEYSTORE_FILE_PASSWORD, "Test"); + ds.put(DigSigUtil.SIGNATURE_KEYSTORE_KEY_ALIAS, "Test"); + ds.put(DigSigUtil.SIGNATURE_OPTION_CERT_INCLUSION_BASE64, "true"); + + ds.put(DigSigUtil.SIGNATURE_OPTION_CERT_INCLUSION_SERIAL, "true"); + ds.put(DigSigUtil.SIGNATURE_OPTION_CERT_INCLUSION_SUBJECTDN, "true"); + ds.put(DigSigUtil.TRUSTSTORE_FILE, "truststore.jks"); + ds.put(DigSigUtil.TRUSTSTORE_FILETYPE, "JKS"); + ds.put(DigSigUtil.TRUSTSTORE_FILE_PASSWORD, "Test"); + + FileInputStream fis = new FileInputStream(fileIn); + Class expectedType = null; + switch (type) { + case Binding: + expectedType = BindingTemplate.class; + break; + case Business: + expectedType = BusinessEntity.class; + break; + case PublisherAssertion: + expectedType = PublisherAssertion.class; + break; + case Service: + expectedType = BusinessService.class; + break; + case TModel: + expectedType = TModel.class; + break; + } + Object be = JAXB.unmarshal(fis, expectedType); + fis.close(); + fis = null; + + switch (type) { + case Binding: + ((BindingTemplate)be).getSignature().clear(); + break; + case Business: + ((BusinessEntity)be).getSignature().clear(); + break; + case PublisherAssertion: + ((PublisherAssertion)be).getSignature().clear(); + 
break; + case Service: + ((BusinessService)be).getSignature().clear(); + break; + case TModel: + ((TModel)be).getSignature().clear(); + break; + } + + System.out.println("signing"); + Object signUDDI_JAXBObject = ds.signUddiEntity(be); + System.out.println("signed"); + DigSigUtil.JAXB_ToStdOut(signUDDI_JAXBObject); + + + System.out.println("verifing"); + AtomicReference<String> msg = new AtomicReference<String>(); + boolean verifySigned_UDDI_JAXB_Object = ds.verifySignedUddiEntity(signUDDI_JAXBObject, msg); + if (verifySigned_UDDI_JAXB_Object) { + System.out.println("signature validation passed (expected)"); + FileOutputStream fos = new FileOutputStream(fileOut); + JAXB.marshal(signUDDI_JAXBObject, fos); + fos.close(); + } else { + System.out.println("signature validation failed (not expected)"); + } + System.out.println(msg.get()); + + } catch (Exception e) { + e.printStackTrace(); + } + } + + +} http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddi-tomcat/juddiv3Node2.xml ---------------------------------------------------------------------- diff --git a/juddi-tomcat/juddiv3Node2.xml b/juddi-tomcat/juddiv3Node2.xml index 1efb830..0b193a4 100644 --- a/juddi-tomcat/juddiv3Node2.xml +++ b/juddi-tomcat/juddiv3Node2.xml 
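Review bot: `fis` and `fos` are closed only on the happy path — if `JAXB.unmarshal` or `JAXB.marshal` throws, the stream is left open when control lands in the outer `catch (Exception e)`, so the close calls belong in `finally` (try-with-resources would be tidier if the samples target Java 7+, but the explicit `new AtomicReference<String>()` suggests an older level, hence `finally` below). `System.console()` returns null when no console is attached (IDE run, redirected stdin), so the interactive branch throws NullPointerException; a `Scanner` on `System.in`, which the file already imports but never uses, is the usual fallback. Minor: `Fire` breaks the lowerCamelCase method convention, `Class expectedType` is a raw type (`Class<?>`), and `clerkManager` is built in the constructor but never read in this class. `Fire` begins on the previous physical line.
```java
            FileInputStream fis = new FileInputStream(fileIn);
            Object be;
            try {
                be = JAXB.unmarshal(fis, expectedType);
            } finally {
                fis.close();
            }
            // … unchanged: clear existing signatures, sign, print, verify …
            if (verifySigned_UDDI_JAXB_Object) {
                System.out.println("signature validation passed (expected)");
                FileOutputStream fos = new FileOutputStream(fileOut);
                try {
                    JAXB.marshal(signUDDI_JAXBObject, fos);
                } finally {
                    fos.close();
                }
            } else {
```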
@@ -171,6 +171,19 @@ <validation> <!-- As of 3.1.5 This setting will force referential integrity for all tModels (except keyGenerators), category bags, bindingTemplate/AccessPoint/hostingRedirector (referencing another host), tModelinstanceparms and anything else that references a KeyName default value is true. set to false for backwards compatibility or for a more lax registry--> <enforceReferentialIntegrity>true</enforceReferentialIntegrity> + <!-- as of 3.3, reject digitally signed items that are invalid--> + <rejectInvalidSignatures> + <enable>false</enable> + <trustStorePath>truststore.jks</trustStorePath> + <trustStoreType>JKS</trustStoreType> + <trustStorePassword + isPasswordEncrypted="false" + cryptoProvider="org.apache.juddi.v3.client.crypto.AES128Cryptor">password</trustStorePassword> + + <checkTimestamps>true</checkTimestamps> + <checkTrust>true</checkTrust> + <checkRevocationCRL>true</checkRevocationCRL> + </rejectInvalidSignatures> </validation> <!--As of 3.1.5 Email delivery options for subscription API functions--> http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/juddiv3-war/src/main/webapp/WEB-INF/classes/juddiv3.xml ---------------------------------------------------------------------- diff --git a/juddiv3-war/src/main/webapp/WEB-INF/classes/juddiv3.xml b/juddiv3-war/src/main/webapp/WEB-INF/classes/juddiv3.xml index c27f730..39279b0 100644 --- a/juddiv3-war/src/main/webapp/WEB-INF/classes/juddiv3.xml +++ b/juddiv3-war/src/main/webapp/WEB-INF/classes/juddiv3.xml 
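Review bot: This shipped configuration (and the war's juddiv3.xml in the next section) carries a literal `password` with `isPasswordEncrypted="false"`; ValidatePublish logs a warning for exactly this combination, so the deployment templates should ship the encrypted form or an obvious placeholder rather than a plaintext value an operator is likely to leave in place. `checkRevocationCRL` is `true` here while every test config in this commit uses `false`; since CRL checking typically needs the node to fetch the CRL named by the certificate, a comment on that operational requirement would help, e.g. `<!-- CRL checking requires the node to reach the certificate's CRL distribution point -->`.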
@@ -171,6 +171,19 @@ <validation> <!-- As of 3.1.5 This setting will force referential integrity for all tModels (except keyGenerators), category bags, bindingTemplate/AccessPoint/hostingRedirector (referencing another host), tModelinstanceparms and anything else that references a KeyName default value is true. set to false for backwards compatibility or for a more lax registry--> <enforceReferentialIntegrity>true</enforceReferentialIntegrity> + <!-- as of 3.3, reject digitally signed items that are invalid--> + <rejectInvalidSignatures> + <enable>false</enable> + <trustStorePath>truststore.jks</trustStorePath> + <trustStoreType>JKS</trustStoreType> + <trustStorePassword + isPasswordEncrypted="false" + cryptoProvider="org.apache.juddi.v3.client.crypto.AES128Cryptor">password</trustStorePassword> + + <checkTimestamps>true</checkTimestamps> + <checkTrust>true</checkTrust> + <checkRevocationCRL>true</checkRevocationCRL> + </rejectInvalidSignatures> </validation> <!--As of 3.1.5 Email delivery options for subscription API functions--> http://git-wip-us.apache.org/repos/asf/juddi/blob/6e03b824/uddi-tck-base/src/main/java/org/apache/juddi/v3/tck/TckBusiness.java ---------------------------------------------------------------------- diff --git a/uddi-tck-base/src/main/java/org/apache/juddi/v3/tck/TckBusiness.java b/uddi-tck-base/src/main/java/org/apache/juddi/v3/tck/TckBusiness.java index 8710558..4fc25e1 100644 --- a/uddi-tck-base/src/main/java/org/apache/juddi/v3/tck/TckBusiness.java +++ b/uddi-tck-base/src/main/java/org/apache/juddi/v3/tck/TckBusiness.java @@ -15,6 +15,7 @@ package org.apache.juddi.v3.tck; import java.io.File; +import java.io.FileInputStream; import java.net.URL; import static junit.framework.Assert.assertEquals; import static junit.framework.Assert.assertNotNull; 
@@ -297,15 +298,20 @@ public class TckBusiness { try { SaveBusiness sb = new SaveBusiness(); sb.setAuthInfo(authInfo); - + BusinessEntity beIn = (BusinessEntity) EntityCreator.buildFromDoc(businessXML, "org.uddi.api_v3"); if (beIn == null) { throw new Exception("Unload to load source xml document from " + businessXML); } + if (serialize) { + System.out.println("before saving"); + JAXB.marshal(beIn, System.out); + } sb.getBusinessEntity().add(beIn); BusinessDetail saveBusiness = publication.saveBusiness(sb); logger.info("Business saved with key " + saveBusiness.getBusinessEntity().get(0).getBusinessKey()); if (serialize) { + System.out.println("after saving"); JAXB.marshal(saveBusiness, System.out); } --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
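Review bot: The two new `System.out.println` calls sit next to an existing `logger.info` in the same hunk; routing them through `logger` keeps the TCK output in one place and filterable, e.g. `logger.info("before saving");`. The added `java.io.FileInputStream` import is not used by anything visible in this hunk; if no other change in the file needs it, drop it.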
