This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git


The following commit(s) were added to refs/heads/master by this push:
     new b04424d  WSS-676 - Disallow setting alias in the CertificateStore
b04424d is described below

commit b04424de82997a89df13ae2207351e2d800cbe81
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Thu Jul 16 08:21:06 2020 +0100

    WSS-676 - Disallow setting alias in the CertificateStore
---
 .../java/org/apache/wss4j/common/crypto/CertificateStore.java  |  9 ++++++---
 .../wss4j/dom/components/crypto/CertificateStoreTest.java      | 10 ++++++++++
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git 
a/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java
 
b/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java
index c3f139e..9806e8e 100644
--- 
a/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java
+++ 
b/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java
@@ -68,8 +68,7 @@ public class CertificateStore extends CryptoBase {
      * TYPE.THUMBPRINT_SHA1 - A certificate (chain) is located by the SHA1 of 
the (root) cert
      * TYPE.SKI_BYTES - A certificate (chain) is located by the SKI bytes of 
the (root) cert
      * TYPE.SUBJECT_DN - A certificate (chain) is located by the Subject DN of 
the (root) cert
-     * TYPE.ALIAS - A certificate (chain) is located by an alias. In this 
case, it duplicates the
-     * TYPE.SUBJECT_DN functionality.
+     * Note that TYPE.ALIAS is not allowed, as it doesn't have any meaning 
with a CertificateStore
      */
     public X509Certificate[] getX509Certificates(CryptoType cryptoType) throws 
WSSecurityException {
         if (cryptoType == null) {
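Review bot: The rewritten Javadoc says TYPE.ALIAS "is not allowed" but the method's contract still does not declare what happens when it is passed, so a caller reading only the docs does not know to expect an exception rather than an empty result. Add a `@throws WSSecurityException if the CryptoType is TYPE.ALIAS, which has no meaning for a CertificateStore` tag to the Javadoc. The body of getX509Certificates continues outside this hunk, so I cannot say here whether the null check on the last line also throws; if it does, fold it into the same tag.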
@@ -87,10 +86,14 @@ public class CertificateStore extends CryptoBase {
         case SKI_BYTES:
             certs = getX509CertificatesSKI(cryptoType.getBytes());
             break;
-        case ALIAS:
         case SUBJECT_DN:
             certs = getX509CertificatesSubjectDN(cryptoType.getSubjectDN());
             break;
+        case ALIAS:
+            throw new WSSecurityException(
+                    WSSecurityException.ErrorCode.FAILURE, 
"generic.EmptyMessage",
+                    new Object[] {"The alias CryptoType is not allowed for 
CertificateStore"}
+            );
         case ENDPOINT:
             break;
         }
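Review bot: The new `case ALIAS:` branch throws without a comment saying why, while the removed `case ALIAS:` label shows it used to fall through to the SUBJECT_DN lookup; a reader seeing the throw in isolation cannot tell a deliberate rejection from a regression. Add a why-comment above the throw, `// ALIAS used to fall through to the SUBJECT_DN lookup; reject it explicitly so a caller cannot resolve a certificate via a key that is not really an alias`. The switch statement starts before this hunk and the method continues after it, so I have not checked the other labels.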
diff --git 
a/ws-security-dom/src/test/java/org/apache/wss4j/dom/components/crypto/CertificateStoreTest.java
 
b/ws-security-dom/src/test/java/org/apache/wss4j/dom/components/crypto/CertificateStoreTest.java
index feba7dc..878851f 100644
--- 
a/ws-security-dom/src/test/java/org/apache/wss4j/dom/components/crypto/CertificateStoreTest.java
+++ 
b/ws-security-dom/src/test/java/org/apache/wss4j/dom/components/crypto/CertificateStoreTest.java
@@ -48,6 +48,7 @@ import java.util.List;
 import javax.security.auth.callback.CallbackHandler;
 
 import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assertions.fail;
 
@@ -275,6 +276,15 @@ public class CertificateStoreTest {
         }
     }
 
+    @Test
+    public void testAliasNotAllowed() throws Exception {
+        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+        cryptoType.setAlias("wss40");
+        assertThrows(WSSecurityException.class, () -> {
+            receiverCrypto.getX509Certificates(cryptoType);
+        });
+    }
+
     /**
      * Verifies the soap envelope
      * <p/>
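Review bot: `testAliasNotAllowed` passes on any WSSecurityException, so an unrelated failure from `receiverCrypto` (for example a lookup error before the ALIAS check is reached) is indistinguishable from the intended rejection. Capture the exception and check it is the ALIAS rejection: `WSSecurityException ex = assertThrows(WSSecurityException.class, () -> receiverCrypto.getX509Certificates(cryptoType));` followed by `assertTrue(ex.getMessage().contains("alias CryptoType is not allowed"));`, which uses the `assertTrue` import already present in the earlier hunk, assuming the generic.EmptyMessage key renders its argument as the message. `receiverCrypto` is initialised outside this hunk, so whether it is actually a CertificateStore cannot be confirmed from here.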
