coheigea commented on a change in pull request #41: URL: https://github.com/apache/ws-wss4j/pull/41#discussion_r717319663
########## File path: ws-security-common/src/main/java/org/apache/wss4j/common/util/CommaDelimiterRfc2253Name.java ########## @@ -0,0 +1,106 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.wss4j.common.util; + +import javax.naming.InvalidNameException; +import javax.naming.ldap.LdapName; +import javax.naming.ldap.Rdn; +import java.util.List; + +/** + * Convert a RFC 2253 String using \ to escape unicode characters into one that is compatible + * with Microsoft's WFC and Java.<p><br> + * + * <strong>Detail:</strong> + * Converts a string in RFC2253 format and replaces \ escaped characters with a string quoted representation. + * It also places a space before the next RDN. <p> <br> + * There are two alternate ways an RFC 2253 RDN can escape unicode characters, either with '\' + * or by using quotes. Java seems to recognize both formats but Microsoft's WFC only seems to recognize quotes. + * Since implementations may escape any characters and string is already in valid format no knowledge is + * required of escapable characters. + */ +public class CommaDelimiterRfc2253Name { + + /** + * Return rfs2253String that delimits using quotes + * + * @param rfs2253String a string in rfc 2253 format using a \ as delimiter. + * @return Rdn in quoted form if required. + */ + public String execute(String rfs2253String) { + StringBuilder commaDNBuilder = new StringBuilder(); + try { + LdapName ldapname = new LdapName(rfs2253String); + List<Rdn> rdns = ldapname.getRdns(); + + for (int i = rdns.size() - 1; i >= 0; i--) { + Rdn rdn = rdns.get(i); + String rdnString = rdn.toString(); + String appendString; + if (requiresDoubleQuoting(rdnString)) { + appendString = convertToDoubleQuotes(rdnString); + } else { + appendString = rdnString; + } + if (i == rdns.size() - 1) { + commaDNBuilder.append(appendString); + } else { + commaDNBuilder.append(", ").append(appendString); + } + } + } catch (InvalidNameException e) { + throw new IllegalArgumentException(" The distinguished name cannot be parsed : " + rfs2253String); Review comment: We need to make sure this runtime exception is caught and handled properly in the calling code. ########## File path: ws-security-common/src/test/java/org/apache/wss4j/common/util/CommaDelimiterRfc2253NameTest.java ########## @@ -0,0 +1,151 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.wss4j.common.util; + +import org.junit.jupiter.api.Assertions; +import org.junit.jupiter.api.Test; + +import javax.security.auth.x500.X500Principal; +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.security.InvalidAlgorithmParameterException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.cert.CertificateException; +import java.security.cert.PKIXParameters; +import java.security.cert.TrustAnchor; +import java.security.cert.X509Certificate; + +import static org.junit.jupiter.api.Assertions.assertEquals; + +class CommaDelimiterRfc2253NameTest { + + private static final String TYPICAL_CA ="CN=Entrust Certification Authority - L1K,OU=(c) 2012 Entrust\\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\\, Inc.,C=US"; + private static final String QUOTES_TYPICAL_CA ="CN=Entrust Certification Authority - L1K, OU=\"(c) 2012 Entrust, Inc. - for authorized use only\", OU=See www.entrust.net/legal-terms, O=\"Entrust, Inc.\", C=US"; + + private CommaDelimiterRfc2253Name subject = new CommaDelimiterRfc2253Name(); + + + @Test + void whenMultipleAttributesArePresentThenSpaceIsPlacedAfterComma() { + String actual = new CommaDelimiterRfc2253Name().execute("CN=EOIR,OU=Some Unit,DC=Another place"); + assertEquals("CN=EOIR, OU=Some Unit, DC=Another place",actual); + } + @Test + void whenRdnContainsACommaThenTheRdnIsSurroundedByDoubleQuotes() { + String actual = new CommaDelimiterRfc2253Name().execute(TYPICAL_CA); + assertEquals(QUOTES_TYPICAL_CA,actual); + } + + @Test + void whenRdnIsInvalidThenExpectException() { + Assertions.assertThrows(IllegalArgumentException.class, () -> { + subject.execute("invalid"); + }); + } + + + @Test + void whenCallingUnescapeWithStringNoEscapesThenNoChangesAreMade() throws Exception { + String input = "This is a string with (c) no escaped! sStrings $"; + String actual = subject.unEscapeRfc2253RdnSubPart(input); + assertEquals(input,actual,"Expect that string is unchanged"); + } + + + @Test + void whenCallingUnescapeWithStringThenItUnescapesAppropiateCharacters() throws Exception { + String input = "This is a string with escapes \\,\\; \\\\ and \\< then \\> \\\"Copyright Apache\\\" "; + String expected = "This is a string with escapes ,; \\ and < then > \"Copyright Apache\" "; + String actual = subject.unEscapeRfc2253RdnSubPart(input); + assertEquals(expected,actual,"Expect that string is unescaped"); + } + + + @Test + void whenCallingUnescapeWithStringWithMultiValueRdnThenItUnescapesAppropriateCharacters() throws Exception { + String input = "OU=Sales\\+CN=J. Smith\\,O=Widget Inc.\\,C=US"; + String expected = "OU=Sales+CN=J. Smith,O=Widget Inc.,C=US"; + String actual = subject.unEscapeRfc2253RdnSubPart(input); + assertEquals(expected,actual,"Expect that string is unescaped"); + } + + @Test + public void testThatACommaDelimitedDnStringAndABackSlashEscapedDnProducesTheSameX509PrincipalUsingDefaultTruststore() + throws KeyStoreException, InvalidAlgorithmParameterException, CertificateException, NoSuchAlgorithmException, IOException { + KeyStore keystore = loadDefaultKeyStore(); + assertAllCaTransformsAreEquivalent(keystore); + } + + @Test + public void testThatACommaDelimitedDnStringAndABackSlashEscapedDnProducesTheSameX509Principal() + throws KeyStoreException, InvalidAlgorithmParameterException, CertificateException, NoSuchAlgorithmException, IOException { + KeyStore keystore = loadKeyStore("keys/cacerts-openjdk.jks", "changeit"); Review comment: Can we remove this test? We can't put the cacerts into source control due to licensing issues. ########## File path: ws-security-policy-stax/pom.xml ########## @@ -52,6 +52,13 @@ <scope>compile</scope> <optional>true</optional> </dependency> + <dependency> + <groupId>org.apache.wss4j</groupId> + <artifactId>wss4j-ws-security-common</artifactId> + <version>${project.version}</version> + <classifier>tests</classifier> + <scope>test</scope> + </dependency> Review comment: This change is not needed. ########## File path: ws-security-dom/src/main/java/org/apache/wss4j/dom/WSConstants.java ########## @@ -191,17 +191,21 @@ /** * Sets the {@link - * org.apache.wss4j.dom.message.WSSecSignature#build(Document, Crypto, WSSecHeader) - * } or the {@link - * org.apache.wss4j.dom.message.WSSecEncrypt#build(Document, Crypto, WSSecHeader) + *org.apache.wss4j.dom.message.WSSecSignature#build(Crypto) + *} or the {@link + *org.apache.wss4j.dom.message.WSSecEncrypt#build(Crypto, SecretKey) * } method to send the issuer name and the serial number of a certificate to * the receiver. * <p/> * In contrast to {@link #BST_DIRECT_REFERENCE} only the issuer name * and the serial number of the signing certificate are sent to the * receiver. This reduces the amount of data being sent. The encryption * method uses the public key associated with this certificate to encrypt - * the symmetric key used to encrypt data. + * the symmetric key used to encrypt data. + * The name format will + * delimit unicode characters with a '\' which is not compatible with Microsoft's WCF stack. Review comment: Can we merge these two lines? ########## File path: ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandlerConstants.java ########## @@ -87,6 +87,8 @@ private WSHandlerConstants() { * </li> * <li><code>IssuerSerial</code> for {@link WSConstants#ISSUER_SERIAL} * </li> + * <li><code>IssuerSerial</code> for {@link WSConstants#ISSUER_SERIAL_QUOTE_FORMAT} Review comment: Should be IssuerSerialQuoteFormat here ########## File path: ws-security-dom/src/main/java/org/apache/wss4j/dom/WSConstants.java ########## @@ -319,9 +323,31 @@ */ public static final int ENDPOINT_KEY_IDENTIFIER = 14; + + /** + *Sets the {@link org.apache.wss4j.dom.message.WSSecSignature#build(Crypto)} + * or the {@link org.apache.wss4j.dom.message.WSSecEncrypt#build(Crypto, SecretKey)} + * method to send the issuer name and the serial number of a certificate to + *the receiver. Review comment: Merge this with the previous line -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
