Posted to commits@ws.apache.org by co...@apache.org on 2011/01/17 16:59:44 UTC
svn commit: r1059964 - in /webservices/wss4j/trunk: ./
src/main/java/org/apache/ws/security/components/crypto/
src/test/java/org/apache/ws/security/components/crypto/
Author: coheigea
Date: Mon Jan 17 15:59:44 2011
New Revision: 1059964
URL: http://svn.apache.org/viewvc?rev=1059964&view=rev
Log:
Added the ability to set Keystores etc. on the Crypto instance, so that it can be loaded dynamically, rather than from a properties file.
Modified:
webservices/wss4j/trunk/ChangeLog.txt
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/AbstractCrypto.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Crypto.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/CryptoBase.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Merlin.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/components/crypto/CryptoTest.java
Modified: webservices/wss4j/trunk/ChangeLog.txt
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ChangeLog.txt?rev=1059964&r1=1059963&r2=1059964&view=diff
==============================================================================
--- webservices/wss4j/trunk/ChangeLog.txt (original)
+++ webservices/wss4j/trunk/ChangeLog.txt Mon Jan 17 15:59:44 2011
@@ -5,6 +5,21 @@ for a given release.
Portions of this report were generated using the ReleaseNotes facility
in Jira.
+Release 1.5.11
+=============
+
+Bug
+
+ * [WSS-258] - Newer version of SecureConversation not recognised for derived key algorithm
+ * [WSS-260] - WSS4J can't process a STR to a SAML Assertion that is not in the SOAP message
+ * [WSS-261] - Rampart failing to extract keyinfo from SAML assertion
+ * [WSS-262] - WSS4J accepts Timestamps that are "Created" in the future
+
+Improvement
+
+ * [WSS-263] - Store secret key from signature processor
+
+
Release 1.5.10
=============
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/AbstractCrypto.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/AbstractCrypto.java?rev=1059964&r1=1059963&r2=1059964&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/AbstractCrypto.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/AbstractCrypto.java Mon Jan 17 15:59:44 2011
@@ -31,13 +31,6 @@ import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.util.Properties;
-/**
- * Created by IntelliJ IDEA.
- * User: dims
- * Date: Sep 15, 2005
- * Time: 9:50:40 AM
- * To change this template use File | Settings | File Templates.
- */
public abstract class AbstractCrypto extends CryptoBase {
/*
@@ -86,24 +79,27 @@ public abstract class AbstractCrypto ext
protected static CertificateFactory certFact;
protected Properties properties = null;
- /**
- * Constructor
- *
- * @param properties
- */
- public AbstractCrypto(Properties properties) throws CredentialException, IOException {
+ public AbstractCrypto() {
+ // default constructor
+ }
+
+ public AbstractCrypto(Properties properties)
+ throws CredentialException, IOException {
this(properties, Loader.getClassLoader(AbstractCrypto.class));
}
- /**
- * This allows providing a custom class loader to load the resources, etc
- * @param properties
- * @param loader
- * @throws CredentialException
- * @throws IOException
- */
public AbstractCrypto(Properties properties, ClassLoader loader)
throws CredentialException, IOException {
+ loadProperties(properties, loader);
+ }
+
+ public void loadProperties(Properties properties)
+ throws CredentialException, IOException {
+ loadProperties(properties, Loader.getClassLoader(AbstractCrypto.class));
+ }
+
+ public void loadProperties(Properties properties, ClassLoader loader)
+ throws CredentialException, IOException {
if (properties == null) {
return;
}
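Review bot: `loadProperties(Properties, ClassLoader)` is public and overridable, yet it is also what the constructor at L85-L88 runs, so a subclass that overrides it has its override executed before the subclass's own fields are initialised (and, now that it is public, any caller can re-load a keystore into a Crypto instance that other threads may already be using — a caveat the Javadoc should state). Keep the constructor on a private implementation and let the public overload delegate to it; the body of `loadProperties` continues past the end of this hunk and would simply move into the private method.
```java
public AbstractCrypto(Properties properties, ClassLoader loader)
    throws CredentialException, IOException {
    doLoadProperties(properties, loader);
}

/**
 * Load keystore/truststore configuration from the given properties.
 * Replaces any keystore/truststore previously loaded or set on this instance.
 */
public void loadProperties(Properties properties, ClassLoader loader)
    throws CredentialException, IOException {
    doLoadProperties(properties, loader);
}

// Not overridable, so it is safe to call from the constructor.
private void doLoadProperties(Properties properties, ClassLoader loader)
    throws CredentialException, IOException {
    if (properties == null) {
        return;
    }
    // … unchanged: existing loadProperties body (keystore/truststore loading) …
}
```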
@@ -283,20 +279,23 @@ public abstract class AbstractCrypto ext
return ks;
}
-
- protected String
+ public String
getCryptoProvider() {
- if (properties == null) {
- return null;
- }
- String provider = properties.getProperty(CRYPTO_PROVIDER);
- if (provider == null) {
- provider = properties.getProperty(OLD_CRYPTO_CERT_PROVIDER);
- }
- if (provider != null) {
- provider = provider.trim();
+ if (cryptoProvider != null) {
+ return cryptoProvider;
+ } else {
+ if (properties == null) {
+ return null;
+ }
+ String provider = properties.getProperty(CRYPTO_PROVIDER);
+ if (provider == null) {
+ provider = properties.getProperty(OLD_CRYPTO_CERT_PROVIDER);
+ }
+ if (provider != null) {
+ provider = provider.trim();
+ }
+ return provider;
}
- return provider;
}
/**
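Review bot: The `else` after the early `return cryptoProvider;` at L116-L118 only adds a nesting level; a guard clause reads better and keeps the properties lookup at the original indentation: `if (cryptoProvider != null) { return cryptoProvider; }` followed by the unindented `if (properties == null) { return null; }` and the existing property lookup. The signature split across L105-L106 (`public String` / `getCryptoProvider() {`) is also worth joining onto one line while the method is being touched. A one-line comment such as `// An explicitly set provider takes precedence over the properties file.` would make the new precedence rule visible to the next reader.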
@@ -309,13 +308,17 @@ public abstract class AbstractCrypto ext
* @return alias name of the default X509 certificate
*/
public String getDefaultX509Alias() {
- if (properties == null) {
- return null;
- }
- String alias = properties.getProperty(KEYSTORE_ALIAS);
- if (alias != null) {
- alias = alias.trim();
+ if (defaultAlias != null) {
+ return defaultAlias;
+ } else {
+ if (properties == null) {
+ return null;
+ }
+ String alias = properties.getProperty(KEYSTORE_ALIAS);
+ if (alias != null) {
+ alias = alias.trim();
+ }
+ return alias;
}
- return alias;
}
}
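Review bot: The Javadoc above this method still says the alias "has been specified as a property" (L135), which is no longer the whole story now that `defaultAlias` set via `setDefaultX509Alias` is returned first at L144-L145 and shadows the `KEYSTORE_ALIAS` property. Suggest `@return the alias set via setDefaultX509Alias, else the trimmed value of the keystore alias property, else null`. As in `getCryptoProvider`, the `else` block after the early return could be flattened into a guard clause.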
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Crypto.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Crypto.java?rev=1059964&r1=1059963&r2=1059964&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Crypto.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Crypto.java Mon Jan 17 15:59:44 2011
@@ -28,13 +28,94 @@ import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
-/**
- * Crypto.
- * <p/>
- *
- * @author Davanum Srinivas (dims@yahoo.com).
- */
public interface Crypto {
+
+ //
+ // Accessor methods
+ //
+
+ /**
+ * Retrieves the alias name of the default certificate which has been
+ * specified as a property. This should be the certificate that is used for
+ * signature and encryption. This alias corresponds to the certificate that
+ * should be used whenever KeyInfo is not present in a signed or
+ * an encrypted message. May return null.
+ *
+ * @return alias name of the default X509 certificate.
+ */
+ public String getDefaultX509Alias();
+
+ /**
+ * Sets the alias name of the default certificate which has been
+ * specified as a property. This should be the certificate that is used for
+ * signature and encryption. This alias corresponds to the certificate that
+ * should be used whenever KeyInfo is not present in a signed or
+ * an encrypted message.
+ *
+ * @param alias name of the default X509 certificate.
+ */
+ public void setDefaultX509Alias(String alias);
+
+ /**
+ * Get the crypto provider associated with this implementation
+ * @return the crypto provider
+ */
+ public String getCryptoProvider();
+
+ /**
+ * Set the crypto provider associated with this implementation
+ * @param provider the crypto provider to set
+ */
+ public void setCryptoProvider(String provider);
+
+ /**
+ * Gets the Keystore that was loaded by the underlying implementation
+ *
+ * @return the Keystore
+ */
+ public KeyStore getKeyStore();
+
+ /**
+ * Set the Keystore on this Crypto instance
+ *
+ * @param keyStore the Keystore to set
+ */
+ public void setKeyStore(KeyStore keyStore);
+
+ /**
+ * Gets the trust store that was loaded by the underlying implementation
+ *
+ * @return the trust store
+ */
+ public KeyStore getTrustStore();
+
+ /**
+ * Set the trust store on this Crypto instance
+ *
+ * @param trustStore the trust store to set
+ */
+ public void setTrustStore(KeyStore trustStore);
+
+ /**
+ * Gets the CertificateFactory instantiated by the underlying implementation
+ *
+ * @return the CertificateFactory
+ * @throws WSSecurityException
+ */
+ public CertificateFactory getCertificateFactory() throws WSSecurityException;
+
+ /**
+ * Sets the CertificateFactory instance on this Crypto instance
+ *
+ * @param provider the CertificateFactory provider name
+ * @param the CertificateFactory the CertificateFactory instance to set
+ */
+ public void setCertificateFactory(String provider, CertificateFactory certFactory);
+
+ //
+ // Crypto functionality methods
+ //
+
/**
* load a X509Certificate from the input stream.
* <p/>
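Review bot: The Javadoc for `setCertificateFactory` at L252-L253 has a malformed tag — `@param the CertificateFactory the CertificateFactory instance to set` names no parameter — and should read `@param certFactory the CertificateFactory instance to set`; `@param provider` should also say what a null or empty provider name means (the CryptoBase implementation in this commit appears to fall back to the factory's own provider name, but the interface should state the contract). The Javadoc on `setDefaultX509Alias` (L191-L192) copies "which has been specified as a property" from the getter, which is inaccurate for a setter. Adding seven methods to a public interface is a source-incompatible change for any third-party `Crypto` implementation, since they must now implement all of them; that deserves a line in the ChangeLog rather than only the "dynamically loaded" wording of the commit message.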
@@ -154,17 +235,6 @@ public interface Crypto {
public String getAliasForX509Cert(byte[] skiBytes) throws WSSecurityException;
/**
- * Retrieves the alias name of the default certificate which has been
- * specified as a property. This should be the certificate that is used for
- * signature and encryption. This alias corresponds to the certificate that
- * should be used whenever KeyInfo is not present in a signed or
- * an encrypted message. May return null.
- *
- * @return alias name of the default X509 certificate.
- */
- public String getDefaultX509Alias();
-
- /**
* Reads the SubjectKeyIdentifier information from the certificate.
* <p/>
*
@@ -188,22 +258,7 @@ public interface Crypto {
*/
public String getAliasForX509CertThumb(byte[] thumb) throws WSSecurityException;
-
- /**
- * Gets the Keystore that was loaded by the underlying implementation
- *
- * @return the Keystore
- */
- public KeyStore getKeyStore();
-
- /**
- * Gets the CertificateFactory instantiated by the underlying implementation
- *
- * @return the CertificateFactory
- * @throws WSSecurityException
- */
- public CertificateFactory getCertificateFactory() throws WSSecurityException;
-
+
/**
* Uses the CertPath API to validate a given certificate chain
* <p/>
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/CryptoBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/CryptoBase.java?rev=1059964&r1=1059963&r2=1059964&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/CryptoBase.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/CryptoBase.java Mon Jan 17 15:59:44 2011
@@ -77,10 +77,12 @@ public abstract class CryptoBase impleme
private static Log log = LogFactory.getLog(CryptoBase.class);
private static final Constructor<?> BC_509CLASS_CONS;
- protected static Map<String, CertificateFactory> certFactMap =
+ protected Map<String, CertificateFactory> certFactMap =
new HashMap<String, CertificateFactory>();
protected KeyStore keystore = null;
protected KeyStore truststore = null;
+ protected String defaultAlias = null;
+ protected String cryptoProvider = null;
static {
Constructor<?> cons = null;
@@ -99,14 +101,6 @@ public abstract class CryptoBase impleme
protected CryptoBase() {
}
- /**
- * @return a crypto provider name. This operation should
- * return null if the default crypto provider should
- * be used.
- */
- protected abstract String getCryptoProvider();
-
-
private String mapKeystoreProviderToCertProvider(String s) {
if ("SunJSSE".equals(s)) {
return "SUN";
@@ -115,6 +109,98 @@ public abstract class CryptoBase impleme
}
/**
+ * Get the crypto provider associated with this implementation
+ * @return the crypto provider
+ */
+ public String getCryptoProvider() {
+ return cryptoProvider;
+ }
+
+ /**
+ * Set the crypto provider associated with this implementation
+ * @param provider the crypto provider to set
+ */
+ public void setCryptoProvider(String provider) {
+ cryptoProvider = provider;
+ }
+
+ /**
+ * Gets the Keystore that was loaded
+ *
+ * @return the Keystore
+ */
+ public KeyStore getKeyStore() {
+ return keystore;
+ }
+
+ /**
+ * Set the Keystore on this Crypto instance
+ *
+ * @param keyStore the Keystore to set
+ */
+ public void setKeyStore(KeyStore keyStore) {
+ keystore = keyStore;
+ }
+
+ /**
+ * Gets the trust store that was loaded by the underlying implementation
+ *
+ * @return the trust store
+ */
+ public KeyStore getTrustStore() {
+ return truststore;
+ }
+
+ /**
+ * Set the trust store on this Crypto instance
+ *
+ * @param trustStore the trust store to set
+ */
+ public void setTrustStore(KeyStore trustStore) {
+ truststore = trustStore;
+ }
+
+ /**
+ * Retrieves the alias name of the default certificate which has been
+ * specified as a property. This should be the certificate that is used for
+ * signature and encryption. This alias corresponds to the certificate that
+ * should be used whenever KeyInfo is not present in a signed or
+ * an encrypted message. May return null.
+ *
+ * @return alias name of the default X509 certificate.
+ */
+ public String getDefaultX509Alias() {
+ return defaultAlias;
+ }
+
+ /**
+ * Sets the alias name of the default certificate which has been
+ * specified as a property. This should be the certificate that is used for
+ * signature and encryption. This alias corresponds to the certificate that
+ * should be used whenever KeyInfo is not present in a signed or
+ * an encrypted message.
+ *
+ * @param alias name of the default X509 certificate.
+ */
+ public void setDefaultX509Alias(String alias) {
+ defaultAlias = alias;
+ }
+
+ /**
+ * Sets the CertificateFactory instance on this Crypto instance
+ *
+ * @param provider the CertificateFactory provider name
+ * @param the CertificateFactory the CertificateFactory instance to set
+ */
+ public void setCertificateFactory(String provider, CertificateFactory certFactory) {
+ if (provider == null || provider.length() == 0) {
+ certFactMap.put(certFactory.getProvider().getName(), certFactory);
+ } else {
+ certFactMap.put(provider, certFactory);
+ }
+ }
+
+ /**
* Singleton certificate factory for this Crypto instance.
* <p/>
*
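Review bot: `setCertificateFactory` at L421-L427 throws an unhelpful `NullPointerException` from `certFactory.getProvider()` when `certFactory` is null and the provider name is empty, and silently stores a null map entry when a provider name is given, so a null would only surface later as a confusing failure. Add an explicit check at the top: `if (certFactory == null) { throw new IllegalArgumentException("certFactory must not be null"); }`. The Javadoc at L418-L419 repeats the malformed `@param the CertificateFactory` tag from the interface and should be `@param certFactory the CertificateFactory instance to set`. Since the new setters replace keystores and trust stores on a live instance, their Javadoc should state that callers are expected to configure the instance before it is shared.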
@@ -123,7 +209,7 @@ public abstract class CryptoBase impleme
* @throws org.apache.ws.security.WSSecurityException
*
*/
- public synchronized CertificateFactory getCertificateFactory() throws WSSecurityException {
+ public CertificateFactory getCertificateFactory() throws WSSecurityException {
String provider = getCryptoProvider();
String keyStoreProvider = null;
if (keystore != null) {
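Review bot: Dropping `synchronized` from `getCertificateFactory` at L437-L438 leaves `certFactMap` — now a plain per-instance `HashMap` (L313-L314) that `setCertificateFactory` also writes — accessed without any synchronization, and a `Crypto` instance is typically shared by every thread processing messages; if the rest of this method (its body continues past the hunk) populates the map on a cache miss, as its "singleton factory" Javadoc suggests, concurrent calls can corrupt the map. Either keep `public synchronized CertificateFactory getCertificateFactory()` or declare the map as `new ConcurrentHashMap<String, CertificateFactory>()` and use `putIfAbsent`. Whichever is chosen, document the thread-safety guarantee on the method.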
@@ -647,16 +733,6 @@ public abstract class CryptoBase impleme
}
/**
- * A Hook for subclasses to set the keystore without having to
- * load it from an <code>InputStream</code>.
- *
- * @param ks existing keystore
- */
- public void setKeyStore(KeyStore ks) {
- keystore = ks;
- }
-
- /**
* Reads the SubjectKeyIdentifier information from the certificate.
* <p/>
* If the the certificate does not contain a SKI extension then
@@ -709,10 +785,6 @@ public abstract class CryptoBase impleme
return abyte0;
}
- public KeyStore getKeyStore() {
- return keystore;
- }
-
/**
* Lookup X509 Certificates in the keystore according to a given DN of the subject of the
* certificate
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Merlin.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Merlin.java?rev=1059964&r1=1059963&r2=1059964&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Merlin.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Merlin.java Mon Jan 17 15:59:44 2011
@@ -22,20 +22,12 @@ package org.apache.ws.security.component
import java.io.IOException;
import java.util.Properties;
-/**
- * JDK1.4 based implementation of Crypto (uses keystore). <p/>
- *
- * @author Davanum Srinivas (dims@yahoo.com).
- */
public class Merlin extends AbstractCrypto {
- /**
- * Constructor. <p/>
- *
- * @param properties
- * @throws CredentialException
- * @throws IOException
- */
+ public Merlin() {
+ // default constructor
+ }
+
public Merlin(Properties properties) throws CredentialException, IOException {
super(properties);
}
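Review bot: The new no-argument constructor at L489-L491 yields a `Merlin` with no keystore, trust store, properties, or default alias until the caller invokes `setKeyStore`/`setTrustStore`/`loadProperties`, but the class Javadoc was removed in the same hunk and nothing documents that. Suggest restoring a class-level Javadoc such as `/** Keystore-based Crypto implementation. Instances created with the no-arg constructor must be configured via setKeyStore/setTrustStore or loadProperties before use. */` and a one-line `/** Creates an unconfigured instance; see class comment. */` on the constructor.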
Modified: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/components/crypto/CryptoTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/components/crypto/CryptoTest.java?rev=1059964&r1=1059963&r2=1059964&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/components/crypto/CryptoTest.java (original)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/components/crypto/CryptoTest.java Mon Jan 17 15:59:44 2011
@@ -19,15 +19,19 @@
package org.apache.ws.security.components.crypto;
+import java.io.InputStream;
+import java.security.KeyStore;
+
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngine;
+import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.common.CustomCrypto;
+import org.apache.ws.security.common.SOAPUtil;
+import org.apache.ws.security.message.WSSecHeader;
+import org.apache.ws.security.message.WSSecSignature;
+import org.apache.ws.security.util.Loader;
+import org.w3c.dom.Document;
-/**
- * Created by IntelliJ IDEA.
- * User: srida01
- * Date: Apr 12, 2004
- * Time: 10:50:05 AM
- * To change this template use File | Settings | File Templates.
- */
public class CryptoTest extends org.junit.Assert {
@org.junit.Test
@@ -72,6 +76,53 @@ public class CryptoTest extends org.juni
}
/**
+ * Test that we can sign and verify a signature using dynamically loaded keystores/truststore
+ */
+ @org.junit.Test
+ public void testDynamicCrypto() throws Exception {
+ WSSecSignature builder = new WSSecSignature();
+ builder.setUserInfo("wss40", "security");
+ builder.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER);
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ // Load the keystore
+ Crypto crypto = new Merlin();
+ KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+ ClassLoader loader = Loader.getClassLoader(CryptoTest.class);
+ InputStream input = AbstractCrypto.loadInputStream(loader, "keys/wss40.jks");
+ keyStore.load(input, "security".toCharArray());
+ crypto.setKeyStore(keyStore);
+ Document signedDoc = builder.build(doc, crypto, secHeader);
+
+ // Load the truststore
+ Crypto processCrypto = new Merlin();
+ KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
+ input = AbstractCrypto.loadInputStream(loader, "keys/wss40CA.jks");
+ trustStore.load(input, "security".toCharArray());
+ processCrypto.setTrustStore(trustStore);
+
+ WSSecurityEngine secEngine = new WSSecurityEngine();
+ secEngine.processSecurityHeader(signedDoc, null, null, processCrypto);
+
+ // Load a (bad) truststore
+ processCrypto = new Merlin();
+ trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
+ input = AbstractCrypto.loadInputStream(loader, "keys/wss40badca.jks");
+ trustStore.load(input, "security".toCharArray());
+ processCrypto.setTrustStore(trustStore);
+
+ try {
+ secEngine.processSecurityHeader(signedDoc, null, null, processCrypto);
+ fail("Expected failure on a bad trust store");
+ } catch (WSSecurityException ex) {
+ // expected
+ }
+ }
+
+ /**
* WSS-102 -- ensure AbstractCrypto will null properties
* can be instantiated
*/
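Review bot: The three `InputStream`s opened at L543, L551 and L561 are never closed, and `input` is reassigned at L551 and L561 without closing the previous stream. `AbstractCrypto.loadInputStream` is outside this diff, but if it returns null for a missing resource, `KeyStore.load(null, pw)` legally produces an empty store and the test would then fail in `processSecurityHeader` with a misleading message rather than at the load. Factoring the three identical load sequences into a helper that asserts the resource was found and closes the stream in `finally` fixes both; `assertNotNull` is available since the class extends `org.junit.Assert`.
```java
private static KeyStore loadKeyStore(ClassLoader loader, String path, String password)
    throws Exception {
    InputStream input = AbstractCrypto.loadInputStream(loader, path);
    assertNotNull("test resource not found: " + path, input);
    try {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(input, password.toCharArray());
        return ks;
    } finally {
        input.close();
    }
}

// … in testDynamicCrypto, replacing each load sequence:
crypto.setKeyStore(loadKeyStore(loader, "keys/wss40.jks", "security"));
// … unchanged: signing, then
processCrypto.setTrustStore(loadKeyStore(loader, "keys/wss40CA.jks", "security"));
// … unchanged: verification, then
processCrypto.setTrustStore(loadKeyStore(loader, "keys/wss40badca.jks", "security"));
```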