Posted to java-dev@axis.apache.org by ru...@apache.org on 2006/11/22 01:51:26 UTC
svn commit: r477992 - in
/webservices/axis2/trunk/java/modules/security/src/org/apache/rampart:
PolicyBasedResultsValidator.java RampartEngine.java RampartMessageData.java
ValidatorData.java builder/AsymmetricBindingBuilder.java errors.properties
Author: ruchithf
Date: Tue Nov 21 16:51:25 2006
New Revision: 477992
URL: http://svn.apache.org/viewvc?view=rev&rev=477992
Log:
Merging changes from the 1.1 branch
Added:
webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/PolicyBasedResultsValidator.java
webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/ValidatorData.java
Modified:
webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/RampartEngine.java
webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/RampartMessageData.java
webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/builder/AsymmetricBindingBuilder.java
webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/errors.properties
Added: webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/PolicyBasedResultsValidator.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/PolicyBasedResultsValidator.java?view=auto&rev=477992
==============================================================================
--- webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/PolicyBasedResultsValidator.java (added)
+++ webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/PolicyBasedResultsValidator.java Tue Nov 21 16:51:25 2006
@@ -0,0 +1,477 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.rampart;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.rampart.policy.RampartPolicyData;
+import org.apache.rampart.util.RampartUtil;
+import org.apache.ws.secpolicy.Constants;
+import org.apache.ws.secpolicy.model.SupportingToken;
+import org.apache.ws.secpolicy.model.Token;
+import org.apache.ws.secpolicy.model.UsernameToken;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.message.token.Timestamp;
+import org.apache.ws.security.util.WSSecurityUtil;
+
+import java.math.BigInteger;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.Iterator;
+import java.util.Vector;
+
+public class PolicyBasedResultsValidator {
+
+ private static Log log = LogFactory.getLog(PolicyBasedResultsValidator.class);
+
+ public void validate(ValidatorData data, Vector results)
+ throws RampartException {
+
+ RampartMessageData rmd = data.getRampartMessageData();
+
+ RampartPolicyData rpd = rmd.getPolicyData();
+
+ //Check presence of timestamp
+ if(rpd.isIncludeTimestamp()) {
+ WSSecurityEngineResult tsResult =
+ WSSecurityUtil.fetchActionResult(results, WSConstants.TS);
+ if(tsResult == null) {
+ throw new RampartException("timestampMissing");
+ }
+
+ }
+
+ //sig/encr
+
+ validateProtectionOrder(data, results);
+
+ validateEncryptedParts(data, results);
+
+ //Supporting tokens
+ if(!rmd.isClientSide()) {
+ validateSupportingTokens(data, results);
+ }
+
+ /*
+ * Now we can check the certificate used to sign the message. In the
+ * following implementation the certificate is only trusted if either it
+ * itself or the certificate of the issuer is installed in the keystore.
+ *
+ * Note: the method verifyTrust(X509Certificate) allows custom
+ * implementations with other validation algorithms for subclasses.
+ */
+
+ // Extract the signature action result from the action vector
+ WSSecurityEngineResult actionResult = WSSecurityUtil.fetchActionResult(
+ results, WSConstants.SIGN);
+
+ if (actionResult != null) {
+ X509Certificate returnCert = actionResult.getCertificate();
+
+ if (returnCert != null) {
+ if (!verifyTrust(returnCert, rmd)) {
+ throw new RampartException ("trustVerificationError");
+ }
+ }
+ }
+
+ /*
+ * Perform further checks on the timestamp that was transmitted in the
+ * header. In the following implementation the timestamp is valid if it
+ * was created after (now-ttl), where ttl is set on server side, not by
+ * the client.
+ *
+ * Note: the method verifyTimestamp(Timestamp) allows custom
+ * implementations with other validation algorithms for subclasses.
+ */
+
+ // Extract the timestamp action result from the action vector
+ actionResult = WSSecurityUtil.fetchActionResult(results, WSConstants.TS);
+
+ if (actionResult != null) {
+ Timestamp timestamp = actionResult.getTimestamp();
+
+ if (timestamp != null) {
+ if (!verifyTimestamp(timestamp, rmd.getTimeToLive())) {
+ throw new RampartException("cannotValidateTimestamp");
+ }
+ }
+ }
+ }
+
+ /**
+ * @param data
+ * @param results
+ */
+ private void validateSupportingTokens(ValidatorData data, Vector results)
+ throws RampartException {
+
+ //Check for UsernameToken
+ RampartPolicyData rpd = data.getRampartMessageData().getPolicyData();
+ SupportingToken suppTok = rpd.getSupportingTokens();
+ handleSupportingTokens(results, suppTok);
+ SupportingToken signedSuppToken = rpd.getSignedSupportingTokens();
+ handleSupportingTokens(results, signedSuppToken);
+ SupportingToken signedEndSuppToken = rpd.getSignedEndorsingSupportingTokens();
+ handleSupportingTokens(results, signedEndSuppToken);
+ SupportingToken endSuppToken = rpd.getEndorsingSupportingTokens();
+ handleSupportingTokens(results, endSuppToken);
+ }
+
+ /**
+ * @param results
+ * @param suppTok
+ * @throws RampartException
+ */
+ private void handleSupportingTokens(Vector results, SupportingToken suppTok) throws RampartException {
+
+ if(suppTok == null) {
+ return;
+ }
+
+ ArrayList tokens = suppTok.getTokens();
+ for (Iterator iter = tokens.iterator(); iter.hasNext();) {
+ Token token = (Token) iter.next();
+ if(token instanceof UsernameToken) {
+ //Check presence of a UsernameToken
+ WSSecurityEngineResult utResult = WSSecurityUtil.fetchActionResult(results, WSConstants.UT);
+ if(utResult == null) {
+ throw new RampartException("usernameTokenMissing");
+ }
+
+ }
+ }
+ }
+
+
+
+
+ /**
+ * @param data
+ * @param results
+ */
+ private void validateProtectionOrder(ValidatorData data, Vector results)
+ throws RampartException {
+
+ String protectionOrder = data.getRampartMessageData().getPolicyData().getProtectionOrder();
+ ArrayList sigEncrActions = this.getSigEncrActions(results);
+
+ if(sigEncrActions.size() < 2) {
+ //There are no results to COMPARE
+ return;
+ }
+ boolean done = false;
+ if(Constants.SIGN_BEFORE_ENCRYPTING.equals(protectionOrder)) {
+ boolean sigfound = false;
+ for (Iterator iter = sigEncrActions.iterator();
+ iter.hasNext() || !done;) {
+ Integer act = (Integer) iter.next();
+ if(act.intValue() == WSConstants.SIGN) {
+ sigfound = true;
+ } else if(sigfound) {
+ //We have an ENCR action after sig
+ done = true;
+ }
+ }
+
+ } else {
+ boolean encrFound = false;
+ for (Iterator iter = sigEncrActions.iterator();
+ iter.hasNext() || !done;) {
+ Integer act = (Integer) iter.next();
+ if(act.intValue() == WSConstants.ENCR) {
+ encrFound = true;
+ } else if(encrFound) {
+ //We have an ENCR action after sig
+ done = true;
+ }
+ }
+ }
+
+ if(!done) {
+ throw new RampartException("protectionOrderMismatch");
+ }
+ }
+
+
+ private ArrayList getSigEncrActions(Vector results) {
+ ArrayList sigEncrActions = new ArrayList();
+ for (Iterator iter = results.iterator(); iter.hasNext();) {
+ int action = ((WSSecurityEngineResult) iter.next()).getAction();
+ if(WSConstants.SIGN == action || WSConstants.ENCR == action) {
+ sigEncrActions.add(new Integer(action));
+ }
+
+ }
+ return sigEncrActions;
+ }
+
+ private void validateEncryptedParts(ValidatorData data, Vector results)
+ throws RampartException {
+
+ RampartMessageData rmd = data.getRampartMessageData();
+
+ ArrayList encrRefs = getEncryptedReferences(results);
+
+ RampartPolicyData rpd = rmd.getPolicyData();
+
+ //Check for encrypted body
+ if(rpd.isEncryptBody()) {
+
+ if(!encrRefs.remove(data.getBodyEncrDataId())){
+ throw new RampartException("encryptedPartMissing",
+ new String[]{data.getBodyEncrDataId()});
+ }
+ }
+
+ int refCount = 0;
+
+ if(rpd.isSignatureProtection() &&
+ ((rpd.isSymmetricBinding() && rpd.getSignatureToken() != null) ||
+ (!rpd.isSymmetricBinding() && !rpd.isTransportBinding() &&
+ rpd.getInitiatorToken() != null))) {
+ refCount ++;
+ }
+
+ refCount += rpd.getEncryptedParts().size();
+
+ if(encrRefs.size() != refCount) {
+ throw new RampartException("invalidNumberOfEncryptedParts",
+ new String[]{Integer.toString(refCount)});
+ }
+
+ }
+
+
+
+ private boolean verifyTimestamp(Timestamp timestamp, int timeToLive) throws RampartException {
+
+ // Calculate the time that is allowed for the message to travel
+ Calendar validCreation = Calendar.getInstance();
+ long currentTime = validCreation.getTime().getTime();
+ currentTime -= timeToLive * 1000;
+ validCreation.setTime(new Date(currentTime));
+
+ // Validate the time it took the message to travel
+ // if (timestamp.getCreated().before(validCreation) ||
+ // !timestamp.getCreated().equals(validCreation)) {
+ Calendar cre = timestamp.getCreated();
+ if (cre != null && !cre.after(validCreation)) {
+ return false;
+ }
+
+ return true;
+ }
+
+ /**
+ * Evaluate whether a given certificate should be trusted.
+ * Hook to allow subclasses to implement custom validation methods however they see fit.
+ * <p/>
+ * Policy used in this implementation:
+ * 1. Search the keystore for the transmitted certificate
+ * 2. Search the keystore for a connection to the transmitted certificate
+ * (that is, search for certificate(s) of the issuer of the transmitted certificate
+ * 3. Verify the trust path for those certificates found because the search for the issuer might be fooled by a phony DN (String!)
+ *
+ * @param cert the certificate that should be validated against the keystore
+ * @return true if the certificate is trusted, false if not (AxisFault is thrown for exceptions during CertPathValidation)
+ * @throws WSSecurityException
+ */
+ protected boolean verifyTrust(X509Certificate cert, RampartMessageData rmd) throws RampartException {
+
+ // If no certificate was transmitted, do not trust the signature
+ if (cert == null) {
+ return false;
+ }
+
+ String[] aliases = null;
+ String alias = null;
+ X509Certificate[] certs;
+
+ String subjectString = cert.getSubjectDN().getName();
+ String issuerString = cert.getIssuerDN().getName();
+ BigInteger issuerSerial = cert.getSerialNumber();
+
+ boolean doDebug = log.isDebugEnabled();
+
+ if (doDebug) {
+ log.debug("WSHandler: Transmitted certificate has subject " +
+ subjectString);
+ log.debug("WSHandler: Transmitted certificate has issuer " +
+ issuerString + " (serial " + issuerSerial + ")");
+ }
+
+ // FIRST step
+ // Search the keystore for the transmitted certificate
+
+ // Search the keystore for the alias of the transmitted certificate
+ try {
+ alias = RampartUtil.getSignatureCrypto(
+ rmd.getPolicyData().getRampartConfig(),
+ rmd.getCustomClassLoader()).getAliasForX509Cert(
+ issuerString, issuerSerial);
+ } catch (WSSecurityException ex) {
+ throw new RampartException("cannotFindAliasForCert", new String[]{subjectString}, ex);
+ }
+
+ if (alias != null) {
+ // Retrieve the certificate for the alias from the keystore
+ try {
+ certs = RampartUtil.getSignatureCrypto(
+ rmd.getPolicyData().getRampartConfig(),
+ rmd.getCustomClassLoader()).getCertificates(alias);
+ } catch (WSSecurityException ex) {
+ throw new RampartException("noCertForAlias", new String[] {alias}, ex);
+ }
+
+ // If certificates have been found, the certificates must be compared
+ // to ensure againgst phony DNs (compare encoded form including signature)
+ if (certs != null && certs.length > 0 && cert.equals(certs[0])) {
+ if (doDebug) {
+ log.debug("Direct trust for certificate with " + subjectString);
+ }
+ return true;
+ }
+ } else {
+ if (doDebug) {
+ log.debug("No alias found for subject from issuer with " + issuerString + " (serial " + issuerSerial + ")");
+ }
+ }
+
+ // SECOND step
+ // Search for the issuer of the transmitted certificate in the keystore
+
+ // Search the keystore for the alias of the transmitted certificates issuer
+ try {
+ aliases = RampartUtil.getSignatureCrypto(
+ rmd.getPolicyData().getRampartConfig(),
+ rmd.getCustomClassLoader()).getAliasesForDN(issuerString);
+ } catch (WSSecurityException ex) {
+ throw new RampartException("cannotFindAliasForCert", new String[]{issuerString}, ex);
+ }
+
+ // If the alias has not been found, the issuer is not in the keystore
+ // As a direct result, do not trust the transmitted certificate
+ if (aliases == null || aliases.length < 1) {
+ if (doDebug) {
+ log.debug("No aliases found in keystore for issuer " + issuerString + " of certificate for " + subjectString);
+ }
+ return false;
+ }
+
+ // THIRD step
+ // Check the certificate trust path for every alias of the issuer found in the keystore
+ for (int i = 0; i < aliases.length; i++) {
+ alias = aliases[i];
+
+ if (doDebug) {
+ log.debug("Preparing to validate certificate path with alias " + alias + " for issuer " + issuerString);
+ }
+
+ // Retrieve the certificate(s) for the alias from the keystore
+ try {
+ certs = RampartUtil.getSignatureCrypto(
+ rmd.getPolicyData().getRampartConfig(),
+ rmd.getCustomClassLoader()).getCertificates(alias);
+ } catch (WSSecurityException ex) {
+ throw new RampartException("noCertForAlias", new String[] {alias}, ex);
+ }
+
+ // If no certificates have been found, there has to be an error:
+ // The keystore can find an alias but no certificate(s)
+ if (certs == null | certs.length < 1) {
+ throw new RampartException("noCertForAlias", new String[] {alias});
+ }
+
+ // Form a certificate chain from the transmitted certificate
+ // and the certificate(s) of the issuer from the keystore
+ // First, create new array
+ X509Certificate[] x509certs = new X509Certificate[certs.length + 1];
+ // Then add the first certificate ...
+ x509certs[0] = cert;
+ // ... and the other certificates
+ for (int j = 0; j < certs.length; j++) {
+ cert = certs[i];
+ x509certs[certs.length + j] = cert;
+ }
+ certs = x509certs;
+
+ // Use the validation method from the crypto to check whether the subjects certificate was really signed by the issuer stated in the certificate
+ try {
+ if (RampartUtil.getSignatureCrypto(
+ rmd.getPolicyData().getRampartConfig(),
+ rmd.getCustomClassLoader()).validateCertPath(certs)) {
+ if (doDebug) {
+ log.debug("WSHandler: Certificate path has been verified for certificate with subject " + subjectString);
+ }
+ return true;
+ }
+ } catch (WSSecurityException ex) {
+ throw new RampartException("certPathVerificationFailed", new String[]{subjectString}, ex);
+ }
+ }
+
+ log.debug("WSHandler: Certificate path could not be verified for certificate with subject " + subjectString);
+ return false;
+ }
+
+
+ private ArrayList getEncryptedReferences(Vector results) {
+
+ //there can be multiple ref lists
+ ArrayList encrResults = getResults(results, WSConstants.ENCR);
+
+ ArrayList refs = new ArrayList();
+
+ for (Iterator iter = encrResults.iterator(); iter.hasNext();) {
+ WSSecurityEngineResult engineResult = (WSSecurityEngineResult) iter.next();
+ ArrayList dataRefUris = engineResult.getDataRefUris();
+
+ //take only the ref list processing results
+ if(dataRefUris != null) {
+ for (Iterator iterator = dataRefUris.iterator(); iterator
+ .hasNext();) {
+ String uri = (String) iterator.next();
+ refs.add(uri);
+ }
+ }
+ }
+
+ return refs;
+ }
+
+
+
+ private ArrayList getResults(Vector results, int action) {
+
+ ArrayList list = new ArrayList();
+
+ for (int i = 0; i < results.size(); i++) {
+ // Check the result of every action whether it matches the given
+ // action
+ if (((WSSecurityEngineResult) results.get(i)).getAction() == action) {
+ list.add((WSSecurityEngineResult) results.get(i));
+ }
+ }
+
+ return list;
+ }
+}
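Review bot: The chain assembly in verifyTrust's third step indexes with the wrong variable and writes past the array: `cert = certs[i]` uses the alias index, and `x509certs[certs.length + j]` overflows `x509certs` (length `certs.length + 1`) as soon as the issuer alias holds more than one certificate, so the loop body should be `x509certs[j + 1] = certs[j];` without reassigning `cert`, which otherwise loses the transmitted certificate for the next alias iteration. The guard just above it, `certs == null | certs.length < 1`, uses the non-short-circuit `|` and dereferences a null array before the check can help; it needs `||`. In validateProtectionOrder both loops use `iter.hasNext() || !done`, which calls `iter.next()` on an exhausted iterator whenever the order is wrong, so a mismatch surfaces as NoSuchElementException rather than `protectionOrderMismatch`; the condition should be `iter.hasNext() && !done`, and the comment in the else branch still says "ENCR action after sig" although that branch detects the opposite. verifyTimestamp returns true when `getCreated()` is null and never looks at the Expires element, so a timestamp with no Created is accepted; `if (cre == null || !cre.after(validCreation)) return false;` closes that gap, and the Expires decision deserves a comment either way. `timeToLive * 1000` is computed in int before being subtracted from a long, so a large TTL overflows; `timeToLive * 1000L` avoids it.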
Modified: webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/RampartEngine.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/RampartEngine.java?view=diff&rev=477992&r1=477991&r2=477992
==============================================================================
--- webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/RampartEngine.java (original)
+++ webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/RampartEngine.java Tue Nov 21 16:51:25 2006
@@ -40,7 +40,6 @@
public class RampartEngine {
- private static Log log = LogFactory.getLog(RampartEngine.class);
public Vector process(MessageContext msgCtx) throws WSSPolicyException,
RampartException, WSSecurityException, AxisFault {
@@ -59,6 +58,8 @@
WSSecurityEngine engine = new WSSecurityEngine();
+ ValidatorData data = new ValidatorData(rmd);
+
if(rpd.isSymmetricBinding()) {
//Here we have to create the CB handler to get the tokens from the
//token storage
@@ -85,232 +86,14 @@
msgCtx.setEnvelope(env);
Axis2Util.useDOOM(false);
- this.validateResults(rmd, results);
+ PolicyBasedResultsValidator validator = new PolicyBasedResultsValidator();
+ validator.validate(data, results);
return results;
}
- private void validateResults(RampartMessageData rmd, Vector results) throws RampartException {
-
- /*
- * Now we can check the certificate used to sign the message. In the
- * following implementation the certificate is only trusted if either it
- * itself or the certificate of the issuer is installed in the keystore.
- *
- * Note: the method verifyTrust(X509Certificate) allows custom
- * implementations with other validation algorithms for subclasses.
- */
-
- // Extract the signature action result from the action vector
- WSSecurityEngineResult actionResult = WSSecurityUtil.fetchActionResult(
- results, WSConstants.SIGN);
-
- if (actionResult != null) {
- X509Certificate returnCert = actionResult.getCertificate();
-
- if (returnCert != null) {
- if (!verifyTrust(returnCert, rmd)) {
- throw new RampartException ("trustVerificationError");
- }
- }
- }
-
- /*
- * Perform further checks on the timestamp that was transmitted in the
- * header. In the following implementation the timestamp is valid if it
- * was created after (now-ttl), where ttl is set on server side, not by
- * the client.
- *
- * Note: the method verifyTimestamp(Timestamp) allows custom
- * implementations with other validation algorithms for subclasses.
- */
-
- // Extract the timestamp action result from the action vector
- actionResult = WSSecurityUtil.fetchActionResult(results, WSConstants.TS);
-
- if (actionResult != null) {
- Timestamp timestamp = actionResult.getTimestamp();
-
- if (timestamp != null) {
- if (!verifyTimestamp(timestamp, rmd.getTimeToLive())) {
- throw new RampartException("cannotValidateTimestamp");
- }
- }
- }
-
- }
-
-
- private boolean verifyTimestamp(Timestamp timestamp, int timeToLive) throws RampartException {
-
- // Calculate the time that is allowed for the message to travel
- Calendar validCreation = Calendar.getInstance();
- long currentTime = validCreation.getTime().getTime();
- currentTime -= timeToLive * 1000;
- validCreation.setTime(new Date(currentTime));
-
- // Validate the time it took the message to travel
- // if (timestamp.getCreated().before(validCreation) ||
- // !timestamp.getCreated().equals(validCreation)) {
- Calendar cre = timestamp.getCreated();
- if (cre != null && !cre.after(validCreation)) {
- return false;
- }
- return true;
- }
- /**
- * Evaluate whether a given certificate should be trusted.
- * Hook to allow subclasses to implement custom validation methods however they see fit.
- * <p/>
- * Policy used in this implementation:
- * 1. Search the keystore for the transmitted certificate
- * 2. Search the keystore for a connection to the transmitted certificate
- * (that is, search for certificate(s) of the issuer of the transmitted certificate
- * 3. Verify the trust path for those certificates found because the search for the issuer might be fooled by a phony DN (String!)
- *
- * @param cert the certificate that should be validated against the keystore
- * @return true if the certificate is trusted, false if not (AxisFault is thrown for exceptions during CertPathValidation)
- * @throws WSSecurityException
- */
- protected boolean verifyTrust(X509Certificate cert, RampartMessageData rmd) throws RampartException {
-
- // If no certificate was transmitted, do not trust the signature
- if (cert == null) {
- return false;
- }
-
- String[] aliases = null;
- String alias = null;
- X509Certificate[] certs;
-
- String subjectString = cert.getSubjectDN().getName();
- String issuerString = cert.getIssuerDN().getName();
- BigInteger issuerSerial = cert.getSerialNumber();
-
- boolean doDebug = log.isDebugEnabled();
-
- if (doDebug) {
- log.debug("WSHandler: Transmitted certificate has subject " +
- subjectString);
- log.debug("WSHandler: Transmitted certificate has issuer " +
- issuerString + " (serial " + issuerSerial + ")");
- }
-
- // FIRST step
- // Search the keystore for the transmitted certificate
-
- // Search the keystore for the alias of the transmitted certificate
- try {
- alias = RampartUtil.getSignatureCrypto(
- rmd.getPolicyData().getRampartConfig(),
- rmd.getCustomClassLoader()).getAliasForX509Cert(
- issuerString, issuerSerial);
- } catch (WSSecurityException ex) {
- throw new RampartException("cannotFindAliasForCert", new String[]{subjectString}, ex);
- }
-
- if (alias != null) {
- // Retrieve the certificate for the alias from the keystore
- try {
- certs = RampartUtil.getSignatureCrypto(
- rmd.getPolicyData().getRampartConfig(),
- rmd.getCustomClassLoader()).getCertificates(alias);
- } catch (WSSecurityException ex) {
- throw new RampartException("noCertForAlias", new String[] {alias}, ex);
- }
-
- // If certificates have been found, the certificates must be compared
- // to ensure againgst phony DNs (compare encoded form including signature)
- if (certs != null && certs.length > 0 && cert.equals(certs[0])) {
- if (doDebug) {
- log.debug("Direct trust for certificate with " + subjectString);
- }
- return true;
- }
- } else {
- if (doDebug) {
- log.debug("No alias found for subject from issuer with " + issuerString + " (serial " + issuerSerial + ")");
- }
- }
-
- // SECOND step
- // Search for the issuer of the transmitted certificate in the keystore
-
- // Search the keystore for the alias of the transmitted certificates issuer
- try {
- aliases = RampartUtil.getSignatureCrypto(
- rmd.getPolicyData().getRampartConfig(),
- rmd.getCustomClassLoader()).getAliasesForDN(issuerString);
- } catch (WSSecurityException ex) {
- throw new RampartException("cannotFindAliasForCert", new String[]{issuerString}, ex);
- }
-
- // If the alias has not been found, the issuer is not in the keystore
- // As a direct result, do not trust the transmitted certificate
- if (aliases == null || aliases.length < 1) {
- if (doDebug) {
- log.debug("No aliases found in keystore for issuer " + issuerString + " of certificate for " + subjectString);
- }
- return false;
- }
-
- // THIRD step
- // Check the certificate trust path for every alias of the issuer found in the keystore
- for (int i = 0; i < aliases.length; i++) {
- alias = aliases[i];
-
- if (doDebug) {
- log.debug("Preparing to validate certificate path with alias " + alias + " for issuer " + issuerString);
- }
-
- // Retrieve the certificate(s) for the alias from the keystore
- try {
- certs = RampartUtil.getSignatureCrypto(
- rmd.getPolicyData().getRampartConfig(),
- rmd.getCustomClassLoader()).getCertificates(alias);
- } catch (WSSecurityException ex) {
- throw new RampartException("noCertForAlias", new String[] {alias}, ex);
- }
-
- // If no certificates have been found, there has to be an error:
- // The keystore can find an alias but no certificate(s)
- if (certs == null | certs.length < 1) {
- throw new RampartException("noCertForAlias", new String[] {alias});
- }
-
- // Form a certificate chain from the transmitted certificate
- // and the certificate(s) of the issuer from the keystore
- // First, create new array
- X509Certificate[] x509certs = new X509Certificate[certs.length + 1];
- // Then add the first certificate ...
- x509certs[0] = cert;
- // ... and the other certificates
- for (int j = 0; j < certs.length; j++) {
- cert = certs[i];
- x509certs[certs.length + j] = cert;
- }
- certs = x509certs;
-
- // Use the validation method from the crypto to check whether the subjects certificate was really signed by the issuer stated in the certificate
- try {
- if (RampartUtil.getSignatureCrypto(
- rmd.getPolicyData().getRampartConfig(),
- rmd.getCustomClassLoader()).validateCertPath(certs)) {
- if (doDebug) {
- log.debug("WSHandler: Certificate path has been verified for certificate with subject " + subjectString);
- }
- return true;
- }
- } catch (WSSecurityException ex) {
- throw new RampartException("certPathVerificationFailed", new String[]{subjectString}, ex);
- }
- }
-
- log.debug("WSHandler: Certificate path could not be verified for certificate with subject " + subjectString);
- return false;
- }
}
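Review bot: `new PolicyBasedResultsValidator()` is hard-coded in process(), so the `protected verifyTrust` hook that the new class advertises for subclasses cannot be reached by anyone using RampartEngine; consider obtaining the validator from a protected factory method such as `protected PolicyBasedResultsValidator createValidator()` or a constructor argument so trust validation can be customised without patching the engine. The `ValidatorData` built at the start of the method (the hunk at line 58) presumably has to exist before the WSSecurityEngine processes the header, since its constructor records EncryptedData ids from the envelope that decryption would replace; that ordering constraint is invisible at the call site and deserves a comment at the construction such as `// NOTE: build before the security engine runs - it snapshots EncryptedData ids from the still-encrypted envelope (confirm)`. The enclosing process() method starts before this hunk.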
Modified: webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/RampartMessageData.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/RampartMessageData.java?view=diff&rev=477992&r1=477991&r2=477992
==============================================================================
--- webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/RampartMessageData.java (original)
+++ webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/RampartMessageData.java Tue Nov 21 16:51:25 2006
@@ -37,6 +37,7 @@
import org.apache.rampart.util.Axis2Util;
import org.apache.rampart.util.RampartUtil;
import org.apache.ws.secpolicy.WSSPolicyException;
+import org.apache.ws.security.SOAPConstants;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngineResult;
@@ -46,6 +47,7 @@
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.util.Loader;
+import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Document;
import javax.xml.namespace.QName;
@@ -128,6 +130,8 @@
private boolean sender;
private ClassLoader customClassLoader;
+
+ private SOAPConstants soapConstants;
public RampartMessageData(MessageContext msgCtx, boolean sender) throws RampartException {
@@ -142,6 +146,8 @@
this.document = Axis2Util.getDocumentFromSOAPEnvelope(msgCtx.getEnvelope(), false);
msgCtx.setEnvelope((SOAPEnvelope)this.document.getDocumentElement());
+ this.soapConstants = WSSecurityUtil.getSOAPConstants(this.document.getDocumentElement());
+
//Extract known properties from the msgCtx
if(msgCtx.getProperty(KEY_WST_VERSION) != null) {
@@ -202,15 +208,16 @@
this.policyData = RampartPolicyBuilder.build(it);
}
+ RampartConfig rampartConfig = this.policyData.getRampartConfig();
+
+ if(isClientSide && rampartConfig == null) {
+ //We'r missing the extra info rampart needs
+ throw new RampartException("rampartConigMissing");
+ }
+
if(this.policyData != null) {
- //Check for RST and RSTR for an SCT
- RampartConfig rampartConfig = this.policyData.getRampartConfig();
-
- if(rampartConfig == null) {
- //We'r missing the extra info rampart needs
- throw new RampartException("rampartConigMissing");
- }
+ //Check for RST and RSTR for an SCT
if((WSSHandlerConstants.RST_ACTON_SCT.equals(msgContext.getWSAAction())
|| WSSHandlerConstants.RSTR_ACTON_SCT.equals(msgContext.getWSAAction())) &&
this.policyData.getIssuerPolicy() != null) {
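Review bot: `this.policyData.getRampartConfig()` is now dereferenced before the `if(this.policyData != null)` guard that used to enclose it, so a message context with no policy throws NullPointerException here instead of skipping the block; either move the lookup and the client-side check inside the guard or write `RampartConfig rampartConfig = this.policyData != null ? this.policyData.getRampartConfig() : null;`. The relaxed check also means a server-side RampartMessageData may now carry a null RampartConfig, while the new validator passes `rmd.getPolicyData().getRampartConfig()` straight into `RampartUtil.getSignatureCrypto(...)` during trust verification; whether that path tolerates null is not visible here and should be confirmed or documented on the getter. The enclosing method starts and ends outside the hunk.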
@@ -606,5 +613,9 @@
public ClassLoader getCustomClassLoader() {
return customClassLoader;
+ }
+
+ public SOAPConstants getSoapConstants() {
+ return soapConstants;
}
}
Added: webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/ValidatorData.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/ValidatorData.java?view=auto&rev=477992
==============================================================================
--- webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/ValidatorData.java (added)
+++ webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/ValidatorData.java Tue Nov 21 16:51:25 2006
@@ -0,0 +1,82 @@
+/*
+ * Copyright 2004,2005 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.rampart;
+
+import org.apache.axiom.soap.SOAP11Constants;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.xml.security.utils.EncryptionConstants;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+
+import java.util.ArrayList;
+
+public class ValidatorData {
+
+ private RampartMessageData rmd;
+ ArrayList encryptedDataRefIds = new ArrayList();
+ private String bodyEncrDataId;
+
+ public ValidatorData(RampartMessageData rmd) {
+ this.rmd = rmd;
+ this.extractEncryptedPartInformation();
+ }
+
+ private void extractEncryptedPartInformation() {
+ Node start = rmd.getDocument().getDocumentElement();
+ while(start != null) {
+ Element elem = (Element) WSSecurityUtil.findElement(start,
+ EncryptionConstants._TAG_ENCRYPTEDDATA, WSConstants.ENC_NS);
+ if(elem != null) {
+ Element parentElem = (Element)elem.getParentNode();
+ if(parentElem != null && parentElem.getLocalName().equals(SOAP11Constants.BODY_LOCAL_NAME) &&
+ parentElem.getNamespaceURI().equals(rmd.getSoapConstants().getEnvelopeURI())) {
+ this.bodyEncrDataId = elem.getAttribute("Id");
+ } else {
+ encryptedDataRefIds.add(elem.getAttribute("Id"));
+ }
+
+ if(elem.getNextSibling() != null) {
+ start = elem.getNextSibling();
+ } else {
+ start = elem.getParentNode().getNextSibling();
+ }
+ } else {
+ if(start.getNextSibling() != null) {
+ start = start.getNextSibling();
+ } else {
+ start = start.getParentNode().getNextSibling();
+ }
+ }
+
+ }
+
+ }
+
+ public ArrayList getEncryptedDataRefIds() {
+ return encryptedDataRefIds;
+ }
+
+ public RampartMessageData getRampartMessageData() {
+ return rmd;
+ }
+
+ public String getBodyEncrDataId() {
+ return bodyEncrDataId;
+ }
+
+}
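Review bot: The body test in extractEncryptedPartInformation calls `parentElem.getNamespaceURI().equals(...)` on an element that may have no namespace, so an unqualified parent element makes the walk throw NullPointerException; reversing the comparison to `rmd.getSoapConstants().getEnvelopeURI().equals(parentElem.getNamespaceURI())` avoids that, and `getLocalName()` has the same null case for DOM Level 1 nodes. The walk climbs only one level when a node is the last child (`start.getParentNode().getNextSibling()`), so when both an element and its parent are last children the loop stops before the rest of the envelope has been inspected; it looks like the intent is a full pre-order traversal, and a small helper that climbs ancestors until a next sibling (or a null parent) is found would make that explicit. `encryptedDataRefIds` is a package-private mutable field handed out by a getter; `private final` plus an unmodifiable view would match the rest of the class. A one-line class Javadoc stating that this object is a snapshot of EncryptedData ids taken from the envelope as received, which appears to be why it is built before the security engine runs, would help the next reader.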
Modified: webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/builder/AsymmetricBindingBuilder.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/builder/AsymmetricBindingBuilder.java?view=diff&rev=477992&r1=477991&r2=477992
==============================================================================
--- webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/builder/AsymmetricBindingBuilder.java (original)
+++ webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/builder/AsymmetricBindingBuilder.java Tue Nov 21 16:51:25 2006
@@ -62,6 +62,10 @@
private Vector signatureValues = new Vector();
private Element encrTokenElement;
+
+ private Element sigDKTElement;
+
+ private Element encrDKTElement;
private Vector sigParts = new Vector();
@@ -122,7 +126,8 @@
dkEncr.prepare(doc);
// Get and add the DKT element
- encrDKTokenElem = RampartUtil.appendChildToSecHeader(rmd, dkEncr.getdktElement());
+ this.encrDKTElement = dkEncr.getdktElement();
+ encrDKTokenElem = RampartUtil.appendChildToSecHeader(rmd, this.encrDKTElement);
refList = dkEncr.encryptForExternalRef(null, encrParts);
@@ -341,14 +346,20 @@
dkEncr.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
dkEncr.setSymmetricEncAlgorithm(rpd.getAlgorithmSuite().getEncryption());
dkEncr.prepare(doc);
- Element encrDKTokenElem = null;
- encrDKTokenElem = dkEncr.getdktElement();
- RampartUtil.insertSiblingAfter(rmd, this.encrTokenElement, encrDKTokenElem);
+
+
+ if(this.encrTokenElement != null) {
+ this.encrDKTElement = RampartUtil.insertSiblingAfter(
+ rmd, this.encrTokenElement, dkEncr.getdktElement());
+ } else {
+ this.encrDKTElement = RampartUtil.insertSiblingBefore(
+ rmd, this.sigDKTElement, dkEncr.getdktElement());
+ }
refList = dkEncr.encryptForExternalRef(null, encrParts);
RampartUtil.insertSiblingAfter(rmd,
- encrDKTokenElem,
+ this.encrDKTElement,
refList);
} catch (WSSecurityException e) {
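Review bot: The new else branch anchors the derived-key token on `this.sigDKTElement`, but that field is only assigned in the signing path (the hunk at line 458); if neither `encrTokenElement` nor `sigDKTElement` has been set when this code runs, `insertSiblingBefore` receives a null anchor, and what it does with that is not visible here. A guard such as `if (this.sigDKTElement == null) { throw new RampartException("<placeholder-key>"); }` (or a comment stating why the field is guaranteed non-null at this point) would make the assumption explicit. In the hunk at line 458 the added line containing only `;` is an empty statement and should be dropped. The enclosing method starts and ends outside the hunk.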
@@ -447,9 +458,11 @@
// Do signature
dkSign.computeSignature();
+ ;
// Add elements to header
- this.setInsertionLocation(RampartUtil.insertSiblingAfter(rmd,
- this.getInsertionLocation(), dkSign.getdktElement()));
+ this.sigDKTElement = RampartUtil.insertSiblingAfter(rmd,
+ this.getInsertionLocation(), dkSign.getdktElement());
+ this.setInsertionLocation(this.sigDKTElement);
this.setInsertionLocation(RampartUtil.insertSiblingAfter(rmd,
this.getInsertionLocation(), dkSign
Modified: webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/errors.properties
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/errors.properties?view=diff&rev=477992&r1=477991&r2=477992
==============================================================================
--- webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/errors.properties (original)
+++ webservices/axis2/trunk/java/modules/security/src/org/apache/rampart/errors.properties Tue Nov 21 16:51:25 2006
@@ -72,3 +72,9 @@
noCertForAlias = Could not get certificates for alias {0}
certPathVerificationFailed = Certificate path verification failed for certificate with subject
+#Rampart Results Validation Errors
+timestampMissing = Missing Timestamp
+encryptedPartMissing = Missing encryption result for id : {0}
+invalidNumberOfEncryptedParts = Invalid number of encrypted parts
+protectionOrderMismatch = Protection order mismatch
+usernameTokenMissing = UsernameToken missing in request
\ No newline at end of file
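Review bot: `invalidNumberOfEncryptedParts` has no `{0}` placeholder, yet PolicyBasedResultsValidator raises it with `new String[]{Integer.toString(refCount)}`, so the expected count is silently dropped from the fault; `invalidNumberOfEncryptedParts = Invalid number of encrypted parts, expected {0}` would surface it. The file now ends without a trailing newline, which is worth restoring.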