Posted to commits@cxf.apache.org by as...@apache.org on 2014/01/06 16:03:42 UTC
svn commit: r1555845 - in /cxf/trunk/services/xkms:
xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/
xkms-common/src/main/java/org/apache/cxf/xkms/handlers/
xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/
xkms-osgi/sr...
Author: ashakirin
Date: Mon Jan 6 15:03:42 2014
New Revision: 1555845
URL: http://svn.apache.org/r1555845
Log:
[CXF-5482]: XKMS: provide direct trust validator
Added:
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/DirectTrustValidator.java
Modified:
cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XKMSInvoker.java
cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/handlers/XKMSConstants.java
cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/ValidatorTest.java
cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml
cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-endpoint.xml
cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-key-handlers.xml
Modified: cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XKMSInvoker.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XKMSInvoker.java?rev=1555845&r1=1555844&r2=1555845&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XKMSInvoker.java (original)
+++ cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XKMSInvoker.java Mon Jan 6 15:03:42 2014
@@ -40,6 +40,7 @@ import org.apache.cxf.xkms.exception.XKM
import org.apache.cxf.xkms.handlers.Applications;
import org.apache.cxf.xkms.handlers.XKMSConstants;
import org.apache.cxf.xkms.model.xkms.KeyBindingEnum;
+import org.apache.cxf.xkms.model.xkms.KeyUsageEnum;
import org.apache.cxf.xkms.model.xkms.LocateRequestType;
import org.apache.cxf.xkms.model.xkms.LocateResultType;
import org.apache.cxf.xkms.model.xkms.MessageAbstractType;
@@ -110,8 +111,20 @@ class XKMSInvoker {
}
public boolean validateCertificate(X509Certificate cert) {
+ return checkCertificateValidity(cert, false);
+ }
+
+ public boolean validateDirectTrustCertificate(X509Certificate cert) {
+ return checkCertificateValidity(cert, true);
+ }
+
+ protected boolean checkCertificateValidity(X509Certificate cert, boolean directTrust) {
try {
ValidateRequestType validateRequestType = prepareValidateXKMSRequest(cert);
+ if (directTrust) {
+ validateRequestType.getQueryKeyBinding().getKeyUsage()
+ .add(KeyUsageEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_SIGNATURE);
+ }
ValidateResultType validateResultType = xkmsConsumer.validate(validateRequestType);
String id = cert.getSubjectDN().getName();
CertificateValidationResult result = parseValidateXKMSResponse(validateResultType, id);
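Review bot: The new public `validateDirectTrustCertificate` and the protected `checkCertificateValidity` carry no Javadoc, and nothing at the call site says what the `directTrust` flag does on the wire — it is expressed only as an extra Signature key usage on the query key binding, which the server side presumably matches in the DirectTrustValidator added by this commit. A caller reading the client API cannot tell that from the method names. Suggested Javadoc on `checkCertificateValidity`: `/** Validates {@code cert} through the XKMS service; when {@code directTrust} is set the request additionally carries the Signature key usage, which the service interprets as a request to check the certificate itself against its repository. */`. The body of `checkCertificateValidity` continues outside the hunk, so whether a null `getQueryKeyBinding()` from `prepareValidateXKMSRequest` is possible cannot be judged here.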
Modified: cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/handlers/XKMSConstants.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/handlers/XKMSConstants.java?rev=1555845&r1=1555844&r2=1555845&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/handlers/XKMSConstants.java (original)
+++ cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/handlers/XKMSConstants.java Mon Jan 6 15:03:42 2014
@@ -20,6 +20,7 @@ package org.apache.cxf.xkms.handlers;
public final class XKMSConstants {
public static final String XKMS_ENDPOINT_NAME = "http://cxf.apache.org/services/XKMS/";
+ public static final String DIRECT_TRUST_VALIDATION = "http://cxf.apache.org/xkms#DirectTrust";
private XKMSConstants() {
}
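Review bot: `DIRECT_TRUST_VALIDATION` is emitted verbatim as a reason string in XKMS responses, yet the constant has no Javadoc saying which reason list it lands in or what it means. A one-line comment would spare readers a trip to the validator: `/** Reason URI added by DirectTrustValidator: in ValidReason when the presented certificate is itself held in the repository, in InvalidReason when it is not. */`.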
Modified: cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/ValidatorTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/ValidatorTest.java?rev=1555845&r1=1555844&r2=1555845&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/ValidatorTest.java (original)
+++ cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/ValidatorTest.java Mon Jan 6 15:03:42 2014
@@ -31,6 +31,7 @@ import javax.xml.bind.JAXBException;
import org.apache.cxf.xkms.handlers.XKMSConstants;
import org.apache.cxf.xkms.itests.BasicIntegrationTest;
import org.apache.cxf.xkms.model.xkms.KeyBindingEnum;
+import org.apache.cxf.xkms.model.xkms.KeyUsageEnum;
import org.apache.cxf.xkms.model.xkms.MessageAbstractType;
import org.apache.cxf.xkms.model.xkms.QueryKeyBindingType;
import org.apache.cxf.xkms.model.xkms.ReasonEnum;
@@ -122,6 +123,36 @@ public class ValidatorTest extends Basic
.getInvalidReason().get(0));
}
+ @Test
+ public void testDaveDirectTrust() throws JAXBException, CertificateException {
+ X509Certificate daveCertificate = readCertificate("dave.cer");
+ ValidateRequestType request = prepareValidateXKMSRequest(daveCertificate);
+ request.getQueryKeyBinding().getKeyUsage().add(KeyUsageEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_SIGNATURE);
+ StatusType result = doValidate(request);
+
+ Assert.assertEquals(KeyBindingEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_VALID, result.getStatusValue());
+ Assert.assertFalse(result.getValidReason().isEmpty());
+ Assert.assertEquals(ReasonEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_VALIDITY_INTERVAL.value(), result
+ .getValidReason().get(0));
+ Assert.assertEquals(ReasonEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_ISSUER_TRUST.value(), result
+ .getValidReason().get(1));
+ Assert.assertEquals(XKMSConstants.DIRECT_TRUST_VALIDATION, result
+ .getValidReason().get(2));
+ }
+
+ @Test
+ public void testWss40DirectTrustNegative() throws JAXBException, CertificateException {
+ X509Certificate wss40Certificate = readCertificate("wss40.cer");
+ ValidateRequestType request = prepareValidateXKMSRequest(wss40Certificate);
+ request.getQueryKeyBinding().getKeyUsage().add(KeyUsageEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_SIGNATURE);
+ StatusType result = doValidate(request);
+
+ Assert.assertEquals(KeyBindingEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_INVALID, result.getStatusValue());
+ Assert.assertFalse(result.getInvalidReason().isEmpty());
+ Assert.assertEquals(XKMSConstants.DIRECT_TRUST_VALIDATION, result
+ .getInvalidReason().get(0));
+ }
+
/*
* Method is taken from {@link org.apache.cxf.xkms.client.XKMSInvokder}.
*/
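Review bot: `testDaveDirectTrust` pins the exact positions of the three valid reasons (`get(0)`, `get(1)`, `get(2)`), so it asserts the order in which validators happen to be chained in the itest configuration rather than the property under test; a reordering of the validator list would fail this test without any change in behaviour. Asserting presence, `Assert.assertTrue(result.getValidReason().contains(XKMSConstants.DIRECT_TRUST_VALIDATION));`, gives the same assurance without that coupling; the same applies to `testWss40DirectTrustNegative`, where `get(0)` on the invalid reasons likewise depends on the direct-trust validator being the only one that rejects wss40. The enclosing test class continues outside the hunk.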
Modified: cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml?rev=1555845&r1=1555844&r2=1555845&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml (original)
+++ cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml Mon Jan 6 15:03:42 2014
@@ -58,6 +58,9 @@
<argument ref="certificateRepo"/>
<property name="enableRevocation" value="${xkms.enableRevocation}"/>
</bean>
+ <bean id="directTrustValidator" class="org.apache.cxf.xkms.x509.validator.DirectTrustValidator">
+ <argument ref="certificateRepo"/>
+ </bean>
<bean id="x509Locator" class="org.apache.cxf.xkms.x509.handlers.X509Locator">
<argument ref="certificateRepo"/>
</bean>
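Review bot: The `directTrustValidator` bean is wired in with no configuration knob, whereas its sibling `trustedAuthorityValidator` just above reads `${xkms.enableRevocation}`; once deployed, a service operator cannot switch direct-trust checking off without editing the blueprint, and the same holds for the WAR wiring in xkms-endpoint.xml and xkms-key-handlers.xml. If opting out is expected, the validator would need a property analogous to the sibling's. If it is not, a short XML comment above the bean noting that the validator only acts on requests whose query key binding carries the Signature key usage would tell operators what they are enabling.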
@@ -71,6 +74,7 @@
<list>
<ref component-id="dateValidator"/>
<ref component-id="trustedAuthorityValidator"/>
+ <ref component-id="directTrustValidator"/>
</list>
</property>
<property name="locators">
Modified: cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-endpoint.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-endpoint.xml?rev=1555845&r1=1555844&r2=1555845&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-endpoint.xml (original)
+++ cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-endpoint.xml Mon Jan 6 15:03:42 2014
@@ -28,6 +28,7 @@
<list>
<ref bean="dateValidator"/>
<ref bean="trustedAuthorityValidator"/>
+ <ref bean="directTrustValidator"/>
</list>
</property>
<property name="locators">
Modified: cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-key-handlers.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-key-handlers.xml?rev=1555845&r1=1555844&r2=1555845&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-key-handlers.xml (original)
+++ cxf/trunk/services/xkms/xkms-war/src/main/webapp/WEB-INF/xkms-key-handlers.xml Mon Jan 6 15:03:42 2014
@@ -14,6 +14,9 @@
<bean id="trustedAuthorityValidator" class="org.apache.cxf.xkms.x509.validator.TrustedAuthorityValidator">
<constructor-arg ref="certificateRepo"/>
</bean>
+ <bean id="directTrustValidator" class="org.apache.cxf.xkms.x509.validator.DirectTrustValidator">
+ <constructor-arg ref="certificateRepo"/>
+ </bean>
<bean id="x509Locator" class="org.apache.cxf.xkms.x509.handlers.X509Locator">
<constructor-arg ref="certificateRepo"/>
</bean>
Added: cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/DirectTrustValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/DirectTrustValidator.java?rev=1555845&view=auto
==============================================================================
--- cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/DirectTrustValidator.java (added)
+++ cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/DirectTrustValidator.java Mon Jan 6 15:03:42 2014
@@ -0,0 +1,86 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.xkms.x509.validator;
+
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.logging.Logger;
+
+import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.xkms.handlers.Validator;
+import org.apache.cxf.xkms.handlers.XKMSConstants;
+import org.apache.cxf.xkms.model.xkms.KeyBindingEnum;
+import org.apache.cxf.xkms.model.xkms.KeyUsageEnum;
+import org.apache.cxf.xkms.model.xkms.StatusType;
+import org.apache.cxf.xkms.model.xkms.ValidateRequestType;
+import org.apache.cxf.xkms.x509.repo.CertificateRepo;
+
+public class DirectTrustValidator implements Validator {
+
+ private static final Logger LOG = LogUtils.getL7dLogger(DirectTrustValidator.class);
+
+ private CertificateRepo certRepo;
+
+ public DirectTrustValidator(CertificateRepo certRepo) {
+ this.certRepo = certRepo;
+ }
+
+ /**
+ * Checks if a certificate is located in XKMS storage.
+ *
+ * @param certificate to check
+ * @return true if certificate is found
+ */
+ public boolean isCertificateInRepo(X509Certificate certificate) {
+ X509Certificate findCert = certRepo.findBySubjectDn(certificate.getSubjectDN().getName());
+ return findCert != null;
+ }
+
+ @Override
+ public StatusType validate(ValidateRequestType request) {
+ StatusType status = new StatusType();
+
+ if (request.getQueryKeyBinding() != null) {
+ List<KeyUsageEnum> keyUsages = request.getQueryKeyBinding().getKeyUsage();
+ if (keyUsages.contains(KeyUsageEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_SIGNATURE)) {
+ List<X509Certificate> certificates = ValidateRequestParser.parse(request);
+ if (certificates == null || certificates.isEmpty()) {
+ status.setStatusValue(KeyBindingEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_INDETERMINATE);
+ status.getIndeterminateReason().add("http://www.cxf.apache.org/2002/03/xkms#RequestNotSupported");
+ return status;
+ }
+ for (X509Certificate certificate : certificates) {
+ if (!isCertificateInRepo(certificate)) {
+ LOG.warning("Certificate is not found in XKMS repo and is not directly trusted: "
+ + certificate.getSubjectDN().getName());
+ status.getInvalidReason().add(XKMSConstants.DIRECT_TRUST_VALIDATION);
+ status.setStatusValue(KeyBindingEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_INVALID);
+ return status;
+ }
+ }
+ status.getValidReason().add(XKMSConstants.DIRECT_TRUST_VALIDATION);
+ }
+ }
+
+ status.setStatusValue(KeyBindingEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_VALID);
+
+ return status;
+ }
+}
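Review bot: `isCertificateInRepo` decides trust on a subject-DN lookup alone and never compares the certificate the repository returned with the one presented, so any certificate whose subject name matches a stored entry — a name the presenter chooses freely in a self-signed certificate — is reported as directly trusted. The check should require the stored certificate to be the presented one, `return findCert != null && findCert.equals(certificate);` (X509Certificate.equals compares the encoded form), assuming `findBySubjectDn` returns the stored certificate rather than a stub; the Javadoc of the method should then say "found and identical to the presented certificate". Separately, `getSubjectDN()` is deprecated in favour of `getSubjectX500Principal().getName()`, which also gives a stable RFC 2253 form for the repository key and the log line, and `certRepo` can be `private final`. When the request carries no Signature key usage the method returns VALID with no reason at all; if the chaining code treats a bare VALID as a positive vote that is worth a comment at the end of `validate`, since the validator has not looked at the certificate in that case.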