Posted to commits@cxf.apache.org by as...@apache.org on 2013/09/29 20:55:52 UTC
svn commit: r1527385 - in /cxf/trunk/services/xkms:
xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/
xkms-common/src/main/java/org/apache/cxf/xkms/crypto/
Author: ashakirin
Date: Sun Sep 29 18:55:52 2013
New Revision: 1527385
URL: http://svn.apache.org/r1527385
Log:
XKMSCrypto: Introduced allowX509FromJKS property, simplified XKMSCryptoProvider implementation
Modified:
cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProvider.java
cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProviderFactory.java
cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/crypto/CryptoProviderFactory.java
Modified: cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProvider.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProvider.java?rev=1527385&r1=1527384&r2=1527385&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProvider.java (original)
+++ cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProvider.java Sun Sep 29 18:55:52 2013
@@ -46,24 +46,31 @@ public class XkmsCryptoProvider extends
private static final Logger LOG = LogUtils.getL7dLogger(XkmsCryptoProvider.class);
private final XKMSInvoker xkmsInvoker;
- private Crypto defaultCrypto;
+ private Crypto fallbackCrypto;
private XKMSClientCache xkmsClientCache;
+ private boolean allowX509FromJKS = true;
public XkmsCryptoProvider(XKMSPortType xkmsConsumer) {
this(xkmsConsumer, null);
}
- public XkmsCryptoProvider(XKMSPortType xkmsConsumer, Crypto defaultCrypto) {
- this(xkmsConsumer, defaultCrypto, new EHCacheXKMSClientCache());
+ public XkmsCryptoProvider(XKMSPortType xkmsConsumer, Crypto fallbackCrypto) {
+ this(xkmsConsumer, fallbackCrypto, new EHCacheXKMSClientCache(), true);
}
- public XkmsCryptoProvider(XKMSPortType xkmsConsumer, Crypto defaultCrypto, XKMSClientCache xkmsClientCache) {
+ public XkmsCryptoProvider(XKMSPortType xkmsConsumer, Crypto fallbackCrypto, boolean allowX509FromJKS) {
+ this(xkmsConsumer, fallbackCrypto, new EHCacheXKMSClientCache(), allowX509FromJKS);
+ }
+
+ public XkmsCryptoProvider(XKMSPortType xkmsConsumer, Crypto fallbackCrypto,
+ XKMSClientCache xkmsClientCache, boolean allowX509FromJKS) {
if (xkmsConsumer == null) {
throw new IllegalArgumentException("xkmsConsumer may not be null");
}
this.xkmsInvoker = new XKMSInvoker(xkmsConsumer);
- this.defaultCrypto = defaultCrypto;
+ this.fallbackCrypto = fallbackCrypto;
this.xkmsClientCache = xkmsClientCache;
+ this.allowX509FromJKS = allowX509FromJKS;
}
@Override
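Review bot: The new field `allowX509FromJKS` and the two constructors that take it carry no documentation, so the security-relevant precedence it controls (elsewhere in this commit a local hit in fallbackCrypto is returned without XKMS being asked) is invisible at the API. Suggest a field comment such as `/** When true and fallbackCrypto is set, X509 lookups consult the local Crypto first and a local hit is returned without querying XKMS. Private-key and identifier operations always use fallbackCrypto. */`. The initializer `= true` is redundant because every constructor chains into the four-argument one, which assigns the field; keeping the default in one place (the two-argument constructor's `true`) avoids two values drifting apart. The name is also narrower than the effect, since fallbackCrypto is any WSS4J Crypto, not necessarily a JKS-backed one.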
@@ -73,9 +80,9 @@ public class XkmsCryptoProvider extends
.format("XKMS Runtime: getting public certificate for alias: %s; issuer: %s; subjectDN: %s",
cryptoType.getAlias(), cryptoType.getIssuer(), cryptoType.getSubjectDN()));
}
- X509Certificate[] certs = getX509CertificatesInternal(cryptoType);
+ X509Certificate[] certs = getX509(cryptoType);
if (certs == null) {
- LOG.severe(String
+ LOG.warning(String
.format(
"Cannot find certificate for alias: %s, issuer: %s; subjectDN: %s",
cryptoType.getAlias(), cryptoType.getIssuer(), cryptoType.getSubjectDN()));
@@ -86,20 +93,20 @@ public class XkmsCryptoProvider extends
@Override
public String getX509Identifier(X509Certificate cert) throws WSSecurityException {
assertDefaultCryptoProvider();
- return defaultCrypto.getX509Identifier(cert);
+ return fallbackCrypto.getX509Identifier(cert);
}
@Override
public PrivateKey getPrivateKey(X509Certificate certificate, CallbackHandler callbackHandler)
throws WSSecurityException {
assertDefaultCryptoProvider();
- return defaultCrypto.getPrivateKey(certificate, callbackHandler);
+ return fallbackCrypto.getPrivateKey(certificate, callbackHandler);
}
@Override
public PrivateKey getPrivateKey(String identifier, String password) throws WSSecurityException {
assertDefaultCryptoProvider();
- return defaultCrypto.getPrivateKey(identifier, password);
+ return fallbackCrypto.getPrivateKey(identifier, password);
}
@Override
@@ -144,66 +151,44 @@ public class XkmsCryptoProvider extends
}
private void assertDefaultCryptoProvider() {
- if (defaultCrypto == null) {
+ if (fallbackCrypto == null) {
throw new UnsupportedOperationException("Not supported by this crypto provider");
}
}
- private X509Certificate[] getX509CertificatesInternal(CryptoType cryptoType) {
- CryptoType.TYPE type = cryptoType.getType();
- if (type == TYPE.SUBJECT_DN) {
- return getX509CertificatesFromXKMS(Applications.PKIX, cryptoType.getSubjectDN());
- } else if (type == TYPE.ALIAS) {
- return getX509CertificatesFromXKMS(cryptoType);
- } else if (type == TYPE.ISSUER_SERIAL) {
- // Try local Crypto first
+ private X509Certificate[] getX509(CryptoType cryptoType) {
+ // Try to get X509 certificate from local keystore if it is configured
+ if (allowX509FromJKS && (fallbackCrypto != null)) {
X509Certificate[] localCerts = getCertificateLocally(cryptoType);
- if (localCerts != null) {
+ if ((localCerts != null) && localCerts.length > 0) {
return localCerts;
}
+ }
+ CryptoType.TYPE type = cryptoType.getType();
+ if (type == TYPE.SUBJECT_DN) {
+ return getX509FromXKMSByID(Applications.PKIX, cryptoType.getSubjectDN());
- String key = getKeyForIssuerSerial(cryptoType.getIssuer(), cryptoType.getSerial());
- // Try local cache next
- if (xkmsClientCache != null) {
- XKMSCacheToken cachedToken = xkmsClientCache.get(key);
- if (cachedToken != null && cachedToken.getX509Certificate() != null) {
- return new X509Certificate[] {cachedToken.getX509Certificate()};
- }
+ } else if (type == TYPE.ALIAS) {
+ Applications appId = null;
+ boolean isServiceName = isServiceName(cryptoType);
+ if (!isServiceName) {
+ appId = Applications.PKIX;
+ } else {
+ appId = Applications.SERVICE_SOAP;
}
- // Now ask the XKMS Service
- X509Certificate certificate = xkmsInvoker.getCertificateForIssuerSerial(cryptoType
- .getIssuer(), cryptoType.getSerial());
+ return getX509FromXKMSByID(appId, cryptoType.getAlias());
- // Store in the cache
- storeCertificateInCache(certificate, key, false);
-
- return new X509Certificate[] {
- certificate
- };
+ } else if (type == TYPE.ISSUER_SERIAL) {
+ return getX509FromXKMSByIssuerSerial(cryptoType.getIssuer(), cryptoType.getSerial());
}
throw new IllegalArgumentException("Unsupported type " + type);
}
- private X509Certificate[] getX509CertificatesFromXKMS(CryptoType cryptoType) {
- Applications appId = null;
- boolean isServiceName = isServiceName(cryptoType);
- if (!isServiceName) {
- X509Certificate[] localCerts = getCertificateLocally(cryptoType);
- if (localCerts != null) {
- return localCerts;
- }
- appId = Applications.PKIX;
- } else {
- appId = Applications.SERVICE_SOAP;
- }
- return getX509CertificatesFromXKMS(appId, cryptoType.getAlias());
- }
-
- private X509Certificate[] getX509CertificatesFromXKMS(Applications application, String id) {
+ private X509Certificate[] getX509FromXKMSByID(Applications application, String id) {
LOG.fine(String.format("Getting public certificate from XKMS for application:%s; id: %s",
application, id));
if (id == null) {
- throw new CryptoProviderException("Id is not specified for certificate request");
+ throw new IllegalArgumentException("Id is not specified for certificate request");
}
// Try local cache first
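Review bot: In getX509 the local-keystore lookup now runs before the XKMS query for every CryptoType, including SUBJECT_DN and service-name ALIAS lookups that the removed code always sent to XKMS, so with the default allowX509FromJKS=true any certificate present in fallbackCrypto shadows whatever the XKMS service would return for the same subject or alias. That turns the local keystore into an override of the XKMS answer: a stale or superseded entry there is never refreshed from XKMS, and nothing in the hunk distinguishes a trust anchor or own key from a previously imported peer certificate. If that precedence is intended it should be stated on the property and in the XKMS client documentation; otherwise limit the local-first path to the cases the old code covered (ALIAS that is not a service name, and ISSUER_SERIAL) and keep SUBJECT_DN and service-name lookups on XKMS. Separately, getX509FromXKMSByID now throws IllegalArgumentException instead of CryptoProviderException for a null id, which is a visible change for callers that catch the latter.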
@@ -225,6 +210,29 @@ public class XkmsCryptoProvider extends
};
}
+ private X509Certificate[] getX509FromXKMSByIssuerSerial(String issuer, BigInteger serial) {
+ LOG.fine(String.format("Getting public certificate from XKMS for issuer:%s; serial: %x",
+ issuer, serial));
+
+ String key = getKeyForIssuerSerial(issuer, serial);
+ // Try local cache first
+ if (xkmsClientCache != null) {
+ XKMSCacheToken cachedToken = xkmsClientCache.get(key);
+ if (cachedToken != null && cachedToken.getX509Certificate() != null) {
+ return new X509Certificate[] {cachedToken.getX509Certificate()};
+ }
+ }
+ // Now ask the XKMS Service
+ X509Certificate certificate = xkmsInvoker.getCertificateForIssuerSerial(issuer, serial);
+
+ // Store in the cache
+ storeCertificateInCache(certificate, key, false);
+
+ return new X509Certificate[] {
+ certificate
+ };
+ }
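Review bot: getX509FromXKMSByIssuerSerial wraps the XKMS result in an array without checking it, so if xkmsInvoker.getCertificateForIssuerSerial returns null on a miss (its contract is outside this hunk) the caller receives a one-element array holding null, which passes the `certs == null` check in getX509Certificates and is also handed to storeCertificateInCache. Suggest `if (certificate == null) { return null; }` between the invoker call and the cache store, matching how a local miss is reported. The cached token is likewise returned without any validity check on the certificate, so an expired or since-revoked certificate is served for as long as the cache keeps it unless the cache entries expire on their own; worth stating on the method.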
+
/**
* Try to get certificate locally. First try using the supplied CryptoType. If this
* does not work, and if the supplied CryptoType is a ALIAS, then try again with SUBJECT_DN
@@ -235,14 +243,14 @@ public class XkmsCryptoProvider extends
*/
private X509Certificate[] getCertificateLocally(CryptoType cryptoType) {
// This only applies if we've configured a local Crypto instance...
- if (defaultCrypto == null) {
+ if (fallbackCrypto == null) {
return null;
}
// First try using the supplied CryptoType instance
X509Certificate[] localCerts = null;
try {
- localCerts = defaultCrypto.getX509Certificates(cryptoType);
+ localCerts = fallbackCrypto.getX509Certificates(cryptoType);
} catch (Exception e) {
LOG.info("Certificate is not found in local keystore using desired CryptoType: "
+ cryptoType.getType().name());
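Review bot: getCertificateLocally catches `Exception` from fallbackCrypto.getX509Certificates and reports it as a plain INFO line without the throwable, so a keystore that fails to open or a provider error is indistinguishable in the logs from a genuine not-found, and now that allowX509FromJKS routes every lookup through this method first, such a failure silently falls through to XKMS. Suggest attaching the exception, e.g. `LOG.log(java.util.logging.Level.FINE, "Local lookup failed for CryptoType " + cryptoType.getType().name(), e);` next to the existing INFO message, or narrowing the catch to WSSecurityException so programming errors still surface. The method continues past the end of this hunk.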
@@ -256,7 +264,7 @@ public class XkmsCryptoProvider extends
newCryptoType.setSubjectDN(cryptoType.getAlias());
try {
- localCerts = defaultCrypto.getX509Certificates(newCryptoType);
+ localCerts = fallbackCrypto.getX509Certificates(newCryptoType);
} catch (Exception e) {
LOG.info("Certificate is not found in local keystore and will be requested from "
+ "XKMS (first trying the cache): " + cryptoType.getAlias());
Modified: cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProviderFactory.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProviderFactory.java?rev=1527385&r1=1527384&r2=1527385&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProviderFactory.java (original)
+++ cxf/trunk/services/xkms/xkms-client/src/main/java/org/apache/cxf/xkms/crypto/impl/XkmsCryptoProviderFactory.java Sun Sep 29 18:55:52 2013
@@ -70,4 +70,9 @@ public class XkmsCryptoProviderFactory i
public Crypto create(XKMSPortType xkmsClient, Crypto fallbackCrypto) {
return new XkmsCryptoProvider(xkmsClient, fallbackCrypto);
}
+
+ @Override
+ public Crypto create(XKMSPortType xkmsClient, Crypto fallbackCrypto, boolean allowX509FromJKS) {
+ return new XkmsCryptoProvider(xkmsClient, fallbackCrypto, allowX509FromJKS);
+ }
}
Modified: cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/crypto/CryptoProviderFactory.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/crypto/CryptoProviderFactory.java?rev=1527385&r1=1527384&r2=1527385&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/crypto/CryptoProviderFactory.java (original)
+++ cxf/trunk/services/xkms/xkms-common/src/main/java/org/apache/cxf/xkms/crypto/CryptoProviderFactory.java Sun Sep 29 18:55:52 2013
@@ -56,4 +56,15 @@ public interface CryptoProviderFactory {
* @return
*/
Crypto create(XKMSPortType xkmsClient, Crypto fallbackCrypto);
+
+ /**
+ * Create with overridden XKMSPortType, fallbackCrypto and control of getting X509 from local keystore
+ *
+ * @param xkmsClient
+ * @param fallbackCrypto
+ * @param allowX509FromJKS
+ * @return
+ */
+ Crypto create(XKMSPortType xkmsClient, Crypto fallbackCrypto, boolean allowX509FromJKS);
+
}
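Review bot: The new Javadoc on create(XKMSPortType, Crypto, boolean) leaves `@param allowX509FromJKS` and `@return` without text, so the precedence the flag controls is undocumented at the interface that most callers will use. Suggest `@param allowX509FromJKS if true, certificates are looked up in fallbackCrypto first and a local hit is returned without querying XKMS; if false, fallbackCrypto is used only for private keys and identifiers` and `@return a Crypto that resolves certificates through the XKMS service`. As far as this commit shows, fallbackCrypto may be any Crypto implementation, so the JKS in the name is narrower than the parameter's effect.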