Posted to wss4j-dev@ws.apache.org by co...@apache.org on 2009/05/22 13:31:29 UTC
svn commit: r777480 - in /webservices/wss4j/trunk:
src/org/apache/ws/security/components/crypto/ test/ test/wssec/
Author: coheigea
Date: Fri May 22 11:31:29 2009
New Revision: 777480
URL: http://svn.apache.org/viewvc?rev=777480&view=rev
Log:
[WSS-184] - Added configuration to change the truststore
- The configuration options are "org.apache.ws.security.crypto.merlin.truststore." "file|password|type"
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/AbstractCrypto.java
webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java
webservices/wss4j/trunk/test/crypto.properties
webservices/wss4j/trunk/test/wss40.properties
webservices/wss4j/trunk/test/wss40CA.properties
webservices/wss4j/trunk/test/wss40badca.properties
webservices/wss4j/trunk/test/wss40badcatrust.properties
webservices/wss4j/trunk/test/wss86.properties
webservices/wss4j/trunk/test/wssec/TestWSSecurityUTDK.java
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/AbstractCrypto.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/AbstractCrypto.java?rev=777480&r1=777479&r2=777480&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/AbstractCrypto.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/AbstractCrypto.java Fri May 22 11:31:29 2009
@@ -40,6 +40,44 @@
*/
public abstract class AbstractCrypto extends CryptoBase {
+ /*
+ * Deprecated types
+ */
+ public static final String OLD_KEYSTORE_FILE =
+ "org.apache.ws.security.crypto.merlin.file";
+ public static final String OLD_CRYPTO_PROVIDER =
+ "org.apache.ws.security.crypto.merlin.keystore.provider";
+
+ /*
+ * Crypto provider
+ */
+ public static final String CRYPTO_PROVIDER =
+ "org.apache.ws.security.crypto.merlin.crypto.provider";
+
+ /*
+ * KeyStore configuration types
+ */
+ public static final String KEYSTORE_FILE =
+ "org.apache.ws.security.crypto.merlin.keystore.file";
+ public static final String KEYSTORE_PASSWORD =
+ "org.apache.ws.security.crypto.merlin.keystore.password";
+ public static final String KEYSTORE_TYPE =
+ "org.apache.ws.security.crypto.merlin.keystore.type";
+ public static final String KEYSTORE_ALIAS =
+ "org.apache.ws.security.crypto.merlin.keystore.alias";
+
+ /*
+ * TrustStore configuration types
+ */
+ public static final String LOAD_CA_CERTS =
+ "org.apache.ws.security.crypto.merlin.load.cacerts";
+ public static final String TRUSTSTORE_FILE =
+ "org.apache.ws.security.crypto.merlin.truststore.file";
+ public static final String TRUSTSTORE_PASSWORD =
+ "org.apache.ws.security.crypto.merlin.truststore.password";
+ public static final String TRUSTSTORE_TYPE =
+ "org.apache.ws.security.crypto.merlin.truststore.type";
+
private static final Log log = LogFactory.getLog(AbstractCrypto.class.getName());
private static final boolean doDebug = log.isDebugEnabled();
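Review bot: The two constants under the `/* Deprecated types */` block comment carry no Javadoc, so nothing tells an API user which key replaced them or flags the usage in the IDE. A Javadoc tag on each would do it, e.g. `/** @deprecated use {@link #KEYSTORE_FILE} instead */` above `OLD_KEYSTORE_FILE` and `/** @deprecated use {@link #CRYPTO_PROVIDER} instead */` above `OLD_CRYPTO_PROVIDER`; the tag works on any Java version, whereas the `@Deprecated` annotation would need Java 5. The same block would also be the place to record that `KEYSTORE_PASSWORD` and `TRUSTSTORE_PASSWORD` have built-in defaults (`"security"` and `"changeit"` in the constructor below), since a deployer reading the constants alone cannot see that a missing password is silently substituted.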
@@ -64,11 +102,93 @@
*/
public AbstractCrypto(Properties properties, ClassLoader loader)
throws CredentialException, IOException {
- this.properties = properties;
- if (this.properties == null) {
+ if (properties == null) {
return;
}
- String location = this.properties.getProperty("org.apache.ws.security.crypto.merlin.file");
+ this.properties = properties;
+ String provider = properties.getProperty(CRYPTO_PROVIDER);
+ if (provider == null) {
+ provider = properties.getProperty(OLD_CRYPTO_PROVIDER);
+ }
+ //
+ // Load the KeyStore
+ //
+ String keyStoreLocation = properties.getProperty(KEYSTORE_FILE);
+ if (keyStoreLocation == null) {
+ keyStoreLocation = properties.getProperty(OLD_KEYSTORE_FILE);
+ }
+ if (keyStoreLocation != null) {
+ InputStream is = loadInputStream(loader, keyStoreLocation);
+
+ try {
+ String passwd = properties.getProperty(KEYSTORE_PASSWORD, "security");
+ String type = properties.getProperty(KEYSTORE_TYPE, KeyStore.getDefaultType());
+ keystore = load(is, passwd, provider, type);
+ if (doDebug) {
+ log.debug(
+ "The KeyStore " + keyStoreLocation + " of type " + type
+ + " has been loaded"
+ );
+ }
+ } finally {
+ if (is != null) {
+ is.close();
+ }
+ }
+ } else {
+ if (doDebug) {
+ log.debug("The KeyStore is not loaded as KEYSTORE_FILE is null");
+ }
+ }
+
+ //
+ // Load the TrustStore
+ //
+ String trustStoreLocation = properties.getProperty(TRUSTSTORE_FILE);
+ if (trustStoreLocation != null) {
+ InputStream is = loadInputStream(loader, trustStoreLocation);
+
+ try {
+ String passwd = properties.getProperty(TRUSTSTORE_PASSWORD, "changeit");
+ String type = properties.getProperty(TRUSTSTORE_TYPE, KeyStore.getDefaultType());
+ truststore = load(is, passwd, provider, type);
+ if (doDebug) {
+ log.debug(
+ "The TrustStore " + trustStoreLocation + " of type " + type
+ + " has been loaded"
+ );
+ }
+ } finally {
+ if (is != null) {
+ is.close();
+ }
+ }
+ } else {
+ String loadCacerts = properties.getProperty(LOAD_CA_CERTS, "false");
+ if (Boolean.valueOf(loadCacerts).booleanValue()) {
+ String cacertsPath = System.getProperty("java.home") + "/lib/security/cacerts";
+ InputStream is = new FileInputStream(cacertsPath);
+ try {
+ String cacertsPasswd = properties.getProperty(TRUSTSTORE_PASSWORD, "changeit");
+ truststore = load(is, cacertsPasswd, null, KeyStore.getDefaultType());
+ if (doDebug) {
+ log.debug("CA certs have been loaded");
+ }
+ } finally {
+ if (is != null) {
+ is.close();
+ }
+ }
+ }
+ }
+ }
+
+
+ /**
+ * Load a KeyStore object as an InputStream, using the ClassLoader and location arguments
+ */
+ public static InputStream loadInputStream(ClassLoader loader, String location)
+ throws CredentialException, IOException {
InputStream is = null;
if (location != null) {
java.net.URL url = Loader.getResource(loader, location);
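Review bot: The cacerts branch now reads `TRUSTSTORE_PASSWORD` while the code it replaces read `"org.apache.ws.security.crypto.merlin.cacerts.password"` (visible in the deleted block further down), so an existing configuration that set the old key silently falls back to `"changeit"` and the cacerts load fails, or worse, succeeds only because the default was never changed. Since the commit keeps fallbacks for the other renamed keys, the same treatment seems warranted here: `String cacertsPasswd = properties.getProperty(TRUSTSTORE_PASSWORD, properties.getProperty("org.apache.ws.security.crypto.merlin.cacerts.password", "changeit"));`. Separately, `if (is != null)` in the cacerts `finally` is dead because `new FileInputStream(cacertsPath)` never yields null, whereas for the keystore and truststore branches `loadInputStream` can return null and that null is then passed straight to `load(...)`; a check such as `if (is == null) throw new CredentialException(...)` with the location in the message would give a clearer failure than whatever `load` does with it. The body of `loadInputStream` continues past the end of this hunk.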
@@ -78,9 +198,9 @@
is = new java.io.FileInputStream(location);
}
- /**
- * If we don't find it, then look on the file system.
- */
+ //
+ // If we don't find it, then look on the file system.
+ //
if (is == null) {
try {
is = new FileInputStream(location);
@@ -94,61 +214,9 @@
}
}
}
-
- /**
- * Load the keystore
- */
- try {
- String provider =
- properties.getProperty("org.apache.ws.security.crypto.merlin.keystore.provider");
- String passwd =
- properties.getProperty(
- "org.apache.ws.security.crypto.merlin.keystore.password",
- "security"
- );
- String type =
- properties.getProperty(
- "org.apache.ws.security.crypto.merlin.keystore.type",
- KeyStore.getDefaultType()
- );
- this.keystore = load(is, passwd, provider, type);
- } finally {
- if (is != null) {
- is.close();
- }
- }
-
- /**
- * Load cacerts
- */
- String loadCacerts =
- properties.getProperty(
- "org.apache.ws.security.crypto.merlin.load.cacerts",
- "false"
- );
- if (Boolean.valueOf(loadCacerts).booleanValue()) {
- String cacertsPath = System.getProperty("java.home") + "/lib/security/cacerts";
- InputStream cacertsIs = new FileInputStream(cacertsPath);
- try {
- String cacertsPasswd =
- properties.getProperty(
- "org.apache.ws.security.crypto.merlin.cacerts.password",
- "changeit"
- );
- this.cacerts = load(cacertsIs, cacertsPasswd, null, KeyStore.getDefaultType());
- if (doDebug) {
- log.debug("CA certs have been loaded");
- }
- } finally {
- cacertsIs.close();
- }
- } else {
- if (doDebug) {
- log.debug("CA certs have not been loaded");
- }
- }
+ return is;
}
-
+
/**
* Loads the keystore from an <code>InputStream </code>.
@@ -192,9 +260,9 @@
protected String
getCryptoProvider() {
- return properties.getProperty("org.apache.ws.security.crypto.merlin.cert.provider");
+ return properties.getProperty(CRYPTO_PROVIDER);
}
-
+
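Review bot: `getCryptoProvider()` now reads only `CRYPTO_PROVIDER`, while the constructor above falls back to `OLD_CRYPTO_PROVIDER`, so the two places can disagree on which provider is in use for the same properties file. The key this method used to read, `"org.apache.ws.security.crypto.merlin.cert.provider"`, is neither of the two constants, so a deployment that set it loses its provider with no warning. At minimum the method should mirror the constructor: `return properties.getProperty(CRYPTO_PROVIDER, properties.getProperty(OLD_CRYPTO_PROVIDER));`, and whether `cert.provider` should also be honoured as a deprecated key deserves a deliberate decision rather than a silent drop.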
/**
* Retrieves the alias name of the default certificate which has been
* specified as a property. This should be the certificate that is used for
@@ -208,6 +276,6 @@
if (properties == null) {
return null;
}
- return properties.getProperty("org.apache.ws.security.crypto.merlin.keystore.alias");
+ return properties.getProperty(KEYSTORE_ALIAS);
}
}
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java?rev=777480&r1=777479&r2=777480&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java Fri May 22 11:31:29 2009
@@ -78,7 +78,7 @@
private static Log log = LogFactory.getLog(CryptoBase.class);
protected static Map certFactMap = new HashMap();
protected KeyStore keystore = null;
- protected KeyStore cacerts = null;
+ protected KeyStore truststore = null;
/**
* Constructor
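Review bot: The rename of the protected field `cacerts` to `truststore` is a source-incompatible change for any subclass that referenced the old field, and unlike the property keys it gets no deprecated alias or note. Since keeping two fields would invite them to diverge, a Javadoc comment on the new field documenting the change is probably the right minimum, e.g. `/** Trust anchors for certificate path validation; replaces the former {@code cacerts} field. */` above `protected KeyStore truststore = null;`, together with a mention in the release notes.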
@@ -207,6 +207,9 @@
* @throws Exception
*/
public PrivateKey getPrivateKey(String alias, String password) throws Exception {
+ if (keystore == null) {
+ throw new Exception("The keystore is null");
+ }
if (alias == null || !keystore.isKeyEntry(alias)) {
log.error("Cannot find key for alias: " + alias);
throw new Exception("Cannot find key for alias: " + alias);
@@ -248,6 +251,10 @@
X509Name issuerName = null;
Certificate cert = null;
+ if (keystore == null) {
+ return null;
+ }
+
//
// Convert the issuer DN to a java X500Principal object first. This is to ensure
// interop with a DN constructed from .NET, where e.g. it uses "S" instead of "ST".
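Review bot: The new `if (keystore == null) return null;` guards here and in the hunks at `getAliasForX509Cert(byte[] skiBytes)`, `getAliasForX509Cert(Certificate cert)`, the second issuer/serial lookup and `getAliasForX509CertThumb` make every alias lookup answer "not found" for a truststore-only configuration, which is exactly what the updated `wss40CA.properties` in this commit now is. If those lookups are meant to fall through to the truststore the way `getCertificates` and the subject-DN search now do, the guard should skip the keystore loop rather than return, otherwise a one-line comment such as `// Only the keystore is searched here; the truststore is consulted by getCertificates/getAliases` would make the asymmetry intentional for the next reader. The enclosing methods start outside these hunks, so I cannot see whether any of them already consult `truststore` later on.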
@@ -309,6 +316,10 @@
X509Name issuerName = null;
Certificate cert = null;
+ if (keystore == null) {
+ return null;
+ }
+
//
// Convert the issuer DN to a java X500Principal object first. This is to ensure
// interop with a DN constructed from .NET, where e.g. it uses "S" instead of "ST".
@@ -404,6 +415,9 @@
public String getAliasForX509Cert(byte[] skiBytes) throws WSSecurityException {
Certificate cert = null;
+ if (keystore == null) {
+ return null;
+ }
try {
for (Enumeration e = keystore.aliases(); e.hasMoreElements();) {
String alias = (String) e.nextElement();
@@ -441,6 +455,9 @@
*/
public String getAliasForX509Cert(Certificate cert) throws WSSecurityException {
try {
+ if (keystore == null) {
+ return null;
+ }
String alias = keystore.getCertificateAlias(cert);
if (alias != null) {
return alias;
@@ -483,11 +500,11 @@
}
}
- if (certs == null && cacerts != null) {
+ if (certs == null && truststore != null) {
// Now look into the trust stores
- certs = cacerts.getCertificateChain(alias);
+ certs = truststore.getCertificateChain(alias);
if (certs == null) {
- Certificate cert = cacerts.getCertificate(alias);
+ Certificate cert = truststore.getCertificate(alias);
if (cert != null) {
certs = new Certificate[]{cert};
}
@@ -526,6 +543,10 @@
public String getAliasForX509CertThumb(byte[] thumb) throws WSSecurityException {
Certificate cert = null;
MessageDigest sha = null;
+
+ if (keystore == null) {
+ return null;
+ }
try {
sha = WSSecurityUtil.resolveMessageDigest();
@@ -660,11 +681,14 @@
// The DN to search the keystore for
X500Principal subjectRDN = new X500Principal(subjectDN);
- List aliases = getAliases(subjectRDN, keystore);
+ List aliases = null;
+ if (keystore != null) {
+ aliases = getAliases(subjectRDN, keystore);
+ }
- //If we can't find the issuer in the keystore then look at cacerts
- if (aliases.size() == 0 && cacerts != null) {
- aliases = getAliases(subjectRDN, cacerts);
+ //If we can't find the issuer in the keystore then look at the truststore
+ if ((aliases == null || aliases.size() == 0) && truststore != null) {
+ aliases = getAliases(subjectRDN, truststore);
}
// Convert the vector into an array
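Review bot: `aliases` stays null when `keystore` is null and `truststore` is also null, or when the keystore search returns an empty list and there is no truststore, and the conversion that follows the hunk looks as if it dereferences it. The original code could not hit this because `getAliases` was always called. Initialising to an empty list instead of null, e.g. `List aliases = new java.util.ArrayList();` (fully qualified if the class is not imported), keeps the existing `aliases.size() == 0` semantics and removes the NPE path; the rest of the method is outside the hunk, so please check what the conversion code does with an empty list.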
@@ -749,12 +773,12 @@
CertPath path = getCertificateFactory().generateCertPath(certList);
Set set = new HashSet();
- if (cacerts != null) {
- Enumeration cacertsAliases = cacerts.aliases();
- while (cacertsAliases.hasMoreElements()) {
- String alias = (String) cacertsAliases.nextElement();
+ if (truststore != null) {
+ Enumeration truststoreAliases = truststore.aliases();
+ while (truststoreAliases.hasMoreElements()) {
+ String alias = (String) truststoreAliases.nextElement();
X509Certificate cert =
- (X509Certificate) cacerts.getCertificate(alias);
+ (X509Certificate) truststore.getCertificate(alias);
TrustAnchor anchor =
new TrustAnchor(cert, cert.getExtensionValue(NAME_CONSTRAINTS_OID));
set.add(anchor);
@@ -762,14 +786,16 @@
}
// Add certificates from the keystore
- Enumeration aliases = keystore.aliases();
- while (aliases.hasMoreElements()) {
- String alias = (String) aliases.nextElement();
- X509Certificate cert =
- (X509Certificate) keystore.getCertificate(alias);
- TrustAnchor anchor =
- new TrustAnchor(cert, cert.getExtensionValue(NAME_CONSTRAINTS_OID));
- set.add(anchor);
+ if (keystore != null) {
+ Enumeration aliases = keystore.aliases();
+ while (aliases.hasMoreElements()) {
+ String alias = (String) aliases.nextElement();
+ X509Certificate cert =
+ (X509Certificate) keystore.getCertificate(alias);
+ TrustAnchor anchor =
+ new TrustAnchor(cert, cert.getExtensionValue(NAME_CONSTRAINTS_OID));
+ set.add(anchor);
+ }
}
PKIXParameters param = new PKIXParameters(set);
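Review bot: With both `keystore` and `truststore` null the new guards leave `set` empty, and `new PKIXParameters(set)` then throws `InvalidAlgorithmParameterException` from inside what is presumably the validation method, which is a less useful failure than an explicit check such as `if (set.isEmpty()) { throw new WSSecurityException(WSSecurityException.FAILURE, "noTrustAnchors"); }` (adjust to the constructor this class actually uses, which I cannot see from the hunk). More importantly for a trust decision, the loop still promotes every certificate in the signing keystore to a `TrustAnchor`, so with the new dedicated truststore support any entry that happens to be in the keystore is as trusted as a CA; now that the two stores are distinct it would be worth making the keystore contribution optional, or at least documenting it with a comment above the `if (keystore != null)` such as `// NOTE: all keystore certificates are treated as trust anchors, not only the truststore`. The enclosing method starts before this hunk.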
Modified: webservices/wss4j/trunk/test/crypto.properties
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/crypto.properties?rev=777480&r1=777479&r2=777480&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/crypto.properties (original)
+++ webservices/wss4j/trunk/test/crypto.properties Fri May 22 11:31:29 2009
@@ -2,4 +2,4 @@
org.apache.ws.security.crypto.merlin.keystore.type=pkcs12
org.apache.ws.security.crypto.merlin.keystore.password=security
org.apache.ws.security.crypto.merlin.keystore.alias=16c73ab6-b892-458f-abf5-2f875f74882e
-org.apache.ws.security.crypto.merlin.file=keys/x509.PFX.MSFT
+org.apache.ws.security.crypto.merlin.keystore.file=keys/x509.PFX.MSFT
Modified: webservices/wss4j/trunk/test/wss40.properties
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wss40.properties?rev=777480&r1=777479&r2=777480&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wss40.properties (original)
+++ webservices/wss4j/trunk/test/wss40.properties Fri May 22 11:31:29 2009
@@ -2,4 +2,4 @@
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=security
org.apache.ws.security.crypto.merlin.keystore.alias=wss40
-org.apache.ws.security.crypto.merlin.file=keys/wss40.jks
+org.apache.ws.security.crypto.merlin.keystore.file=keys/wss40.jks
Modified: webservices/wss4j/trunk/test/wss40CA.properties
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wss40CA.properties?rev=777480&r1=777479&r2=777480&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wss40CA.properties (original)
+++ webservices/wss4j/trunk/test/wss40CA.properties Fri May 22 11:31:29 2009
@@ -1,4 +1,3 @@
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
-org.apache.ws.security.crypto.merlin.keystore.type=jks
-org.apache.ws.security.crypto.merlin.keystore.password=security
-org.apache.ws.security.crypto.merlin.file=keys/wss40CA.jks
+org.apache.ws.security.crypto.merlin.truststore.password=security
+org.apache.ws.security.crypto.merlin.truststore.file=keys/wss40CA.jks
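Review bot: The replaced lines declared the store type explicitly (`keystore.type=jks`), but the new truststore entries omit `truststore.type`, so loading now depends on `KeyStore.getDefaultType()` in `AbstractCrypto`. That works while the JRE default is JKS, but it ties the test to the runtime rather than to the file, and a different default would fail to open `keys/wss40CA.jks`; adding `org.apache.ws.security.crypto.merlin.truststore.type=jks` keeps the configuration self-describing.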
Modified: webservices/wss4j/trunk/test/wss40badca.properties
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wss40badca.properties?rev=777480&r1=777479&r2=777480&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wss40badca.properties (original)
+++ webservices/wss4j/trunk/test/wss40badca.properties Fri May 22 11:31:29 2009
@@ -1,4 +1,4 @@
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=security
-org.apache.ws.security.crypto.merlin.file=keys/wss40badca.jks
+org.apache.ws.security.crypto.merlin.keystore.file=keys/wss40badca.jks
Modified: webservices/wss4j/trunk/test/wss40badcatrust.properties
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wss40badcatrust.properties?rev=777480&r1=777479&r2=777480&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wss40badcatrust.properties (original)
+++ webservices/wss4j/trunk/test/wss40badcatrust.properties Fri May 22 11:31:29 2009
@@ -1,4 +1,4 @@
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=security
-org.apache.ws.security.crypto.merlin.file=keys/wss40badcatrust.jks
+org.apache.ws.security.crypto.merlin.keystore.file=keys/wss40badcatrust.jks
Modified: webservices/wss4j/trunk/test/wss86.properties
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wss86.properties?rev=777480&r1=777479&r2=777480&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wss86.properties (original)
+++ webservices/wss4j/trunk/test/wss86.properties Fri May 22 11:31:29 2009
@@ -3,4 +3,4 @@
org.apache.ws.security.crypto.merlin.keystore.password=security
org.apache.ws.security.crypto.merlin.keystore.alias=wss86
org.apache.ws.security.crypto.merlin.load.cacerts=true
-org.apache.ws.security.crypto.merlin.file=keys/wss86.keystore
+org.apache.ws.security.crypto.merlin.keystore.file=keys/wss86.keystore
Modified: webservices/wss4j/trunk/test/wssec/TestWSSecurityUTDK.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityUTDK.java?rev=777480&r1=777479&r2=777480&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityUTDK.java (original)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityUTDK.java Fri May 22 11:31:29 2009
@@ -349,8 +349,8 @@
WSSecurityUtil.fetchActionResult(results, WSConstants.SIGN);
java.security.Principal principal =
(java.security.Principal) actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
- //System.out.println(principal.getName());
- assertTrue(principal.getName().indexOf("derivedKey") != -1);
+ // System.out.println(principal.getName());
+ assertTrue(principal.getName().indexOf("DK") != -1);
}
/**