Posted to commits@ws.apache.org by co...@apache.org on 2012/02/17 15:55:30 UTC

svn commit: r1245588 - in /webservices/wss4j/trunk/src: main/java/org/apache/ws/security/validate/SignatureTrustValidator.java test/java/org/apache/ws/security/message/SignatureCRLTest.java test/resources/wss40rev.properties

Author: coheigea
Date: Fri Feb 17 14:55:29 2012
New Revision: 1245588

URL: http://svn.apache.org/viewvc?rev=1245588&view=rev
Log:
[WSS-341] - Make CRL's work on signature verification when the certificate is in the keystore
 - Patch applied, thanks.

Modified:
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SignatureTrustValidator.java
    webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureCRLTest.java
    webservices/wss4j/trunk/src/test/resources/wss40rev.properties

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SignatureTrustValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SignatureTrustValidator.java?rev=1245588&r1=1245587&r2=1245588&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SignatureTrustValidator.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SignatureTrustValidator.java Fri Feb 17 14:55:29 2012
@@ -167,7 +167,7 @@ public class SignatureTrustValidator imp
         //
         // FIRST step - Search the keystore for the transmitted certificate
         //
-        if (isCertificateInKeyStore(crypto, cert)) {
+        if (!enableRevocation && isCertificateInKeyStore(crypto, cert)) {
             return true;
         }
 
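Review bot: The comment above the changed condition still describes the keystore lookup as an unconditional first step, but with `enableRevocation` set, a certificate that is present in the keystore now falls through to the later steps, which lie outside this hunk. This changes behaviour for deployments that trust a leaf certificate only by having it in the keystore: if the later steps need the issuer in the keystore to build a path (an inference, since they are not visible here), such a certificate would be rejected once revocation is enabled. I would record the intent at the condition, e.g. `// Skipped when revocation is enabled: a direct keystore match must not bypass the CRL check below`, and state the issuer requirement in the method's Javadoc.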

Modified: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureCRLTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureCRLTest.java?rev=1245588&r1=1245587&r2=1245588&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureCRLTest.java (original)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureCRLTest.java Fri Feb 17 14:55:29 2012
@@ -142,6 +142,45 @@ public class SignatureCRLTest extends or
         }
     }
     
+    
+    /**
+     * Test signing a SOAP message using a BST. Revocation is enabled and so the test
+     * should fail. The trust store that is used is the keystore that contains the revoked
+     * certificate. See WSS-341:
+     * https://issues.apache.org/jira/browse/WSS-341
+     */
+    @org.junit.Test
+    public void testSignatureDirectReferenceRevocationKeyStore() throws Exception {
+        WSSecSignature sign = new WSSecSignature();
+        sign.setUserInfo("wss40rev", "security");
+        sign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        Document signedDoc = sign.build(doc, crypto, secHeader);
+        
+        if (LOG.isDebugEnabled()) {
+            String outputString = 
+                org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc);
+            LOG.debug(outputString);
+        }
+        //
+        // Verify the signature
+        //
+        try {
+            verify(signedDoc, crypto, true);
+            fail ("Failure expected on a revoked certificate");
+        } catch (Exception ex) {
+            String errorMessage = ex.getMessage();
+            // Different errors using different JDKs...
+            assertTrue(errorMessage.contains("Certificate has been revoked")
+                || errorMessage.contains("Certificate revocation")
+                || errorMessage.contains("Error during certificate path validation"));
+        }
+    }
+    
     /**
      * Verifies the soap envelope
      * <p/>
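Review bot: The catch block in `testSignatureDirectReferenceRevocationKeyStore` accepts "Error during certificate path validation", which is generic enough that a rejection unrelated to the CRL (for example an untrusted issuer) would also pass. The test therefore does not show that revocation caused the failure. A positive control before the `try` would pin this down: `verify(signedDoc, crypto, false);`, assuming the third argument is the revocation switch, as the call with `true` suggests. `ex.getMessage()` can also be null, which would surface as a NullPointerException rather than an assertion failure; adding `assertNotNull(errorMessage);` before the `contains` checks makes that case readable.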

Modified: webservices/wss4j/trunk/src/test/resources/wss40rev.properties
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/wss40rev.properties?rev=1245588&r1=1245587&r2=1245588&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/resources/wss40rev.properties (original)
+++ webservices/wss4j/trunk/src/test/resources/wss40rev.properties Fri Feb 17 14:55:29 2012
@@ -3,3 +3,4 @@ org.apache.ws.security.crypto.merlin.key
 org.apache.ws.security.crypto.merlin.keystore.password=security
 org.apache.ws.security.crypto.merlin.keystore.alias=wss40rev
 org.apache.ws.security.crypto.merlin.keystore.file=keys/wss40rev.jks
+org.apache.ws.security.crypto.merlin.x509crl.file=keys/wss40CACRL.pem