Posted to commits@cxf.apache.org by co...@apache.org on 2017/03/29 09:25:44 UTC
[2/2] cxf git commit: CXF-7084 - Dynamically load signature
validation keys using KeyName. Thanks to Hugo Trippaers for the patch. This
closes #177.
CXF-7084 - Dynamically load signature validation keys using KeyName.
Thanks to Hugo Trippaers for the patch.
This closes #177.
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2ea81b5f
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2ea81b5f
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2ea81b5f
Branch: refs/heads/master
Commit: 2ea81b5f7dd84d4d179a2d9ac77c5660a8aeb3c9
Parents: eb55972
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Wed Mar 29 10:25:00 2017 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Wed Mar 29 10:25:00 2017 +0100
----------------------------------------------------------------------
.../rs/security/xml/SignatureProperties.java | 16 +++++++++
.../rs/security/xml/XmlSecInInterceptor.java | 37 ++++++++++++++++++++
.../jaxrs/security/xml/JAXRSXmlSecTest.java | 2 +-
.../systest/jaxrs/security/xml/stax-server.xml | 12 ++++++-
4 files changed, 65 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/2ea81b5f/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/SignatureProperties.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/SignatureProperties.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/SignatureProperties.java
index 040cbb0..13cd047 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/SignatureProperties.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/SignatureProperties.java
@@ -18,6 +18,8 @@
*/
package org.apache.cxf.rs.security.xml;
+import java.util.Map;
+
public class SignatureProperties {
private String signatureAlgo;
private String signatureDigestAlgo;
@@ -25,6 +27,7 @@ public class SignatureProperties {
private String signatureC14nTransform;
private String signatureKeyIdType;
private String signatureKeyName;
+ private Map<String, String> keyNameAliasMap;
public void setSignatureAlgo(String signatureAlgo) {
this.signatureAlgo = signatureAlgo;
@@ -63,4 +66,17 @@ public class SignatureProperties {
this.signatureKeyName = signatureKeyName;
}
+ public Map<String, String> getKeyNameAliasMap() {
+ return keyNameAliasMap;
+ }
+
+ /**
+ * Set the Signature KeyName alias lookup map. It is used on the receiving side for signature.
+ * It maps a KeyName to a key alias - so it allows us to associate a (e.g.) key alias in
+ * a keystore with a given KeyName contained in a KeyInfo structure of the Signature.
+ */
+ public void setKeyNameAliasMap(Map<String, String> keyNameAliasMap) {
+ this.keyNameAliasMap = keyNameAliasMap;
+ }
+
}
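Review bot: getKeyNameAliasMap() returns the same map instance the setter stored, so any caller that mutates it (or the Spring-injected map itself) changes which keystore alias a KeyName resolves to after the interceptor has been configured. Because this map decides which verification key is trusted for a given KeyName, it is worth snapshotting in the setter, e.g. `this.keyNameAliasMap = keyNameAliasMap == null ? null : Collections.unmodifiableMap(new HashMap<>(keyNameAliasMap));` (with the matching java.util imports). The getter also has no Javadoc; `/** Returns the KeyName to key alias lookup map used on the receiving side, or null if none is configured. */` would match the setter's documentation.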
http://git-wip-us.apache.org/repos/asf/cxf/blob/2ea81b5f/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
index 4514051..5730381 100644
--- a/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
+++ b/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSecInInterceptor.java
@@ -27,6 +27,7 @@ import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedList;
import java.util.List;
+import java.util.Map;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
@@ -66,6 +67,7 @@ import org.apache.xml.security.stax.ext.InboundXMLSec;
import org.apache.xml.security.stax.ext.XMLSec;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.ext.XMLSecurityProperties;
+import org.apache.xml.security.stax.impl.securityToken.KeyNameSecurityToken;
import org.apache.xml.security.stax.securityEvent.AlgorithmSuiteSecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
@@ -216,7 +218,19 @@ public class XmlSecInInterceptor extends AbstractPhaseInterceptor<Message> imple
if (certs != null && certs.length > 0) {
properties.setSignatureVerificationKey(certs[0].getPublicKey());
}
+ } else if (sigCrypto != null && sigProps != null && sigProps.getKeyNameAliasMap() != null) {
+ Map<String, String> keyNameAliasMap = sigProps.getKeyNameAliasMap();
+ for (Map.Entry<String, String> mapping: keyNameAliasMap.entrySet()) {
+ CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+ cryptoType.setAlias(mapping.getValue());
+ X509Certificate[] certs = sigCrypto.getX509Certificates(cryptoType);
+ if (certs != null && certs.length > 0) {
+ properties.addKeyNameMapping(mapping.getKey(), certs[0].getPublicKey());
+ }
+ }
}
+
+
}
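Review bot: A mapping whose alias yields no certificate from sigCrypto.getX509Certificates is skipped silently inside the new loop, so a misconfigured keyNameAliasMap only shows up later as a failed signature verification with no hint which KeyName is missing; an else branch such as `LOG.warning("No certificate found for KeyName alias " + mapping.getValue());` would make this visible (LOG is already used by throwFault in this file). The two blank lines added before the closing brace are stray whitespace and should be dropped. The enclosing method starts before this hunk, so I cannot confirm from here how any checked exception thrown by getX509Certificates is handled, though the existing certs branch above presumably makes the same call.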
protected SecurityEventListener configureSecurityEventListener(
@@ -300,6 +314,10 @@ public class XmlSecInInterceptor extends AbstractPhaseInterceptor<Message> imple
SecurityToken token = event.getSecurityToken();
if (token != null) {
X509Certificate[] certs = token.getX509Certificates();
+ if (certs == null && token.getPublicKey() == null && token instanceof KeyNameSecurityToken) {
+ certs = getX509CertificatesForKeyName(sigCrypto, msg, (KeyNameSecurityToken)token);
+ }
+
PublicKey publicKey = token.getPublicKey();
X509Certificate cert = null;
if (certs != null && certs.length > 0) {
@@ -321,6 +339,25 @@ public class XmlSecInInterceptor extends AbstractPhaseInterceptor<Message> imple
}
}
+ private X509Certificate[] getX509CertificatesForKeyName(Crypto sigCrypto, Message msg, KeyNameSecurityToken token)
+ throws XMLSecurityException {
+ X509Certificate[] certs;
+ KeyNameSecurityToken keyNameSecurityToken = token;
+ String keyName = keyNameSecurityToken.getKeyName();
+ String alias = null;
+ if (sigProps != null && sigProps.getKeyNameAliasMap() != null) {
+ alias = sigProps.getKeyNameAliasMap().get(keyName);
+ }
+ try {
+ certs = RSSecurityUtils.getCertificates(sigCrypto, alias);
+ } catch (Exception e) {
+ throw new XMLSecurityException("empty", new Object[] {"Error during Signature Trust "
+ + "validation"});
+ }
+ return certs;
+ }
+
+
protected void throwFault(String error, Exception ex) {
LOG.warning(error);
Response response = JAXRSUtils.toResponseBuilder(400).entity(error).build();
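Review bot: The catch in getX509CertificatesForKeyName drops the original exception — `e` is neither passed as the cause nor logged — so a keystore or lookup failure surfaces only as the generic "Error during Signature Trust validation" text, and the method also hands a null alias to RSSecurityUtils.getCertificates whenever the KeyName has no entry in keyNameAliasMap. I cannot see how that helper treats a null alias, but unless it is guaranteed to return nothing, an unmapped KeyName could resolve to whatever default alias the helper falls back to, so the null case should be rejected before the lookup; the caller in the preceding hunk likewise passes sigCrypto without a null check. The msg parameter is unused and the keyNameSecurityToken local merely aliases token. A sketch follows; it relies on the Santuario overload that takes the original exception, `XMLSecurityException(Exception, String, Object[])`, which should be confirmed against the version in use.
```java
private X509Certificate[] getX509CertificatesForKeyName(Crypto sigCrypto, Message msg, KeyNameSecurityToken token)
    throws XMLSecurityException {
    String keyName = token.getKeyName();
    String alias = null;
    if (sigProps != null && sigProps.getKeyNameAliasMap() != null) {
        alias = sigProps.getKeyNameAliasMap().get(keyName);
    }
    if (alias == null || sigCrypto == null) {
        // No alias configured for this KeyName (or no Crypto): do not fall through to a default lookup;
        // the caller's existing certs != null check handles the absent certificate.
        return null;
    }
    try {
        return RSSecurityUtils.getCertificates(sigCrypto, alias);
    } catch (Exception e) {
        // Preserve the underlying failure so the root cause is not lost
        throw new XMLSecurityException(e, "empty", new Object[] {"Error during Signature Trust "
            + "validation"});
    }
}
```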
http://git-wip-us.apache.org/repos/asf/cxf/blob/2ea81b5f/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
index bb08668..1166daa 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/JAXRSXmlSecTest.java
@@ -424,7 +424,7 @@ public class JAXRSXmlSecTest extends AbstractBusClientServerTestBase {
sigOutInterceptor.setKeyInfoMustBeAvailable(true);
SignatureProperties sigProps = new SignatureProperties();
- sigProps.setSignatureKeyName("alice");
+ sigProps.setSignatureKeyName("alice-kn");
sigProps.setSignatureKeyIdType("KeyName");
sigOutInterceptor.setSignatureProperties(sigProps);
http://git-wip-us.apache.org/repos/asf/cxf/blob/2ea81b5f/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
index 3ff5b4e..c1c3c0c 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/xml/stax-server.xml
@@ -148,12 +148,22 @@ under the License.
</jaxrs:properties>
</jaxrs:server>
+ <util:map id="keyNameMap">
+ <entry key="alice-kn" value="alice" />
+ </util:map>
+ <bean id="keyNameSigProps" class="org.apache.cxf.rs.security.xml.SignatureProperties">
+ <property name="keyNameAliasMap" ref="keyNameMap"/>
+ </bean>
+ <bean id="xmlSecInHandlerKeyName" class="org.apache.cxf.rs.security.xml.XmlSecInInterceptor">
+ <property name="signatureProperties" ref="keyNameSigProps"/>
+ <property name="requireSignature" value="true"/>
+ </bean>
<jaxrs:server address="https://localhost:${testutil.ports.jaxrs-xmlsec-stax}/xmlsigkeyname">
<jaxrs:serviceBeans>
<ref bean="serviceBean"/>
</jaxrs:serviceBeans>
<jaxrs:inInterceptors>
- <ref bean="xmlSigInHandler"/>
+ <ref bean="xmlSecInHandlerKeyName"/>
</jaxrs:inInterceptors>
<jaxrs:outInterceptors>
<ref bean="xmlSigOutHandler"/>