Posted to commits@cxf.apache.org by dk...@apache.org on 2010/11/30 03:54:09 UTC
svn commit: r1040394 - in /cxf/branches/2.3.x-fixes: ./ rt/ws/security/
rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/
rt/ws/security/src/test/java/META-INF/cxf/
rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/
Author: dkulp
Date: Tue Nov 30 02:54:09 2010
New Revision: 1040394
URL: http://svn.apache.org/viewvc?rev=1040394&view=rev
Log:
Merged revisions 1040388 via svnmerge from
https://svn.apache.org/repos/asf/cxf/trunk
........
r1040388 | dkulp | 2010-11-29 21:34:39 -0500 (Mon, 29 Nov 2010) | 4 lines
[CXF-3152] Update to wss4j 1.5.10
Add support for PKI cert chain
Patch from Colm O hEigeartaigh applied but test disabled until the certs
are available.
........
Added:
cxf/branches/2.3.x-fixes/rt/ws/security/src/test/java/META-INF/cxf/alice.properties
- copied unchanged from r1040388, cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/alice.properties
cxf/branches/2.3.x-fixes/rt/ws/security/src/test/java/META-INF/cxf/cxfca.properties
- copied unchanged from r1040388, cxf/trunk/rt/ws/security/src/test/java/META-INF/cxf/cxfca.properties
cxf/branches/2.3.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/KeystorePasswordCallback.java
- copied unchanged from r1040388, cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/KeystorePasswordCallback.java
Modified:
cxf/branches/2.3.x-fixes/ (props changed)
cxf/branches/2.3.x-fixes/rt/ws/security/pom.xml
cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
cxf/branches/2.3.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
Propchange: cxf/branches/2.3.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.
Modified: cxf/branches/2.3.x-fixes/rt/ws/security/pom.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/rt/ws/security/pom.xml?rev=1040394&r1=1040393&r2=1040394&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/rt/ws/security/pom.xml (original)
+++ cxf/branches/2.3.x-fixes/rt/ws/security/pom.xml Tue Nov 30 02:54:09 2010
@@ -91,7 +91,7 @@
<dependency>
<groupId>org.apache.ws.security</groupId>
<artifactId>wss4j</artifactId>
- <version>1.5.9</version>
+ <version>1.5.10</version>
<exclusions>
<exclusion>
<groupId>axis</groupId>
Modified: cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java?rev=1040394&r1=1040393&r2=1040394&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java (original)
+++ cxf/branches/2.3.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java Tue Nov 30 02:54:09 2010
@@ -315,10 +315,20 @@ public class WSS4JInInterceptor extends
WSSecurityEngineResult result =
(WSSecurityEngineResult) signatureResults.get(i);
+ //
+ // Verify the certificate chain associated with signature verification if
+ // it exists. If it does not, then try to verify the (single) certificate
+ // used for signature verification
+ //
X509Certificate returnCert = (X509Certificate)result
.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
-
- if (returnCert != null && !verifyTrust(returnCert, reqData)) {
+ X509Certificate[] returnCertChain = (X509Certificate[])result
+ .get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+
+ if (returnCertChain != null && !verifyTrust(returnCertChain, reqData)) {
+ LOG.warning("The certificate chain used for the signature is not trusted");
+ throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
+ } else if (returnCert != null && !verifyTrust(returnCert, reqData)) {
LOG.warning("The certificate used for the signature is not trusted");
throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
}
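Review bot: The control flow does not match the comment added above it: the `else if` on the single certificate is still evaluated when a chain is present and `verifyTrust(returnCertChain, reqData)` succeeds, whereas the comment says the single-certificate check is the fallback for when no chain exists. If the signer's certificate is also returned under TAG_X509_CERTIFICATE alongside the chain and `verifyTrust(X509Certificate, RequestData)` only trusts certificates whose issuer is directly in the truststore (both depend on WSS4J behaviour outside this hunk, so worth confirming), a chain that is legitimately anchored through an intermediate CA would pass the first check and then be rejected by the second, making the new chain support unreachable in the PKI-path case. Making the single-certificate check conditional on the absence of a chain, as sketched below, implements what the comment describes; the enclosing method starts and ends outside the hunk.
```java
X509Certificate[] returnCertChain = (X509Certificate[])result
    .get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);

if (returnCertChain != null) {
    // A chain was supplied (PKI path): trust is decided on the chain only
    if (!verifyTrust(returnCertChain, reqData)) {
        LOG.warning("The certificate chain used for the signature is not trusted");
        throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
    }
} else if (returnCert != null && !verifyTrust(returnCert, reqData)) {
    // … unchanged: single-certificate warning and FAILED_CHECK …
}
```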
Modified: cxf/branches/2.3.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.3.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java?rev=1040394&r1=1040393&r2=1040394&view=diff
==============================================================================
--- cxf/branches/2.3.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java (original)
+++ cxf/branches/2.3.x-fixes/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/WSS4JInOutTest.java Tue Nov 30 02:54:09 2010
@@ -541,6 +541,75 @@ public class WSS4JInOutTest extends Abst
assertEquals(obj.getClass().getName(), CustomProcessor.class.getName());
}
+ @Test
+ @org.junit.Ignore
+ public void testPKIPath() throws Exception {
+ Document doc = readDocument("wsse-request-clean.xml");
+
+ WSS4JOutInterceptor ohandler = new WSS4JOutInterceptor();
+ PhaseInterceptor<SoapMessage> handler = ohandler.createEndingInterceptor();
+
+ SoapMessage msg = new SoapMessage(new MessageImpl());
+ Exchange ex = new ExchangeImpl();
+ ex.setInMessage(msg);
+
+ SOAPMessage saajMsg = MessageFactory.newInstance().createMessage();
+ SOAPPart part = saajMsg.getSOAPPart();
+ part.setContent(new DOMSource(doc));
+ saajMsg.saveChanges();
+
+ msg.setContent(SOAPMessage.class, saajMsg);
+
+ msg.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
+ msg.put(WSHandlerConstants.SIG_PROP_FILE, "META-INF/cxf/alice.properties");
+ msg.put(WSHandlerConstants.USER, "alice");
+ msg.put(WSHandlerConstants.PW_CALLBACK_CLASS, KeystorePasswordCallback.class.getName());
+ msg.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
+ msg.put(WSHandlerConstants.USE_SINGLE_CERTIFICATE, "false");
+
+ handler.handleMessage(msg);
+
+ doc = part;
+
+ assertValid("//wsse:Security", doc);
+ assertValid("//wsse:Security/ds:Signature", doc);
+
+ byte[] docbytes = getMessageBytes(doc);
+
+ XMLStreamReader reader = StaxUtils.createXMLStreamReader(new ByteArrayInputStream(docbytes));
+
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+
+ dbf.setValidating(false);
+ dbf.setIgnoringComments(false);
+ dbf.setIgnoringElementContentWhitespace(true);
+ dbf.setNamespaceAware(true);
+
+ DocumentBuilder db = dbf.newDocumentBuilder();
+ db.setEntityResolver(new NullResolver());
+ doc = StaxUtils.read(db, reader, false);
+
+ WSS4JInInterceptor inHandler = new WSS4JInInterceptor();
+
+ SoapMessage inmsg = new SoapMessage(new MessageImpl());
+ ex.setInMessage(inmsg);
+ inmsg.setContent(SOAPMessage.class, saajMsg);
+
+ inHandler.setProperty(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
+ inHandler.setProperty(WSHandlerConstants.SIG_PROP_FILE, "META-INF/cxf/cxfca.properties");
+
+ inHandler.handleMessage(inmsg);
+
+ WSSecurityEngineResult result =
+ (WSSecurityEngineResult) inmsg.get(WSS4JInInterceptor.SIGNATURE_RESULT);
+ assertNotNull(result);
+ X509Certificate[] certificates = (X509Certificate[])result
+ .get(WSSecurityEngineResult.TAG_X509_CERTIFICATES);
+ assertNotNull(certificates);
+ assertEquals(certificates.length, 2);
+ }
+
+
private byte[] getMessageBytes(Document doc) throws Exception {
ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
XMLStreamWriter byteArrayWriter = StaxUtils.createXMLStreamWriter(outputStream);