You are viewing a plain text version of this content. The canonical link for it is here.
Posted to wss4j-dev@ws.apache.org by co...@apache.org on 2009/05/21 13:47:34 UTC
svn commit: r777081 - in /webservices/wss4j/trunk: ./
src/org/apache/ws/security/components/crypto/
src/org/apache/ws/security/handler/ src/org/apache/ws/security/message/
src/org/apache/ws/security/message/token/
src/org/apache/ws/security/processor/ ...
Author: coheigea
Date: Thu May 21 11:47:33 2009
New Revision: 777081
URL: http://svn.apache.org/viewvc?rev=777081&view=rev
Log:
[WSS-40] - A Refactor of the crypto stuff
- I removed all "reverse" functionality, it wasn't being used anyway.
- I removed the BouncyCastle crypto implementation
- I merged the Merlin functionality into CryptoBase, as JDK 1.4 is the minimum requirement for the next release
- I improved some of the verifyTrust checking in WSHandler.
Removed:
webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/BouncyCastle.java
Modified:
webservices/wss4j/trunk/pom.xml
webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/Crypto.java
webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java
webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/Merlin.java
webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDerivedKeyBase.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/PKIPathSecurity.java
webservices/wss4j/trunk/src/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java
webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java
webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS86.java
Modified: webservices/wss4j/trunk/pom.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/pom.xml?rev=777081&r1=777080&r2=777081&view=diff
==============================================================================
--- webservices/wss4j/trunk/pom.xml (original)
+++ webservices/wss4j/trunk/pom.xml Thu May 21 11:47:33 2009
@@ -400,12 +400,12 @@
<artifactId>commons-logging</artifactId>
<version>${commons.logging.version}</version>
<scope>compile</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.santuario</groupId>
- <artifactId>xmlsec</artifactId>
- <version>${xmlsec.version}</version>
- <scope>compile</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.santuario</groupId>
+ <artifactId>xmlsec</artifactId>
+ <version>${xmlsec.version}</version>
+ <scope>compile</scope>
</dependency>
<dependency>
<groupId>commons-discovery</groupId>
@@ -418,12 +418,12 @@
<artifactId>commons-codec</artifactId>
<version>1.3</version>
<scope>test</scope>
- </dependency>
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <version>${junit.version}</version>
- <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>${junit.version}</version>
+ <scope>test</scope>
</dependency>
<dependency>
<groupId>xalan</groupId>
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/Crypto.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/Crypto.java?rev=777081&r1=777080&r2=777081&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/Crypto.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/Crypto.java Thu May 21 11:47:33 2009
@@ -47,29 +47,34 @@
/**
* Construct an array of X509Certificate's from the byte array.
- * <p/>
*
* @param data The <code>byte</code> array containing the X509 data
- * @param reverse If set the first certificate in input data will
- * the last in the array
- * @return An array of X509 certificates, ordered according to
- * the reverse flag
+ * @return An array of X509 certificates
* @throws WSSecurityException
*/
- X509Certificate[] getX509Certificates(byte[] data, boolean reverse) throws WSSecurityException;
+ X509Certificate[] getX509Certificates(byte[] data) throws WSSecurityException;
+
+ /**
+ * Lookup an X509 Certificate in the keystore according to a given serial number and
+ * the issuer of a Certificate.
+ *
+ * @param issuer The issuer's name for the certificate
+ * @param serialNumber The serial number of the certificate from the named issuer
+ * @return the X509 certificate that matches the serialNumber and issuer name
+ * or null if no such certificate was found.
+ */
+ public X509Certificate getX509Certificate(String issuer, BigInteger serialNumber)
+ throws WSSecurityException;
/**
- * get a byte array given an array of X509 certificates.
+ * Get a byte array given an array of X509 certificates.
* <p/>
*
- * @param reverse If set the first certificate in the array data will
- * the last in the byte array
- * @param certs The certificates to convert
- * @return The byte array for the certificates ordered according
- * to the reverse flag
+ * @param certs The certificates to convert
+ * @return The byte array for the certificates
* @throws WSSecurityException
*/
- byte[] getCertificateData(boolean reverse, X509Certificate[] certs) throws WSSecurityException;
+ byte[] getCertificateData(X509Certificate[] certs) throws WSSecurityException;
/**
* Gets the private key identified by <code>alias</> and <code>password</code>.
@@ -81,6 +86,14 @@
* @throws Exception
*/
public PrivateKey getPrivateKey(String alias, String password) throws Exception;
+
+ /**
+ * Check to see if the certificate argument is in the keystore
+ * @param cert The certificate to check
+ * @return true if cert is in the keystore
+ * @throws WSSecurityException
+ */
+ public boolean isCertificateInKeyStore(X509Certificate cert) throws WSSecurityException;
/**
* get the list of certificates for a given alias. This method
@@ -112,20 +125,6 @@
public String getAliasForX509Cert(Certificate cert) throws WSSecurityException;
/**
- * Lookup a X509 Certificate in the keystore according to a given
- * the issuer of a Certificate.
- * <p/>
- * The search gets all alias names of the keystore and gets the certificate chain
- * for each alias. Then the Issuer of each certificate of the chain
- * is compared with the parameters.
- *
- * @param issuer The issuer's name for the certificate
- * @return alias name of the certificate that matches the issuer name
- * or null if no such certificate was found.
- */
- public String getAliasForX509Cert(String issuer) throws WSSecurityException;
-
- /**
* Search a X509 Certificate in the keystore according to a given serial number and
* the issuer of a Certificate.
* <p/>
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java?rev=777081&r1=777080&r2=777081&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java Thu May 21 11:47:33 2009
@@ -38,18 +38,23 @@
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertPath;
+import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
+import java.security.cert.PKIXParameters;
import java.security.cert.CertificateFactory;
+import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
+import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
+import java.util.Set;
import java.util.Vector;
import javax.security.auth.x500.X500Principal;
@@ -61,10 +66,18 @@
* To change this template use File | Settings | File Templates.
*/
public abstract class CryptoBase implements Crypto {
+ public static final String SKI_OID = "2.5.29.14";
+ /**
+ * OID For the NameConstraints Extension to X.509
+ *
+ * http://java.sun.com/j2se/1.4.2/docs/api/
+ * http://www.ietf.org/rfc/rfc3280.txt (s. 4.2.1.11)
+ */
+ public static final String NAME_CONSTRAINTS_OID = "2.5.29.30";
+
private static Log log = LogFactory.getLog(CryptoBase.class);
protected static Map certFactMap = new HashMap();
protected KeyStore keystore = null;
- static String SKI_OID = "2.5.29.14";
protected KeyStore cacerts = null;
/**
@@ -99,7 +112,10 @@
*/
public synchronized CertificateFactory getCertificateFactory() throws WSSecurityException {
String provider = getCryptoProvider();
- String keyStoreProvider = keystore == null ? null : keystore.getProvider().getName();
+ String keyStoreProvider = null;
+ if (keystore != null) {
+ keyStoreProvider = keystore.getProvider().getName();
+ }
//Try to find a CertificateFactory that generates certs that are fully
//compatible with the certs in the KeyStore (Sun -> Sun, BC -> BC, etc...)
@@ -162,25 +178,23 @@
}
/**
- * load a X509Certificate from the input stream.
- * <p/>
+ * Load a X509Certificate from the input stream.
*
- * @param in The <code>InputStream</code> array containing the X509 data
- * @return Returns a X509 certificate
+ * @param The <code>InputStream</code> containing the X509Certificate
+ * @return An X509 certificate
* @throws org.apache.ws.security.WSSecurityException
*
*/
public X509Certificate loadCertificate(InputStream in) throws WSSecurityException {
- X509Certificate cert = null;
try {
- cert = (X509Certificate) getCertificateFactory().generateCertificate(in);
+ CertificateFactory certFactory = getCertificateFactory();
+ return (X509Certificate) certFactory.generateCertificate(in);
} catch (CertificateException e) {
throw new WSSecurityException(
WSSecurityException.SECURITY_TOKEN_UNAVAILABLE, "parseError",
null, e
);
}
- return cert;
}
/**
@@ -216,52 +230,81 @@
}
/**
- * Lookup a X509 Certificate in the keystore according to a given
+ * Lookup an X509 Certificate in the keystore according to a given serial number and
* the issuer of a Certificate.
- * <p/>
+ *
* The search gets all alias names of the keystore and gets the certificate chain
- * for each alias. Then the Issuer for each certificate of the chain
+ * for each alias. Then the SerialNumber and Issuer for each certificate of the chain
* is compared with the parameters.
*
- * @param issuer The issuer's name for the certificate
- * @return alias name of the certificate that matches the issuer name
+ * @param issuer The issuer's name for the certificate
+ * @param serialNumber The serial number of the certificate from the named issuer
+ * @return alias name of the certificate that matches serialNumber and issuer name
* or null if no such certificate was found.
*/
- public String getAliasForX509Cert(String issuer) throws WSSecurityException {
- return getAliasForX509Cert(issuer, null, false);
- }
+ public String getAliasForX509Cert(String issuer, BigInteger serialNumber)
+ throws WSSecurityException {
+ X500Principal issuerRDN = null;
+ X509Name issuerName = null;
+ Certificate cert = null;
+
+ //
+ // Convert the issuer DN to a java X500Principal object first. This is to ensure
+ // interop with a DN constructed from .NET, where e.g. it uses "S" instead of "ST".
+ // Then convert it to a BouncyCastle X509Name, which will order the attributes of
+ // the DN in a particular way (see WSS-168). If the conversion to an X500Principal
+ // object fails (e.g. if the DN contains "E" instead of "EMAILADDRESS"), then fall
+ // back on a direct conversion to a BC X509Name
+ //
+ try {
+ issuerRDN = new X500Principal(issuer);
+ issuerName = new X509Name(issuerRDN.getName());
+ } catch (java.lang.IllegalArgumentException ex) {
+ issuerName = new X509Name(issuer);
+ }
+ try {
+ for (Enumeration e = keystore.aliases(); e.hasMoreElements();) {
+ String alias = (String) e.nextElement();
+ Certificate[] certs = keystore.getCertificateChain(alias);
+ if (certs == null || certs.length == 0) {
+ // no cert chain, so lets check if getCertificate gives us a result.
+ cert = keystore.getCertificate(alias);
+ if (cert == null) {
+ continue;
+ }
+ } else {
+ cert = certs[0];
+ }
+ if (!(cert instanceof X509Certificate)) {
+ continue;
+ }
+ X509Certificate x509cert = (X509Certificate) cert;
+ if (x509cert.getSerialNumber().compareTo(serialNumber) == 0) {
+ X509Name certName = new X509Name(x509cert.getIssuerDN().getName());
+ if (certName.equals(issuerName)) {
+ return alias;
+ }
+ }
+ }
+ } catch (KeyStoreException e) {
+ throw new WSSecurityException(WSSecurityException.FAILURE, "keystore", null, e);
+ }
+ return null;
+ }
+
+
/**
- * Lookup a X509 Certificate in the keystore according to a given serial number and
+ * Lookup an X509 Certificate in the keystore according to a given serial number and
* the issuer of a Certificate.
- * <p/>
- * The search gets all alias names of the keystore and gets the certificate chain
- * for each alias. Then the SerialNumber and Issuer for each certificate of the chain
- * is compared with the parameters.
- *
+ *
* @param issuer The issuer's name for the certificate
* @param serialNumber The serial number of the certificate from the named issuer
- * @return alias name of the certificate that matches serialNumber and issuer name
+ * @return the X509 certificate that matches the serialNumber and issuer name
* or null if no such certificate was found.
*/
- public String getAliasForX509Cert(String issuer, BigInteger serialNumber)
+ public X509Certificate getX509Certificate(String issuer, BigInteger serialNumber)
throws WSSecurityException {
- return getAliasForX509Cert(issuer, serialNumber, true);
- }
-
- /*
- * need to check if "getCertificateChain" also finds certificates that are
- * used for encryption only, i.e. they may not be signed by a CA
- * Otherwise we must define a restriction how to use certificate:
- * each certificate must be signed by a CA or is a self signed Certificate
- * (this should work as well).
- * --- remains to be tested in several ways --
- */
- private String getAliasForX509Cert(
- String issuer,
- BigInteger serialNumber,
- boolean useSerialNumber
- ) throws WSSecurityException {
X500Principal issuerRDN = null;
X509Name issuerName = null;
Certificate cert = null;
@@ -289,7 +332,7 @@
// no cert chain, so lets check if getCertificate gives us a result.
cert = keystore.getCertificate(alias);
if (cert == null) {
- return null;
+ continue;
}
} else {
cert = certs[0];
@@ -298,10 +341,10 @@
continue;
}
X509Certificate x509cert = (X509Certificate) cert;
- if (!useSerialNumber || x509cert.getSerialNumber().compareTo(serialNumber) == 0) {
+ if (x509cert.getSerialNumber().compareTo(serialNumber) == 0) {
X509Name certName = new X509Name(x509cert.getIssuerDN().getName());
if (certName.equals(issuerName)) {
- return alias;
+ return x509cert;
}
}
}
@@ -310,6 +353,39 @@
}
return null;
}
+
+
+ /**
+ * Check to see if the certificate argument is in the keystore
+ * @param cert The certificate to check
+ * @return true if cert is in the keystore
+ * @throws WSSecurityException
+ */
+ public boolean isCertificateInKeyStore(X509Certificate cert) throws WSSecurityException {
+ String issuerString = cert.getIssuerDN().getName();
+ BigInteger issuerSerial = cert.getSerialNumber();
+
+ X509Certificate foundCert = getX509Certificate(issuerString, issuerSerial);
+
+ //
+ // If a certificate has been found, the certificates must be compared
+ // to ensure against phony DNs (compare encoded form including signature)
+ //
+ if (foundCert != null && foundCert.equals(cert)) {
+ if (log.isDebugEnabled()) {
+ log.debug("Direct trust for certificate with " + cert.getSubjectDN().getName());
+ }
+ return true;
+ }
+ if (log.isDebugEnabled()) {
+ log.debug(
+ "No alias found for subject from issuer with " + issuerString
+ + " (serial " + issuerSerial + ")"
+ );
+ }
+ return false;
+ }
+
/**
* Lookup a X509 Certificate in the keystore according to a given
@@ -336,7 +412,7 @@
// no cert chain, so lets check if getCertificate gives us a result.
cert = keystore.getCertificate(alias);
if (cert == null) {
- return null;
+ continue;
}
} else {
cert = certs[0];
@@ -345,10 +421,7 @@
continue;
}
byte[] data = getSKIBytesFromCert((X509Certificate) cert);
- if (data.length != skiBytes.length) {
- continue;
- }
- if (Arrays.equals(data, skiBytes)) {
+ if (data.length == skiBytes.length && Arrays.equals(data, skiBytes)) {
return alias;
}
}
@@ -373,11 +446,10 @@
return alias;
}
// Use brute force search
- Enumeration e = keystore.aliases();
- while (e.hasMoreElements()) {
+ for (Enumeration e = keystore.aliases(); e.hasMoreElements();) {
alias = (String) e.nextElement();
- X509Certificate cert2 = (X509Certificate) keystore.getCertificate(alias);
- if (cert2.equals(cert)) {
+ Certificate retrievedCert = keystore.getCertificate(alias);
+ if (retrievedCert.equals(cert)) {
return alias;
}
}
@@ -435,7 +507,8 @@
}
return x509certs;
}
-
+
+
/**
* Lookup a X509 Certificate in the keystore according to a given
* Thumbprint.
@@ -470,7 +543,7 @@
// no cert chain, so lets check if getCertificate gives us a result.
cert = keystore.getCertificate(alias);
if (cert == null) {
- return null;
+ continue;
}
} else {
cert = certs[0];
@@ -568,11 +641,12 @@
}
public KeyStore getKeyStore() {
- return this.keystore;
+ return keystore;
}
/**
- * Lookup X509 Certificates in the keystore according to a given DN of the subject of the certificate
+ * Lookup X509 Certificates in the keystore according to a given DN of the subject of the
+ * certificate
* <p/>
* The search gets all alias names of the keystore and gets the certificate (chain)
* for each alias. Then the DN of the certificate is compared with the parameters.
@@ -586,11 +660,11 @@
// The DN to search the keystore for
X500Principal subjectRDN = new X500Principal(subjectDN);
- List aliases = getAlias(subjectRDN, keystore);
+ List aliases = getAliases(subjectRDN, keystore);
//If we can't find the issuer in the keystore then look at cacerts
if (aliases.size() == 0 && cacerts != null) {
- aliases = getAlias(subjectRDN, cacerts);
+ aliases = getAliases(subjectRDN, cacerts);
}
// Convert the vector into an array
@@ -603,28 +677,17 @@
}
/**
- * get a byte array given an array of X509 certificates.
+ * Get a byte array given an array of X509 certificates.
* <p/>
*
- * @param reverse If set the first certificate in the array data will
- * the last in the byte array
- * @param certs The certificates to convert
- * @return The byte array for the certificates ordered according
- * to the reverse flag
+ * @param certs The certificates to convert
+ * @return The byte array for the certificates
* @throws WSSecurityException
*/
- public byte[] getCertificateData(boolean reverse, X509Certificate[] certs)
+ public byte[] getCertificateData(X509Certificate[] certs)
throws WSSecurityException {
- List list = new Vector();
- for (int i = 0; i < certs.length; i++) {
- if (reverse) {
- list.add(0, certs[i]);
- } else {
- list.add(certs[i]);
- }
- }
try {
- CertPath path = getCertificateFactory().generateCertPath(list);
+ CertPath path = getCertificateFactory().generateCertPath(Arrays.asList(certs));
return path.getEncoded();
} catch (CertificateEncodingException e) {
throw new WSSecurityException(
@@ -644,13 +707,10 @@
* <p/>
*
* @param data The <code>byte</code> array containing the X509 data
- * @param reverse If set the first certificate in input data will
- * the last in the array
- * @return An array of X509 certificates, ordered according to
- * the reverse flag
+ * @return An array of X509 certificates
* @throws WSSecurityException
*/
- public X509Certificate[] getX509Certificates(byte[] data, boolean reverse)
+ public X509Certificate[] getX509Certificates(byte[] data)
throws WSSecurityException {
InputStream in = new ByteArrayInputStream(data);
CertPath path = null;
@@ -664,9 +724,9 @@
}
List l = path.getCertificates();
X509Certificate[] certs = new X509Certificate[l.size()];
- Iterator iterator = l.iterator();
- for (int i = 0; i < l.size(); i++) {
- certs[(reverse) ? (l.size() - 1 - i) : i] = (X509Certificate) iterator.next();
+ int i = 0;
+ for (Iterator iterator = l.iterator(); iterator.hasNext(); ) {
+ certs[i++] = (X509Certificate) iterator.next();
}
return certs;
}
@@ -675,40 +735,55 @@
* Overridden because there's a bug in the base class where they don't use
* the provider variant for the certificate validator.
*
- * @param certs
- * Certificate chain to validate
+ * @param certs X509Certificate chain to validate
* @return true if the certificate chain is valid, false otherwise
* @throws WSSecurityException
*/
public boolean
validateCertPath(
- java.security.cert.X509Certificate[] certs
+ X509Certificate[] certs
) throws org.apache.ws.security.WSSecurityException {
try {
// Generate cert path
- java.util.List cert_list = java.util.Arrays.asList(certs);
- java.security.cert.CertPath path =
- getCertificateFactory().generateCertPath(cert_list);
-
- // Use the certificates in the keystore as TrustAnchors
- java.security.cert.PKIXParameters param =
- new java.security.cert.PKIXParameters(this.keystore);
+ List certList = Arrays.asList(certs);
+ CertPath path = getCertificateFactory().generateCertPath(certList);
+ Set set = new HashSet();
+ if (cacerts != null) {
+ Enumeration cacertsAliases = cacerts.aliases();
+ while (cacertsAliases.hasMoreElements()) {
+ String alias = (String) cacertsAliases.nextElement();
+ X509Certificate cert =
+ (X509Certificate) cacerts.getCertificate(alias);
+ TrustAnchor anchor =
+ new TrustAnchor(cert, cert.getExtensionValue(NAME_CONSTRAINTS_OID));
+ set.add(anchor);
+ }
+ }
+
+ // Add certificates from the keystore
+ Enumeration aliases = keystore.aliases();
+ while (aliases.hasMoreElements()) {
+ String alias = (String) aliases.nextElement();
+ X509Certificate cert =
+ (X509Certificate) keystore.getCertificate(alias);
+ TrustAnchor anchor =
+ new TrustAnchor(cert, cert.getExtensionValue(NAME_CONSTRAINTS_OID));
+ set.add(anchor);
+ }
+
+ PKIXParameters param = new PKIXParameters(set);
+
// Do not check a revocation list
param.setRevocationEnabled(false);
// Verify the trust path using the above settings
String provider = getCryptoProvider();
- java.security.cert.CertPathValidator validator = null;
+ CertPathValidator validator = null;
if (provider == null || provider.length() == 0) {
- validator =
- java.security.cert.CertPathValidator.getInstance("PKIX");
+ validator = CertPathValidator.getInstance("PKIX");
} else {
- validator =
- java.security.cert.CertPathValidator.getInstance(
- "PKIX",
- provider
- );
+ validator = CertPathValidator.getInstance("PKIX", provider);
}
validator.validate(path, param);
} catch (java.security.NoSuchProviderException e) {
@@ -756,7 +831,15 @@
return true;
}
- private List getAlias(X500Principal subjectRDN, KeyStore store) throws WSSecurityException {
+ /**
+ * Get all of the aliases of the X500Principal argument in the supplied KeyStore
+ * @param subjectRDN The X500Principal
+ * @param store The KeyStore
+ * @return A list of aliases
+ * @throws WSSecurityException
+ */
+ private static List getAliases(X500Principal subjectRDN, KeyStore store)
+ throws WSSecurityException {
// Store the aliases found
List aliases = new Vector();
Certificate cert = null;
@@ -770,7 +853,7 @@
// no cert chain, so lets check if getCertificate gives us a result.
cert = store.getCertificate(alias);
if (cert == null) {
- return null;
+ continue;
}
certs = new Certificate[]{cert};
} else {
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/Merlin.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/Merlin.java?rev=777081&r1=777080&r2=777081&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/Merlin.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/Merlin.java Thu May 21 11:47:33 2009
@@ -19,29 +19,8 @@
package org.apache.ws.security.components.crypto;
-import org.apache.ws.security.WSSecurityException;
-
-import java.io.ByteArrayInputStream;
import java.io.IOException;
-import java.io.InputStream;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.cert.CertPath;
-import java.security.cert.CertPathValidator;
-import java.security.cert.CertPathValidatorException;
-import java.security.cert.CertificateEncodingException;
-import java.security.cert.CertificateException;
-import java.security.cert.PKIXParameters;
-import java.security.cert.TrustAnchor;
-import java.security.cert.X509Certificate;
-import java.util.Enumeration;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
import java.util.Properties;
-import java.util.Vector;
/**
* JDK1.4 based implementation of Crypto (uses keystore). <p/>
@@ -49,13 +28,6 @@
* @author Davanum Srinivas (dims@yahoo.com).
*/
public class Merlin extends AbstractCrypto {
- /**
- * OID For the NameConstraints Extension to X.509
- *
- * http://java.sun.com/j2se/1.4.2/docs/api/
- * http://www.ietf.org/rfc/rfc3280.txt (s. 4.2.1.11)
- */
- public static final String NAME_CONSTRAINTS_OID = "2.5.29.30";
/**
* Constructor. <p/>
@@ -73,145 +45,4 @@
super(properties, loader);
}
- /**
- * Construct an array of X509Certificate's from the byte array. <p/>
- *
- * @param data
- * The <code>byte</code> array containing the X509 data
- * @param reverse
- * If set the first certificate in input data will the last in
- * the array
- * @return An array of X509 certificates, ordered according to the reverse
- * flag
- * @throws WSSecurityException
- */
- public X509Certificate[] getX509Certificates(byte[] data, boolean reverse)
- throws WSSecurityException {
- InputStream in = new ByteArrayInputStream(data);
- CertPath path = null;
- try {
- path = getCertificateFactory().generateCertPath(in);
- } catch (CertificateException e) {
- throw new WSSecurityException(
- WSSecurityException.SECURITY_TOKEN_UNAVAILABLE, "parseError", null, e
- );
- }
- List l = path.getCertificates();
- X509Certificate[] certs = new X509Certificate[l.size()];
- Iterator iterator = l.iterator();
- for (int i = 0; i < l.size(); i++) {
- certs[(reverse) ? (l.size() - 1 - i) : i] = (X509Certificate) iterator.next();
- }
- return certs;
- }
-
- /**
- * get a byte array given an array of X509 certificates. <p/>
- *
- * @param reverse
- * If set the first certificate in the array data will the last
- * in the byte array
- * @param certs
- * The certificates to convert
- * @return The byte array for the certificates ordered according to the
- * reverse flag
- * @throws WSSecurityException
- */
- public byte[] getCertificateData(boolean reverse, X509Certificate[] certs)
- throws WSSecurityException {
- List list = new Vector();
- for (int i = 0; i < certs.length; i++) {
- if (reverse) {
- list.add(0, certs[i]);
- } else {
- list.add(certs[i]);
- }
- }
- try {
- CertPath path = getCertificateFactory().generateCertPath(list);
- return path.getEncoded();
- } catch (CertificateEncodingException e) {
- throw new WSSecurityException(
- WSSecurityException.SECURITY_TOKEN_UNAVAILABLE, "encodeError", null, e
- );
- } catch (CertificateException e) {
- throw new WSSecurityException(
- WSSecurityException.SECURITY_TOKEN_UNAVAILABLE, "parseError", null, e
- );
- }
- }
-
- public boolean validateCertPath(X509Certificate[] certs) throws WSSecurityException {
- try {
- // Generate cert path
- java.util.List certList = java.util.Arrays.asList(certs);
- CertPath path = this.getCertificateFactory().generateCertPath(certList);
-
- java.util.Set set = new HashSet();
- if (this.cacerts != null) {
- Enumeration cacertsAliases = this.cacerts.aliases();
- while (cacertsAliases.hasMoreElements()) {
- String alias = (String) cacertsAliases.nextElement();
- X509Certificate cert =
- (X509Certificate) this.cacerts.getCertificate(alias);
- TrustAnchor anchor =
- new TrustAnchor(cert, cert.getExtensionValue(NAME_CONSTRAINTS_OID));
- set.add(anchor);
- }
- }
-
- // Add certificates from the keystore
- Enumeration aliases = this.keystore.aliases();
- while (aliases.hasMoreElements()) {
- String alias = (String) aliases.nextElement();
- X509Certificate cert =
- (X509Certificate) this.keystore.getCertificate(alias);
- TrustAnchor anchor =
- new TrustAnchor(cert, cert.getExtensionValue(NAME_CONSTRAINTS_OID));
- set.add(anchor);
- }
-
- PKIXParameters param = new PKIXParameters(set);
-
- // Do not check a revocation list
- param.setRevocationEnabled(false);
-
- // Verify the trust path using the above settings
- String provider =
- properties.getProperty("org.apache.ws.security.crypto.merlin.cert.provider");
- CertPathValidator certPathValidator;
- if (provider == null || provider.length() == 0) {
- certPathValidator = CertPathValidator.getInstance("PKIX");
- } else {
- certPathValidator = CertPathValidator.getInstance("PKIX", provider);
- }
- certPathValidator.validate(path, param);
- } catch (NoSuchProviderException ex) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "certpath", new Object[] { ex.getMessage() },
- (Throwable) ex);
- } catch (NoSuchAlgorithmException ex) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "certpath", new Object[] { ex.getMessage() },
- (Throwable) ex);
- } catch (CertificateException ex) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "certpath", new Object[] { ex.getMessage() },
- (Throwable) ex);
- } catch (InvalidAlgorithmParameterException ex) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "certpath", new Object[] { ex.getMessage() },
- (Throwable) ex);
- } catch (CertPathValidatorException ex) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "certpath", new Object[] { ex.getMessage() },
- (Throwable) ex);
- } catch (KeyStoreException ex) {
- throw new WSSecurityException(WSSecurityException.FAILURE,
- "certpath", new Object[] { ex.getMessage() },
- (Throwable) ex);
- }
-
- return true;
- }
}
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java?rev=777081&r1=777080&r2=777081&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java Thu May 21 11:47:33 2009
@@ -1067,13 +1067,10 @@
return false;
}
- String[] aliases = null;
- String alias = null;
- X509Certificate[] certs;
-
String subjectString = cert.getSubjectDN().getName();
String issuerString = cert.getIssuerDN().getName();
BigInteger issuerSerial = cert.getSerialNumber();
+ Crypto crypto = reqData.getSigCrypto();
if (doDebug) {
log.debug("WSHandler: Transmitted certificate has subject " + subjectString);
@@ -1083,57 +1080,20 @@
);
}
- // FIRST step
- // Search the keystore for the transmitted certificate
-
- // Search the keystore for the alias of the transmitted certificate
- try {
- alias = reqData.getSigCrypto().getAliasForX509Cert(issuerString, issuerSerial);
- } catch (WSSecurityException ex) {
- throw new WSSecurityException(
- "WSHandler: Could not get alias for certificate with " + subjectString, ex
- );
- }
-
- if (alias != null) {
- // Retrieve the certificate for the alias from the keystore
- try {
- certs = reqData.getSigCrypto().getCertificates(alias);
- } catch (WSSecurityException ex) {
- throw new WSSecurityException(
- "WSHandler: Could not get certificates for alias " + alias, ex
- );
- }
-
- // If certificates have been found, the certificates must be compared
- // to ensure against phony DNs (compare encoded form including signature)
- if (certs != null && certs.length > 0 && cert.equals(certs[0])) {
- if (doDebug) {
- log.debug("Direct trust for certificate with " + subjectString);
- }
- return true;
- }
- } else {
- if (doDebug) {
- log.debug(
- "No alias found for subject from issuer with " + issuerString
- + " (serial " + issuerSerial + ")"
- );
- }
+ //
+ // FIRST step - Search the keystore for the transmitted certificate
+ //
+ if (crypto.isCertificateInKeyStore(cert)) {
+ return true;
}
- // SECOND step
- // Search for the issuer of the transmitted certificate in the keystore
- // Search the keystore for the alias of the transmitted certificates issuer
- try {
- aliases = reqData.getSigCrypto().getAliasesForDN(issuerString);
- } catch (WSSecurityException ex) {
- throw new WSSecurityException(
- "WSHandler: Could not get alias for certificate with " + issuerString, ex
- );
- }
+ //
+ // SECOND step - Search for the issuer of the transmitted certificate in the
+ // keystore or the truststore
+ //
+ String[] aliases = crypto.getAliasesForDN(issuerString);
- // If the alias has not been found, the issuer is not in the keystore
+ // If the alias has not been found, the issuer is not in the keystore/truststore
// As a direct result, do not trust the transmitted certificate
if (aliases == null || aliases.length < 1) {
if (doDebug) {
@@ -1145,10 +1105,13 @@
return false;
}
+ //
// THIRD step
- // Check the certificate trust path for every alias of the issuer found in the keystore
+ // Check the certificate trust path for every alias of the issuer found in the
+ // keystore/truststore
+ //
for (int i = 0; i < aliases.length; i++) {
- alias = aliases[i];
+ String alias = aliases[i];
if (doDebug) {
log.debug(
@@ -1157,52 +1120,39 @@
);
}
- // Retrieve the certificate(s) for the alias from the keystore
- try {
- certs = reqData.getSigCrypto().getCertificates(alias);
- } catch (WSSecurityException ex) {
- throw new WSSecurityException(
- "WSHandler: Could not get certificates for alias " + alias, ex
- );
- }
+ // Retrieve the certificate(s) for the alias from the keystore/truststore
+ X509Certificate[] certs = crypto.getCertificates(alias);
// If no certificates have been found, there has to be an error:
- // The keystore can find an alias but no certificate(s)
+ // The keystore/truststore can find an alias but no certificate(s)
if (certs == null || certs.length < 1) {
throw new WSSecurityException(
"WSHandler: Could not get certificates for alias " + alias
);
}
+ //
// Form a certificate chain from the transmitted certificate
- // and the certificate(s) of the issuer from the keystore
- // First, create new array
+ // and the certificate(s) of the issuer from the keystore/truststore
+ //
X509Certificate[] x509certs = new X509Certificate[certs.length + 1];
- // Then add the first certificate ...
x509certs[0] = cert;
- // ... and the other certificates
for (int j = 0; j < certs.length; j++) {
x509certs[j + 1] = certs[j];
}
- certs = x509certs;
+ ///
// Use the validation method from the crypto to check whether the subjects'
// certificate was really signed by the issuer stated in the certificate
- try {
- if (reqData.getSigCrypto().validateCertPath(certs)) {
- if (doDebug) {
- log.debug(
- "WSHandler: Certificate path has been verified for certificate "
- + "with subject " + subjectString
- );
- }
- return true;
+ //
+ if (crypto.validateCertPath(x509certs)) {
+ if (doDebug) {
+ log.debug(
+ "WSHandler: Certificate path has been verified for certificate "
+ + "with subject " + subjectString
+ );
}
- } catch (WSSecurityException ex) {
- throw new WSSecurityException(
- "WSHandler: Certificate path verification failed for certificate "
- + "with subject " + subjectString, ex
- );
+ return true;
}
}
@@ -1214,7 +1164,8 @@
}
return false;
}
-
+
+
/**
* Evaluate whether a timestamp is considered valid on the receivers' side. Hook to
* allow subclasses to implement custom validation methods however they see fit.
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDerivedKeyBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDerivedKeyBase.java?rev=777081&r1=777080&r2=777081&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDerivedKeyBase.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDerivedKeyBase.java Thu May 21 11:47:33 2009
@@ -197,7 +197,7 @@
// Add the DKTs
dkt = new DerivedKeyToken(wscVersion, document);
- dktId = wssConfig.getIdAllocator().createId("derivedKeyId-", dkt);
+ dktId = wssConfig.getIdAllocator().createId("DK-", dkt);
dkt.setOffset(offset);
dkt.setLength(length);
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java?rev=777081&r1=777080&r2=777081&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java Thu May 21 11:47:33 2009
@@ -175,7 +175,7 @@
ref.setURI("#" + certUri);
if (!useSingleCert) {
bstToken = new PKIPathSecurity(document);
- ((PKIPathSecurity) bstToken).setX509Certificates(certs, false, crypto);
+ ((PKIPathSecurity) bstToken).setX509Certificates(certs, crypto);
} else {
bstToken = new X509Security(document);
((X509Security) bstToken).setX509Certificate(certs[0]);
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/token/PKIPathSecurity.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/token/PKIPathSecurity.java?rev=777081&r1=777080&r2=777081&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/token/PKIPathSecurity.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/token/PKIPathSecurity.java Thu May 21 11:47:33 2009
@@ -67,13 +67,13 @@
* @return array of certificates
* @throws WSSecurityException
*/
- public X509Certificate[] getX509Certificates(boolean reverse, Crypto crypto)
+ public X509Certificate[] getX509Certificates(Crypto crypto)
throws WSSecurityException {
byte[] data = getToken();
if (data == null) {
return null;
}
- return crypto.getX509Certificates(data, reverse);
+ return crypto.getX509Certificates(data);
}
/**
@@ -86,13 +86,12 @@
*/
public void setX509Certificates(
X509Certificate[] certs,
- boolean reverse,
Crypto crypto
) throws WSSecurityException {
if (certs == null) {
throw new WSSecurityException(WSSecurityException.FAILURE, "noCert");
}
- byte[] data = crypto.getCertificateData(reverse, certs);
+ byte[] data = crypto.getCertificateData(certs);
setToken(data);
}
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java?rev=777081&r1=777080&r2=777081&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java Thu May 21 11:47:33 2009
@@ -100,7 +100,7 @@
throws WSSecurityException {
createSecurityToken(elem);
if (token instanceof PKIPathSecurity) {
- certificates = ((PKIPathSecurity) token).getX509Certificates(false, crypto);
+ certificates = ((PKIPathSecurity) token).getX509Certificates(crypto);
} else if (token instanceof X509Security) {
X509Certificate cert = ((X509Security) token).getX509Certificate(crypto);
certificates = new X509Certificate[]{cert};
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java?rev=777081&r1=777080&r2=777081&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java Thu May 21 11:47:33 2009
@@ -561,7 +561,7 @@
}
BinarySecurity token = createSecurityToken(elem);
if (token instanceof PKIPathSecurity) {
- return ((PKIPathSecurity) token).getX509Certificates(false, crypto);
+ return ((PKIPathSecurity) token).getX509Certificates(crypto);
} else {
X509Certificate cert = ((X509Security) token).getX509Certificate(crypto);
return new X509Certificate[]{cert};
Modified: webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS86.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS86.java?rev=777081&r1=777080&r2=777081&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS86.java (original)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS86.java Thu May 21 11:47:33 2009
@@ -126,32 +126,6 @@
return msg;
}
- /**
- * A unit test...
- */
- public void testGetAliasWithPlainIssuer() throws Exception {
- String issuer = "EMAILADDRESS=Werner@example.com,CN=Werner,OU=WSS4J,O=Apache,L=Munich,ST=Bayern,C=DE";
- String alias = crypto.getAliasForX509Cert(issuer);
- assertNotNull("Alias not found using plain issuer only", alias);
- }
-
- /**
- * A unit test...
- */
- public void testGetAliasWithEncodedIssuer() throws Exception {
- String issuer = "1.2.840.113549.1.9.1=#16125765726e6572406578616d706c652e636f6d,CN=Werner,OU=WSS4J,O=Apache,L=Munich,ST=Bayern,C=DE";
- String alias = crypto.getAliasForX509Cert(issuer);
- assertNotNull("Alias not found using encoded issuer only", alias);
- }
-
- /**
- * A unit test...
- */
- public void testGetAliasWithMicrosoftState() throws Exception {
- String issuer = "EMAILADDRESS=Werner@example.com,CN=Werner,OU=WSS4J,O=Apache,L=Munich,S=Bayern,C=DE";
- String alias = crypto.getAliasForX509Cert(issuer);
- assertNotNull("Alias not found using Microsoft style states (S= instead of ST=)", alias);
- }
/**
* Test signing a SOAP message using a cert with an OID
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org