You are viewing a plain text version of this content. The canonical link for it is here.
Posted to wss4j-dev@ws.apache.org by co...@apache.org on 2009/05/29 13:51:39 UTC
svn commit: r779937 - in /webservices/wss4j/trunk: ./
src/org/apache/ws/axis/security/ src/org/apache/ws/security/handler/
src/org/apache/ws/security/message/token/
src/org/apache/ws/security/processor/ test/wssec/
Author: coheigea
Date: Fri May 29 11:51:38 2009
New Revision: 779937
URL: http://svn.apache.org/viewvc?rev=779937&view=rev
Log:
[WSS-191] - Moved trust verification from WSHandler to SignatureProcessor
- Trust is now verified on certificates *before* signature validation
- This means that bad requests are rejected quicker
- Also it works around a security bug in the WSHandler implementations where trust is only verified on a single certificate
- Also did a general rewrite of the SignatureProcessor
Modified:
webservices/wss4j/trunk/pom.xml
webservices/wss4j/trunk/src/org/apache/ws/axis/security/WSDoAllReceiver.java
webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSS4JHandler.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/DerivedKeyToken.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java
webservices/wss4j/trunk/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java
webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java
webservices/wss4j/trunk/test/wssec/MyHandler.java
webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS40.java
Modified: webservices/wss4j/trunk/pom.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/pom.xml?rev=779937&r1=779936&r2=779937&view=diff
==============================================================================
--- webservices/wss4j/trunk/pom.xml (original)
+++ webservices/wss4j/trunk/pom.xml Fri May 29 11:51:38 2009
@@ -303,7 +303,9 @@
</plugin>
</plugins>
- </pluginManagement>
+ </pluginManagement>
+
+ <defaultGoal>install</defaultGoal>
</build>
@@ -378,6 +380,13 @@
<scope>compile</scope>
</dependency>
</dependencies>
+ </profile>
+ <profile>
+ <id>fastinstall</id>
+ <properties>
+ <maven.test.skip>true</maven.test.skip>
+ <pmd.skip>true</pmd.skip>
+ </properties>
</profile>
</profiles>
Modified: webservices/wss4j/trunk/src/org/apache/ws/axis/security/WSDoAllReceiver.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/axis/security/WSDoAllReceiver.java?rev=779937&r1=779936&r2=779937&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/axis/security/WSDoAllReceiver.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/axis/security/WSDoAllReceiver.java Fri May 29 11:51:38 2009
@@ -33,7 +33,6 @@
import org.apache.ws.axis.security.handler.WSDoAllHandler;
import org.apache.ws.security.SOAPConstants;
import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.handler.WSHandlerConstants;
@@ -47,7 +46,6 @@
import javax.xml.soap.SOAPHeader;
import javax.xml.soap.SOAPHeaderElement;
import java.io.ByteArrayOutputStream;
-import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Iterator;
@@ -273,30 +271,6 @@
.setProcessed(true);
/*
- * Now we can check the certificate used to sign the message. In the
- * following implementation the certificate is only trusted if
- * either it itself or the certificate of the issuer is installed in
- * the keystore.
- *
- * Note: the method verifyTrust(X509Certificate) allows custom
- * implementations with other validation algorithms for subclasses.
- */
-
- // Extract the signature action result from the action vector
- WSSecurityEngineResult actionResult = WSSecurityUtil
- .fetchActionResult(wsResult, WSConstants.SIGN);
-
- if (actionResult != null) {
- X509Certificate returnCert =
- (X509Certificate)actionResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
-
- if (returnCert != null && !verifyTrust(returnCert, reqData)) {
- throw new AxisFault(
- "WSDoAllReceiver: The certificate used for the signature is not trusted");
- }
- }
-
- /*
* now check the security actions: do they match, in right order?
*/
if (!checkReceiverResults(wsResult, actions)) {
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java?rev=779937&r1=779936&r2=779937&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSHandler.java Fri May 29 11:51:38 2009
@@ -34,6 +34,7 @@
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.token.SignatureConfirmation;
import org.apache.ws.security.message.token.Timestamp;
+import org.apache.ws.security.processor.SignatureProcessor;
import org.apache.ws.security.util.Loader;
import org.apache.ws.security.util.StringUtil;
import org.apache.ws.security.util.WSSecurityUtil;
@@ -42,7 +43,6 @@
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
-import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Hashtable;
@@ -1058,111 +1058,11 @@
* @return true if the certificate is trusted, false if not (AxisFault is thrown for exceptions
* during CertPathValidation)
* @throws WSSecurityException
+ * @deprecated Trust is verified on signature certificates in the SignatureProcessor by default
*/
protected boolean verifyTrust(X509Certificate cert, RequestData reqData)
throws WSSecurityException {
-
- // If no certificate was transmitted, do not trust the signature
- if (cert == null) {
- return false;
- }
-
- String subjectString = cert.getSubjectDN().getName();
- String issuerString = cert.getIssuerDN().getName();
- BigInteger issuerSerial = cert.getSerialNumber();
- Crypto crypto = reqData.getSigCrypto();
-
- if (doDebug) {
- log.debug("WSHandler: Transmitted certificate has subject " + subjectString);
- log.debug(
- "WSHandler: Transmitted certificate has issuer " + issuerString
- + " (serial " + issuerSerial + ")"
- );
- }
-
- //
- // FIRST step - Search the keystore for the transmitted certificate
- //
- if (crypto.isCertificateInKeyStore(cert)) {
- return true;
- }
-
- //
- // SECOND step - Search for the issuer of the transmitted certificate in the
- // keystore or the truststore
- //
- String[] aliases = crypto.getAliasesForDN(issuerString);
-
- // If the alias has not been found, the issuer is not in the keystore/truststore
- // As a direct result, do not trust the transmitted certificate
- if (aliases == null || aliases.length < 1) {
- if (doDebug) {
- log.debug(
- "No aliases found in keystore for issuer " + issuerString
- + " of certificate for " + subjectString
- );
- }
- return false;
- }
-
- //
- // THIRD step
- // Check the certificate trust path for every alias of the issuer found in the
- // keystore/truststore
- //
- for (int i = 0; i < aliases.length; i++) {
- String alias = aliases[i];
-
- if (doDebug) {
- log.debug(
- "Preparing to validate certificate path with alias " + alias
- + " for issuer " + issuerString
- );
- }
-
- // Retrieve the certificate(s) for the alias from the keystore/truststore
- X509Certificate[] certs = crypto.getCertificates(alias);
-
- // If no certificates have been found, there has to be an error:
- // The keystore/truststore can find an alias but no certificate(s)
- if (certs == null || certs.length < 1) {
- throw new WSSecurityException(
- "WSHandler: Could not get certificates for alias " + alias
- );
- }
-
- //
- // Form a certificate chain from the transmitted certificate
- // and the certificate(s) of the issuer from the keystore/truststore
- //
- X509Certificate[] x509certs = new X509Certificate[certs.length + 1];
- x509certs[0] = cert;
- for (int j = 0; j < certs.length; j++) {
- x509certs[j + 1] = certs[j];
- }
-
- ///
- // Use the validation method from the crypto to check whether the subjects'
- // certificate was really signed by the issuer stated in the certificate
- //
- if (crypto.validateCertPath(x509certs)) {
- if (doDebug) {
- log.debug(
- "WSHandler: Certificate path has been verified for certificate "
- + "with subject " + subjectString
- );
- }
- return true;
- }
- }
-
- if (doDebug) {
- log.debug(
- "WSHandler: Certificate path could not be verified for "
- + "certificate with subject " + subjectString
- );
- }
- return false;
+ return SignatureProcessor.verifyTrust(cert, reqData.getSigCrypto());
}
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSS4JHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSS4JHandler.java?rev=779937&r1=779936&r2=779937&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSS4JHandler.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/handler/WSS4JHandler.java Fri May 29 11:51:38 2009
@@ -23,7 +23,6 @@
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.SOAPConstants;
import org.apache.ws.security.WSConstants;
-import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.utils.XMLUtils;
@@ -50,7 +49,6 @@
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.UnsupportedEncodingException;
-import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import java.util.Vector;
@@ -474,29 +472,6 @@
headerElement.setMustUnderstand(false); // is this sufficient?
/*
- * Now we can check the certificate used to sign the message.
- * In the following implementation the certificate is only trusted
- * if either it itself or the certificate of the issuer is installed
- * in the keystore.
- *
- * Note: the method verifyTrust(X509Certificate) allows custom
- * implementations with other validation algorithms for subclasses.
- */
-
- // Extract the signature action result from the action vector
-
- WSSecurityEngineResult actionResult = WSSecurityUtil.fetchActionResult(wsResult, WSConstants.SIGN);
-
- if (actionResult != null) {
- X509Certificate returnCert =
- (X509Certificate)actionResult.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
-
- if (returnCert != null && !verifyTrust(returnCert, reqData)) {
- throw new JAXRPCException("WSS4JHandler: The certificate used for the signature is not trusted");
- }
- }
-
- /*
* now check the security actions: do they match, in right order?
*/
if (!checkReceiverResults(wsResult, actions)) {
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/token/DerivedKeyToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/token/DerivedKeyToken.java?rev=779937&r1=779936&r2=779937&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/token/DerivedKeyToken.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/token/DerivedKeyToken.java Fri May 29 11:51:38 2009
@@ -19,6 +19,7 @@
package org.apache.ws.security.message.token;
+import java.security.Principal;
import java.util.Enumeration;
import java.util.Hashtable;
@@ -27,6 +28,7 @@
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSDerivedKeyTokenPrincipal;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.conversation.ConversationConstants;
import org.apache.ws.security.conversation.ConversationException;
@@ -462,6 +464,32 @@
return algo;
}
}
+
+ /**
+ * Create a WSDerivedKeyTokenPrincipal from this DerivedKeyToken object
+ */
+ public Principal createPrincipal() throws WSSecurityException {
+ WSDerivedKeyTokenPrincipal principal = new WSDerivedKeyTokenPrincipal(getID());
+ principal.setNonce(getNonce());
+ principal.setLabel(getLabel());
+ principal.setLength(getLength());
+ principal.setOffset(getOffset());
+
+ String basetokenId = null;
+ SecurityTokenReference securityTokenReference = getSecurityTokenReference();
+ if (securityTokenReference.containsReference()) {
+ basetokenId = securityTokenReference.getReference().getURI();
+ if (basetokenId.charAt(0) == '#') {
+ basetokenId = basetokenId.substring(1);
+ }
+ } else {
+ // KeyIdentifier
+ basetokenId = securityTokenReference.getKeyIdentifierValue();
+ }
+ principal.setBasetokenId(basetokenId);
+
+ return principal;
+ }
/**
* Set the derivation algorithm of this derived key token.
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java?rev=779937&r1=779936&r2=779937&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java Fri May 29 11:51:38 2009
@@ -23,6 +23,7 @@
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.util.DOM2Writer;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.ws.security.util.XmlSchemaDateFormat;
@@ -37,6 +38,7 @@
import javax.xml.namespace.QName;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
+import java.security.Principal;
import java.security.SecureRandom;
import java.text.SimpleDateFormat;
import java.text.DateFormat;
@@ -695,7 +697,18 @@
}
return false;
}
-
+
+ /**
+ * Create a WSUsernameTokenPrincipal from this UsernameToken object
+ */
+ public Principal createPrincipal() {
+ WSUsernameTokenPrincipal principal =
+ new WSUsernameTokenPrincipal(getName(), isHashed());
+ principal.setNonce(getNonce());
+ principal.setPassword(getPassword());
+ principal.setCreatedTime(getCreated());
+ return principal;
+ }
/**
* This static method generates a 128 bit salt value as defined in WSS
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java?rev=779937&r1=779936&r2=779937&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java Fri May 29 11:51:38 2009
@@ -53,6 +53,7 @@
private String id;
private byte[] keyBytes;
+ private DerivedKeyToken dkt;
private byte[] secret;
private int length;
@@ -72,7 +73,7 @@
) throws WSSecurityException {
// Deserialize the DKT
- DerivedKeyToken dkt = new DerivedKeyToken(elem);
+ dkt = new DerivedKeyToken(elem);
extractSecret(wsDocInfo, dkt, cb, crypto);
String tempNonce = dkt.getNonce();
@@ -269,6 +270,13 @@
length = len;
deriveKey();
return keyBytes;
- }
+ }
+
+ /**
+ * Return the DerivedKeyToken object
+ */
+ public DerivedKeyToken getDerivedKeyToken() {
+ return dkt;
+ }
}
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java?rev=779937&r1=779936&r2=779937&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java Fri May 29 11:51:38 2009
@@ -26,7 +26,6 @@
import org.apache.ws.security.PublicKeyPrincipal;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDataRef;
-import org.apache.ws.security.WSDerivedKeyTokenPrincipal;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSDocInfoStore;
import org.apache.ws.security.WSPasswordCallback;
@@ -48,17 +47,21 @@
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.keys.KeyInfo;
+import org.apache.xml.security.keys.keyresolver.KeyResolverException;
import org.apache.xml.security.signature.Reference;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureException;
import org.opensaml.SAMLAssertion;
+import org.w3c.dom.Document;
import org.w3c.dom.Element;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;
+import java.math.BigInteger;
+import java.security.PublicKey;
import java.security.Principal;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
@@ -67,7 +70,6 @@
public class SignatureProcessor implements Processor {
private static Log log = LogFactory.getLog(SignatureProcessor.class.getName());
- private static Log tlog = LogFactory.getLog("org.apache.ws.security.TIME");
private String signatureId;
@@ -105,30 +107,22 @@
WSDocInfoStore.delete(wsDocInfo);
}
}
+ int actionPerformed = WSConstants.SIGN;
if (lastPrincipalFound instanceof WSUsernameTokenPrincipal) {
- returnResults.add(
- 0,
- new WSSecurityEngineResult(
- WSConstants.UT_SIGN,
- lastPrincipalFound,
- null,
- protectedRefs,
- signatureValue
- )
- );
- } else {
- returnResults.add(
- 0,
- new WSSecurityEngineResult(
- WSConstants.SIGN,
- lastPrincipalFound,
- certs,
- protectedRefs,
- signatureValue
- )
- );
+ actionPerformed = WSConstants.UT_SIGN;
}
- signatureId = elem.getAttributeNS(null, "Id");
+
+ returnResults.add(
+ 0,
+ new WSSecurityEngineResult(
+ actionPerformed,
+ lastPrincipalFound,
+ certs,
+ protectedRefs,
+ signatureValue
+ )
+ );
+ signatureId = elem.getAttribute("Id");
}
/**
@@ -176,40 +170,33 @@
if (log.isDebugEnabled()) {
log.debug("Verify XML Signature");
}
- long t0 = 0, t1 = 0, t2 = 0;
- if (tlog.isDebugEnabled()) {
- t0 = System.currentTimeMillis();
- }
XMLSignature sig = null;
try {
sig = new XMLSignature(elem, null);
- } catch (XMLSecurityException e2) {
+ } catch (XMLSecurityException ex) {
throw new WSSecurityException(
- WSSecurityException.FAILED_CHECK, "noXMLSig", null, e2
+ WSSecurityException.FAILED_CHECK, "noXMLSig", null, ex
);
}
-
sig.addResourceResolver(EnvelopeIdResolver.getInstance());
- KeyInfo info = sig.getKeyInfo();
+ KeyInfo keyInfo = sig.getKeyInfo();
byte[] secretKey = null;
- UsernameToken ut = null;
- DerivedKeyToken dkt = null;
- SAMLKeyInfo samlKi = null;
- String customTokenId = null;
- java.security.PublicKey publicKey = null;
+ PublicKey publicKey = null;
+ Principal principal = null;
- if (info != null && info.containsKeyValue()) {
+ if (keyInfo != null && keyInfo.containsKeyValue()) {
try {
- publicKey = info.getPublicKey();
- } catch (Exception ex) {
- throw new WSSecurityException(ex.getMessage(), ex);
+ publicKey = keyInfo.getPublicKey();
+ principal = validatePublicKey(cb, publicKey);
+ } catch (KeyResolverException ex) {
+ throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, ex);
}
- } else if (info != null) {
+ } else if (keyInfo != null) {
Element strElement =
WSSecurityUtil.getDirectChildElement(
- info.getElement(),
+ keyInfo.getElement(),
SecurityTokenReference.SECURITY_TOKEN_REFERENCE,
WSConstants.WSSE_NS
);
@@ -219,123 +206,80 @@
);
}
SecurityTokenReference secRef = new SecurityTokenReference(strElement);
+ //
// Here we get some information about the document that is being
// processed, in particular the crypto implementation, and already
// detected BST that may be used later during dereferencing.
//
-
if (secRef.containsReference()) {
Element token = secRef.getTokenElement(elem.getOwnerDocument(), wsDocInfo, cb);
- //
- // at this point check token type: UsernameToken, Binary, SAML
- // Crypto required only for Binary and SAML
- //
+ String wsuId = token.getAttributeNS(WSConstants.WSU_NS, "Id");
QName el = new QName(token.getNamespaceURI(), token.getLocalName());
- if (el.equals(WSSecurityEngine.USERNAME_TOKEN)) {
- String id = token.getAttributeNS(WSConstants.WSU_NS, "Id");
+ if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
+ certs = getCertificates(token, wsDocInfo, crypto);
+ principal = validateCertificates(certs, crypto);
+ } else if (el.equals(WSSecurityEngine.USERNAME_TOKEN)) {
UsernameTokenProcessor utProcessor =
- (UsernameTokenProcessor) wsDocInfo.getProcessor(id);
- ut = utProcessor.getUt();
+ (UsernameTokenProcessor) wsDocInfo.getProcessor(wsuId);
+
+ UsernameToken ut = utProcessor.getUt();
if (ut.isDerivedKey()) {
secretKey = ut.getDerivedKey();
} else {
secretKey = ut.getSecretKey();
}
+ principal = ut.createPrincipal();
} else if (el.equals(WSSecurityEngine.DERIVED_KEY_TOKEN_05_02)
|| el.equals(WSSecurityEngine.DERIVED_KEY_TOKEN_05_12)) {
- dkt = new DerivedKeyToken(token);
- String id = dkt.getID();
DerivedKeyTokenProcessor dktProcessor =
- (DerivedKeyTokenProcessor) wsDocInfo.getProcessor(id);
+ (DerivedKeyTokenProcessor) wsDocInfo.getProcessor(wsuId);
String signatureMethodURI = sig.getSignedInfo().getSignatureMethodURI();
+ DerivedKeyToken dkt = dktProcessor.getDerivedKeyToken();
int keyLength = (dkt.getLength() > 0) ? dkt.getLength() :
WSSecurityUtil.getKeyLength(signatureMethodURI);
secretKey = dktProcessor.getKeyBytes(keyLength);
- } else {
- if (el.equals(WSSecurityEngine.BINARY_TOKEN)) {
- certs = getCertificates(token, wsDocInfo, crypto);
- } else if (el.equals(WSSecurityEngine.SAML_TOKEN)) {
+ principal = dkt.createPrincipal();
+ } else if (el.equals(WSSecurityEngine.SAML_TOKEN)) {
+ if (crypto == null) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE, "noSigCryptoFile"
+ );
+ }
+ SAMLKeyInfo samlKi = SAMLUtil.getSAMLKeyInfo(token, crypto, cb);
+ certs = samlKi.getCerts();
+ validateCertificates(certs, crypto);
+ secretKey = samlKi.getSecret();
+ principal = createPrincipalFromSAMLKeyInfo(samlKi);
+ } else if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)){
+ String encryptedKeyID = token.getAttribute("Id");
+ EncryptedKeyProcessor encryptKeyProcessor =
+ (EncryptedKeyProcessor)wsDocInfo.getProcessor(encryptedKeyID);
+
+ if (encryptKeyProcessor == null) {
if (crypto == null) {
throw new WSSecurityException(
WSSecurityException.FAILURE, "noSigCryptoFile"
);
}
- samlKi = SAMLUtil.getSAMLKeyInfo(token, crypto, cb);
- certs = samlKi.getCerts();
- secretKey = samlKi.getSecret();
-
- } else if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)){
- String encryptedKeyID = token.getAttributeNS(null,"Id");
- EncryptedKeyProcessor encryptKeyProcessor =
- (EncryptedKeyProcessor)wsDocInfo.getProcessor(encryptedKeyID);
-
- if (encryptKeyProcessor == null ) {
- if (crypto == null) {
- throw new WSSecurityException(
- WSSecurityException.FAILURE, "noSigCryptoFile"
- );
- }
- encryptKeyProcessor = new EncryptedKeyProcessor();
- encryptKeyProcessor.handleEncryptedKey(token, cb, crypto);
- }
- secretKey = encryptKeyProcessor.getDecryptedBytes();
- } else {
- // Try custom token through callback handler
- // try to find a custom token
- String id = secRef.getReference().getURI();
- if (id.charAt(0) == '#') {
- id = id.substring(1);
- }
- WSPasswordCallback pwcb =
- new WSPasswordCallback(id, WSPasswordCallback.CUSTOM_TOKEN);
- try {
- Callback[] callbacks = new Callback[]{pwcb};
- cb.handle(callbacks);
- } catch (Exception e) {
- throw new WSSecurityException(
- WSSecurityException.FAILURE,
- "noPassword",
- new Object[] {id},
- e
- );
- }
-
- secretKey = pwcb.getKey();
- customTokenId = id;
- if (secretKey == null) {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY,
- "unsupportedKeyInfo",
- new Object[]{el.toString()}
- );
- }
- }
+ encryptKeyProcessor = new EncryptedKeyProcessor();
+ encryptKeyProcessor.handleEncryptedKey(token, cb, crypto);
+ }
+ secretKey = encryptKeyProcessor.getDecryptedBytes();
+ principal = new CustomTokenPrincipal(encryptedKeyID);
+ } else {
+ String id = secRef.getReference().getURI();
+ secretKey = getSecretKeyFromCustomToken(id, cb);
+ principal = new CustomTokenPrincipal(id);
}
} else if (secRef.containsX509Data() || secRef.containsX509IssuerSerial()) {
certs = secRef.getX509IssuerSerial(crypto);
+ principal = validateCertificates(certs, crypto);
} else if (secRef.containsKeyIdentifier()) {
if (secRef.getKeyIdentifierValueType().equals(SecurityTokenReference.ENC_KEY_SHA1_URI)) {
String id = secRef.getKeyIdentifierValue();
- WSPasswordCallback pwcb =
- new WSPasswordCallback(
- id,
- null,
- SecurityTokenReference.ENC_KEY_SHA1_URI,
- WSPasswordCallback.ENCRYPTED_KEY_TOKEN
- );
- try {
- Callback[] callbacks = new Callback[]{pwcb};
- cb.handle(callbacks);
- } catch (Exception e) {
- throw new WSSecurityException(
- WSSecurityException.FAILURE,
- "noPassword",
- new Object[] {id},
- e
- );
- }
- secretKey = pwcb.getKey();
+ secretKey = getSecretKeyFromEncKeySHA1KI(id, cb);
+ principal = new CustomTokenPrincipal(id);
} else if (WSConstants.WSS_SAML_KI_VALUE_TYPE.equals(secRef.getKeyIdentifierValueType())) {
Element token =
secRef.getKeyIdentifierTokenElement(elem.getOwnerDocument(), wsDocInfo, cb);
@@ -345,11 +289,14 @@
WSSecurityException.FAILURE, "noSigCryptoFile"
);
}
- samlKi = SAMLUtil.getSAMLKeyInfo(token, crypto, cb);
+ SAMLKeyInfo samlKi = SAMLUtil.getSAMLKeyInfo(token, crypto, cb);
certs = samlKi.getCerts();
+ validateCertificates(certs, crypto);
secretKey = samlKi.getSecret();
+ principal = createPrincipalFromSAMLKeyInfo(samlKi);
} else {
certs = secRef.getKeyIdentifier(crypto);
+ principal = validateCertificates(certs, crypto);
}
} else {
throw new WSSecurityException(
@@ -359,29 +306,64 @@
);
}
} else {
- if (crypto == null) {
- throw new WSSecurityException(WSSecurityException.FAILURE, "noSigCryptoFile");
- }
- if (crypto.getDefaultX509Alias() != null) {
- certs = crypto.getCertificates(crypto.getDefaultX509Alias());
- } else {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY, "unsupportedKeyInfo"
- );
- }
- }
- if (tlog.isDebugEnabled()) {
- t1 = System.currentTimeMillis();
+ principal = getDefaultPrincipal(crypto);
}
+ //
+ // Check that we have a certificate, a public key or a secret key with which to
+ // perform signature verification
+ //
if ((certs == null || certs.length == 0 || certs[0] == null)
&& secretKey == null
&& publicKey == null) {
throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
}
- if (certs != null) {
+
+ //
+ // Perform the signature verification and build up a List of elements that the
+ // signature refers to
+ //
+ try {
+ boolean signatureOk = false;
+ if (certs != null && certs[0] != null) {
+ signatureOk = sig.checkSignatureValue(certs[0]);
+ } else if (publicKey != null) {
+ signatureOk = sig.checkSignatureValue(publicKey);
+ } else {
+ signatureOk = sig.checkSignatureValue(sig.createSecretKey(secretKey));
+ }
+ if (signatureOk) {
+ signatureValue = sig.getSignatureValue();
+ SignedInfo signedInfo = sig.getSignedInfo();
+ protectedRefs =
+ buildProtectedRefs(elem.getOwnerDocument(), signedInfo, protectedRefs);
+
+ return principal;
+ } else {
+ throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
+ }
+ } catch (XMLSignatureException ex) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILED_CHECK, null, null, ex
+ );
+ }
+ }
+
+
+ /**
+ * Validate an array of certificates by checking the validity of each cert, and verifying trust
+ * @param certsToValidate The array of certificates to validate
+ * @param crypto The crypto object representing the keystore
+ * @return A principal representing the first element in the array (if it exists)
+ * @throws WSSecurityException
+ */
+ public static Principal validateCertificates(
+ X509Certificate[] certsToValidate,
+ Crypto crypto
+ ) throws WSSecurityException {
+ if (certsToValidate != null && certsToValidate.length > 0) {
try {
- for (int i = 0; i < certs.length; i++) {
- certs[i].checkValidity();
+ for (int i = 0; i < certsToValidate.length; i++) {
+ certsToValidate[i].checkValidity();
}
} catch (CertificateExpiredException e) {
throw new WSSecurityException(
@@ -392,126 +374,314 @@
WSSecurityException.FAILED_CHECK, "invalidCert", null, e
);
}
+ if (!verifyTrust(certsToValidate[0], crypto)) {
+ throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
+ }
+ return certsToValidate[0].getSubjectX500Principal();
}
+ return null;
+ }
+
+
+ /**
+ * Evaluate whether a given certificate should be trusted.
+ *
+ * Policy used in this implementation:
+ * 1. Search the keystore for the transmitted certificate
+ * 2. Search the keystore for a connection to the transmitted certificate
+ * (that is, search for certificate(s) of the issuer of the transmitted certificate
+ * 3. Verify the trust path for those certificates found because the search for the issuer
+ * might be fooled by a phony DN (String!)
+ *
+ * @param cert the certificate that should be validated against the keystore
+ * @return true if the certificate is trusted, false if not
+ * @throws WSSecurityException
+ */
+ public static boolean verifyTrust(X509Certificate cert, Crypto crypto)
+ throws WSSecurityException {
+
+ // If no certificate was transmitted, do not trust the signature
+ if (cert == null) {
+ return false;
+ }
+
+ String subjectString = cert.getSubjectDN().getName();
+ String issuerString = cert.getIssuerDN().getName();
+ BigInteger issuerSerial = cert.getSerialNumber();
+
+ if (log.isDebugEnabled()) {
+ log.debug("Transmitted certificate has subject " + subjectString);
+ log.debug(
+ "Transmitted certificate has issuer " + issuerString + " (serial "
+ + issuerSerial + ")"
+ );
+ }
+
//
- // Delegate verification of a public key to a Callback Handler
+ // FIRST step - Search the keystore for the transmitted certificate
//
- if (publicKey != null) {
- PublicKeyCallback pwcb =
- new PublicKeyCallback(publicKey);
- try {
- Callback[] callbacks = new Callback[]{pwcb};
- cb.handle(callbacks);
- if (!pwcb.isVerified()) {
- throw new WSSecurityException(
- WSSecurityException.FAILED_AUTHENTICATION, null, null, null
+ if (crypto.isCertificateInKeyStore(cert)) {
+ return true;
+ }
+
+ //
+ // SECOND step - Search for the issuer of the transmitted certificate in the
+ // keystore or the truststore
+ //
+ String[] aliases = crypto.getAliasesForDN(issuerString);
+
+ // If the alias has not been found, the issuer is not in the keystore/truststore
+ // As a direct result, do not trust the transmitted certificate
+ if (aliases == null || aliases.length < 1) {
+ if (log.isDebugEnabled()) {
+ log.debug(
+ "No aliases found in keystore for issuer " + issuerString
+ + " of certificate for " + subjectString
+ );
+ }
+ return false;
+ }
+
+ //
+ // THIRD step
+ // Check the certificate trust path for every alias of the issuer found in the
+ // keystore/truststore
+ //
+ for (int i = 0; i < aliases.length; i++) {
+ String alias = aliases[i];
+
+ if (log.isDebugEnabled()) {
+ log.debug(
+ "Preparing to validate certificate path with alias " + alias
+ + " for issuer " + issuerString
+ );
+ }
+
+ // Retrieve the certificate(s) for the alias from the keystore/truststore
+ X509Certificate[] certs = crypto.getCertificates(alias);
+
+ // If no certificates have been found, there has to be an error:
+ // The keystore/truststore can find an alias but no certificate(s)
+ if (certs == null || certs.length < 1) {
+ throw new WSSecurityException(
+ "Could not get certificates for alias " + alias
+ );
+ }
+
+ //
+ // Form a certificate chain from the transmitted certificate
+ // and the certificate(s) of the issuer from the keystore/truststore
+ //
+ X509Certificate[] x509certs = new X509Certificate[certs.length + 1];
+ x509certs[0] = cert;
+ for (int j = 0; j < certs.length; j++) {
+ x509certs[j + 1] = certs[j];
+ }
+
+ ///
+ // Use the validation method from the crypto to check whether the subjects'
+ // certificate was really signed by the issuer stated in the certificate
+ //
+ if (crypto.validateCertPath(x509certs)) {
+ if (log.isDebugEnabled()) {
+ log.debug(
+ "Certificate path has been verified for certificate with subject "
+ + subjectString
);
}
- } catch (Exception e) {
+ return true;
+ }
+ }
+
+ if (log.isDebugEnabled()) {
+ log.debug(
+ "Certificate path could not be verified for certificate with subject "
+ + subjectString
+ );
+ }
+ return false;
+ }
+
+
+ /**
+ * Get the default principal from the KeyStore
+ * @param crypto The Crypto object containing the default alias
+ * @return The default principal
+ * @throws WSSecurityException
+ */
+ private Principal getDefaultPrincipal(
+ Crypto crypto
+ ) throws WSSecurityException {
+ if (crypto == null) {
+ throw new WSSecurityException(WSSecurityException.FAILURE, "noSigCryptoFile");
+ }
+ if (crypto.getDefaultX509Alias() != null) {
+ certs = crypto.getCertificates(crypto.getDefaultX509Alias());
+ return certs[0].getSubjectX500Principal();
+ } else {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY, "unsupportedKeyInfo"
+ );
+ }
+ }
+
+
+ /**
+ * Get the Secret Key from a CallbackHandler for a custom token
+ * @param id The id of the element
+ * @param cb The CallbackHandler object
+ * @return A Secret Key
+ * @throws WSSecurityException
+ */
+ private byte[] getSecretKeyFromCustomToken(
+ String id,
+ CallbackHandler cb
+ ) throws WSSecurityException {
+ if (id.charAt(0) == '#') {
+ id = id.substring(1);
+ }
+ WSPasswordCallback pwcb =
+ new WSPasswordCallback(id, WSPasswordCallback.CUSTOM_TOKEN);
+ try {
+ Callback[] callbacks = new Callback[]{pwcb};
+ cb.handle(callbacks);
+ } catch (Exception e) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE,
+ "noPassword",
+ new Object[] {id},
+ e
+ );
+ }
+
+ return pwcb.getKey();
+ }
+
+
+ /**
+ * Get the Secret Key from a CallbackHandler for the Encrypted Key SHA1 case.
+ * @param id The id of the element
+ * @param cb The CallbackHandler object
+ * @return A Secret Key
+ * @throws WSSecurityException
+ */
+ private byte[] getSecretKeyFromEncKeySHA1KI(
+ String id,
+ CallbackHandler cb
+ ) throws WSSecurityException {
+ WSPasswordCallback pwcb =
+ new WSPasswordCallback(
+ id,
+ null,
+ SecurityTokenReference.ENC_KEY_SHA1_URI,
+ WSPasswordCallback.ENCRYPTED_KEY_TOKEN
+ );
+ try {
+ Callback[] callbacks = new Callback[]{pwcb};
+ cb.handle(callbacks);
+ } catch (Exception e) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE,
+ "noPassword",
+ new Object[] {id},
+ e
+ );
+ }
+ return pwcb.getKey();
+ }
+
+
+ /**
+ * A method to create a Principal from a SAML KeyInfo
+ * @param samlKeyInfo The SAML KeyInfo object
+ * @return A principal
+ */
+ private static Principal createPrincipalFromSAMLKeyInfo(
+ SAMLKeyInfo samlKeyInfo
+ ) {
+ X509Certificate[] samlCerts = samlKeyInfo.getCerts();
+ Principal principal = null;
+ if (samlCerts != null && samlCerts.length > 0) {
+ principal = samlCerts[0].getSubjectX500Principal();
+ } else {
+ final SAMLAssertion assertion = samlKeyInfo.getAssertion();
+ principal = new CustomTokenPrincipal(assertion.getId());
+ ((CustomTokenPrincipal)principal).setTokenObject(assertion);
+ }
+ return principal;
+ }
+
+ /**
+ * Validate a public key via a CallbackHandler
+ * @param cb The CallbackHandler object
+ * @param publicKey The PublicKey to validate
+ * @return A PublicKeyPrincipal object encapsulating the public key after successful
+ * validation
+ * @throws WSSecurityException
+ */
+ private static Principal validatePublicKey(
+ CallbackHandler cb,
+ PublicKey publicKey
+ ) throws WSSecurityException {
+ PublicKeyCallback pwcb =
+ new PublicKeyCallback(publicKey);
+ try {
+ Callback[] callbacks = new Callback[]{pwcb};
+ cb.handle(callbacks);
+ if (!pwcb.isVerified()) {
throw new WSSecurityException(
- WSSecurityException.FAILED_AUTHENTICATION, null, null, e
+ WSSecurityException.FAILED_AUTHENTICATION, null, null, null
);
}
+ } catch (Exception e) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILED_AUTHENTICATION, null, null, e
+ );
}
- try {
- boolean signatureOk = false;
- if (certs != null) {
- signatureOk = sig.checkSignatureValue(certs[0]);
- } else if (publicKey != null) {
- signatureOk = sig.checkSignatureValue(publicKey);
- } else {
- signatureOk = sig.checkSignatureValue(sig.createSecretKey(secretKey));
+ return new PublicKeyPrincipal(publicKey);
+ }
+
+
+ /**
+ * This method digs into the Signature element to get the elements that
+ * this Signature covers. Build the QName of these Elements and return them
+ * to caller
+ * @param doc The owning document
+ * @param signedInfo The SignedInfo object
+ * @param protectedRefs A list of protected references
+ * @return A list of protected references
+ * @throws WSSecurityException
+ */
+ private static List buildProtectedRefs(
+ Document doc,
+ SignedInfo signedInfo,
+ List protectedRefs
+ ) throws WSSecurityException {
+ for (int i = 0; i < signedInfo.getLength(); i++) {
+ Reference siRef;
+ try {
+ siRef = signedInfo.item(i);
+ } catch (XMLSecurityException ex) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILED_CHECK, null, null, ex
+ );
}
- if (signatureOk) {
- if (tlog.isDebugEnabled()) {
- t2 = System.currentTimeMillis();
- tlog.debug(
- "Verify: total= " + (t2 - t0) + ", prepare-cert= " + (t1 - t0)
- + ", verify= " + (t2 - t1)
- );
- }
- signatureValue = sig.getSignatureValue();
- //
- // Now dig into the Signature element to get the elements that
- // this Signature covers. Build the QName of these Elements and
- // return them to caller
- //
- SignedInfo si = sig.getSignedInfo();
- int numReferences = si.getLength();
- for (int i = 0; i < numReferences; i++) {
- Reference siRef;
- try {
- siRef = si.item(i);
- } catch (XMLSecurityException e3) {
- throw new WSSecurityException(
- WSSecurityException.FAILED_CHECK, null, null, e3
- );
- }
- String uri = siRef.getURI();
- if (!"".equals(uri)) {
- Element se = WSSecurityUtil.getElementByWsuId(elem.getOwnerDocument(), uri);
- if (se == null) {
- se = WSSecurityUtil.getElementByGenId(elem.getOwnerDocument(), uri);
- }
- if (se == null) {
- throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
- }
- WSDataRef ref = new WSDataRef();
- ref.setWsuId(uri);
- ref.setName(new QName(se.getNamespaceURI(), se.getLocalName()));
- protectedRefs.add(ref);
- }
+ String uri = siRef.getURI();
+ if (!"".equals(uri)) {
+ Element se = WSSecurityUtil.getElementByWsuId(doc, uri);
+ if (se == null) {
+ se = WSSecurityUtil.getElementByGenId(doc, uri);
}
-
- if (certs != null) {
- return certs[0].getSubjectDN();
- } else if (publicKey != null) {
- return new PublicKeyPrincipal(publicKey);
- } else if (ut != null) {
- WSUsernameTokenPrincipal principal =
- new WSUsernameTokenPrincipal(ut.getName(), ut.isHashed());
- principal.setNonce(ut.getNonce());
- principal.setPassword(ut.getPassword());
- principal.setCreatedTime(ut.getCreated());
- return principal;
- } else if (dkt != null) {
- WSDerivedKeyTokenPrincipal principal = new WSDerivedKeyTokenPrincipal(dkt.getID());
- principal.setNonce(dkt.getNonce());
- principal.setLabel(dkt.getLabel());
- principal.setLength(dkt.getLength());
- principal.setOffset(dkt.getOffset());
- String basetokenId = null;
- SecurityTokenReference securityTokenReference = dkt.getSecurityTokenReference();
- if (securityTokenReference.containsReference()) {
- basetokenId = securityTokenReference.getReference().getURI();
- if (basetokenId.charAt(0) == '#') {
- basetokenId = basetokenId.substring(1);
- }
- } else {
- // KeyIdentifier
- basetokenId = securityTokenReference.getKeyIdentifierValue();
- }
- principal.setBasetokenId(basetokenId);
- return principal;
- } else if (samlKi != null) {
- final SAMLAssertion assertion = samlKi.getAssertion();
- CustomTokenPrincipal principal = new CustomTokenPrincipal(assertion.getId());
- principal.setTokenObject(assertion);
- return principal;
- } else if (secretKey != null) {
- // This is the custom key scenario
- return new CustomTokenPrincipal(customTokenId);
- } else {
- throw new WSSecurityException("Cannot determine principal");
+ if (se == null) {
+ throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
}
- } else {
- throw new WSSecurityException(WSSecurityException.FAILED_CHECK);
+ WSDataRef ref = new WSDataRef();
+ ref.setWsuId(uri);
+ ref.setProtectedElement(se);
+ protectedRefs.add(ref);
}
- } catch (XMLSignatureException e1) {
- throw new WSSecurityException(
- WSSecurityException.FAILED_CHECK, null, null, e1
- );
}
+ return protectedRefs;
}
Modified: webservices/wss4j/trunk/test/wssec/MyHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/MyHandler.java?rev=779937&r1=779936&r2=779937&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/MyHandler.java (original)
+++ webservices/wss4j/trunk/test/wssec/MyHandler.java Fri May 29 11:51:38 2009
@@ -19,8 +19,6 @@
package wssec;
-import java.security.cert.X509Certificate;
-
import org.apache.ws.security.handler.WSHandler;
import org.apache.ws.security.handler.RequestData;
import org.w3c.dom.Document;
@@ -112,14 +110,5 @@
return checkReceiverResultsAnyOrder(results, actions);
}
- public boolean verifyCertificate(
- X509Certificate cert,
- RequestData reqData
- ) throws org.apache.ws.security.WSSecurityException {
- return verifyTrust(
- cert,
- reqData
- );
- }
}
Modified: webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS40.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS40.java?rev=779937&r1=779936&r2=779937&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS40.java (original)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS40.java Fri May 29 11:51:38 2009
@@ -167,23 +167,11 @@
// Verify the signature
//
List results = verify(signedDoc, cryptoCA);
-
- //
- // Verify trust on the X509Certificate
- //
- MyHandler handler = new MyHandler();
- final RequestData reqData = new RequestData();
- reqData.setSigCrypto(cryptoCA);
WSSecurityEngineResult result =
WSSecurityUtil.fetchActionResult(results, WSConstants.SIGN);
-
X509Certificate cert =
(X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
assertTrue (cert != null);
- boolean trusted = handler.verifyCertificate(cert, reqData);
- if (!trusted) {
- fail("The X509 Certificate is not trusted!");
- }
}
@@ -245,22 +233,8 @@
//
// Verify the signature
//
- List results = verify(signedDoc, CryptoFactory.getInstance("wss40badcatrust.properties"));
-
- //
- // Verify trust on the X509Certificate
- //
- MyHandler handler = new MyHandler();
- final RequestData reqData = new RequestData();
- reqData.setSigCrypto(CryptoFactory.getInstance("wss40badcatrust.properties"));
- WSSecurityEngineResult result =
- WSSecurityUtil.fetchActionResult(results, WSConstants.SIGN);
-
- X509Certificate cert =
- (X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
- assertTrue (cert != null);
try {
- handler.verifyCertificate(cert, reqData);
+ verify(signedDoc, CryptoFactory.getInstance("wss40badcatrust.properties"));
fail("Failure expected on bad CA cert!");
} catch (WSSecurityException ex) {
// expected
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org