Posted to commits@cxf.apache.org by co...@apache.org on 2013/09/10 16:26:49 UTC
svn commit: r1521504 - in /cxf/trunk/services/xkms:
xkms-itests/src/test/java/org/apache/cxf/xkms/itests/
xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/
xkms-itests/src/test/resources/data/xkms/certificates/ xkms-itests/src/te...
Author: coheigea
Date: Tue Sep 10 14:26:49 2013
New Revision: 1521504
URL: http://svn.apache.org/r1521504
Log:
[CXF-5255] - Finished with CRL support in XKMS
Added:
cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/ValidatorCRLTest.java
cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/crls/
cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/crls/wss40CACRL.cer
cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/trusted_cas/wss40CA.cer
cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/wss40.cer
cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/wss40rev.cer
cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms_revocation.cfg
- copied, changed from r1521415, cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms.cfg
Modified:
cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/BasicIntegrationTest.java
cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms.cfg
cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapSchemaConfig.java
cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java
Modified: cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/BasicIntegrationTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/BasicIntegrationTest.java?rev=1521504&r1=1521503&r2=1521504&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/BasicIntegrationTest.java (original)
+++ cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/BasicIntegrationTest.java Tue Sep 10 14:26:49 2013
@@ -74,10 +74,14 @@ public class BasicIntegrationTest {
replaceConfigurationFile("data/xkms/certificates/trusted_cas/root.cer",
new File("src/test/resources/data/xkms/certificates/trusted_cas/root.cer")),
+ replaceConfigurationFile("data/xkms/certificates/trusted_cas/wss40CA.cer",
+ new File("src/test/resources/data/xkms/certificates/trusted_cas/wss40CA.cer")),
replaceConfigurationFile("data/xkms/certificates/cas/alice.cer",
new File("src/test/resources/data/xkms/certificates/cas/alice.cer")),
replaceConfigurationFile("data/xkms/certificates/dave.cer",
new File("src/test/resources/data/xkms/certificates/dave.cer")),
+ replaceConfigurationFile("data/xkms/certificates/crls/wss40CACRL.cer",
+ new File("src/test/resources/data/xkms/certificates/crls/wss40CACRL.cer")),
replaceConfigurationFile("etc/org.apache.cxf.xkms.cfg", getConfigFile()),
editConfigurationFilePut("etc/org.ops4j.pax.url.mvn.cfg", "org.ops4j.pax.url.mvn.repositories", REPOS),
Added: cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/ValidatorCRLTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/ValidatorCRLTest.java?rev=1521504&view=auto
==============================================================================
--- cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/ValidatorCRLTest.java (added)
+++ cxf/trunk/services/xkms/xkms-itests/src/test/java/org/apache/cxf/xkms/itests/handlers/validator/ValidatorCRLTest.java Tue Sep 10 14:26:49 2013
@@ -0,0 +1,139 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.xkms.itests.handlers.validator;
+
+import java.io.File;
+import java.io.InputStream;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.UUID;
+
+import javax.xml.bind.JAXBElement;
+
+import org.apache.cxf.xkms.handlers.XKMSConstants;
+import org.apache.cxf.xkms.itests.BasicIntegrationTest;
+import org.apache.cxf.xkms.model.xkms.KeyBindingEnum;
+import org.apache.cxf.xkms.model.xkms.MessageAbstractType;
+import org.apache.cxf.xkms.model.xkms.QueryKeyBindingType;
+import org.apache.cxf.xkms.model.xkms.ReasonEnum;
+import org.apache.cxf.xkms.model.xkms.StatusType;
+import org.apache.cxf.xkms.model.xkms.ValidateRequestType;
+import org.apache.cxf.xkms.model.xmldsig.KeyInfoType;
+import org.apache.cxf.xkms.model.xmldsig.X509DataType;
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.ops4j.pax.exam.junit.PaxExam;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+@RunWith(PaxExam.class)
+public class ValidatorCRLTest extends BasicIntegrationTest {
+ private static final String PATH_TO_RESOURCES = "/data/xkms/certificates/";
+
+ private static final org.apache.cxf.xkms.model.xmldsig.ObjectFactory DSIG_OF =
+ new org.apache.cxf.xkms.model.xmldsig.ObjectFactory();
+ private static final org.apache.cxf.xkms.model.xkms.ObjectFactory XKMS_OF =
+ new org.apache.cxf.xkms.model.xkms.ObjectFactory();
+
+ private static final Logger LOG = LoggerFactory.getLogger(ValidatorCRLTest.class);
+
+ @Override
+ protected File getConfigFile() {
+ return new File("src/test/resources/etc/org.apache.cxf.xkms_revocation.cfg");
+ }
+
+ @Test
+ public void testValidCertWithCRL() throws CertificateException {
+ X509Certificate wss40Certificate = readCertificate("wss40.cer");
+ ValidateRequestType request = prepareValidateXKMSRequest(wss40Certificate);
+ StatusType result = doValidate(request);
+
+ Assert.assertEquals(KeyBindingEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_VALID, result.getStatusValue());
+ Assert.assertFalse(result.getValidReason().isEmpty());
+ Assert.assertEquals(ReasonEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_VALIDITY_INTERVAL.value(), result
+ .getValidReason().get(0));
+ Assert.assertEquals(ReasonEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_ISSUER_TRUST.value(), result
+ .getValidReason().get(1));
+ }
+
+ @Test
+ public void testRevokedCertificate() throws CertificateException {
+ X509Certificate wss40Certificate = readCertificate("wss40rev.cer");
+ ValidateRequestType request = prepareValidateXKMSRequest(wss40Certificate);
+ StatusType result = doValidate(request);
+
+ Assert.assertEquals(KeyBindingEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_INVALID, result.getStatusValue());
+ Assert.assertFalse(result.getInvalidReason().isEmpty());
+ Assert.assertEquals(ReasonEnum.HTTP_WWW_W_3_ORG_2002_03_XKMS_ISSUER_TRUST.value(), result
+ .getInvalidReason().get(0));
+ }
+
+ /*
+ * Method is taken from {@link org.apache.cxf.xkms.client.XKMSInvoker}.
+ */
+ private ValidateRequestType prepareValidateXKMSRequest(X509Certificate cert) {
+ JAXBElement<byte[]> x509Cert;
+ try {
+ x509Cert = DSIG_OF.createX509DataTypeX509Certificate(cert.getEncoded());
+ } catch (CertificateEncodingException e) {
+ throw new IllegalArgumentException(e);
+ }
+ X509DataType x509DataType = DSIG_OF.createX509DataType();
+ x509DataType.getX509IssuerSerialOrX509SKIOrX509SubjectName().add(x509Cert);
+ JAXBElement<X509DataType> x509Data = DSIG_OF.createX509Data(x509DataType);
+
+ KeyInfoType keyInfoType = DSIG_OF.createKeyInfoType();
+ keyInfoType.getContent().add(x509Data);
+
+ QueryKeyBindingType queryKeyBindingType = XKMS_OF.createQueryKeyBindingType();
+ queryKeyBindingType.setKeyInfo(keyInfoType);
+
+ ValidateRequestType validateRequestType = XKMS_OF.createValidateRequestType();
+ setGenericRequestParams(validateRequestType);
+ validateRequestType.setQueryKeyBinding(queryKeyBindingType);
+ // temporary
+ validateRequestType.setId(cert.getSubjectDN().toString());
+ return validateRequestType;
+ }
+
+ private void setGenericRequestParams(MessageAbstractType request) {
+ request.setService(XKMSConstants.XKMS_ENDPOINT_NAME);
+ request.setId(UUID.randomUUID().toString());
+ }
+
+ private X509Certificate readCertificate(String path) throws CertificateException {
+ InputStream inputStream = ValidatorCRLTest.class.getResourceAsStream(PATH_TO_RESOURCES + path);
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+ return (X509Certificate)cf.generateCertificate(inputStream);
+ }
+
+ private StatusType doValidate(ValidateRequestType request) {
+ try {
+ return xkmsService.validate(request).getKeyBinding().get(0).getStatus();
+ } catch (Exception e) {
+ // Avoid serialization problems for some exceptions when transported by pax exam
+ LOG.error(e.getMessage(), e);
+ throw new RuntimeException(e.getMessage());
+ }
+ }
+
+}
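Review bot: `readCertificate` never closes the `InputStream` it obtains from `getResourceAsStream`, and when the resource is missing `getResourceAsStream` returns null, so the failure surfaces from `generateCertificate` as a confusing `CertificateException` or NPE rather than naming the missing file. Closing in a `finally` block keeps the test runnable on the Java 6/7 baseline this file appears to target (no try-with-resources is used anywhere in the hunk); the explicit null check makes a mis-packaged test resource fail with the path in the message. The `close()` call needs `java.io.IOException` imported alongside the existing `java.io` imports.
```java
private X509Certificate readCertificate(String path) throws CertificateException {
    InputStream inputStream = ValidatorCRLTest.class.getResourceAsStream(PATH_TO_RESOURCES + path);
    if (inputStream == null) {
        throw new IllegalArgumentException("Test resource not found: " + PATH_TO_RESOURCES + path);
    }
    try {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate)cf.generateCertificate(inputStream);
    } finally {
        try {
            inputStream.close();
        } catch (IOException ignored) {
            // best-effort release of a classpath resource; the certificate is already parsed
        }
    }
}
```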
Added: cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/crls/wss40CACRL.cer
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/crls/wss40CACRL.cer?rev=1521504&view=auto
==============================================================================
Files cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/crls/wss40CACRL.cer (added) and cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/crls/wss40CACRL.cer Tue Sep 10 14:26:49 2013 differ
Added: cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/trusted_cas/wss40CA.cer
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/trusted_cas/wss40CA.cer?rev=1521504&view=auto
==============================================================================
Files cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/trusted_cas/wss40CA.cer (added) and cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/trusted_cas/wss40CA.cer Tue Sep 10 14:26:49 2013 differ
Added: cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/wss40.cer
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/wss40.cer?rev=1521504&view=auto
==============================================================================
Files cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/wss40.cer (added) and cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/wss40.cer Tue Sep 10 14:26:49 2013 differ
Added: cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/wss40rev.cer
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/wss40rev.cer?rev=1521504&view=auto
==============================================================================
Files cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/wss40rev.cer (added) and cxf/trunk/services/xkms/xkms-itests/src/test/resources/data/xkms/certificates/wss40rev.cer Tue Sep 10 14:26:49 2013 differ
Modified: cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms.cfg
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms.cfg?rev=1521504&r1=1521503&r2=1521504&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms.cfg (original)
+++ cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms.cfg Tue Sep 10 14:26:49 2013
@@ -23,6 +23,9 @@ xkms.enableXKRSS=true
# Certificate repository ldap or file
xkms.certificate.repo=file
+# Disable Revocation
+xkms.enableRevocation=false
+
# Filesystem backend
xkms.file.storageDir=data/xkms/certificates
@@ -39,9 +42,11 @@ xkms.ldap.schema.attrUID=uid
xkms.ldap.schema.attrIssuerID=manager
xkms.ldap.schema.attrSerialNumber=employeeNumber
xkms.ldap.schema.attrCrtBinary=userCertificate;binary
+xkms.ldap.schema.attrCrlBinary=certificateRevocationList;binary
xkms.ldap.schema.constAttrNamesCSV=sn
xkms.ldap.schema.constAttrValuesCSV=X509 certificate
xkms.ldap.schema.serviceCertRDNTemplate=cn=%s,ou=services
xkms.ldap.schema.serviceCertUIDTemplate=cn=%s
xkms.ldap.schema.trustedAuthorities=(&(objectClass=inetOrgPerson)(ou:dn:=rootCAs))
+xkms.ldap.schema.crls=(&(objectClass=inetOrgPerson)(ou:dn:=rootCAs))
xkms.ldap.schema.intermediates=(&(objectClass=inetOrgPerson)(ou:dn:=intermediateCAs))
Copied: cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms_revocation.cfg (from r1521415, cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms.cfg)
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms_revocation.cfg?p2=cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms_revocation.cfg&p1=cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms.cfg&r1=1521415&r2=1521504&rev=1521504&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms.cfg (original)
+++ cxf/trunk/services/xkms/xkms-itests/src/test/resources/etc/org.apache.cxf.xkms_revocation.cfg Tue Sep 10 14:26:49 2013
@@ -23,6 +23,9 @@ xkms.enableXKRSS=true
# Certificate repository ldap or file
xkms.certificate.repo=file
+# Enable Revocation
+xkms.enableRevocation=true
+
# Filesystem backend
xkms.file.storageDir=data/xkms/certificates
@@ -39,9 +42,11 @@ xkms.ldap.schema.attrUID=uid
xkms.ldap.schema.attrIssuerID=manager
xkms.ldap.schema.attrSerialNumber=employeeNumber
xkms.ldap.schema.attrCrtBinary=userCertificate;binary
+xkms.ldap.schema.attrCrlBinary=certificateRevocationList;binary
xkms.ldap.schema.constAttrNamesCSV=sn
xkms.ldap.schema.constAttrValuesCSV=X509 certificate
xkms.ldap.schema.serviceCertRDNTemplate=cn=%s,ou=services
xkms.ldap.schema.serviceCertUIDTemplate=cn=%s
xkms.ldap.schema.trustedAuthorities=(&(objectClass=inetOrgPerson)(ou:dn:=rootCAs))
+xkms.ldap.schema.crls=(&(objectClass=inetOrgPerson)(ou:dn:=rootCAs))
xkms.ldap.schema.intermediates=(&(objectClass=inetOrgPerson)(ou:dn:=intermediateCAs))
Modified: cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml?rev=1521504&r1=1521503&r2=1521504&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml (original)
+++ cxf/trunk/services/xkms/xkms-osgi/src/main/resources/OSGI-INF/blueprint/blueprint.xml Tue Sep 10 14:26:49 2013
@@ -30,6 +30,7 @@
<cm:property name="xkms.ldap.pwd" value=""/>
<cm:property name="xkms.ldap.retry" value="2"/>
<cm:property name="xkms.ldap.rootDN" value=""/>
+ <cm:property name="xkms.enableRevocation" value="true"/>
</cm:default-properties>
</cm:property-placeholder>
@@ -46,6 +47,7 @@
<property name="attrIssuerID" value="${xkms.ldap.schema.attrIssuerID}" />
<property name="attrSerialNumber" value="${xkms.ldap.schema.attrSerialNumber}" />
<property name="attrCrtBinary" value="${xkms.ldap.schema.attrCrtBinary}" />
+ <property name="attrCrlBinary" value="${xkms.ldap.schema.attrCrlBinary}" />
<property name="constAttrNamesCSV" value="${xkms.ldap.schema.constAttrNamesCSV}" />
<property name="constAttrValuesCSV" value="${xkms.ldap.schema.constAttrValuesCSV}" />
<property name="serviceCertRDNTemplate"
@@ -53,6 +55,7 @@
<property name="serviceCertUIDTemplate"
value="${xkms.ldap.schema.serviceCertUIDTemplate}" />
<property name="trustedAuthorityFilter" value="${xkms.ldap.schema.trustedAuthorities}" />
+ <property name="crlFilter" value="${xkms.ldap.schema.crls}" />
<property name="intermediateFilter" value="${xkms.ldap.schema.intermediates}" />
</bean>
@@ -69,6 +72,7 @@
<bean id="trustedAuthorityValidator"
class="org.apache.cxf.xkms.x509.validator.TrustedAuthorityValidator">
<argument ref="certificateRepo" />
+ <property name="enableRevocation" value="${xkms.enableRevocation}" />
</bean>
<bean id="x509Locator" class="org.apache.cxf.xkms.x509.handlers.X509Locator">
Modified: cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java?rev=1521504&r1=1521503&r2=1521504&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java (original)
+++ cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapCertificateRepo.java Tue Sep 10 14:26:49 2013
@@ -19,12 +19,12 @@
package org.apache.cxf.xkms.x509.repo.ldap;
import java.io.ByteArrayInputStream;
+import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
-import java.util.Collections;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -89,8 +89,7 @@ public class LdapCertificateRepo impleme
@Override
public List<X509CRL> getCRLs() {
- // TODO
- return Collections.emptyList();
+ return getCRLsFromLdap(rootDN, ldapConfig.getAttrCrlBinary(), ldapConfig.getAttrCrlBinary());
}
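Review bot: `getCRLs()` passes `ldapConfig.getAttrCrlBinary()` twice, so the attribute name `certificateRevocationList;binary` is used as the LDAP search filter as well as the attribute to read; going by the `(tmpRootDN, tmpFilter, tmpAttrName)` parameter order of `getCertificatesFromLdap` on the following line, the second argument should be the filter. The `crlFilter` property that this same commit adds to `LdapSchemaConfig` (and wires through `xkms.ldap.schema.crls` in blueprint.xml) is otherwise never read, which supports that reading. The line should be `return getCRLsFromLdap(rootDN, ldapConfig.getCrlFilter(), ldapConfig.getAttrCrlBinary());`. As written, an LDAP-backed deployment would most likely get a search error or an empty CRL list, and with the validator change in this commit an empty list means the certificate is validated without any revocation check.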
private List<X509Certificate> getCertificatesFromLdap(String tmpRootDN, String tmpFilter, String tmpAttrName) {
@@ -115,6 +114,31 @@ public class LdapCertificateRepo impleme
throw new RuntimeException(e.getMessage(), e);
}
}
+
+ private List<X509CRL> getCRLsFromLdap(String tmpRootDN, String tmpFilter, String tmpAttrName) {
+ try {
+ List<X509CRL> crls = new ArrayList<X509CRL>();
+ NamingEnumeration<SearchResult> answer = ldapSearch.searchSubTree(tmpRootDN, tmpFilter);
+ while (answer.hasMore()) {
+ SearchResult sr = answer.next();
+ Attributes attrs = sr.getAttributes();
+ Attribute attribute = attrs.get(tmpAttrName);
+ if (attribute != null) {
+ CertificateFactory cf = CertificateFactory.getInstance("X.509");
+ X509CRL crl = (X509CRL) cf.generateCRL(new ByteArrayInputStream(
+ (byte[]) attribute.get()));
+ crls.add(crl);
+ }
+ }
+ return crls;
+ } catch (CertificateException e) {
+ throw new RuntimeException(e.getMessage(), e);
+ } catch (NamingException e) {
+ throw new RuntimeException(e.getMessage(), e);
+ } catch (CRLException e) {
+ throw new RuntimeException(e.getMessage(), e);
+ }
+ }
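Review bot: `getCRLsFromLdap` never closes the `NamingEnumeration` returned by `searchSubTree`, and it instantiates a new `CertificateFactory` for every entry that carries the CRL attribute although the factory does not depend on the entry. A `finally` that closes the enumeration releases the search context on both the success path and the three exception paths; hoisting the factory above the loop removes the per-entry provider lookup. The three existing catch clauses stay as they are.
```java
private List<X509CRL> getCRLsFromLdap(String tmpRootDN, String tmpFilter, String tmpAttrName) {
    NamingEnumeration<SearchResult> answer = null;
    try {
        List<X509CRL> crls = new ArrayList<X509CRL>();
        // one factory for the whole result set rather than one per entry
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        answer = ldapSearch.searchSubTree(tmpRootDN, tmpFilter);
        while (answer.hasMore()) {
            Attribute attribute = answer.next().getAttributes().get(tmpAttrName);
            if (attribute != null) {
                crls.add((X509CRL) cf.generateCRL(new ByteArrayInputStream((byte[]) attribute.get())));
            }
        }
        return crls;
    // … unchanged: the three catch clauses wrapping into RuntimeException …
    } finally {
        if (answer != null) {
            try {
                answer.close();
            } catch (NamingException ignored) {
                // best-effort release of the LDAP search context; result already collected or error already raised
            }
        }
    }
}
```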
private void saveCertificate(X509Certificate cert, String dn) {
Attributes attribs = new BasicAttributes();
Modified: cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapSchemaConfig.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapSchemaConfig.java?rev=1521504&r1=1521503&r2=1521504&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapSchemaConfig.java (original)
+++ cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/repo/ldap/LdapSchemaConfig.java Tue Sep 10 14:26:49 2013
@@ -24,12 +24,14 @@ public class LdapSchemaConfig {
private String attrIssuerID = "manager";
private String attrSerialNumber = "employeeNumber";
private String attrCrtBinary = "userCertificate;binary";
+ private String attrCrlBinary = "certificateRevocationList;binary";
private String constAttrNamesCSV = "sn";
private String constAttrValuesCSV = "X509 certificate";
private String serviceCertRDNTemplate = "cn=%s,ou=services";
private String serviceCertUIDTemplate = "cn=%s";
private String trustedAuthorityFilter = "(&(objectClass=inetOrgPerson)(ou:dn:=CAs))";
private String intermediateFilter = "(objectClass=*)";
+ private String crlFilter = "(&(objectClass=inetOrgPerson)(ou:dn:=CAs))";
public String getCertObjectClass() {
return certObjectClass;
@@ -119,4 +121,20 @@ public class LdapSchemaConfig {
this.intermediateFilter = intermediateFilter;
}
+ public String getCrlFilter() {
+ return crlFilter;
+ }
+
+ public void setCrlFilter(String crlFilter) {
+ this.crlFilter = crlFilter;
+ }
+
+ public String getAttrCrlBinary() {
+ return attrCrlBinary;
+ }
+
+ public void setAttrCrlBinary(String attrCrlBinary) {
+ this.attrCrlBinary = attrCrlBinary;
+ }
+
}
Modified: cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java
URL: http://svn.apache.org/viewvc/cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java?rev=1521504&r1=1521503&r2=1521504&view=diff
==============================================================================
--- cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java (original)
+++ cxf/trunk/services/xkms/xkms-x509-handlers/src/main/java/org/apache/cxf/xkms/x509/validator/TrustedAuthorityValidator.java Tue Sep 10 14:26:49 2013
@@ -53,11 +53,12 @@ public class TrustedAuthorityValidator i
private static final Logger LOG = LogUtils.getL7dLogger(TrustedAuthorityValidator.class);
CertificateRepo certRepo;
+ boolean enableRevocation = true;
public TrustedAuthorityValidator(CertificateRepo certRepo) {
this.certRepo = certRepo;
}
-
+
/**
* Checks if a certificate is signed by a trusted authority.
*
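Review bot: The new `enableRevocation` field is package-private while the commit also adds a public getter and setter for it, so the field can be flipped from any class in the package without going through `setEnableRevocation`; it should be `private boolean enableRevocation = true;`, matching the accessor pair that blueprint.xml injects through. A one-line comment stating the default, e.g. `// Revocation (CRL) checking is on by default; the OSGi blueprint exposes this as xkms.enableRevocation`, would also help, since the neighbouring `certRepo` field is undocumented too. The enclosing class continues outside this hunk.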
@@ -71,7 +72,6 @@ public class TrustedAuthorityValidator i
try {
List<X509Certificate> intermediateCerts = certRepo.getCaCerts();
List<X509Certificate> trustedAuthorityCerts = certRepo.getTrustedCaCerts();
- List<X509CRL> crls = certRepo.getCRLs();
Set<TrustAnchor> trustAnchors = asTrustAnchors(trustedAuthorityCerts);
CertStoreParameters intermediateParams = new CollectionCertStoreParameters(intermediateCerts);
CertStoreParameters certificateParams = new CollectionCertStoreParameters(certificates);
@@ -84,12 +84,15 @@ public class TrustedAuthorityValidator i
CertPath certPath = builder.build(pkixParams).getCertPath();
// Now validate the CertPath (including CRL checking)
- if (!crls.isEmpty()) {
- pkixParams.setRevocationEnabled(true);
- CertStoreParameters crlParams = new CollectionCertStoreParameters(crls);
- pkixParams.addCertStore(CertStore.getInstance("Collection", crlParams));
+ if (enableRevocation) {
+ List<X509CRL> crls = certRepo.getCRLs();
+ if (!crls.isEmpty()) {
+ pkixParams.setRevocationEnabled(true);
+ CertStoreParameters crlParams = new CollectionCertStoreParameters(crls);
+ pkixParams.addCertStore(CertStore.getInstance("Collection", crlParams));
+ }
}
-
+
CertPathValidator validator = CertPathValidator.getInstance("PKIX");
validator.validate(certPath, pkixParams);
} catch (InvalidAlgorithmParameterException e) {
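Review bot: When `enableRevocation` is true but `certRepo.getCRLs()` returns an empty list, the new branch does nothing, so the certificate path is validated with no revocation check and nothing records that the requested check was skipped; an empty or misconfigured CRL source (for example the filter problem in `LdapCertificateRepo.getCRLs()` in this same commit) therefore degrades silently to "revocation off". Whether the path really runs unchecked in that case depends on `pkixParams` having revocation disabled before the builder call earlier in the method, which is outside this hunk. At minimum add an `else` on the `crls.isEmpty()` check with `LOG.warning("Revocation checking is enabled but the certificate repository returned no CRLs; validating without revocation checking");` so the gap is visible to operators; whether to fail closed instead is a deployment policy decision worth stating in the method's Javadoc. The enclosing method starts and ends outside the hunk.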
@@ -132,4 +135,12 @@ public class TrustedAuthorityValidator i
return status;
}
+ public boolean isEnableRevocation() {
+ return enableRevocation;
+ }
+
+ public void setEnableRevocation(boolean enableRevocation) {
+ this.enableRevocation = enableRevocation;
+ }
+
}