Posted to commits@cxf.apache.org by dk...@apache.org on 2009/10/30 15:24:38 UTC
svn commit: r831307 - in
/cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https:
CertConstraintsTest.java resources/Bethal.jks resources/Gordy.jks
resources/cert-constraints.xml
Author: dkulp
Date: Fri Oct 30 14:24:37 2009
New Revision: 831307
URL: http://svn.apache.org/viewvc?rev=831307&view=rev
Log:
[CXF-2507] Patch from Colm applied to add unit tests to cert constraints
Added:
cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/CertConstraintsTest.java (with props)
cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/resources/Bethal.jks
cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/resources/Gordy.jks
cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/resources/cert-constraints.xml (with props)
Added: cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/CertConstraintsTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/CertConstraintsTest.java?rev=831307&view=auto
==============================================================================
--- cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/CertConstraintsTest.java (added)
+++ cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/CertConstraintsTest.java Fri Oct 30 14:24:37 2009
@@ -0,0 +1,185 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.cxf.transport.https;
+
+import java.io.ByteArrayInputStream;
+import java.io.DataInputStream;
+import java.io.FileInputStream;
+import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBElement;
+import javax.xml.bind.JAXBException;
+import javax.xml.bind.Unmarshaller;
+
+import org.apache.cxf.configuration.security.CertificateConstraintsType;
+import org.apache.cxf.helpers.DOMUtils;
+
+public class CertConstraintsTest extends org.junit.Assert {
+
+ @org.junit.Test
+ public void
+ testCertConstraints() throws Exception {
+ final X509Certificate bethalCert =
+ loadCertificate("Bethal.jks", "JKS", "password", "bethal");
+ final X509Certificate gordyCert =
+ loadCertificate("Gordy.jks", "JKS", "password", "gordy");
+
+ CertConstraints tmp = null;
+ //
+ // bethal matches but gordy doesn't
+ //
+ tmp = loadCertConstraints("subject-CN-bethal");
+ assertTrue(tmp.matches(bethalCert) && !tmp.matches(gordyCert));
+ //
+ // gordy matches but bethal doesn't
+ //
+ tmp = loadCertConstraints("subject-CN-gordy");
+ assertTrue(!tmp.matches(bethalCert) && tmp.matches(gordyCert));
+
+ //
+ // both are under the ApacheTest organization
+ //
+ tmp = loadCertConstraints("subject-O-apache");
+ assertTrue(tmp.matches(bethalCert) && tmp.matches(gordyCert));
+
+ //
+ // only bethal is both CN=Bethal and O=ApacheTest
+ //
+ tmp = loadCertConstraints("subject-CN-bethal-O-apache");
+ assertTrue(tmp.matches(bethalCert) && !tmp.matches(gordyCert));
+
+ //
+ // neither are O=BadApacheTest
+ //
+ tmp = loadCertConstraints("subject-CN-bethal-O-badapache");
+ assertTrue(!tmp.matches(bethalCert) && !tmp.matches(gordyCert));
+
+ //
+ // both satisfy either CN=Bethal or O=ApacheTest
+ //
+ tmp = loadCertConstraints("subject-CN-bethal-O-apache-ANY");
+ assertTrue(tmp.matches(bethalCert) && tmp.matches(gordyCert));
+
+ //
+ // only Bethal has "Bethal" as an issuer
+ //
+ tmp = loadCertConstraints("issuer-CN-bethal-O-apache");
+ assertTrue(tmp.matches(bethalCert) && !tmp.matches(gordyCert));
+ }
+
+ //
+ // Private utilities
+ //
+
+ private static CertConstraints
+ loadCertConstraints(
+ final String id
+ ) throws Exception {
+ CertificateConstraintsType certsConstraintsType =
+ loadCertificateConstraintsType(id);
+ return CertConstraintsJaxBUtils.createCertConstraints(certsConstraintsType);
+ }
+
+ private static CertificateConstraintsType
+ loadCertificateConstraintsType(
+ final String id
+ ) throws Exception {
+ return loadGeneratedType(
+ CertificateConstraintsType.class,
+ "certConstraints",
+ "resources/cert-constraints.xml",
+ id
+ );
+ }
+
+ private static X509Certificate
+ loadCertificate(
+ final String keystoreFilename,
+ final String keystoreType,
+ final String keystorePassword,
+ final String id
+ ) throws Exception {
+ final KeyStore store = KeyStore.getInstance(keystoreType);
+ FileInputStream fis = new FileInputStream(
+ "src/test/java/org/apache/cxf/transport/https/resources/" + keystoreFilename);
+ DataInputStream dis = new DataInputStream(fis);
+ byte[] bytes = new byte[dis.available()];
+ dis.readFully(bytes);
+ ByteArrayInputStream bin = new ByteArrayInputStream(bytes);
+ store.load(bin, keystorePassword.toCharArray());
+ for (java.util.Enumeration<String> aliases = store.aliases(); aliases.hasMoreElements();) {
+ final String alias = aliases.nextElement();
+ if (id.equals(alias)) {
+ return (X509Certificate) store.getCertificate(alias);
+ }
+ }
+ assert false;
+ throw new RuntimeException("error in test -- keystore " + id + " has no trusted certs");
+ }
+
+ private static <T> T
+ loadGeneratedType(
+ final Class<T> cls,
+ final String elementName,
+ final String name,
+ final String id
+ ) throws Exception {
+ final org.w3c.dom.Document doc = loadDocument(name);
+ final org.w3c.dom.Element testData = doc.getDocumentElement();
+ final org.w3c.dom.NodeList data = testData.getElementsByTagName("datum");
+ for (int i = 0; i < data.getLength(); ++i) {
+ final org.w3c.dom.Element datum = (org.w3c.dom.Element) data.item(i);
+ if (datum.getAttribute("id").equals(id)) {
+ final org.w3c.dom.NodeList elts = datum.getElementsByTagNameNS(
+ "http://cxf.apache.org/configuration/security", elementName
+ );
+ assert elts.getLength() == 1;
+ return unmarshal(cls, (org.w3c.dom.Element) elts.item(0));
+ }
+ }
+ throw new Exception("Bad test! No test data with id " + id);
+ }
+
+
+ private static org.w3c.dom.Document
+ loadDocument(
+ final String name
+ ) throws Exception {
+ final java.io.InputStream inStream =
+ CertConstraintsTest.class.getResourceAsStream(name);
+ return DOMUtils.readXml(inStream);
+ }
+
+ private static <T> T
+ unmarshal(
+ final Class<T> cls,
+ final org.w3c.dom.Element elt
+ ) throws JAXBException {
+ final JAXBContext ctx = JAXBContext.newInstance(cls.getPackage().getName());
+ final Unmarshaller unmarshaller = ctx.createUnmarshaller();
+ final JAXBElement<T> jaxbElement =
+ unmarshaller.unmarshal(elt, cls);
+ return jaxbElement.getValue();
+ }
+
+}
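Review bot: In `loadCertificate` neither `fis` nor `dis` is ever closed, and the buffer is sized with `dis.available()`, which the `InputStream` contract defines as an estimate of bytes readable without blocking rather than the file length, so a short estimate would make `readFully` return a truncated keystore and `store.load` fail with a misleading error. `KeyStore.load` reads the stream to completion itself, so the `DataInputStream`/`byte[]` staging can be dropped and the stream closed in a `finally` block (or try-with-resources if the build targets Java 7+). The hard-coded `src/test/java/...` path also ties the test to the working directory, whereas `loadDocument` resolves `resources/cert-constraints.xml` from the classpath; if the build copies the `.jks` files next to the XML without filtering, loading them the same way would remove that assumption. `loadDocument` has the same leak and passes a null stream straight to `DOMUtils.readXml` when the resource is missing, so a `null` check with a "Bad test!" message like the one in `loadGeneratedType` would make that failure mode obvious. The `assert false;` before the `throw` in `loadCertificate` only fires under `-ea` and is redundant with the exception that follows it.
```java
        final KeyStore store = KeyStore.getInstance(keystoreType);
        final FileInputStream fis = new FileInputStream(
            "src/test/java/org/apache/cxf/transport/https/resources/" + keystoreFilename);
        try {
            // KeyStore.load consumes the whole stream itself; no available()/readFully staging needed.
            store.load(fis, keystorePassword.toCharArray());
        } finally {
            fis.close();
        }
        // … unchanged: alias lookup loop and the failure throw …
```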
Propchange: cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/CertConstraintsTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/CertConstraintsTest.java
------------------------------------------------------------------------------
svn:keywords = Rev Date
Added: cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/resources/Bethal.jks
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/resources/Bethal.jks?rev=831307&view=auto
==============================================================================
Files cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/resources/Bethal.jks (added) and cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/resources/Bethal.jks Fri Oct 30 14:24:37 2009 differ
Added: cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/resources/Gordy.jks
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/resources/Gordy.jks?rev=831307&view=auto
==============================================================================
Files cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/resources/Gordy.jks (added) and cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/resources/Gordy.jks Fri Oct 30 14:24:37 2009 differ
Added: cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/resources/cert-constraints.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/resources/cert-constraints.xml?rev=831307&view=auto
==============================================================================
--- cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/resources/cert-constraints.xml (added)
+++ cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/resources/cert-constraints.xml Fri Oct 30 14:24:37 2009
@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<test-data xmlns:sec="http://cxf.apache.org/configuration/security">
+ <datum id="subject-CN-bethal">
+ <sec:certConstraints>
+ <sec:SubjectDNConstraints>
+ <sec:RegularExpression>.*CN=Bethal.*</sec:RegularExpression>
+ </sec:SubjectDNConstraints>
+ </sec:certConstraints>
+ </datum>
+ <datum id="subject-CN-gordy">
+ <sec:certConstraints>
+ <sec:SubjectDNConstraints>
+ <sec:RegularExpression>.*CN=Gordy.*</sec:RegularExpression>
+ </sec:SubjectDNConstraints>
+ </sec:certConstraints>
+ </datum>
+ <datum id="subject-O-apache">
+ <sec:certConstraints>
+ <sec:SubjectDNConstraints>
+ <sec:RegularExpression>.*O=ApacheTest.*</sec:RegularExpression>
+ </sec:SubjectDNConstraints>
+ </sec:certConstraints>
+ </datum>
+ <datum id="subject-CN-bethal-O-apache">
+ <sec:certConstraints>
+ <sec:SubjectDNConstraints>
+ <sec:RegularExpression>.*CN=Bethal.*</sec:RegularExpression>
+ <sec:RegularExpression>.*O=ApacheTest.*</sec:RegularExpression>
+ </sec:SubjectDNConstraints>
+ </sec:certConstraints>
+ </datum>
+ <datum id="subject-CN-bethal-O-badapache">
+ <sec:certConstraints>
+ <sec:SubjectDNConstraints>
+ <sec:RegularExpression>.*CN=Bethal.*</sec:RegularExpression>
+ <sec:RegularExpression>.*O=BadApacheTest.*</sec:RegularExpression>
+ </sec:SubjectDNConstraints>
+ </sec:certConstraints>
+ </datum>
+ <datum id="subject-CN-bethal-O-apache-ANY">
+ <sec:certConstraints>
+ <sec:SubjectDNConstraints combinator="ANY">
+ <sec:RegularExpression>.*CN=Bethal.*</sec:RegularExpression>
+ <sec:RegularExpression>.*O=ApacheTest.*</sec:RegularExpression>
+ </sec:SubjectDNConstraints>
+ </sec:certConstraints>
+ </datum>
+ <datum id="issuer-CN-bethal-O-apache">
+ <sec:certConstraints>
+ <sec:IssuerDNConstraints>
+ <sec:RegularExpression>.*CN=Bethal.*</sec:RegularExpression>
+ <sec:RegularExpression>.*O=ApacheTest.*</sec:RegularExpression>
+ </sec:IssuerDNConstraints>
+ </sec:certConstraints>
+ </datum>
+
+</test-data>
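Review bot: Every `RegularExpression` in this fixture is an unanchored `.*CN=Bethal.*`-style substring pattern, and the two certificates the test loads differ in whole name tokens, so the assertions would still pass if `CertConstraints` matched more loosely than intended — a subject such as `CN=BethalTwo` would also satisfy `.*CN=Bethal.*`. A near-miss negative datum (for example a pattern like `.*CN=Bethal2.*` that must reject both certificates, or a third certificate whose CN merely starts with `Bethal`) would give the test some sensitivity to over-matching. Only the `subject-CN-bethal-O-apache-ANY` datum sets `combinator` explicitly; the other multi-expression data rely on the schema default, which is presumably ALL, so a short comment on the first such datum, `<!-- no combinator attribute: relies on the default, all expressions must match -->`, would document what the `subject-CN-bethal-O-badapache` assertion is actually checking.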
Propchange: cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/resources/cert-constraints.xml
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/resources/cert-constraints.xml
------------------------------------------------------------------------------
svn:keywords = Rev Date
Propchange: cxf/trunk/rt/transports/http/src/test/java/org/apache/cxf/transport/https/resources/cert-constraints.xml
------------------------------------------------------------------------------
svn:mime-type = text/xml