Posted to commits@ws.apache.org by co...@apache.org on 2012/02/17 16:08:21 UTC
svn commit: r1245598 - in /webservices/wss4j/trunk/src:
main/java/org/apache/ws/security/action/
test/java/org/apache/ws/security/common/
test/java/org/apache/ws/security/message/ test/resources/
Author: coheigea
Date: Fri Feb 17 15:08:20 2012
New Revision: 1245598
URL: http://svn.apache.org/viewvc?rev=1245598&view=rev
Log:
[WSS-340] - support certificate revocation checking before encryption on the sender side
- Patch applied, thanks
Added:
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/EncryptionCRLTest.java
webservices/wss4j/trunk/src/test/resources/wss40All.properties
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/action/EncryptionAction.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/KeystoreCallbackHandler.java
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/action/EncryptionAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/action/EncryptionAction.java?rev=1245598&r1=1245597&r2=1245598&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/action/EncryptionAction.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/action/EncryptionAction.java Fri Feb 17 15:08:20 2012
@@ -19,11 +19,15 @@
package org.apache.ws.security.action;
+import java.security.cert.X509Certificate;
+
import javax.security.auth.callback.CallbackHandler;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoType;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.handler.WSHandler;
import org.apache.ws.security.handler.WSHandlerConstants;
@@ -62,6 +66,16 @@ public class EncryptionAction implements
}
wsEncrypt.setUserInfo(reqData.getEncUser());
wsEncrypt.setUseThisCert(reqData.getEncCert());
+ Crypto crypto = reqData.getEncCrypto();
+ boolean enableRevocation = Boolean.valueOf(handler.getStringOption(WSHandlerConstants.ENABLE_REVOCATION));
+ if (enableRevocation && crypto != null) {
+ CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+ cryptoType.setAlias(reqData.getEncUser());
+ X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
+ if (certs != null && certs.length > 0) {
+ crypto.verifyTrust(certs, enableRevocation);
+ }
+ }
if (reqData.getEncryptParts().size() > 0) {
wsEncrypt.setParts(reqData.getEncryptParts());
}
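Review bot: The revocation check added at lines 45-49 validates whatever certificate the alias `reqData.getEncUser()` resolves to, but the line just above it (`wsEncrypt.setUseThisCert(reqData.getEncCert())`) lets the caller supply the encryption certificate explicitly, so a revoked explicit certificate is never checked while a different alias-resolved one is. When the alias resolves to no certificate (`certs == null` or empty) the check is skipped silently instead of failing, which quietly defeats the `ENABLE_REVOCATION` option. Prefer the explicit certificate when present and fail when nothing is found to verify; the sketch below assumes `getEncCert()` returns an `X509Certificate`, which matches its use with `setUseThisCert`, and that the `noUserCertsFound` message key takes the user and action as arguments — confirm both against the project. The enclosing method starts and ends outside the hunk.
```java
Crypto crypto = reqData.getEncCrypto();
boolean enableRevocation = Boolean.valueOf(handler.getStringOption(WSHandlerConstants.ENABLE_REVOCATION));
if (enableRevocation && crypto != null) {
    X509Certificate[] certs;
    if (reqData.getEncCert() != null) {
        // Check the certificate that will actually be used, not the alias lookup.
        certs = new X509Certificate[] { reqData.getEncCert() };
    } else {
        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
        cryptoType.setAlias(reqData.getEncUser());
        certs = crypto.getX509Certificates(cryptoType);
    }
    if (certs == null || certs.length == 0) {
        // Revocation was requested; having nothing to verify is an error, not a pass.
        throw new WSSecurityException(
            WSSecurityException.FAILURE, "noUserCertsFound",
            new Object[] { reqData.getEncUser(), "encryption" }
        );
    }
    crypto.verifyTrust(certs, enableRevocation);
}
// … unchanged: encrypt parts and the rest of the method …
```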
Modified: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/KeystoreCallbackHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/KeystoreCallbackHandler.java?rev=1245598&r1=1245597&r2=1245598&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/KeystoreCallbackHandler.java (original)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/common/KeystoreCallbackHandler.java Fri Feb 17 15:08:20 2012
@@ -39,6 +39,7 @@ public class KeystoreCallbackHandler imp
public KeystoreCallbackHandler() {
users.put("wss86", "security");
users.put("wss40", "security");
+ users.put("wss40rev", "security");
users.put("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
}
Added: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/EncryptionCRLTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/EncryptionCRLTest.java?rev=1245598&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/EncryptionCRLTest.java (added)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/EncryptionCRLTest.java Fri Feb 17 15:08:20 2012
@@ -0,0 +1,170 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.message;
+
+import javax.security.auth.callback.CallbackHandler;
+
+import org.w3c.dom.Document;
+
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.WSSecurityEngine;
+import org.apache.ws.security.common.CustomHandler;
+import org.apache.ws.security.common.KeystoreCallbackHandler;
+import org.apache.ws.security.common.SOAPUtil;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.handler.RequestData;
+import org.apache.ws.security.handler.WSHandlerConstants;
+
+
+/**
+ * This is a test for Certificate Revocation List checking before encryption.
+ *
+ * This test reuse the revoked certificate from SignatureCRLTest
+ *
+ */
+public class EncryptionCRLTest extends org.junit.Assert {
+ private static final org.apache.commons.logging.Log LOG =
+ org.apache.commons.logging.LogFactory.getLog(EncryptionCRLTest.class);
+
+ private WSSecurityEngine secEngine = new WSSecurityEngine();
+ private CallbackHandler keystoreCallbackHandler = new KeystoreCallbackHandler();
+ private Crypto crypto = null;
+
+ public EncryptionCRLTest() throws Exception {
+ crypto = CryptoFactory.getInstance("wss40All.properties");
+ }
+
+ /**
+ * Setup method
+ *
+ * @throws java.lang.Exception Thrown when there is a problem in setup
+ */
+ @org.junit.Before
+ public void setUp() throws Exception {
+ WSSConfig wssConfig = WSSConfig.getNewInstance();
+ wssConfig.setWsiBSPCompliant(true);
+ secEngine.setWssConfig(wssConfig);
+ }
+
+ /**
+ * Test that encrypts without certificate revocation check
+ * so it should pass
+ *
+ * @throws java.lang.Exception Thrown when there is any problem in encryption or decryption
+ */
+ @org.junit.Test
+ public void testEncryptionWithOutRevocationCheck() throws Exception {
+ final WSSConfig cfg = WSSConfig.getNewInstance();
+ final RequestData reqData = new RequestData();
+ reqData.setWssConfig(cfg);
+ reqData.setEncUser("wss40rev");
+ reqData.setEncKeyId(WSConstants.BST_DIRECT_REFERENCE);
+ reqData.setEncSymmAlgo(WSConstants.TRIPLE_DES);
+ reqData.setEncCrypto(crypto);
+ java.util.Map<String, Object> messageContext = new java.util.TreeMap<String, Object>();
+ messageContext.put(WSHandlerConstants.PW_CALLBACK_REF, keystoreCallbackHandler);
+ reqData.setMsgContext(messageContext);
+ reqData.setUsername("wss40rev");
+
+ final java.util.List<Integer> actions = new java.util.ArrayList<Integer>();
+ actions.add(new Integer(WSConstants.ENCR));
+ final Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ CustomHandler handler = new CustomHandler();
+ handler.send(
+ WSConstants.ENCR,
+ doc,
+ reqData,
+ actions,
+ true
+ );
+
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(outputString);
+ }
+
+ verify(doc, crypto, keystoreCallbackHandler);
+ }
+
+ /**
+ * Test that encrypts with certificate revocation check
+ * so it should fail
+ *
+ * @throws java.lang.Exception Thrown when there is any problem in encryption or decryption
+ */
+ @org.junit.Test
+ public void testEncryptionWithRevocationCheck() throws Exception {
+ final WSSConfig cfg = WSSConfig.getNewInstance();
+ final RequestData reqData = new RequestData();
+ reqData.setWssConfig(cfg);
+ reqData.setEncUser("wss40rev");
+ reqData.setEncKeyId(WSConstants.BST_DIRECT_REFERENCE);
+ reqData.setEncSymmAlgo(WSConstants.TRIPLE_DES);
+ reqData.setEncCrypto(crypto);
+ java.util.Map<String, Object> messageContext = new java.util.TreeMap<String, Object>();
+ messageContext.put(WSHandlerConstants.PW_CALLBACK_REF, keystoreCallbackHandler);
+ reqData.setMsgContext(messageContext);
+ reqData.setUsername("wss40rev");
+
+ final java.util.List<Integer> actions = new java.util.ArrayList<Integer>();
+ actions.add(new Integer(WSConstants.ENCR));
+ final Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ CustomHandler handler = new CustomHandler();
+ handler.setOption(WSHandlerConstants.ENABLE_REVOCATION, "true");
+ try {
+ handler.send(
+ WSConstants.ENCR,
+ doc,
+ reqData,
+ actions,
+ true
+ );
+ fail ("Failure expected on a revoked certificate");
+ } catch (Exception ex) {
+ String errorMessage = ex.getMessage();
+ // Different errors using different JDKs...
+ assertTrue(errorMessage.contains("Certificate has been revoked")
+ || errorMessage.contains("Certificate revocation")
+ || errorMessage.contains("Error during certificate path validation"));
+ }
+
+ }
+
+ /**
+ * Verifies the soap envelope <p/>
+ *
+ * @param envelope
+ * @throws Exception
+ * Thrown when there is a problem in verification
+ */
+ private void verify(
+ Document doc, Crypto decCrypto, CallbackHandler handler
+ ) throws Exception {
+ secEngine.processSecurityHeader(doc, null, handler, decCrypto);
+ if (LOG.isDebugEnabled()) {
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+ LOG.debug(outputString);
+ }
+ }
+}
\ No newline at end of file
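Review bot: The catch block at lines 215-221 catches any `Exception` and dereferences `ex.getMessage()` without a null check, so an unrelated failure with a null message shows up as a NullPointerException rather than an assertion failure, and any unrelated exception whose text happens to contain one of the three substrings makes the revocation test pass. Catching the checked type the action throws and asserting the message is present narrows it: `} catch (WSSecurityException ex) {` (assuming `handler.send` declares it; confirm) followed by `assertNotNull(ex.getMessage());` before the existing `assertTrue`. The `verify` Javadoc at lines 225-231 documents a parameter `envelope` that does not exist; it should describe `doc`, `decCrypto` and `handler` instead. `new Integer(WSConstants.ENCR)` at lines 161 and 202 can be `Integer.valueOf(WSConstants.ENCR)`.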
Added: webservices/wss4j/trunk/src/test/resources/wss40All.properties
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/wss40All.properties?rev=1245598&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/test/resources/wss40All.properties (added)
+++ webservices/wss4j/trunk/src/test/resources/wss40All.properties Fri Feb 17 15:08:20 2012
@@ -0,0 +1,9 @@
+org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.ws.security.crypto.merlin.keystore.type=jks
+org.apache.ws.security.crypto.merlin.keystore.password=security
+org.apache.ws.security.crypto.merlin.keystore.alias=wss40rev
+org.apache.ws.security.crypto.merlin.keystore.file=keys/wss40rev.jks
+org.apache.ws.security.crypto.merlin.truststore.password=security
+org.apache.ws.security.crypto.merlin.truststore.file=keys/wss40CA.jks
+org.apache.ws.security.crypto.merlin.x509crl.file=keys/wss40CACRL.pem
+