Posted to commits@ws.apache.org by co...@apache.org on 2016/10/18 15:20:57 UTC
svn commit: r1765463 - in /webservices/wss4j/branches/2_1_x-fixes:
ws-security-common/src/main/java/org/apache/wss4j/common/crypto/
ws-security-dom/src/main/java/org/apache/wss4j/dom/action/
ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/ ...
Author: coheigea
Date: Tue Oct 18 15:20:57 2016
New Revision: 1765463
URL: http://svn.apache.org/viewvc?rev=1765463&view=rev
Log:
Modifying last commit for 2.1.x
Modified:
webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java
webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Crypto.java
webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CryptoBase.java
webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java
webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/MerlinAKI.java
webservices/wss4j/branches/2_1_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java
webservices/wss4j/branches/2_1_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java
webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java
webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/X509SecurityTokenImpl.java
webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/setup/OutboundWSSec.java
Modified: webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java?rev=1765463&r1=1765462&r2=1765463&view=diff
==============================================================================
--- webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java (original)
+++ webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java Tue Oct 18 15:20:57 2016
@@ -157,7 +157,7 @@ public class CertificateStore extends Cr
* @param subjectCertConstraints A set of constraints on the Subject DN of the certificates
* @throws WSSecurityException if the certificate chain is invalid
*/
- protected void verifyTrust(
+ public void verifyTrust(
X509Certificate[] certs,
boolean enableRevocation,
Collection<Pattern> subjectCertConstraints
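Review bot: The widened `public void verifyTrust(` now implements the three-argument method declared on the `Crypto` interface in this same commit, but it carries no `@Override` annotation, unlike the equivalent change in MerlinAKI. Add `@Override` on the line before `public void verifyTrust(` so the compiler flags any future drift between this signature and the interface. The method body continues outside the hunk.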
@@ -272,15 +272,6 @@ public class CertificateStore extends Cr
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
}
}
-
- @Override
- public void verifyTrust(X509Certificate[] certs, boolean enableRevocation, Collection<Pattern> subjectCertConstraints,
- Collection<Pattern> issuerCertConstraints) throws WSSecurityException {
- verifyTrust(certs, enableRevocation, subjectCertConstraints);
- if (!matchesIssuerDnPattern(certs[0], issuerCertConstraints)) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
- }
- }
/**
* Evaluate whether a given public key should be trusted.
Modified: webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Crypto.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Crypto.java?rev=1765463&r1=1765462&r2=1765463&view=diff
==============================================================================
--- webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Crypto.java (original)
+++ webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Crypto.java Tue Oct 18 15:20:57 2016
@@ -197,15 +197,22 @@ public interface Crypto {
* @param certs Certificate chain to validate
* @param enableRevocation whether to enable CRL verification or not
* @param subjectCertConstraints A set of constraints on the Subject DN of the certificates
- * @param issuerCertConstraints A set of constraints on the Issuer DN of the certificates
* @throws WSSecurityException if the certificate chain is invalid
*/
void verifyTrust(
X509Certificate[] certs, boolean enableRevocation,
- Collection<Pattern> subjectCertConstraints,Collection<Pattern> issuerCertConstraints
+ Collection<Pattern> subjectCertConstraints
) throws WSSecurityException;
/**
+ * Evaluate whether a given public key should be trusted directly (located
+ *
+ * @param certs Certificate chain to validate
+ * @throws WSSecurityException if the certificate chain is invalid
+ */
+ void verifyDirectTrust(X509Certificate[] certs) throws WSSecurityException;
+
+ /**
* Evaluate whether a given public key should be trusted.
*
* @param publicKey The PublicKey to be evaluated
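Review bot: The Javadoc added for `verifyDirectTrust` is truncated mid-sentence (`Evaluate whether a given public key should be trusted directly (located`) and does not state the contract a caller needs. Given that the default implementation in CryptoBase delegates to `verifyTrust(certs, true, null)`, the summary should say something like `Verify that the certificate chain is directly trusted: a PKIX path is built with revocation checking always enabled and no Subject DN constraints are applied.` The `@param certs` line should also note that the array is expected to be non-null and non-empty, if that is indeed enforced by the implementations.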
Modified: webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CryptoBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CryptoBase.java?rev=1765463&r1=1765462&r2=1765463&view=diff
==============================================================================
--- webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CryptoBase.java (original)
+++ webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CryptoBase.java Tue Oct 18 15:20:57 2016
@@ -295,6 +295,11 @@ public abstract class CryptoBase impleme
}
return certs;
}
+
+ @Override
+ public void verifyDirectTrust(X509Certificate[] certs) throws WSSecurityException {
+ verifyTrust(certs, true, null);
+ }
protected Object createBCX509Name(String s) {
if (BC_509CLASS_CONS != null) {
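Review bot: The new `verifyDirectTrust` hard-codes `enableRevocation = true` and passes `null` for the subject constraints, and nothing in the method says why; a caller reading the interface cannot tell that this path ignores whatever revocation setting it otherwise configured. A one-line comment above the call would make the intent explicit, e.g. `// Direct trust always performs revocation checking and skips Subject DN constraints`. If the choice of `true` is meant to be overridable, the Javadoc on the interface should say subclasses may override this method, since it is declared on CryptoBase rather than final.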
@@ -329,23 +334,6 @@ public abstract class CryptoBase impleme
}
/**
- * @return true if the certificate's Issuer DN matches the constraints defined in the
- * subject DNConstraints; false, otherwise. The certificate subject DN only
- * has to match ONE of the subject cert constraints (not all).
- */
- protected boolean
- matchesIssuerDnPattern(
- final X509Certificate cert, final Collection<Pattern> issuerDNPatterns
- ) {
- if (cert == null) {
- LOG.debug("The certificate is null so no constraints matching was possible");
- return false;
- }
- String issuerDn = cert.getIssuerDN().getName();
- return matchesName(issuerDn, issuerDNPatterns);
- }
-
- /**
* @return true if the provided name matches the constraints defined in the
* subject DNConstraints; false, otherwise. The certificate (subject) DN only
* has to match ONE of the (subject) cert constraints (not all).
Modified: webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java?rev=1765463&r1=1765462&r2=1765463&view=diff
==============================================================================
--- webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java (original)
+++ webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java Tue Oct 18 15:20:57 2016
@@ -779,7 +779,7 @@ public class Merlin extends CryptoBase {
*
* @throws WSSecurityException if the certificate chain is invalid
*/
- protected void verifyTrust(
+ public void verifyTrust(
X509Certificate[] certs,
boolean enableRevocation,
Collection<Pattern> subjectCertConstraints
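Review bot: As in CertificateStore, `verifyTrust` becomes the implementation of the interface method here but has no `@Override` annotation, while the MerlinAKI override in this commit does. Add `@Override` before `public void verifyTrust(` so the three implementations are consistent and a later signature mismatch is caught at compile time. The method body continues outside the hunk.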
@@ -952,16 +952,6 @@ public class Merlin extends CryptoBase {
}
}
- @Override
- public void verifyTrust(X509Certificate[] certs, boolean enableRevocation,
- Collection<Pattern> subjectCertConstraints,
- Collection<Pattern> issuerCertConstraints) throws WSSecurityException {
- verifyTrust(certs, enableRevocation, subjectCertConstraints);
- if (!matchesIssuerDnPattern(certs[0], issuerCertConstraints)) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
- }
- }
-
// Separated out to allow subclasses to override it
protected PKIXParameters createPKIXParameters(
Set<TrustAnchor> trustAnchors, boolean enableRevocation
Modified: webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/MerlinAKI.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/MerlinAKI.java?rev=1765463&r1=1765462&r2=1765463&view=diff
==============================================================================
--- webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/MerlinAKI.java (original)
+++ webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/MerlinAKI.java Tue Oct 18 15:20:57 2016
@@ -81,7 +81,7 @@ public class MerlinAKI extends Merlin {
* @throws WSSecurityException if the certificate chain is invalid
*/
@Override
- protected void verifyTrust(
+ public void verifyTrust(
X509Certificate[] certs,
boolean enableRevocation,
Collection<Pattern> subjectCertConstraints
Modified: webservices/wss4j/branches/2_1_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_1_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java?rev=1765463&r1=1765462&r2=1765463&view=diff
==============================================================================
--- webservices/wss4j/branches/2_1_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java (original)
+++ webservices/wss4j/branches/2_1_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java Tue Oct 18 15:20:57 2016
@@ -80,7 +80,7 @@ public class EncryptionAction implements
cryptoType.setAlias(encryptionToken.getUser());
X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
if (certs != null && certs.length > 0) {
- crypto.verifyTrust(certs, enableRevocation, null, null);
+ crypto.verifyTrust(certs, enableRevocation, null);
}
}
if (encryptionToken.getParts().size() > 0) {
Modified: webservices/wss4j/branches/2_1_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_1_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java?rev=1765463&r1=1765462&r2=1765463&view=diff
==============================================================================
--- webservices/wss4j/branches/2_1_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java (original)
+++ webservices/wss4j/branches/2_1_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java Tue Oct 18 15:20:57 2016
@@ -22,6 +22,7 @@ package org.apache.wss4j.dom.validate;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Collection;
+import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.wss4j.common.crypto.Crypto;
@@ -106,13 +107,18 @@ public class SignatureTrustValidator imp
//
Collection<Pattern> subjectCertConstraints = data.getSubjectCertConstraints();
Collection<Pattern> issuerCertConstraints = data.getIssuerDNPatterns();
- crypto.verifyTrust(certificates, enableRevocation, subjectCertConstraints,issuerCertConstraints);
+ crypto.verifyTrust(certificates, enableRevocation, subjectCertConstraints);
if (LOG.isDebugEnabled()) {
String subjectString = certificates[0].getSubjectX500Principal().getName();
LOG.debug(
"Certificate path has been verified for certificate with subject " + subjectString
);
}
+
+ // Now verify Issuer DN constraints
+ if (!matchesIssuerDnPattern(certificates[0], issuerCertConstraints)) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+ }
}
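Review bot: The debug message `Certificate path has been verified for certificate with subject ...` is now emitted before the Issuer DN constraint check, so a certificate rejected by the new check still leaves a "verified" line in the log. Move the `matchesIssuerDnPattern` check (and its `throw`) directly after the `crypto.verifyTrust(...)` call, ahead of the `if (LOG.isDebugEnabled())` block, so the log statement only fires once all checks have passed. The new check also dereferences `certificates[0]`; the guard that establishes the array is non-empty is outside this hunk, so confirm it precedes this code.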
/**
@@ -124,4 +130,54 @@ public class SignatureTrustValidator imp
crypto.verifyTrust(publicKey);
}
+
+ /**
+ * @return true if the certificate's Issuer DN matches the constraints defined in the
+ * subject DNConstraints; false, otherwise. The certificate subject DN only
+ * has to match ONE of the subject cert constraints (not all).
+ */
+ protected boolean
+ matchesIssuerDnPattern(
+ final X509Certificate cert, final Collection<Pattern> issuerDNPatterns
+ ) {
+ if (cert == null) {
+ LOG.debug("The certificate is null so no constraints matching was possible");
+ return false;
+ }
+ String issuerDn = cert.getIssuerDN().getName();
+ return matchesName(issuerDn, issuerDNPatterns);
+ }
+
+ /**
+ * @return true if the provided name matches the constraints defined in the
+ * subject DNConstraints; false, otherwise. The certificate (subject) DN only
+ * has to match ONE of the (subject) cert constraints (not all).
+ */
+ private boolean
+ matchesName(
+ final String name, final Collection<Pattern> patterns
+ ) {
+ if (patterns != null && !patterns.isEmpty()) {
+ if (name == null || name.isEmpty()) {
+ LOG.debug("The name is null so no constraints matching was possible");
+ return false;
+ }
+ boolean subjectMatch = false;
+ for (Pattern subjectDNPattern : patterns) {
+ final Matcher matcher = subjectDNPattern.matcher(name);
+ if (matcher.matches()) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Name " + name + " matches with pattern " + subjectDNPattern);
+ }
+ subjectMatch = true;
+ break;
+ }
+ }
+ if (!subjectMatch) {
+ return false;
+ }
+ }
+
+ return true;
+ }
}
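Review bot: `matchesIssuerDnPattern` builds the string to match with `cert.getIssuerDN().getName()`, whereas the debug line earlier in this file uses `getSubjectX500Principal().getName()`; `getIssuerDN()` is the denigrated API and its `Principal.getName()` output is implementation-specific, so regex constraints written against the RFC 2253 form may fail to match, or match something different, depending on the JDK provider. Prefer `cert.getIssuerX500Principal().getName()` and document which DN serialization the configured patterns are matched against. The Javadoc on both new methods is copied from the subject-matching helper and still talks about "subject DNConstraints" for the issuer check; reword to `@return true if the certificate's Issuer DN matches at least one of the issuer DN patterns; true also when no patterns are configured`. These two helpers are duplicated verbatim in SamlSecurityTokenImpl and X509SecurityTokenImpl in this commit, so a single shared helper in ws-security-common would be preferable.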
Modified: webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java?rev=1765463&r1=1765462&r2=1765463&view=diff
==============================================================================
--- webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java (original)
+++ webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java Tue Oct 18 15:20:57 2016
@@ -26,6 +26,7 @@ import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
+import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.spec.SecretKeySpec;
@@ -56,6 +57,9 @@ import org.opensaml.saml.common.SAMLVers
public class SamlSecurityTokenImpl extends AbstractInboundSecurityToken implements SamlSecurityToken {
+ private static final transient org.slf4j.Logger LOG =
+ org.slf4j.LoggerFactory.getLogger(SamlSecurityTokenImpl.class);
+
private final SamlAssertionWrapper samlAssertionWrapper;
private InboundSecurityToken subjectSecurityToken;
private Crypto crypto;
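Review bot: The new `LOG` field is declared `static final transient`, but `transient` has no effect on a static field since static state is never serialized. Drop the modifier and use the plain `private static final org.slf4j.Logger LOG = org.slf4j.LoggerFactory.getLogger(SamlSecurityTokenImpl.class);` form so the declaration does not suggest a serialization concern that does not exist.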
@@ -212,7 +216,12 @@ public class SamlSecurityTokenImpl exten
issuerCertConstraints = securityProperties.getIssuerDNConstraints();
}
- crypto.verifyTrust(x509Certificates, enableRevocation, subjectCertConstraints, issuerCertConstraints);
+ crypto.verifyTrust(x509Certificates, enableRevocation, subjectCertConstraints);
+
+ // Now verify Issuer DN constraints
+ if (!matchesIssuerDnPattern(x509Certificates[0], issuerCertConstraints)) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+ }
}
PublicKey publicKey = getPublicKey();
if (publicKey != null) {
@@ -220,6 +229,56 @@ public class SamlSecurityTokenImpl exten
}
}
}
+
+ /**
+ * @return true if the certificate's Issuer DN matches the constraints defined in the
+ * subject DNConstraints; false, otherwise. The certificate subject DN only
+ * has to match ONE of the subject cert constraints (not all).
+ */
+ protected boolean
+ matchesIssuerDnPattern(
+ final X509Certificate cert, final Collection<Pattern> issuerDNPatterns
+ ) {
+ if (cert == null) {
+ LOG.debug("The certificate is null so no constraints matching was possible");
+ return false;
+ }
+ String issuerDn = cert.getIssuerDN().getName();
+ return matchesName(issuerDn, issuerDNPatterns);
+ }
+
+ /**
+ * @return true if the provided name matches the constraints defined in the
+ * subject DNConstraints; false, otherwise. The certificate (subject) DN only
+ * has to match ONE of the (subject) cert constraints (not all).
+ */
+ private boolean
+ matchesName(
+ final String name, final Collection<Pattern> patterns
+ ) {
+ if (patterns != null && !patterns.isEmpty()) {
+ if (name == null || name.isEmpty()) {
+ LOG.debug("The name is null so no constraints matching was possible");
+ return false;
+ }
+ boolean subjectMatch = false;
+ for (Pattern subjectDNPattern : patterns) {
+ final Matcher matcher = subjectDNPattern.matcher(name);
+ if (matcher.matches()) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Name " + name + " matches with pattern " + subjectDNPattern);
+ }
+ subjectMatch = true;
+ break;
+ }
+ }
+ if (!subjectMatch) {
+ return false;
+ }
+ }
+
+ return true;
+ }
@Override
public WSSecurityTokenConstants.TokenType getTokenType() {
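Review bot: `matchesIssuerDnPattern` and `matchesName` added here are byte-for-byte copies of the helpers added to SignatureTrustValidator and X509SecurityTokenImpl in the same commit, replacing the single copy this commit removes from CryptoBase; three copies of a trust-decision routine will drift. Extract them into one shared helper (for example a static method in ws-security-common) and call it from all three token types. Also note that `cert.getIssuerDN().getName()` is the denigrated accessor whose output format is provider-specific; `cert.getIssuerX500Principal().getName()` gives the RFC 2253 form, which is what the configured patterns should be documented to match. The Javadoc on `matchesIssuerDnPattern` still says "subject DNConstraints" and should be reworded for the issuer case.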
Modified: webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/X509SecurityTokenImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/X509SecurityTokenImpl.java?rev=1765463&r1=1765462&r2=1765463&view=diff
==============================================================================
--- webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/X509SecurityTokenImpl.java (original)
+++ webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/X509SecurityTokenImpl.java Tue Oct 18 15:20:57 2016
@@ -119,8 +119,63 @@ public abstract class X509SecurityTokenI
subjectCertConstraints = securityProperties.getSubjectCertConstraints();
issuerCertConstraints = securityProperties.getIssuerDNConstraints();
}
- getCrypto().verifyTrust(x509Certificates, enableRevocation, subjectCertConstraints, issuerCertConstraints);
+ getCrypto().verifyTrust(x509Certificates, enableRevocation, subjectCertConstraints);
+
+ // Now verify Issuer DN constraints
+ if (!matchesIssuerDnPattern(x509Certificates[0], issuerCertConstraints)) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+ }
+ }
+ }
+
+ /**
+ * @return true if the certificate's Issuer DN matches the constraints defined in the
+ * subject DNConstraints; false, otherwise. The certificate subject DN only
+ * has to match ONE of the subject cert constraints (not all).
+ */
+ protected boolean
+ matchesIssuerDnPattern(
+ final X509Certificate cert, final Collection<Pattern> issuerDNPatterns
+ ) {
+ if (cert == null) {
+ LOG.debug("The certificate is null so no constraints matching was possible");
+ return false;
}
+ String issuerDn = cert.getIssuerDN().getName();
+ return matchesName(issuerDn, issuerDNPatterns);
+ }
+
+ /**
+ * @return true if the provided name matches the constraints defined in the
+ * subject DNConstraints; false, otherwise. The certificate (subject) DN only
+ * has to match ONE of the (subject) cert constraints (not all).
+ */
+ private boolean
+ matchesName(
+ final String name, final Collection<Pattern> patterns
+ ) {
+ if (patterns != null && !patterns.isEmpty()) {
+ if (name == null || name.isEmpty()) {
+ LOG.debug("The name is null so no constraints matching was possible");
+ return false;
+ }
+ boolean subjectMatch = false;
+ for (Pattern subjectDNPattern : patterns) {
+ final Matcher matcher = subjectDNPattern.matcher(name);
+ if (matcher.matches()) {
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Name " + name + " matches with pattern " + subjectDNPattern);
+ }
+ subjectMatch = true;
+ break;
+ }
+ }
+ if (!subjectMatch) {
+ return false;
+ }
+ }
+
+ return true;
}
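Review bot: The new `matchesIssuerDnPattern` and `matchesName` here are the third verbatim copy of the helpers added in this commit, and they reference a `LOG` field that this diff does not add to X509SecurityTokenImpl (SamlSecurityTokenImpl needed one), so presumably an existing logger field is relied on; confirm it is present. As with the other copies, prefer a single shared helper and `cert.getIssuerX500Principal().getName()` over the denigrated `getIssuerDN().getName()`, and fix the copied Javadoc that still describes subject constraints. The `verifyTrust` method that calls these helpers starts outside the hunk, so the null/empty guard for `x509Certificates[0]` cannot be confirmed from here.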
/**
Modified: webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/setup/OutboundWSSec.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/setup/OutboundWSSec.java?rev=1765463&r1=1765462&r2=1765463&view=diff
==============================================================================
--- webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/setup/OutboundWSSec.java (original)
+++ webservices/wss4j/branches/2_1_x-fixes/ws-security-stax/src/main/java/org/apache/wss4j/stax/setup/OutboundWSSec.java Tue Oct 18 15:20:57 2016
@@ -405,7 +405,7 @@ public class OutboundWSSec {
// Check for Revocation
if (securityProperties.isEnableRevocation() && x509Certificates != null) {
Crypto crypto = securityProperties.getEncryptionCrypto();
- crypto.verifyTrust(x509Certificates, true, null, null);
+ crypto.verifyTrust(x509Certificates, true, null);
}
// Create a new outbound EncryptedKey token for the cert