Repository: cxf Updated Branches: refs/heads/3.0.x-fixes 35efd0b88 -> 168e1884d
Fixed [CXF-6223]: Support message property for encryption certificate
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/168e1884
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/168e1884
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/168e1884
Branch: refs/heads/3.0.x-fixes
Commit: 168e1884ded96778c719fcb8b1d3691f6b90fc4e
Parents: 35efd0b
Author: Andrei Shakirin <andrei.shaki...@gmail.com>
Authored: Tue Jan 27 14:47:06 2015 +0100
Committer: Andrei Shakirin <andrei.shaki...@gmail.com>
Committed: Tue Jan 27 15:58:13 2015 +0100
----------------------------------------------------------------------
.../cxf/ws/security/SecurityConstants.java | 8 ++++++
.../policyhandlers/AbstractBindingBuilder.java | 27 ++++++++++++++++----
2 files changed, 30 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/168e1884/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
index a0608c7..0516853 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java
@@ -129,6 +129,14 @@ public final class SecurityConstants { */ public static final String ENCRYPT_CRYPTO = "ws-security.encryption.crypto"; + /** + * A message property for prepared X509 certificate to be used for encryption. + * If this is not defined, then the certificate will be either loaded from the + * keystore {@link ENCRYPT_PROPERTIES} or extracted from request + * (if {@link ENCRYPT_USERNAME} has value "useReqSigCert"). + */ + public static final String ENCRYPT_CERT = "ws-security.encryption.certificate"; + // // Boolean WS-Security configuration tags, e.g. the value should be "true" or "false". // http://git-wip-us.apache.org/repos/asf/cxf/blob/168e1884/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java index a697e41..fd09a0d 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java 
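Review bot: The Javadoc on the new `ENCRYPT_CERT` constant should state the required value type and the trust implication, because the consuming code in AbstractBindingBuilder casts the property straight to `X509Certificate` and returns it before the encryption Crypto is consulted, and `setEncryptionUser` returns early before `ENCRYPT_USERNAME` is even read. I would extend the comment with: `The value must be a java.security.cert.X509Certificate instance. When set it takes precedence over ENCRYPT_USERNAME (including "useReqSigCert") and is used as-is with no alias resolution or trust check, so it must only be set by trusted code (for example an interceptor), never derived from unauthenticated request content.` As a minor point of style, `{@link ENCRYPT_PROPERTIES}` and `{@link ENCRYPT_USERNAME}` should be written `{@link #ENCRYPT_PROPERTIES}` and `{@link #ENCRYPT_USERNAME}` so the field references resolve in generated Javadoc.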
@@ -1397,13 +1397,11 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle encrKey.prepare(saaj.getSOAPPart(), crypto); if (alsoIncludeToken) { - CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS); - cryptoType.setAlias(encrUser); - X509Certificate[] certs = crypto.getX509Certificates(cryptoType); + X509Certificate encCert = getEncryptCert(crypto, encrUser); BinarySecurity bstToken = new X509Security(saaj.getSOAPPart()); - ((X509Security) bstToken).setX509Certificate(certs[0]); + ((X509Security) bstToken).setX509Certificate(encCert); bstToken.addWSUNamespace(); - bstToken.setID(wssConfig.getIdAllocator().createSecureId("X509-", certs[0])); + bstToken.setID(wssConfig.getIdAllocator().createSecureId("X509-", encCert)); WSSecurityUtil.prependChildElement( secHeader.getSecurityHeader(), bstToken.getElement() ); @@ -1413,6 +1411,18 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle return encrKey; } + private X509Certificate getEncryptCert(Crypto crypto, String encrUser) throws WSSecurityException { + // Check for prepared encryption certificate + X509Certificate encrCert = (X509Certificate)message.getContextualProperty(SecurityConstants.ENCRYPT_CERT); + if (encrCert != null) { + return encrCert; + } + CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS); + cryptoType.setAlias(encrUser); + X509Certificate[] certs = crypto.getX509Certificates(cryptoType); + return certs[0]; + } + public Crypto getSignatureCrypto(AbstractTokenWrapper wrapper) throws WSSecurityException { return getCrypto(wrapper, SecurityConstants.SIGNATURE_CRYPTO, SecurityConstants.SIGNATURE_PROPERTIES); 
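Review bot: In the new `getEncryptCert` helper the unchecked `(X509Certificate)` cast of the `ENCRYPT_CERT` contextual property turns a mis-set property (a String path or byte[] put there by mistake) into a bare ClassCastException, and the keystore path still dereferences `certs[0]` without checking that `crypto.getX509Certificates` returned anything, so an unknown alias surfaces as a NullPointerException or ArrayIndexOutOfBoundsException instead of the WSSecurityException the method already declares. Both cases should be reported as WSSecurityException; assuming the WSS4J 2.x `ErrorCode`/message-key constructor this module uses elsewhere, the empty-result case can reuse the `noUserCertsFound` message WSS4J reports for an unknown encryption alias. The helper also needs a comment making explicit that a prepared certificate bypasses `crypto` entirely (no alias resolution, no trust check), so it may only be populated by trusted code. A sketch of the hardened helper:
```java
private X509Certificate getEncryptCert(Crypto crypto, String encrUser) throws WSSecurityException {
    // A prepared certificate on the message takes precedence over the keystore lookup and is
    // used as-is (no alias resolution or trust check against 'crypto'), so it must only be
    // set by trusted code, never derived from unauthenticated request content.
    Object prepared = message.getContextualProperty(SecurityConstants.ENCRYPT_CERT);
    if (prepared != null) {
        if (!(prepared instanceof X509Certificate)) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "empty",
                new Object[] {SecurityConstants.ENCRYPT_CERT + " is not an X509Certificate"});
        }
        return (X509Certificate) prepared;
    }
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias(encrUser);
    X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
    if (certs == null || certs.length == 0) {
        throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noUserCertsFound",
            new Object[] {encrUser, "encryption"});
    }
    return certs[0];
}
```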
@@ -1582,6 +1592,13 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle public String setEncryptionUser(WSSecEncryptedKey encrKeyBuilder, AbstractTokenWrapper token, boolean sign, Crypto crypto) { + // Check for prepared certificate property + X509Certificate encrCert = (X509Certificate)message.getContextualProperty(SecurityConstants.ENCRYPT_CERT); + if (encrCert != null) { + encrKeyBuilder.setUseThisCert(encrCert); + return null; + } + String encrUser = (String)message.getContextualProperty(sign ? SecurityConstants.SIGNATURE_USERNAME : SecurityConstants.ENCRYPT_USERNAME);