Author: coheigea
Date: Mon May 30 13:47:25 2011
New Revision: 1129173
URL: http://svn.apache.org/viewvc?rev=1129173&view=rev
Log:
[WSS-278] - Add support for CRLs to WSS4J.
Added:
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureCRLTest.java
webservices/wss4j/trunk/src/test/resources/keys/ca.db.certs/19.pem
webservices/wss4j/trunk/src/test/resources/keys/wss40CACRL.pem
webservices/wss4j/trunk/src/test/resources/keys/wss40rev.cer
webservices/wss4j/trunk/src/test/resources/keys/wss40rev.crt (with props)
webservices/wss4j/trunk/src/test/resources/keys/wss40rev.jks (with props)
webservices/wss4j/trunk/src/test/resources/keys/wss40rev.pem
webservices/wss4j/trunk/src/test/resources/wss40rev.properties
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/CertificateStore.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Crypto.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Merlin.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/RequestData.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SignatureTrustValidator.java
webservices/wss4j/trunk/src/test/resources/keys/ca.db.index
webservices/wss4j/trunk/src/test/resources/keys/ca.db.serial
webservices/wss4j/trunk/src/test/resources/wss40CA.properties
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/CertificateStore.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/CertificateStore.java?rev=1129173&r1=1129172&r2=1129173&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/CertificateStore.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/CertificateStore.java
Mon May 30 13:47:25 2011
@@ -139,7 +139,23 @@ public class CertificateStore extends Cr
* @return true if the certificate chain is valid, false otherwise
* @throws WSSecurityException
*/
+ @Deprecated
public boolean verifyTrust(X509Certificate[] certs) throws
WSSecurityException {
+ return verifyTrust(certs, false);
+ }
+
+ /**
+ * Evaluate whether a given certificate chain should be trusted.
+ *
+ * @param certs Certificate chain to validate
+ * @param enableRevocation whether to enable CRL verification or not
+ * @return true if the certificate chain is valid, false otherwise
+ * @throws WSSecurityException
+ */
+ public boolean verifyTrust(
+ X509Certificate[] certs,
+ boolean enableRevocation
+ ) throws WSSecurityException {
try {
// Generate cert path
List<X509Certificate> certList = Arrays.asList(certs);
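Review bot: The `@Deprecated` annotation on `verifyTrust(X509Certificate[])` has no matching `@deprecated` Javadoc tag, so readers of the generated docs are not told what replaces it or that the old entry point permanently disables revocation via `verifyTrust(certs, false)`. Add `@deprecated Use {@link #verifyTrust(X509Certificate[], boolean)}; this overload never performs revocation checking.` to its Javadoc (that Javadoc block starts before the hunk). The new two-argument `verifyTrust` continues past the end of the hunk.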
@@ -155,9 +171,7 @@ public class CertificateStore extends Cr
}
PKIXParameters param = new PKIXParameters(set);
-
- // Do not check a revocation list
- param.setRevocationEnabled(false);
+ param.setRevocationEnabled(enableRevocation);
// Verify the trust path using the above settings
String provider = getCryptoProvider();
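Review bot: `param.setRevocationEnabled(enableRevocation)` is now honoured here, but unlike Merlin this class never adds a CRL `CertStore` to the `PKIXParameters`, so with `enableRevocation == true` the validator has no local CRL source. With the default PKIX implementation this presumably fails closed (the path is rejected when revocation status cannot be determined unless CRL distribution points or OCSP are enabled through system properties), which is safe but indistinguishable from a genuine revocation for the operator. Add a comment above the call, `// No CRL CertStore is configured on CertificateStore: with revocation enabled the PKIX validator must locate CRLs/OCSP itself or the chain is rejected`, or log a warning when the flag is set. The enclosing method starts and ends outside the hunk.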
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Crypto.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Crypto.java?rev=1129173&r1=1129172&r2=1129173&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Crypto.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Crypto.java
Mon May 30 13:47:25 2011
@@ -185,9 +185,22 @@ public interface Crypto {
* @return true if the certificate chain is valid, false otherwise
* @throws WSSecurityException
*/
+ @Deprecated
public boolean verifyTrust(X509Certificate[] certs) throws
WSSecurityException;
/**
+ * Evaluate whether a given certificate chain should be trusted.
+ *
+ * @param certs Certificate chain to validate
+ * @param enableRevocation whether to enable CRL verification or not
+ * @return true if the certificate chain is valid, false otherwise
+ * @throws WSSecurityException
+ */
+ public boolean verifyTrust(
+ X509Certificate[] certs, boolean enableRevocation
+ ) throws WSSecurityException;
+
+ /**
* Evaluate whether a given public key should be trusted.
*
* @param publicKey The PublicKey to be evaluated
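Review bot: The new abstract `verifyTrust(X509Certificate[], boolean)` on the public `Crypto` interface gives implementers no contract for the `enableRevocation == true` case: an implementation with no revocation source could silently return true, turning the flag into a false assurance. State in the Javadoc that when `enableRevocation` is true the implementation must either check revocation status or reject the chain, e.g. `@param enableRevocation whether to enable CRL verification; implementations without a revocation source must fail validation rather than skip the check`. The `@Deprecated` annotation on the one-argument method should also carry `@deprecated Use {@link #verifyTrust(X509Certificate[], boolean)}`. Adding an abstract method to an interface breaks every third-party `Crypto` implementation at compile time; that is presumably accepted for trunk but worth calling out in the release notes.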
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Merlin.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Merlin.java?rev=1129173&r1=1129172&r2=1129173&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Merlin.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Merlin.java
Mon May 30 13:47:25 2011
@@ -39,14 +39,18 @@ import java.security.PublicKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
+import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
+import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
+import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Arrays;
+import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
@@ -102,6 +106,12 @@ public class Merlin extends CryptoBase {
public static final String TRUSTSTORE_TYPE =
"org.apache.ws.security.crypto.merlin.truststore.type";
+ /*
+ * CRL configuration
+ */
+ public static final String X509_CRL_FILE =
+ "org.apache.ws.security.crypto.merlin.x509crl.file";
+
private static final org.apache.commons.logging.Log log =
org.apache.commons.logging.LogFactory.getLog(Merlin.class);
private static final boolean doDebug = log.isDebugEnabled();
@@ -110,6 +120,7 @@ public class Merlin extends CryptoBase {
protected Properties properties = null;
protected KeyStore keystore = null;
protected KeyStore truststore = null;
+ protected CertStore crlCertStore = null;
public Merlin() {
// default constructor
@@ -246,7 +257,48 @@ public class Merlin extends CryptoBase {
}
}
}
-
+ //
+ // Load the CRL file
+ //
+ String crlLocation = properties.getProperty(X509_CRL_FILE);
+ if (crlLocation != null) {
+ crlLocation = crlLocation.trim();
+ InputStream is = loadInputStream(loader, crlLocation);
+
+ try {
+ CertificateFactory cf = getCertificateFactory();
+ X509CRL crl = (X509CRL)cf.generateCRL(is);
+
+ if (provider == null || provider.length() == 0) {
+ crlCertStore =
+ CertStore.getInstance(
+ "Collection",
+ new
CollectionCertStoreParameters(Collections.singletonList(crl))
+ );
+ } else {
+ crlCertStore =
+ CertStore.getInstance(
+ "Collection",
+ new
CollectionCertStoreParameters(Collections.singletonList(crl)),
+ provider
+ );
+ }
+ if (doDebug) {
+ log.debug(
+ "The CRL " + crlLocation + " has been loaded"
+ );
+ }
+ } catch (Exception e) {
+ if (doDebug) {
+ log.debug(e.getMessage(), e);
+ }
+ throw new CredentialException(CredentialException.IO_ERROR,
"ioError00", e);
+ } finally {
+ if (is != null) {
+ is.close();
+ }
+ }
+ }
}
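Review bot: `cf.generateCRL(is)` reads exactly one CRL, so a PEM file holding several CRLs (a common export when a CA has intermediates) silently loses all but the first; `Collection<? extends CRL> crls = cf.generateCRLs(is);` followed by `new CollectionCertStoreParameters(crls)` handles both the single- and multi-CRL case (needs imports of `java.security.cert.CRL` and `java.util.Collection`). The CRL is also parsed once, at construction time, and never refreshed; once its nextUpdate passes the PKIX validator will presumably start rejecting every chain, so the Javadoc on `X509_CRL_FILE` should say the file is read once and the Crypto instance must be recreated to pick up a new CRL. If `loadInputStream` can return null (the `is != null` guard in the finally block suggests it can), `generateCRL(null)` surfaces only as a generic `ioError00`; an explicit `if (is == null) throw ...` naming the path would be clearer. The enclosing method starts outside the hunk.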
@@ -362,6 +414,26 @@ public class Merlin extends CryptoBase {
}
/**
+ * Set the CertStore from which to obtain a list of CRLs for Certificate
Revocation
+ * checking.
+ * @param crlCertStore the CertStore from which to obtain a list of CRLs
for Certificate
+ * Revocation checking.
+ */
+ public void setCRLCertStore(CertStore crlCertStore) {
+ this.crlCertStore = crlCertStore;
+ }
+
+ /**
+ * Get the CertStore from which to obtain a list of CRLs for Certificate
Revocation
+ * checking.
+ * @return the CertStore from which to obtain a list of CRLs for
Certificate
+ * Revocation checking.
+ */
+ public CertStore getCRLCertStore() {
+ return crlCertStore;
+ }
+
+ /**
* Singleton certificate factory for this Crypto instance.
* <p/>
*
@@ -646,7 +718,24 @@ public class Merlin extends CryptoBase {
* @return true if the certificate chain is valid, false otherwise
* @throws WSSecurityException
*/
+ @Deprecated
public boolean verifyTrust(X509Certificate[] certs) throws
WSSecurityException {
+ return verifyTrust(certs, false);
+ }
+
+ /**
+ * Evaluate whether a given certificate chain should be trusted.
+ * Uses the CertPath API to validate a given certificate chain.
+ *
+ * @param certs Certificate chain to validate
+ * @param enableRevocation whether to enable CRL verification or not
+ * @return true if the certificate chain is valid, false otherwise
+ * @throws WSSecurityException
+ */
+ public boolean verifyTrust(
+ X509Certificate[] certs,
+ boolean enableRevocation
+ ) throws WSSecurityException {
try {
// Generate cert path
List<X509Certificate> certList = Arrays.asList(certs);
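Review bot: The deprecated `verifyTrust(X509Certificate[])` now delegates with `enableRevocation = false`, so a deployment that configures `x509crl.file` but whose caller still uses the one-argument method gets no revocation checking at all, silently. That is the right backward-compatible choice, but the Javadoc should say so: `@deprecated Use {@link #verifyTrust(X509Certificate[], boolean)}; this overload never consults the configured CRL.` The new overload continues past the end of the hunk.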
@@ -683,9 +772,10 @@ public class Merlin extends CryptoBase {
}
PKIXParameters param = new PKIXParameters(set);
-
- // Do not check a revocation list
- param.setRevocationEnabled(false);
+ param.setRevocationEnabled(enableRevocation);
+ if (enableRevocation && crlCertStore != null) {
+ param.addCertStore(crlCertStore);
+ }
// Verify the trust path using the above settings
String provider = getCryptoProvider();
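Review bot: When `enableRevocation` is true but `crlCertStore` is null the new branch quietly skips `addCertStore`, leaving the PKIX validator with revocation enabled and no CRL source; with the default provider this presumably rejects every chain unless CRL distribution points or OCSP are enabled through system properties, a fail-closed outcome that an operator will struggle to distinguish from a real revocation. Emit a diagnostic for the misconfiguration: `if (enableRevocation && crlCertStore == null) { log.warn("Revocation checking is enabled but no CRL CertStore is configured (" + X509_CRL_FILE + ")"); }`. The enclosing method starts and ends outside the hunk.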
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/RequestData.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/RequestData.java?rev=1129173&r1=1129172&r2=1129173&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/RequestData.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/RequestData.java
Mon May 30 13:47:25 2011
@@ -74,6 +74,7 @@ public class RequestData {
private boolean useDerivedKeyForMAC = true;
private boolean useSingleCert = true;
private CallbackHandler callback = null;
+ private boolean enableRevocation = false;
public void clear() {
soapConstants = null;
@@ -94,6 +95,7 @@ public class RequestData {
useDerivedKeyForMAC = true;
useSingleCert = true;
callback = null;
+ enableRevocation = false;
}
public Object getMsgContext() {
@@ -380,7 +382,22 @@ public class RequestData {
public boolean isUseSingleCert() {
return useSingleCert;
}
+
+ /**
+ * Set whether to enable CRL checking or not when verifying trust in a
certificate.
+ * @param enableRevocation whether to enable CRL checking
+ */
+ public void setEnableRevocation(boolean enableRevocation) {
+ this.enableRevocation = enableRevocation;
+ }
+ /**
+ * Get whether to enable CRL checking or not when verifying trust in a
certificate.
+ * @return whether to enable CRL checking
+ */
+ public boolean isRevocationEnabled() {
+ return enableRevocation;
+ }
/**
* Sets the CallbackHandler used for this request
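Review bot: The accessor pair is named inconsistently: the setter is `setEnableRevocation` but the getter is `isRevocationEnabled`, so they do not form a single JavaBean property (a reflective configuration tool would see two unrelated properties, `enableRevocation` and `revocationEnabled`). Either `isEnableRevocation()` to match the setter or `setRevocationEnabled(...)` to match the getter would be consistent with the neighbouring `isUseSingleCert`/`setUseSingleCert` pair; the only caller of the getter in this commit is `SignatureTrustValidator`. There is also no blank line between the setter's closing brace and the getter's Javadoc.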
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java?rev=1129173&r1=1129172&r2=1129173&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java
Mon May 30 13:47:25 2011
@@ -1088,6 +1088,11 @@ public abstract class WSHandler {
if (reqData.getSigCrypto() == null) {
reqData.setSigCrypto(loadSignatureCrypto(reqData));
}
+ boolean enableRevocation =
+ decodeBooleanConfigValue(
+ reqData, WSHandlerConstants.ENABLE_REVOCATION, false
+ );
+ reqData.setEnableRevocation(enableRevocation);
}
/*
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java?rev=1129173&r1=1129172&r2=1129173&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java
Mon May 30 13:47:25 2011
@@ -372,6 +372,12 @@ public class WSHandlerConstants {
= "allowNamespaceQualifiedPasswordTypes";
/**
+ * This variable controls whether to enable Certificate Revocation List
(CRL) checking
+ * or not when verifying trust in a certificate. The default value is
"false".
+ */
+ public static final String ENABLE_REVOCATION = "enableRevocation";
+
+ /**
* Set the value of this parameter to true to treat passwords as binary
values
* for Username Tokens. The default value is "false".
*
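Review bot: The `ENABLE_REVOCATION` Javadoc does not tell the deployer where the CRLs come from or what happens without them: with Merlin the CRL is only attached to the validation when this flag is true and `org.apache.ws.security.crypto.merlin.x509crl.file` is set, so setting the Merlin property alone changes nothing, and setting this flag without a CRL source presumably rejects every signature. Extend the comment with `To be effective a CRL source must also be configured on the signature Crypto (for Merlin, org.apache.ws.security.crypto.merlin.x509crl.file); enabling this without a CRL source causes trust validation to fail.`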
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SignatureTrustValidator.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SignatureTrustValidator.java?rev=1129173&r1=1129172&r2=1129173&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SignatureTrustValidator.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SignatureTrustValidator.java
Mon May 30 13:47:25 2011
@@ -64,10 +64,11 @@ public class SignatureTrustValidator imp
if (certs != null && certs.length > 0) {
validateCertificates(certs);
boolean trust = false;
+ boolean enableRevocation = data.isRevocationEnabled();
if (certs.length == 1) {
- trust = verifyTrustInCert(certs[0], crypto);
+ trust = verifyTrustInCert(certs[0], crypto, enableRevocation);
} else {
- trust = verifyTrustInCerts(certs, crypto);
+ trust = verifyTrustInCerts(certs, crypto, enableRevocation);
}
if (trust) {
return credential;
@@ -124,8 +125,33 @@ public class SignatureTrustValidator imp
* @return true if the certificate is trusted, false if not
* @throws WSSecurityException
*/
+ @Deprecated
protected boolean verifyTrustInCert(X509Certificate cert, Crypto crypto)
throws WSSecurityException {
+ return verifyTrustInCert(cert, crypto, false);
+ }
+
+ /**
+ * Evaluate whether a given certificate should be trusted.
+ *
+ * Policy used in this implementation:
+ * 1. Search the keystore for the transmitted certificate
+ * 2. Search the keystore for a connection to the transmitted certificate
+ * (that is, search for certificate(s) of the issuer of the transmitted
certificate
+ * 3. Verify the trust path for those certificates found because the
search for the issuer
+ * might be fooled by a phony DN (String!)
+ *
+ * @param cert the certificate that should be validated against the
keystore
+ * @param crypto A crypto instance to use for trust validation
+ * @param enableRevocation Whether revocation is enabled or not
+ * @return true if the certificate is trusted, false if not
+ * @throws WSSecurityException
+ */
+ protected boolean verifyTrustInCert(
+ X509Certificate cert,
+ Crypto crypto,
+ boolean enableRevocation
+ ) throws WSSecurityException {
String subjectString = cert.getSubjectX500Principal().getName();
String issuerString = cert.getIssuerX500Principal().getName();
BigInteger issuerSerial = cert.getSerialNumber();
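Review bot: The policy Javadoc copied onto the new `verifyTrustInCert` says step 1 searches the keystore for the transmitted certificate itself; if that lookup returns trust before reaching the `crypto.verifyTrust(x509certs, enableRevocation)` call later in the method (the code between the hunks is not visible here), a certificate that is both in the truststore and on the CRL is accepted with `enableRevocation` ignored. Either the direct-match branch should also run the revocation check, or the Javadoc should state explicitly that `enableRevocation` only applies to the issuer-path branch. The method body continues past the hunk.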
@@ -188,7 +214,7 @@ public class SignatureTrustValidator imp
// Use the validation method from the crypto to check whether the
subjects'
// certificate was really signed by the issuer stated in the
certificate
//
- if (crypto.verifyTrust(x509certs)) {
+ if (crypto.verifyTrust(x509certs, enableRevocation)) {
if (LOG.isDebugEnabled()) {
LOG.debug(
"Certificate path has been verified for certificate with
subject "
@@ -209,7 +235,7 @@ public class SignatureTrustValidator imp
/**
* Check to see if the certificate argument is in the keystore
- * @param crypto The Crypto instance to use
+ * @param crypto A Crypto instance to use for trust validation
* @param cert The certificate to check
* @return true if cert is in the keystore
* @throws WSSecurityException
@@ -250,18 +276,39 @@ public class SignatureTrustValidator imp
* Evaluate whether the given certificate chain should be trusted.
*
* @param certificates the certificate chain that should be validated
against the keystore
+ * @param crypto A Crypto instance to use for trust validation
* @return true if the certificate chain is trusted, false if not
* @throws WSSecurityException
*/
- protected boolean verifyTrustInCerts(X509Certificate[] certificates,
Crypto crypto)
- throws WSSecurityException {
+ @Deprecated
+ protected boolean verifyTrustInCerts(
+ X509Certificate[] certificates,
+ Crypto crypto
+ ) throws WSSecurityException {
+ return verifyTrustInCerts(certificates, crypto, false);
+ }
+
+ /**
+ * Evaluate whether the given certificate chain should be trusted.
+ *
+ * @param certificates the certificate chain that should be validated
against the keystore
+ * @param crypto A Crypto instance
+ * @param enableRevocation Whether revocation is enabled or not
+ * @return true if the certificate chain is trusted, false if not
+ * @throws WSSecurityException
+ */
+ protected boolean verifyTrustInCerts(
+ X509Certificate[] certificates,
+ Crypto crypto,
+ boolean enableRevocation
+ ) throws WSSecurityException {
String subjectString =
certificates[0].getSubjectX500Principal().getName();
//
// Use the validation method from the crypto to check whether the
subjects'
// certificate was really signed by the issuer stated in the
certificate
//
if (certificates != null && certificates.length > 1
- && crypto.verifyTrust(certificates)) {
+ && crypto.verifyTrust(certificates, enableRevocation)) {
if (LOG.isDebugEnabled()) {
LOG.debug(
"Certificate path has been verified for certificate with
subject "
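Review bot: `certificates[0].getSubjectX500Principal()` on the first line of the new `verifyTrustInCerts` dereferences the array before the `certificates != null && certificates.length > 1` guard, so the null and empty checks are dead: a null or empty chain produces a `NullPointerException` or `ArrayIndexOutOfBoundsException` instead of the rejection the guard implies. The caller in this commit already filters those cases, so this is a robustness point carried over from the old method, but the new signature is the right moment to compute `subjectString` only after a `certificates == null || certificates.length == 0` guard that returns false. The method body continues past the hunk.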
Added:
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureCRLTest.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureCRLTest.java?rev=1129173&view=auto
==============================================================================
---
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureCRLTest.java
(added)
+++
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureCRLTest.java
Mon May 30 13:47:25 2011
@@ -0,0 +1,167 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.message;
+
+import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.WSSecurityEngine;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.common.SOAPUtil;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.handler.RequestData;
+import org.apache.ws.security.util.WSSecurityUtil;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+/**
+ * This is a test for Certificate Revocation List checking. A message is
signed and sent to the
+ * receiver. If Certificate Revocation is enabled, then signature trust
verification should
+ * fail as the message has been signed by the private key corresponding to a
revoked signature.
+ *
+ * Generate the client keypair, make a csr, sign it with the CA key
+ *
+ * keytool -genkey -validity 3650 -alias wss40rev -keyalg RSA -keystore
wss40rev.jks
+ * -dname "CN=Colm,OU=WSS4J,O=Apache,L=Dublin,ST=Leinster,C=IE"
+ * keytool -certreq -alias wss40rev -keystore wss40rev.jks -file wss40rev.cer
+ * openssl ca -config ca.config -policy policy_anything -days 3650 -out
wss40rev.pem
+ * -infiles wss40rev.cer
+ * openssl x509 -outform DER -in wss40rev.pem -out wss40rev.crt
+ *
+ * Import the CA cert into wss40.jks and import the new signed certificate
+ *
+ * keytool -import -file wss40CA.crt -alias wss40CA -keystore wss40rev.jks
+ * keytool -import -file wss40rev.crt -alias wss40rev -keystore wss40rev.jks
+ *
+ * Generate a Revocation list
+ *
+ * openssl ca -gencrl -keyfile wss40CAKey.pem -cert wss40CA.pem -out
wss40CACRL.pem
+ * -config ca.config -crldays 3650
+ * openssl ca -revoke wss40rev.pem -keyfile wss40CAKey.pem -cert wss40CA.pem
-config ca.config
+ * openssl ca -gencrl -keyfile wss40CAKey.pem -cert wss40CA.pem -out
wss40CACRL.pem
+ * -config ca.config -crldays 3650
+ */
+public class SignatureCRLTest extends org.junit.Assert {
+ private static final org.apache.commons.logging.Log LOG =
+ org.apache.commons.logging.LogFactory.getLog(SignatureCRLTest.class);
+ private Crypto crypto = null;
+ private Crypto cryptoCA = null;
+
+ public SignatureCRLTest() throws Exception {
+ WSSConfig.init();
+ crypto = CryptoFactory.getInstance("wss40rev.properties");
+ cryptoCA = CryptoFactory.getInstance("wss40CA.properties");
+ }
+
+ /**
+ * Test signing a SOAP message using a BST. Revocation is not enabled and
so the test
+ * should pass.
+ */
+ @org.junit.Test
+ public void testSignatureDirectReference() throws Exception {
+ WSSecSignature sign = new WSSecSignature();
+ sign.setUserInfo("wss40rev", "security");
+ sign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+ Document signedDoc = sign.build(doc, crypto, secHeader);
+
+ if (LOG.isDebugEnabled()) {
+ String outputString =
+
org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc);
+ LOG.debug(outputString);
+ }
+ //
+ // Verify the signature
+ //
+ List<WSSecurityEngineResult> results = verify(signedDoc, cryptoCA,
false);
+ WSSecurityEngineResult result =
+ WSSecurityUtil.fetchActionResult(results, WSConstants.SIGN);
+ X509Certificate cert =
+
(X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+ assertTrue (cert != null);
+ }
+
+ /**
+ * Test signing a SOAP message using a BST. Revocation is enabled and so
the test
+ * should fail.
+ */
+ @org.junit.Test
+ public void testSignatureDirectReferenceRevocation() throws Exception {
+ WSSecSignature sign = new WSSecSignature();
+ sign.setUserInfo("wss40rev", "security");
+ sign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
+
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+ Document signedDoc = sign.build(doc, crypto, secHeader);
+
+ if (LOG.isDebugEnabled()) {
+ String outputString =
+
org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc);
+ LOG.debug(outputString);
+ }
+ //
+ // Verify the signature
+ //
+ try {
+ verify(signedDoc, cryptoCA, true);
+ fail ("Failure expected on a revoked certificate");
+ } catch (Exception ex) {
+ assert ex.getMessage().contains("Certificate has been revoked");
+ }
+ }
+
+ /**
+ * Verifies the soap envelope
+ * <p/>
+ *
+ * @param doc
+ * @throws Exception Thrown when there is a problem in verification
+ */
+ private List<WSSecurityEngineResult>
+ verify(Document doc, Crypto crypto, boolean revocationEnabled) throws
WSSecurityException {
+ WSSecurityEngine secEngine = new WSSecurityEngine();
+ RequestData reqData = new RequestData();
+ reqData.setSigCrypto(crypto);
+ reqData.setEnableRevocation(revocationEnabled);
+ Element securityHeader = WSSecurityUtil.getSecurityHeader(doc, null);
+ List<WSSecurityEngineResult> results =
+ secEngine.processSecurityHeader(securityHeader, reqData);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Verfied and decrypted message:");
+ String outputString =
+
org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+ LOG.debug(outputString);
+ }
+ return results;
+ }
+
+
+}
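Review bot: `assert ex.getMessage().contains("Certificate has been revoked")` in `testSignatureDirectReferenceRevocation` uses the Java `assert` keyword, so the check disappears when the JVM runs without `-ea`, and a null message surfaces as a `NullPointerException` rather than a test failure; `catch (WSSecurityException ex) { assertTrue(ex.getMessage(), ex.getMessage() != null && ex.getMessage().contains("Certificate has been revoked")); }` is the JUnit-style check and also stops an unrelated `RuntimeException` from passing the test. The matched text is the JDK provider's message rather than a WSS4J one, so the assertion is provider-specific. The fixture is also time-limited: the certificate's `Not After` is 27 May 2021 and the CRL was generated with `-crldays 3650`, and it is signed with md5WithRSAEncryption over a 1024-bit key, which newer JDKs presumably reject on algorithm grounds, so both tests will eventually fail for reasons unrelated to revocation; regenerating with SHA-256 and a longer validity would avoid that. The class Javadoc also says "revoked signature" where it means "revoked certificate".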
Added: webservices/wss4j/trunk/src/test/resources/keys/ca.db.certs/19.pem
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/keys/ca.db.certs/19.pem?rev=1129173&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/test/resources/keys/ca.db.certs/19.pem (added)
+++ webservices/wss4j/trunk/src/test/resources/keys/ca.db.certs/19.pem Mon May
30 13:47:25 2011
@@ -0,0 +1,65 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 25 (0x19)
+ Signature Algorithm: md5WithRSAEncryption
+ Issuer: C=DE, ST=Bayern, L=Munich, O=Home, OU=Apache WSS4J, CN=Werner
+ Validity
+ Not Before: May 30 11:47:54 2011 GMT
+ Not After : May 27 11:47:54 2021 GMT
+ Subject: C=IE, ST=Leinster, L=Dublin, O=Apache, OU=WSS4J, CN=Colm
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (1024 bit)
+ Modulus (1024 bit):
+ 00:8b:91:75:7f:57:33:5d:78:e3:cd:59:37:aa:e2:
+ 41:78:42:95:b6:7d:2d:ab:61:af:36:f0:4d:58:07:
+ 09:8a:65:13:ee:a8:a5:ea:da:1e:6d:49:cc:e9:52:
+ af:21:1b:02:b2:3a:bb:8b:5f:8e:33:7e:0d:07:25:
+ 00:cf:e3:e6:70:ce:31:45:08:5f:85:fe:89:3b:dd:
+ b1:22:d7:2c:64:73:db:f4:3c:24:00:07:bb:5b:6a:
+ 4c:7c:da:9a:1a:c8:29:3d:e0:a0:14:75:65:69:f3:
+ ba:ca:29:32:9d:fb:13:c8:bf:bc:73:dc:c1:53:b6:
+ ab:ea:84:bb:38:a4:5c:90:9f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ Netscape Comment:
+ OpenSSL Generated Certificate
+ X509v3 Subject Key Identifier:
+ 1A:D4:E0:CE:0D:61:0F:E3:A0:A4:43:47:67:F8:D7:5E:85:C2:C6:CA
+ X509v3 Authority Key Identifier:
+
keyid:56:17:EF:F6:6B:8B:59:FE:23:19:68:DE:78:C0:E1:4D:67:7D:D0:66
+ DirName:/C=DE/ST=Bayern/L=Munich/O=Home/OU=Apache
WSS4J/CN=Werner
+ serial:8D:E1:2C:0A:69:11:77:D2
+
+ Signature Algorithm: md5WithRSAEncryption
+ 98:43:b1:02:e3:9d:d2:af:7e:5b:6d:82:de:f4:4e:69:8a:18:
+ 47:5a:6d:b4:bd:95:0d:b2:96:e4:f3:b1:ce:cc:5c:c0:87:06:
+ d6:3a:00:93:04:ed:7d:f3:63:cd:1d:8d:79:b9:7a:74:05:b5:
+ f0:ba:97:ee:1d:fc:c9:0d:a1:e2:ef:f4:a7:ed:19:3b:ae:d7:
+ a9:94:c2:ab:a0:f5:62:ce:b5:63:7a:e3:5d:72:64:e7:5e:2e:
+ 8c:7a:ea:07:6b:7c:ef:94:ca:ec:21:be:33:80:5a:d4:07:f6:
+ 4c:39:82:04:d9:d0:11:21:be:f9:61:41:72:9b:7e:05:f2:57:
+ a2:b9
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
Modified: webservices/wss4j/trunk/src/test/resources/keys/ca.db.index
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/keys/ca.db.index?rev=1129173&r1=1129172&r2=1129173&view=diff
==============================================================================
Binary files - no diff available.
Modified: webservices/wss4j/trunk/src/test/resources/keys/ca.db.serial
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/keys/ca.db.serial?rev=1129173&r1=1129172&r2=1129173&view=diff
==============================================================================
Binary files - no diff available.
Added: webservices/wss4j/trunk/src/test/resources/keys/wss40CACRL.pem
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/keys/wss40CACRL.pem?rev=1129173&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/test/resources/keys/wss40CACRL.pem (added)
+++ webservices/wss4j/trunk/src/test/resources/keys/wss40CACRL.pem Mon May 30
13:47:25 2011
@@ -0,0 +1,9 @@
+-----BEGIN X509 CRL-----
+MIIBQTCBqzANBgkqhkiG9w0BAQQFADBmMQswCQYDVQQGEwJERTEPMA0GA1UECBMG
+QmF5ZXJuMQ8wDQYDVQQHEwZNdW5pY2gxDTALBgNVBAoTBEhvbWUxFTATBgNVBAsT
+DEFwYWNoZSBXU1M0SjEPMA0GA1UEAxMGV2VybmVyFw0xMTA1MzAxMTU0MzFaFw0y
+MTA1MjcxMTU0MzFaMBQwEgIBGRcNMTEwNTMwMTE1MzU3WjANBgkqhkiG9w0BAQQF
+AAOBgQB0fgOhsp2l0wL/TYiXJqXuKbkhmzQv8LFXmKKCpLSVktrXvVNCBAM9TWVJ
+35SrZ9eqjoI1sQPsbWSDp+QSieasQf9VgC3P4SFhki6ZupeXqrFgdbzOsXEm0FIR
+uY1WJGFrF0Co/YUM00ee8jy89jX2rDCgmonKHrKBf7CkD+R2bw==
+-----END X509 CRL-----
Added: webservices/wss4j/trunk/src/test/resources/keys/wss40rev.cer
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/keys/wss40rev.cer?rev=1129173&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/test/resources/keys/wss40rev.cer (added)
+++ webservices/wss4j/trunk/src/test/resources/keys/wss40rev.cer Mon May 30
13:47:25 2011
@@ -0,0 +1,10 @@
+-----BEGIN NEW CERTIFICATE REQUEST-----
+MIIBoTCCAQoCAQAwYTELMAkGA1UEBhMCSUUxETAPBgNVBAgTCExlaW5zdGVyMQ8wDQYDVQQHEwZE
+dWJsaW4xDzANBgNVBAoTBkFwYWNoZTEOMAwGA1UECxMFV1NTNEoxDTALBgNVBAMTBENvbG0wgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIuRdX9XM114481ZN6riQXhClbZ9LathrzbwTVgHCYpl
+E+6operaHm1JzOlSryEbArI6u4tfjjN+DQclAM/j5nDOMUUIX4X+iTvdsSLXLGRz2/Q8JAAHu1tq
+THzamhrIKT3goBR1ZWnzusopMp37E8i/vHPcwVO2q+qEuzikXJCfAgMBAAGgADANBgkqhkiG9w0B
+AQUFAAOBgQBqturEYBeDMaxEJ4Wlc1yT7daDkBem747CEECZ8j4PT6XaEF/bgL3gGFxCjXjBWwxK
+z8TE9YhBIh1LoUiHqptVOaqXfRiBU+8bI9JDprhVm++CmnWaBFQa/zmtU0ZHOSkR1ZLPdUE9iQii
+V0R9c9TER5ctqmo0a/uOsatoDJzkAw==
+-----END NEW CERTIFICATE REQUEST-----
Added: webservices/wss4j/trunk/src/test/resources/keys/wss40rev.crt
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/keys/wss40rev.crt?rev=1129173&view=auto
==============================================================================
Binary file - no diff available.
Propchange: webservices/wss4j/trunk/src/test/resources/keys/wss40rev.crt
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
Added: webservices/wss4j/trunk/src/test/resources/keys/wss40rev.jks
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/keys/wss40rev.jks?rev=1129173&view=auto
==============================================================================
Binary file - no diff available.
Propchange: webservices/wss4j/trunk/src/test/resources/keys/wss40rev.jks
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
Added: webservices/wss4j/trunk/src/test/resources/keys/wss40rev.pem
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/keys/wss40rev.pem?rev=1129173&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/test/resources/keys/wss40rev.pem (added)
+++ webservices/wss4j/trunk/src/test/resources/keys/wss40rev.pem Mon May 30
13:47:25 2011
@@ -0,0 +1,65 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 25 (0x19)
+ Signature Algorithm: md5WithRSAEncryption
+ Issuer: C=DE, ST=Bayern, L=Munich, O=Home, OU=Apache WSS4J, CN=Werner
+ Validity
+ Not Before: May 30 11:47:54 2011 GMT
+ Not After : May 27 11:47:54 2021 GMT
+ Subject: C=IE, ST=Leinster, L=Dublin, O=Apache, OU=WSS4J, CN=Colm
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (1024 bit)
+ Modulus (1024 bit):
+ 00:8b:91:75:7f:57:33:5d:78:e3:cd:59:37:aa:e2:
+ 41:78:42:95:b6:7d:2d:ab:61:af:36:f0:4d:58:07:
+ 09:8a:65:13:ee:a8:a5:ea:da:1e:6d:49:cc:e9:52:
+ af:21:1b:02:b2:3a:bb:8b:5f:8e:33:7e:0d:07:25:
+ 00:cf:e3:e6:70:ce:31:45:08:5f:85:fe:89:3b:dd:
+ b1:22:d7:2c:64:73:db:f4:3c:24:00:07:bb:5b:6a:
+ 4c:7c:da:9a:1a:c8:29:3d:e0:a0:14:75:65:69:f3:
+ ba:ca:29:32:9d:fb:13:c8:bf:bc:73:dc:c1:53:b6:
+ ab:ea:84:bb:38:a4:5c:90:9f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ Netscape Comment:
+ OpenSSL Generated Certificate
+ X509v3 Subject Key Identifier:
+ 1A:D4:E0:CE:0D:61:0F:E3:A0:A4:43:47:67:F8:D7:5E:85:C2:C6:CA
+ X509v3 Authority Key Identifier:
+
keyid:56:17:EF:F6:6B:8B:59:FE:23:19:68:DE:78:C0:E1:4D:67:7D:D0:66
+ DirName:/C=DE/ST=Bayern/L=Munich/O=Home/OU=Apache
WSS4J/CN=Werner
+ serial:8D:E1:2C:0A:69:11:77:D2
+
+ Signature Algorithm: md5WithRSAEncryption
+ 98:43:b1:02:e3:9d:d2:af:7e:5b:6d:82:de:f4:4e:69:8a:18:
+ 47:5a:6d:b4:bd:95:0d:b2:96:e4:f3:b1:ce:cc:5c:c0:87:06:
+ d6:3a:00:93:04:ed:7d:f3:63:cd:1d:8d:79:b9:7a:74:05:b5:
+ f0:ba:97:ee:1d:fc:c9:0d:a1:e2:ef:f4:a7:ed:19:3b:ae:d7:
+ a9:94:c2:ab:a0:f5:62:ce:b5:63:7a:e3:5d:72:64:e7:5e:2e:
+ 8c:7a:ea:07:6b:7c:ef:94:ca:ec:21:be:33:80:5a:d4:07:f6:
+ 4c:39:82:04:d9:d0:11:21:be:f9:61:41:72:9b:7e:05:f2:57:
+ a2:b9
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
Modified: webservices/wss4j/trunk/src/test/resources/wss40CA.properties
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/wss40CA.properties?rev=1129173&r1=1129172&r2=1129173&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/resources/wss40CA.properties (original)
+++ webservices/wss4j/trunk/src/test/resources/wss40CA.properties Mon May 30
13:47:25 2011
@@ -1,3 +1,4 @@
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.truststore.password=security
org.apache.ws.security.crypto.merlin.truststore.file=keys/wss40CA.jks
+org.apache.ws.security.crypto.merlin.x509crl.file=keys/wss40CACRL.pem
Added: webservices/wss4j/trunk/src/test/resources/wss40rev.properties
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/wss40rev.properties?rev=1129173&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/test/resources/wss40rev.properties (added)
+++ webservices/wss4j/trunk/src/test/resources/wss40rev.properties Mon May 30
13:47:25 2011
@@ -0,0 +1,5 @@
+org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.ws.security.crypto.merlin.keystore.type=jks
+org.apache.ws.security.crypto.merlin.keystore.password=security
+org.apache.ws.security.crypto.merlin.keystore.alias=wss40rev
+org.apache.ws.security.crypto.merlin.keystore.file=keys/wss40rev.jks