Author: coheigea
Date: Mon Dec 22 08:19:46 2008
New Revision: 728720

URL: http://svn.apache.org/viewvc?rev=728720&view=rev
Log:
[WSS-86][WSS-87] - Fix for "CryptoBase.splitAndTrim does not take into account 
the format of a DN constructed by different providers"
 - Applied (some) of the patch attached to WSS-86
 - Note that this change does not work with JDK 1.3, as X500Principal didn't 
exist before 1.4. Given that our code hasn't compiled with JDK 1.3 for a few 
years, I think this is ok though.

Added:
    webservices/wss4j/trunk/keys/wss86.keystore   (with props)
    webservices/wss4j/trunk/test/wss86.properties   (with props)
    webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS86.java   (with props)
Modified:
    
webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java
    
webservices/wss4j/trunk/src/org/apache/ws/security/message/EnvelopeIdResolver.java
    webservices/wss4j/trunk/src/org/apache/ws/security/saml/SAMLUtil.java
    webservices/wss4j/trunk/test/wssec/TestWSSecurityNew15.java

Added: webservices/wss4j/trunk/keys/wss86.keystore
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/keys/wss86.keystore?rev=728720&view=auto
==============================================================================
Binary file - no diff available.

Propchange: webservices/wss4j/trunk/keys/wss86.keystore
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Modified: 
webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java?rev=728720&r1=728719&r2=728720&view=diff
==============================================================================
--- 
webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java
 (original)
+++ 
webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java
 Mon Dec 22 08:19:46 2008
@@ -43,6 +43,7 @@
 import java.util.Iterator;
 import java.util.List;
 import java.util.Vector;
+import javax.security.auth.x500.X500Principal;
 
 /**
  * Created by IntelliJ IDEA.
@@ -208,9 +209,9 @@
     private String getAliasForX509Cert(String issuer, BigInteger serialNumber,
                                        boolean useSerialNumber)
             throws WSSecurityException {
-        Vector issuerRDN = splitAndTrim(issuer);
-        X509Certificate x509cert = null;
-        Vector certRDN = null;
+        X500Principal issuerRDN = new X500Principal(issuer);
+        X509Certificate x509cert;
+        X500Principal certRDN;
         Certificate cert = null;
 
         try {
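Review bot: `new X500Principal(issuer)` on the added line throws an unchecked `IllegalArgumentException` when the string is not a parseable DN, and the issuer here is presumably the X509IssuerName taken from an inbound ISSUER_SERIAL reference, so a malformed or hostile value now escapes a method that is declared to throw only `WSSecurityException` (the removed `splitAndTrim` path did not parse and so could not fail this way). Wrap the construction and rethrow through the checked type, e.g. `try { issuerRDN = new X500Principal(issuer); } catch (IllegalArgumentException e) { throw new WSSecurityException("Invalid issuer DN: " + issuer, e); }`, using whichever `WSSecurityException` constructor CryptoBase already uses for wrapping. The body of getAliasForX509Cert continues past the end of this hunk.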
@@ -232,7 +233,7 @@
                 x509cert = (X509Certificate) cert;
                 if (!useSerialNumber ||
                         useSerialNumber && 
x509cert.getSerialNumber().compareTo(serialNumber) == 0) {
-                    certRDN = splitAndTrim(x509cert.getIssuerDN().getName());
+                    certRDN = new 
X500Principal(x509cert.getIssuerDN().getName());
                     if (certRDN.equals(issuerRDN)) {
                         return alias;
                     }
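Review bot: The new `new X500Principal(x509cert.getIssuerDN().getName())` still round-trips the issuer through a provider-formatted string, which is exactly the provider dependence WSS-86 is about; the certificate already carries the DER-encoded issuer, so `certRDN = x509cert.getIssuerX500Principal();` compares the encoded name directly with no string parsing, and it matches what the getAlias hunk below does with `getSubjectX500Principal()`. It also removes the `IllegalArgumentException` that the string constructor can raise for an unusual issuer in the keystore. getAliasForX509Cert starts and ends outside this hunk.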
@@ -522,7 +523,7 @@
     public String[] getAliasesForDN(String subjectDN) throws 
WSSecurityException {
 
         // The DN to search the keystore for
-        Vector subjectRDN = splitAndTrim(subjectDN);
+        X500Principal subjectRDN = new X500Principal(subjectDN);
         Vector aliases = getAlias(subjectRDN, keystore);
         
         //If we can't find the issuer in the keystore then look at cacerts
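Review bot: `new X500Principal(subjectDN)` on the added line raises `IllegalArgumentException` for a string that does not parse as a DN, while getAliasesForDN is a public method declared to throw only `WSSecurityException`; callers that feed it a DN from a message and catch the checked type will now miss the failure. Catch and rethrow, e.g. `try { subjectRDN = new X500Principal(subjectDN); } catch (IllegalArgumentException e) { throw new WSSecurityException("Invalid subject DN: " + subjectDN, e); }`, with the exception constructor the file already uses. The method's body continues past the end of this hunk.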
@@ -694,7 +695,7 @@
         return true;
     }
     
-    private Vector getAlias(Vector subjectRDN, KeyStore store) throws 
WSSecurityException {
+    private Vector getAlias(X500Principal subjectRDN, KeyStore store) throws 
WSSecurityException {
         // Store the aliases found
         Vector aliases = new Vector();
 
@@ -716,7 +717,7 @@
                     cert = certs[0];
                 }
                 if (cert instanceof X509Certificate) {
-                    Vector foundRDN = splitAndTrim(((X509Certificate) 
cert).getSubjectDN().getName());
+                    X500Principal foundRDN = ((X509Certificate) 
cert).getSubjectX500Principal();
 
                     if (subjectRDN.equals(foundRDN)) {
                         aliases.add(alias);
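Review bot: The match on `subjectRDN.equals(foundRDN)` now relies on `X500Principal.equals`, which compares canonical (RFC 2253 canonical-form) representations rather than the raw strings, and nothing in the hunk records that this is the intended matching rule; a reader may otherwise assume an exact string match. Add a line such as `// X500Principal.equals compares canonical DN forms, so provider-specific string formatting does not affect the match` above the comparison. Using `getSubjectX500Principal()` rather than re-parsing `getSubjectDN().getName()` is the right choice here and is worth mirroring for the issuer comparison elsewhere in this file. The enclosing getAlias method starts and ends outside this hunk.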

Modified: 
webservices/wss4j/trunk/src/org/apache/ws/security/message/EnvelopeIdResolver.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/EnvelopeIdResolver.java?rev=728720&r1=728719&r2=728720&view=diff
==============================================================================
--- 
webservices/wss4j/trunk/src/org/apache/ws/security/message/EnvelopeIdResolver.java
 (original)
+++ 
webservices/wss4j/trunk/src/org/apache/ws/security/message/EnvelopeIdResolver.java
 Mon Dec 22 08:19:46 2008
@@ -88,7 +88,7 @@
          * Identifies a node-set containing the element with ID attribute
          * value 'chapter1' of the XML resource containing the signature.
          * XML Signature (and its applications) modify this node-set to
-         * include the element plus all descendents including namespaces and
+         * include the element plus all descendants including namespaces and
          * attributes -- but not comments.
          */
          

Modified: webservices/wss4j/trunk/src/org/apache/ws/security/saml/SAMLUtil.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/saml/SAMLUtil.java?rev=728720&r1=728719&r2=728720&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/saml/SAMLUtil.java 
(original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/saml/SAMLUtil.java Mon 
Dec 22 08:19:46 2008
@@ -83,7 +83,7 @@
         
         //First ask the cb whether it can provide the secret
         WSPasswordCallback pwcb = new WSPasswordCallback(assertion.getId(), 
WSPasswordCallback.CUSTOM_TOKEN);
-        if(cb != null) {
+        if (cb != null) {
             try {
                 cb.handle(new Callback[]{pwcb});
             } catch (Exception e1) {
@@ -94,7 +94,7 @@
         
         byte[] key = pwcb.getKey();
         
-        if(key != null) {
+        if (key != null) {
             return new SAMLKeyInfo(assertion, key);
         } else {
             Iterator statements = assertion.getStatements();
@@ -108,25 +108,25 @@
                     NodeList children = kiElem.getChildNodes();
                     int len = children.getLength();
                     
-                    for(int i = 0; i < len; i++) {
+                    for (int i = 0; i < len; i++) {
                         Node child = children.item(i);
                         if (child.getNodeType() != Node.ELEMENT_NODE) {
                             continue;
                         }
                         QName el = new QName(child.getNamespaceURI(), 
child.getLocalName());
-                        if(el.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
+                        if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
                             
                             EncryptedKeyProcessor proc = new 
EncryptedKeyProcessor();
                             proc.handleEncryptedKey((Element)child, cb, 
crypto, null);
                             
                             return new SAMLKeyInfo(assertion, 
proc.getDecryptedBytes());
-                        } else if(el.equals(new QName(WSConstants.WST_NS, 
"BinarySecret"))) {
+                        } else if (el.equals(new QName(WSConstants.WST_NS, 
"BinarySecret"))) {
                             Text txt = (Text)child.getFirstChild();
                             return new SAMLKeyInfo(assertion, 
Base64.decode(txt.getData()));
                         }
                     }
 
-                } else if( stmt instanceof SAMLAuthenticationStatement) {
+                } else if (stmt instanceof SAMLAuthenticationStatement) {
                     SAMLAuthenticationStatement authStmt = 
(SAMLAuthenticationStatement)stmt;
                     SAMLSubject samlSubj = authStmt.getSubject(); 
                     if (samlSubj == null) {

Added: webservices/wss4j/trunk/test/wss86.properties
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wss86.properties?rev=728720&view=auto
==============================================================================
--- webservices/wss4j/trunk/test/wss86.properties (added)
+++ webservices/wss4j/trunk/test/wss86.properties Mon Dec 22 08:19:46 2008
@@ -0,0 +1,6 @@
+org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.ws.security.crypto.merlin.keystore.type=jks
+org.apache.ws.security.crypto.merlin.keystore.password=security
+org.apache.ws.security.crypto.merlin.keystore.alias=wss86
+org.apache.ws.security.crypto.merlin.alias.password=security
+org.apache.ws.security.crypto.merlin.file=keys/wss86.keystore

Propchange: webservices/wss4j/trunk/test/wss86.properties
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: webservices/wss4j/trunk/test/wss86.properties
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Propchange: webservices/wss4j/trunk/test/wss86.properties
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Modified: webservices/wss4j/trunk/test/wssec/TestWSSecurityNew15.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityNew15.java?rev=728720&r1=728719&r2=728720&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityNew15.java (original)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityNew15.java Mon Dec 22 
08:19:46 2008
@@ -54,7 +54,7 @@
 /**
  * Test that encrypt and decrypt a WS-Security envelope.
  * 
- * This test uses the RSA_15 alogrithm to transport (wrap) the symmetric key.
+ * This test uses the RSA_15 algorithm to transport (wrap) the symmetric key.
  * The test case creates a ReferenceList element that references EncryptedData
  * elements. The ReferencesList element is put into the Security header, not
  * as child of the EncryptedKey. The EncryptedData elements contain a KeyInfo

Added: webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS86.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS86.java?rev=728720&view=auto
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS86.java (added)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS86.java Mon Dec 22 
08:19:46 2008
@@ -0,0 +1,209 @@
+/*
+ * Copyright  2003-2004 The Apache Software Foundation.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+
+package wssec;
+
+import junit.framework.Test;
+import junit.framework.TestCase;
+import junit.framework.TestSuite;
+import org.apache.axis.Message;
+import org.apache.axis.MessageContext;
+import org.apache.axis.client.AxisClient;
+import org.apache.axis.configuration.NullProvider;
+import org.apache.axis.message.SOAPEnvelope;
+import org.apache.axis.utils.XMLUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ws.security.WSPasswordCallback;
+import org.apache.ws.security.WSSecurityEngine;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.message.WSSecSignature;
+import org.apache.ws.security.message.WSSecHeader;
+import org.w3c.dom.Document;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.PrintWriter;
+
+/**
+ * This is a test for WSS-86 - "CryptoBase.splitAndTrim does not take into 
account the format of a 
+ * DN constructed by different providers":
+ * http://issues.apache.org/jira/browse/WSS-86
+ * 
+ * Keystore: keys\wss86.keystore
+ * Password: security
+ * Generated by:
+ * 
+ * keytool -genkey  -alias wss86 -keyalg RSA -keystore wss86.keystore 
+ * -dname 
"1.2.840.113549.1.9.1=#16125765726e6572406578616d706c652e636f6d,CN=Werner,
+ * OU=WSS4J,O=Apache,L=Munich,ST=Bayern,C=DE"
+ */
+public class TestWSSecurityWSS86 extends TestCase implements CallbackHandler {
+    private static Log log = LogFactory.getLog(TestWSSecurityWSS86.class);
+    static final String soapMsg = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" 
+ "<SOAP-ENV:Envelope 
xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\"; 
xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"; 
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\";>" + "<SOAP-ENV:Body>" + 
"<add xmlns=\"http://ws.apache.org/counter/counter_port_type\";>" + "<value 
xmlns=\"\">15</value>" + "</add>" + "</SOAP-ENV:Body>\r\n       \r\n" + 
"</SOAP-ENV:Envelope>";
+    static final WSSecurityEngine secEngine = new WSSecurityEngine();
+    static final Crypto crypto = CryptoFactory.getInstance("wss86.properties");
+    MessageContext msgContext;
+    Message message;
+
+    /**
+     * TestWSSecurity constructor
+     * <p/>
+     * 
+     * @param name name of the test
+     */
+    public TestWSSecurityWSS86(String name) {
+        super(name);
+    }
+
+    /**
+     * JUnit suite
+     * <p/>
+     * 
+     * @return a junit test suite
+     */
+    public static Test suite() {
+        return new TestSuite(TestWSSecurityWSS86.class);
+    }
+
+    /**
+     * Main method
+     * <p/>
+     * 
+     * @param args command line args
+     */
+    public static void main(String[] args) {
+        junit.textui.TestRunner.run(suite());
+    }
+
+    /**
+     * Setup method
+     * <p/>
+     * 
+     * @throws Exception Thrown when there is a problem in setup
+     */
+    protected void setUp() throws Exception {
+        AxisClient tmpEngine = new AxisClient(new NullProvider());
+        msgContext = new MessageContext(tmpEngine);
+        message = getSOAPMessage();
+    }
+
+    /**
+     * Constructs a soap envelope
+     * <p/>
+     * 
+     * @return soap envelope
+     * @throws Exception if there is any problem constructing the soap envelope
+     */
+    protected Message getSOAPMessage() throws Exception {
+        InputStream in = new ByteArrayInputStream(soapMsg.getBytes());
+        Message msg = new Message(in);
+        msg.setMessageContext(msgContext);
+        return msg;
+    }
+
+    /**
+     * A unit test...
+     */
+    public void testGetAliasWithPlainIssuer() throws Exception {
+        String issuer = 
"[email protected],CN=Werner,OU=WSS4J,O=Apache,L=Munich,ST=Bayern,C=DE";
+        String alias = crypto.getAliasForX509Cert(issuer);
+        assertNotNull("Alias not found using plain issuer only", alias);
+    }
+
+    /**
+     * A unit test...
+     */
+    public void testGetAliasWithEncodedIssuer() throws Exception {
+        String issuer = 
"1.2.840.113549.1.9.1=#16125765726e6572406578616d706c652e636f6d,CN=Werner,OU=WSS4J,O=Apache,L=Munich,ST=Bayern,C=DE";
+        String alias = crypto.getAliasForX509Cert(issuer);
+        assertNotNull("Alias not found using encoded issuer only", alias);
+    }
+
+    /**
+     * A unit test...
+     */
+    public void testGetAliasWithMicrosoftState() throws Exception {
+        String issuer = 
"[email protected],CN=Werner,OU=WSS4J,O=Apache,L=Munich,S=Bayern,C=DE";
+        String alias = crypto.getAliasForX509Cert(issuer);
+        assertNotNull("Alias not found using Microsoft style states (S= 
instead of ST=)", alias);
+    }
+    
+    /**
+     * Test signing a SOAP message using a cert with an OID
+     */
+    public void testSignatureOID() throws Exception {
+        SOAPEnvelope unsignedEnvelope = message.getSOAPEnvelope();
+        WSSecSignature sign = new WSSecSignature();
+        sign.setUserInfo("wss86", "security");
+        sign.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
+
+        Document doc = unsignedEnvelope.getAsDocument();
+
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        Document signedDoc = sign.build(doc, crypto, secHeader);
+        
+        Message signedMsg = SOAPUtil.toAxisMessage(signedDoc);
+        if (log.isDebugEnabled()) {
+            
XMLUtils.PrettyElementToWriter(signedMsg.getSOAPEnvelope().getAsDOM(), new 
PrintWriter(System.out));
+        }
+        signedDoc = signedMsg.getSOAPEnvelope().getAsDocument();
+        
+        verify(signedDoc);
+    }
+    
+    /**
+     * Verifies the soap envelope
+     * <p/>
+     * 
+     * @param doc 
+     * @throws Exception Thrown when there is a problem in verification
+     */
+    private void verify(Document doc) throws Exception {
+        secEngine.processSecurityHeader(doc, null, this, crypto);
+        SOAPUtil.updateSOAPMessage(doc, message);
+        if (log.isDebugEnabled()) {
+            log.debug("Verfied and decrypted message:");
+            
XMLUtils.PrettyElementToWriter(message.getSOAPEnvelope().getAsDOM(), new 
PrintWriter(System.out));
+        }
+    }
+
+    public void handle(Callback[] callbacks)
+            throws IOException, UnsupportedCallbackException {
+        for (int i = 0; i < callbacks.length; i++) {
+            if (callbacks[i] instanceof WSPasswordCallback) {
+                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
+                /*
+                 * here call a function/method to lookup the password for
+                 * the given identifier (e.g. a user name or keystore alias)
+                 * e.g.: 
pc.setPassword(passStore.getPassword(pc.getIdentfifier))
+                 * for Testing we supply a fixed name here.
+                 */
+                pc.setPassword("security");
+            } else {
+                throw new UnsupportedCallbackException(callbacks[i], 
"Unrecognized Callback");
+            }
+        }
+    }
+}
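Review bot: The three alias lookups only `assertNotNull` the result, which would also pass if the lookup resolved to a different entry, so the regression the tests guard does not get pinned; `assertEquals("wss86", alias)` in each of them ties the canonical, OID-encoded and `S=` forms to the single expected entry. `soapMsg.getBytes()` in getSOAPMessage encodes with the platform charset while the literal declares `encoding="UTF-8"`; `soapMsg.getBytes("UTF-8")` is available on the JDK 1.4 baseline the commit message names and keeps the two consistent. verify discards the result of `processSecurityHeader`, so a signature that silently produced no result would still pass; asserting that the returned results contain a signature action would make testSignatureOID meaningful. The `S=` case presumably passes only because the JDK's default `X500Principal` keyword map accepts that non-RFC 2253 keyword, which is worth stating in the test's comment.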

Propchange: webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS86.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: webservices/wss4j/trunk/test/wssec/TestWSSecurityWSS86.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date


