From cohei...@apache.org
Subject svn commit: r1129173 - in /webservices/wss4j/trunk/src: main/java/org/apache/ws/security/components/crypto/ main/java/org/apache/ws/security/handler/ main/java/org/apache/ws/security/validate/ test/java/org/apache/ws/security/message/ test/resources/ t...
Date Mon, 30 May 2011 13:47:25 GMT
Author: coheigea
Date: Mon May 30 13:47:25 2011
New Revision: 1129173

URL: http://svn.apache.org/viewvc?rev=1129173&view=rev
Log:
[WSS-278] - Add support for CRLs to WSS4J.

Added:
    webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureCRLTest.java
    webservices/wss4j/trunk/src/test/resources/keys/ca.db.certs/19.pem
    webservices/wss4j/trunk/src/test/resources/keys/wss40CACRL.pem
    webservices/wss4j/trunk/src/test/resources/keys/wss40rev.cer
    webservices/wss4j/trunk/src/test/resources/keys/wss40rev.crt   (with props)
    webservices/wss4j/trunk/src/test/resources/keys/wss40rev.jks   (with props)
    webservices/wss4j/trunk/src/test/resources/keys/wss40rev.pem
    webservices/wss4j/trunk/src/test/resources/wss40rev.properties
Modified:
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/CertificateStore.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Crypto.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Merlin.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/RequestData.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SignatureTrustValidator.java
    webservices/wss4j/trunk/src/test/resources/keys/ca.db.index
    webservices/wss4j/trunk/src/test/resources/keys/ca.db.serial
    webservices/wss4j/trunk/src/test/resources/wss40CA.properties

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/CertificateStore.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/CertificateStore.java?rev=1129173&r1=1129172&r2=1129173&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/CertificateStore.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/CertificateStore.java
Mon May 30 13:47:25 2011
@@ -139,7 +139,23 @@ public class CertificateStore extends Cr
      * @return true if the certificate chain is valid, false otherwise
      * @throws WSSecurityException
      */
+    @Deprecated
     public boolean verifyTrust(X509Certificate[] certs) throws WSSecurityException {
+        return verifyTrust(certs, false);
+    }
+    
+    /**
+     * Evaluate whether a given certificate chain should be trusted.
+     *
+     * @param certs Certificate chain to validate
+     * @param enableRevocation whether to enable CRL verification or not
+     * @return true if the certificate chain is valid, false otherwise
+     * @throws WSSecurityException
+     */
+    public boolean verifyTrust(
+        X509Certificate[] certs, 
+        boolean enableRevocation
+    ) throws WSSecurityException {
         try {
             // Generate cert path
             List<X509Certificate> certList = Arrays.asList(certs);
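Review bot: The `@Deprecated` annotation placed on `verifyTrust(X509Certificate[])` has no matching Javadoc `@deprecated` tag, so nothing in the generated API docs points callers at the replacement; add `@deprecated use {@link #verifyTrust(X509Certificate[], boolean)} instead` to that method's Javadoc, whose opening lines sit above this hunk. The same omission applies to the deprecated overloads in Crypto.java, Merlin.java and to `verifyTrustInCert`/`verifyTrustInCerts` in SignatureTrustValidator.java. The new overload's `@throws WSSecurityException` also carries no description of when it is thrown; a short phrase such as `if the certificate path cannot be built or validated` would help, hedged as the body continues past the hunk.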
@@ -155,9 +171,7 @@ public class CertificateStore extends Cr
             }
 
             PKIXParameters param = new PKIXParameters(set);
-            
-            // Do not check a revocation list
-            param.setRevocationEnabled(false);
+            param.setRevocationEnabled(enableRevocation);
 
             // Verify the trust path using the above settings
             String provider = getCryptoProvider();
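Review bot: When `enableRevocation` is true, `param.setRevocationEnabled(enableRevocation)` is the only change to the PKIXParameters in this class, and no CertStore holding CRLs is ever added to `param` here (unlike the corresponding Merlin hunk, which adds `crlCertStore`), so as far as I can tell the PKIX validator has no revocation data and every chain fails validation instead of being checked. That is fail-closed, which is the right direction, but it surfaces as a generic trust failure with no indication that the CRL source is missing. Consider stating in the new Javadoc that CertificateStore does not support CRL lookup, or logging a warning when `enableRevocation` is true here and, in Merlin, when `crlCertStore` is null. The enclosing method body continues past the hunk.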

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Crypto.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Crypto.java?rev=1129173&r1=1129172&r2=1129173&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Crypto.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Crypto.java
Mon May 30 13:47:25 2011
@@ -185,9 +185,22 @@ public interface Crypto {
      * @return true if the certificate chain is valid, false otherwise
      * @throws WSSecurityException
      */
+    @Deprecated
     public boolean verifyTrust(X509Certificate[] certs) throws WSSecurityException;
     
     /**
+     * Evaluate whether a given certificate chain should be trusted.
+     *
+     * @param certs Certificate chain to validate
+     * @param enableRevocation whether to enable CRL verification or not
+     * @return true if the certificate chain is valid, false otherwise
+     * @throws WSSecurityException
+     */
+    public boolean verifyTrust(
+        X509Certificate[] certs, boolean enableRevocation
+    ) throws WSSecurityException;
+    
+    /**
      * Evaluate whether a given public key should be trusted.
      * 
      * @param publicKey The PublicKey to be evaluated
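Review bot: Adding an abstract `verifyTrust(X509Certificate[], boolean)` to the public `Crypto` interface breaks every third-party implementation of it at compile time, which neither the commit message nor the new Javadoc mentions. If an external implementor is patched only to compile, the easiest fix is to ignore the flag, which silently drops revocation checking. Consider having `CryptoBase` (which Merlin extends, per the Merlin hunk) supply a default that delegates to the one-argument form and logs a warning that revocation was requested but is unsupported, and document the new requirement in the interface Javadoc.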

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Merlin.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Merlin.java?rev=1129173&r1=1129172&r2=1129173&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Merlin.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/components/crypto/Merlin.java
Mon May 30 13:47:25 2011
@@ -39,14 +39,18 @@ import java.security.PublicKey;
 import java.security.UnrecoverableKeyException;
 import java.security.cert.CertPath;
 import java.security.cert.CertPathValidator;
+import java.security.cert.CertStore;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
+import java.security.cert.CollectionCertStoreParameters;
 import java.security.cert.PKIXParameters;
 import java.security.cert.TrustAnchor;
+import java.security.cert.X509CRL;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.Enumeration;
 import java.util.HashSet;
 import java.util.List;
@@ -102,6 +106,12 @@ public class Merlin extends CryptoBase {
     public static final String TRUSTSTORE_TYPE =
         "org.apache.ws.security.crypto.merlin.truststore.type";
     
+    /*
+     * CRL configuration
+     */
+    public static final String X509_CRL_FILE = 
+        "org.apache.ws.security.crypto.merlin.x509crl.file";
+    
     private static final org.apache.commons.logging.Log log = 
         org.apache.commons.logging.LogFactory.getLog(Merlin.class);
     private static final boolean doDebug = log.isDebugEnabled();
@@ -110,6 +120,7 @@ public class Merlin extends CryptoBase {
     protected Properties properties = null;
     protected KeyStore keystore = null;
     protected KeyStore truststore = null;
+    protected CertStore crlCertStore = null;
     
     public Merlin() {
         // default constructor
@@ -246,7 +257,48 @@ public class Merlin extends CryptoBase {
                 }
             }
         }
-        
+        //
+        // Load the CRL file
+        //
+        String crlLocation = properties.getProperty(X509_CRL_FILE);
+        if (crlLocation != null) {
+            crlLocation = crlLocation.trim();
+            InputStream is = loadInputStream(loader, crlLocation);
+
+            try {
+                CertificateFactory cf = getCertificateFactory();
+                X509CRL crl = (X509CRL)cf.generateCRL(is);
+                
+                if (provider == null || provider.length() == 0) {
+                    crlCertStore = 
+                        CertStore.getInstance(
+                            "Collection",
+                            new CollectionCertStoreParameters(Collections.singletonList(crl))
+                        );
+                } else {
+                    crlCertStore = 
+                        CertStore.getInstance(
+                            "Collection",
+                            new CollectionCertStoreParameters(Collections.singletonList(crl)),
+                            provider
+                        );
+                }
+                if (doDebug) {
+                    log.debug(
+                        "The CRL " + crlLocation + " has been loaded"
+                    );
+                }
+            } catch (Exception e) {
+                if (doDebug) {
+                    log.debug(e.getMessage(), e);
+                }
+                throw new CredentialException(CredentialException.IO_ERROR, "ioError00",
e);
+            } finally {
+                if (is != null) {
+                    is.close();
+                }
+            }
+        }
     }
 
     
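Review bot: The CRL is parsed once when Merlin is constructed and held in `crlCertStore` for the life of the instance, and nothing inspects `crl.getNextUpdate()`, so a long-lived Crypto keeps using the same CRL after it has expired; the PKIX validator will then, as far as I can tell, reject every chain with an undetermined-revocation error rather than re-read the file. At minimum, record the validity window next to the existing debug line, e.g. `log.debug("The CRL " + crlLocation + " has been loaded, nextUpdate=" + crl.getNextUpdate());`, and say in the `X509_CRL_FILE` documentation that the file is read only once. Only a single CRL file is supported (`Collections.singletonList(crl)`), so a truststore containing several issuing CAs cannot be fully covered; a comma-separated list would fit the existing property style. The `/* CRL configuration */` comment in the earlier hunk is a block comment rather than Javadoc, so that public constant is currently undocumented. The enclosing method starts outside the hunk.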
@@ -362,6 +414,26 @@ public class Merlin extends CryptoBase {
     }
     
     /**
+     * Set the CertStore from which to obtain a list of CRLs for Certificate Revocation
+     * checking.
+     * @param crlCertStore the CertStore from which to obtain a list of CRLs for Certificate

+     * Revocation checking.
+     */
+    public void setCRLCertStore(CertStore crlCertStore) {
+        this.crlCertStore = crlCertStore;
+    }
+    
+    /**
+     * Get the CertStore from which to obtain a list of CRLs for Certificate Revocation
+     * checking.
+     * @return the CertStore from which to obtain a list of CRLs for Certificate 
+     * Revocation checking.
+     */
+    public CertStore getCRLCertStore() {
+        return crlCertStore;
+    }
+    
+    /**
      * Singleton certificate factory for this Crypto instance.
      * <p/>
      *
@@ -646,7 +718,24 @@ public class Merlin extends CryptoBase {
      * @return true if the certificate chain is valid, false otherwise
      * @throws WSSecurityException
      */
+    @Deprecated
     public boolean verifyTrust(X509Certificate[] certs) throws WSSecurityException {
+        return verifyTrust(certs, false);
+    }
+    
+    /**
+     * Evaluate whether a given certificate chain should be trusted.
+     * Uses the CertPath API to validate a given certificate chain.
+     *
+     * @param certs Certificate chain to validate
+     * @param enableRevocation whether to enable CRL verification or not
+     * @return true if the certificate chain is valid, false otherwise
+     * @throws WSSecurityException
+     */
+    public boolean verifyTrust(
+        X509Certificate[] certs, 
+        boolean enableRevocation
+    ) throws WSSecurityException {
         try {
             // Generate cert path
             List<X509Certificate> certList = Arrays.asList(certs);
@@ -683,9 +772,10 @@ public class Merlin extends CryptoBase {
             }
 
             PKIXParameters param = new PKIXParameters(set);
-            
-            // Do not check a revocation list
-            param.setRevocationEnabled(false);
+            param.setRevocationEnabled(enableRevocation);
+            if (enableRevocation && crlCertStore != null) {
+                param.addCertStore(crlCertStore);
+            }
 
             // Verify the trust path using the above settings
             String provider = getCryptoProvider();

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/RequestData.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/RequestData.java?rev=1129173&r1=1129172&r2=1129173&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/RequestData.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/RequestData.java
Mon May 30 13:47:25 2011
@@ -74,6 +74,7 @@ public class RequestData {
     private boolean useDerivedKeyForMAC = true;
     private boolean useSingleCert = true;
     private CallbackHandler callback = null;
+    private boolean enableRevocation = false;
 
     public void clear() {
         soapConstants = null;
@@ -94,6 +95,7 @@ public class RequestData {
         useDerivedKeyForMAC = true;
         useSingleCert = true;
         callback = null;
+        enableRevocation = false;
     }
 
     public Object getMsgContext() {
@@ -380,7 +382,22 @@ public class RequestData {
     public boolean isUseSingleCert() {
         return useSingleCert;
     }
+
+    /**
+     * Set whether to enable CRL checking or not when verifying trust in a certificate.
+     * @param enableRevocation whether to enable CRL checking 
+     */
+    public void setEnableRevocation(boolean enableRevocation) {
+        this.enableRevocation = enableRevocation;
+    }
     
+    /**
+     * Get whether to enable CRL checking or not when verifying trust in a certificate.
+     * @return whether to enable CRL checking
+     */
+    public boolean isRevocationEnabled() {
+        return enableRevocation;
+    }
     
     /**
      * Sets the CallbackHandler used for this request
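Review bot: The new accessor pair is named asymmetrically, `setEnableRevocation(boolean)` against `isRevocationEnabled()`, so bean-style tooling and readers looking for `isEnableRevocation` will not find the getter. Pick one property name for both, e.g. `setRevocationEnabled`/`isRevocationEnabled`, which also matches the PKIXParameters method the flag ultimately feeds, and keep the field name consistent with it. The existing getters above (`isUseSingleCert`) show the file's convention of mirroring the field name.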

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java?rev=1129173&r1=1129172&r2=1129173&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandler.java Mon
May 30 13:47:25 2011
@@ -1088,6 +1088,11 @@ public abstract class WSHandler {
         if (reqData.getSigCrypto() == null) {
             reqData.setSigCrypto(loadSignatureCrypto(reqData));
         }
+        boolean enableRevocation = 
+            decodeBooleanConfigValue(
+                reqData, WSHandlerConstants.ENABLE_REVOCATION, false
+            );
+        reqData.setEnableRevocation(enableRevocation);
     }
 
     /*
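Review bot: `reqData.setEnableRevocation(enableRevocation)` is placed in a method whose signature is outside the hunk, directly after the signature Crypto is loaded, so I infer it runs only on the signature-verification setup path; if any other receive path reaches SignatureTrustValidator without passing through here, `enableRevocation` keeps its `false` default and CRL checking is silently skipped. Please confirm every caller of SignatureTrustValidator goes through this method, or move the decode to the common RequestData initialisation. A debug log of the decoded value would make a silently-disabled configuration visible in operation.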

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java?rev=1129173&r1=1129172&r2=1129173&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/handler/WSHandlerConstants.java
Mon May 30 13:47:25 2011
@@ -372,6 +372,12 @@ public class WSHandlerConstants {
         = "allowNamespaceQualifiedPasswordTypes";
     
     /**
+     * This variable controls whether to enable Certificate Revocation List (CRL) checking
+     * or not when verifying trust in a certificate. The default value is "false".
+     */
+    public static final String ENABLE_REVOCATION = "enableRevocation";
+    
+    /**
      * Set the value of this parameter to true to treat passwords as binary values
      * for Username Tokens. The default value is "false".
      * 
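Review bot: The Javadoc on `ENABLE_REVOCATION` does not say that a CRL source must also be supplied to the Crypto instance; with the flag set and no CRL available, trust validation fails for every certificate rather than skipping the check. Add a sentence such as `A CRL must be configured on the Crypto implementation (for Merlin, via the org.apache.ws.security.crypto.merlin.x509crl.file property); without one, trust verification fails.` This is documentation only.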

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SignatureTrustValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SignatureTrustValidator.java?rev=1129173&r1=1129172&r2=1129173&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SignatureTrustValidator.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/validate/SignatureTrustValidator.java
Mon May 30 13:47:25 2011
@@ -64,10 +64,11 @@ public class SignatureTrustValidator imp
         if (certs != null && certs.length > 0) {
             validateCertificates(certs);
             boolean trust = false;
+            boolean enableRevocation = data.isRevocationEnabled();
             if (certs.length == 1) {
-                trust = verifyTrustInCert(certs[0], crypto);
+                trust = verifyTrustInCert(certs[0], crypto, enableRevocation);
             } else {
-                trust = verifyTrustInCerts(certs, crypto);
+                trust = verifyTrustInCerts(certs, crypto, enableRevocation);
             }
             if (trust) {
                 return credential;
@@ -124,8 +125,33 @@ public class SignatureTrustValidator imp
      * @return true if the certificate is trusted, false if not
      * @throws WSSecurityException
      */
+    @Deprecated
     protected boolean verifyTrustInCert(X509Certificate cert, Crypto crypto) 
         throws WSSecurityException {
+        return verifyTrustInCert(cert, crypto, false);
+    }
+    
+    /**
+     * Evaluate whether a given certificate should be trusted.
+     * 
+     * Policy used in this implementation:
+     * 1. Search the keystore for the transmitted certificate
+     * 2. Search the keystore for a connection to the transmitted certificate
+     * (that is, search for certificate(s) of the issuer of the transmitted certificate
+     * 3. Verify the trust path for those certificates found because the search for the issuer

+     * might be fooled by a phony DN (String!)
+     *
+     * @param cert the certificate that should be validated against the keystore
+     * @param crypto A crypto instance to use for trust validation
+     * @param enableRevocation Whether revocation is enabled or not
+     * @return true if the certificate is trusted, false if not
+     * @throws WSSecurityException
+     */
+    protected boolean verifyTrustInCert(
+        X509Certificate cert, 
+        Crypto crypto,
+        boolean enableRevocation
+    ) throws WSSecurityException {
         String subjectString = cert.getSubjectX500Principal().getName();
         String issuerString = cert.getIssuerX500Principal().getName();
         BigInteger issuerSerial = cert.getSerialNumber();
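Review bot: The Javadoc copied onto the new `verifyTrustInCert` overload has an unclosed parenthesis in policy step 2 and the stray `(String!)` aside; `2. Search the keystore for a connection to the transmitted certificate (that is, search for the certificate(s) of the issuer of the transmitted certificate)` reads cleanly, and step 3 can say `because a search by issuer DN alone could be fooled by a forged DN`. The `@throws WSSecurityException` tag has no description. The method body continues past the hunk.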
@@ -188,7 +214,7 @@ public class SignatureTrustValidator imp
         // Use the validation method from the crypto to check whether the subjects' 
         // certificate was really signed by the issuer stated in the certificate
         //
-        if (crypto.verifyTrust(x509certs)) {
+        if (crypto.verifyTrust(x509certs, enableRevocation)) {
             if (LOG.isDebugEnabled()) {
                 LOG.debug(
                     "Certificate path has been verified for certificate with subject " 
@@ -209,7 +235,7 @@ public class SignatureTrustValidator imp
     
     /**
      * Check to see if the certificate argument is in the keystore
-     * @param crypto The Crypto instance to use
+     * @param crypto A Crypto instance to use for trust validation
      * @param cert The certificate to check
      * @return true if cert is in the keystore
      * @throws WSSecurityException
@@ -250,18 +276,39 @@ public class SignatureTrustValidator imp
      * Evaluate whether the given certificate chain should be trusted.
      * 
      * @param certificates the certificate chain that should be validated against the keystore
+     * @param crypto  A Crypto instance to use for trust validation
      * @return true if the certificate chain is trusted, false if not
      * @throws WSSecurityException
      */
-    protected boolean verifyTrustInCerts(X509Certificate[] certificates, Crypto crypto)
-        throws WSSecurityException {
+    @Deprecated
+    protected boolean verifyTrustInCerts(
+        X509Certificate[] certificates, 
+        Crypto crypto
+    ) throws WSSecurityException {
+        return verifyTrustInCerts(certificates, crypto, false);
+    }
+    
+    /**
+     * Evaluate whether the given certificate chain should be trusted.
+     * 
+     * @param certificates the certificate chain that should be validated against the keystore
+     * @param crypto A Crypto instance
+     * @param enableRevocation Whether revocation is enabled or not
+     * @return true if the certificate chain is trusted, false if not
+     * @throws WSSecurityException
+     */
+    protected boolean verifyTrustInCerts(
+        X509Certificate[] certificates, 
+        Crypto crypto,
+        boolean enableRevocation
+    ) throws WSSecurityException {
         String subjectString = certificates[0].getSubjectX500Principal().getName();
         //
         // Use the validation method from the crypto to check whether the subjects' 
         // certificate was really signed by the issuer stated in the certificate
         //
         if (certificates != null && certificates.length > 1
-            && crypto.verifyTrust(certificates)) {
+            && crypto.verifyTrust(certificates, enableRevocation)) {
             if (LOG.isDebugEnabled()) {
                 LOG.debug(
                     "Certificate path has been verified for certificate with subject " 

Added: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureCRLTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureCRLTest.java?rev=1129173&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureCRLTest.java
(added)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureCRLTest.java
Mon May 30 13:47:25 2011
@@ -0,0 +1,167 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.message;
+
+import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.WSSecurityEngine;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.common.SOAPUtil;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.handler.RequestData;
+import org.apache.ws.security.util.WSSecurityUtil;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+/**
+ * This is a test for Certificate Revocation List checking. A message is signed and sent
to the
+ * receiver. If Certificate Revocation is enabled, then signature trust verification should
+ * fail as the message has been signed by the private key corresponding to a revoked signature.

+ * 
+ * Generate the client keypair, make a csr, sign it with the CA key
+ * 
+ * keytool -genkey -validity 3650 -alias wss40rev -keyalg RSA -keystore wss40rev.jks 
+ * -dname "CN=Colm,OU=WSS4J,O=Apache,L=Dublin,ST=Leinster,C=IE"
+ * keytool -certreq -alias wss40rev -keystore wss40rev.jks -file wss40rev.cer
+ * openssl ca -config ca.config -policy policy_anything -days 3650 -out wss40rev.pem 
+ * -infiles wss40rev.cer
+ * openssl x509 -outform DER -in wss40rev.pem -out wss40rev.crt
+ * 
+ * Import the CA cert into wss40.jks and import the new signed certificate
+ * 
+ * keytool -import -file wss40CA.crt -alias wss40CA -keystore wss40rev.jks
+ * keytool -import -file wss40rev.crt -alias wss40rev -keystore wss40rev.jks
+ * 
+ * Generate a Revocation list
+ * 
+ * openssl ca -gencrl -keyfile wss40CAKey.pem -cert wss40CA.pem -out wss40CACRL.pem 
+ * -config ca.config -crldays 3650
+ * openssl ca -revoke wss40rev.pem -keyfile wss40CAKey.pem -cert wss40CA.pem -config ca.config
+ * openssl ca -gencrl -keyfile wss40CAKey.pem -cert wss40CA.pem -out wss40CACRL.pem 
+ * -config ca.config -crldays 3650
+ */
+public class SignatureCRLTest extends org.junit.Assert {
+    private static final org.apache.commons.logging.Log LOG = 
+        org.apache.commons.logging.LogFactory.getLog(SignatureCRLTest.class);
+    private Crypto crypto = null;
+    private Crypto cryptoCA = null;
+    
+    public SignatureCRLTest() throws Exception {
+        WSSConfig.init();
+        crypto = CryptoFactory.getInstance("wss40rev.properties");
+        cryptoCA = CryptoFactory.getInstance("wss40CA.properties");
+    }
+
+    /**
+     * Test signing a SOAP message using a BST. Revocation is not enabled and so the test
+     * should pass.
+     */
+    @org.junit.Test
+    public void testSignatureDirectReference() throws Exception {
+        WSSecSignature sign = new WSSecSignature();
+        sign.setUserInfo("wss40rev", "security");
+        sign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        Document signedDoc = sign.build(doc, crypto, secHeader);
+        
+        if (LOG.isDebugEnabled()) {
+            String outputString = 
+                org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc);
+            LOG.debug(outputString);
+        }
+        //
+        // Verify the signature
+        //
+        List<WSSecurityEngineResult> results = verify(signedDoc, cryptoCA, false);
+        WSSecurityEngineResult result = 
+            WSSecurityUtil.fetchActionResult(results, WSConstants.SIGN);
+        X509Certificate cert = 
+            (X509Certificate)result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
+        assertTrue (cert != null);
+    }
+    
+    /**
+     * Test signing a SOAP message using a BST. Revocation is enabled and so the test
+     * should fail.
+     */
+    @org.junit.Test
+    public void testSignatureDirectReferenceRevocation() throws Exception {
+        WSSecSignature sign = new WSSecSignature();
+        sign.setUserInfo("wss40rev", "security");
+        sign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        Document signedDoc = sign.build(doc, crypto, secHeader);
+        
+        if (LOG.isDebugEnabled()) {
+            String outputString = 
+                org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc);
+            LOG.debug(outputString);
+        }
+        //
+        // Verify the signature
+        //
+        try {
+            verify(signedDoc, cryptoCA, true);
+            fail ("Failure expected on a revoked certificate");
+        } catch (Exception ex) {
+            assert ex.getMessage().contains("Certificate has been revoked");
+        }
+    }
+    
+    /**
+     * Verifies the soap envelope
+     * <p/>
+     * 
+     * @param doc 
+     * @throws Exception Thrown when there is a problem in verification
+     */
+    private List<WSSecurityEngineResult> 
+    verify(Document doc, Crypto crypto, boolean revocationEnabled) throws WSSecurityException
{
+        WSSecurityEngine secEngine = new WSSecurityEngine();
+        RequestData reqData = new RequestData();
+        reqData.setSigCrypto(crypto);
+        reqData.setEnableRevocation(revocationEnabled);
+        Element securityHeader = WSSecurityUtil.getSecurityHeader(doc, null);
+        List<WSSecurityEngineResult> results = 
+            secEngine.processSecurityHeader(securityHeader, reqData);
+        if (LOG.isDebugEnabled()) {
+            LOG.debug("Verfied and decrypted message:");
+            String outputString = 
+                org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+            LOG.debug(outputString);
+        }
+        return results;
+    }
+
+    
+}
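Review bot: `assert ex.getMessage().contains("Certificate has been revoked")` in `testSignatureDirectReferenceRevocation` uses the Java `assert` statement, which is a no-op unless the JVM runs with `-ea`, so under a default test runner any exception at all — a missing keystore, a bad property file — makes the revocation test pass; use `assertTrue(ex.getMessage().contains("Certificate has been revoked"));` as the rest of the class does, and guard against a null message. Matching on the provider's message text is also brittle; catching `WSSecurityException` rather than `Exception` and checking its error code would be more robust, though I cannot see from here which code is raised. `assertTrue (cert != null)` in the first test reads better as `assertNotNull(cert)`, and the `verify` Javadoc does not document its `crypto` and `revocationEnabled` parameters.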

Added: webservices/wss4j/trunk/src/test/resources/keys/ca.db.certs/19.pem
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/keys/ca.db.certs/19.pem?rev=1129173&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/test/resources/keys/ca.db.certs/19.pem (added)
+++ webservices/wss4j/trunk/src/test/resources/keys/ca.db.certs/19.pem Mon May 30 13:47:25
2011
@@ -0,0 +1,65 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 25 (0x19)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=DE, ST=Bayern, L=Munich, O=Home, OU=Apache WSS4J, CN=Werner
+        Validity
+            Not Before: May 30 11:47:54 2011 GMT
+            Not After : May 27 11:47:54 2021 GMT
+        Subject: C=IE, ST=Leinster, L=Dublin, O=Apache, OU=WSS4J, CN=Colm
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:8b:91:75:7f:57:33:5d:78:e3:cd:59:37:aa:e2:
+                    41:78:42:95:b6:7d:2d:ab:61:af:36:f0:4d:58:07:
+                    09:8a:65:13:ee:a8:a5:ea:da:1e:6d:49:cc:e9:52:
+                    af:21:1b:02:b2:3a:bb:8b:5f:8e:33:7e:0d:07:25:
+                    00:cf:e3:e6:70:ce:31:45:08:5f:85:fe:89:3b:dd:
+                    b1:22:d7:2c:64:73:db:f4:3c:24:00:07:bb:5b:6a:
+                    4c:7c:da:9a:1a:c8:29:3d:e0:a0:14:75:65:69:f3:
+                    ba:ca:29:32:9d:fb:13:c8:bf:bc:73:dc:c1:53:b6:
+                    ab:ea:84:bb:38:a4:5c:90:9f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                1A:D4:E0:CE:0D:61:0F:E3:A0:A4:43:47:67:F8:D7:5E:85:C2:C6:CA
+            X509v3 Authority Key Identifier: 
+                keyid:56:17:EF:F6:6B:8B:59:FE:23:19:68:DE:78:C0:E1:4D:67:7D:D0:66
+                DirName:/C=DE/ST=Bayern/L=Munich/O=Home/OU=Apache WSS4J/CN=Werner
+                serial:8D:E1:2C:0A:69:11:77:D2
+
+    Signature Algorithm: md5WithRSAEncryption
+        98:43:b1:02:e3:9d:d2:af:7e:5b:6d:82:de:f4:4e:69:8a:18:
+        47:5a:6d:b4:bd:95:0d:b2:96:e4:f3:b1:ce:cc:5c:c0:87:06:
+        d6:3a:00:93:04:ed:7d:f3:63:cd:1d:8d:79:b9:7a:74:05:b5:
+        f0:ba:97:ee:1d:fc:c9:0d:a1:e2:ef:f4:a7:ed:19:3b:ae:d7:
+        a9:94:c2:ab:a0:f5:62:ce:b5:63:7a:e3:5d:72:64:e7:5e:2e:
+        8c:7a:ea:07:6b:7c:ef:94:ca:ec:21:be:33:80:5a:d4:07:f6:
+        4c:39:82:04:d9:d0:11:21:be:f9:61:41:72:9b:7e:05:f2:57:
+        a2:b9
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----

Modified: webservices/wss4j/trunk/src/test/resources/keys/ca.db.index
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/keys/ca.db.index?rev=1129173&r1=1129172&r2=1129173&view=diff
==============================================================================
Binary files - no diff available.

Modified: webservices/wss4j/trunk/src/test/resources/keys/ca.db.serial
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/keys/ca.db.serial?rev=1129173&r1=1129172&r2=1129173&view=diff
==============================================================================
Binary files - no diff available.

Added: webservices/wss4j/trunk/src/test/resources/keys/wss40CACRL.pem
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/keys/wss40CACRL.pem?rev=1129173&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/test/resources/keys/wss40CACRL.pem (added)
+++ webservices/wss4j/trunk/src/test/resources/keys/wss40CACRL.pem Mon May 30 13:47:25 2011
@@ -0,0 +1,9 @@
+-----BEGIN X509 CRL-----
+MIIBQTCBqzANBgkqhkiG9w0BAQQFADBmMQswCQYDVQQGEwJERTEPMA0GA1UECBMG
+QmF5ZXJuMQ8wDQYDVQQHEwZNdW5pY2gxDTALBgNVBAoTBEhvbWUxFTATBgNVBAsT
+DEFwYWNoZSBXU1M0SjEPMA0GA1UEAxMGV2VybmVyFw0xMTA1MzAxMTU0MzFaFw0y
+MTA1MjcxMTU0MzFaMBQwEgIBGRcNMTEwNTMwMTE1MzU3WjANBgkqhkiG9w0BAQQF
+AAOBgQB0fgOhsp2l0wL/TYiXJqXuKbkhmzQv8LFXmKKCpLSVktrXvVNCBAM9TWVJ
+35SrZ9eqjoI1sQPsbWSDp+QSieasQf9VgC3P4SFhki6ZupeXqrFgdbzOsXEm0FIR
+uY1WJGFrF0Co/YUM00ee8jy89jX2rDCgmonKHrKBf7CkD+R2bw==
+-----END X509 CRL-----
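Review bot: This CRL carries a nextUpdate of 2021-05-27 (the ASN.1 header decodes to thisUpdate 110530115431Z / nextUpdate 210527115431Z with a single revoked entry for serial 0x19, which matches wss40rev.pem), so after that date a PKIX revocation checker will treat it as stale and any test relying on it will start failing or passing for reasons unrelated to the revocation entry. The signature algorithm OID in the header is 1.2.840.113549.1.1.4 (md5WithRSAEncryption), which newer JDKs refuse outright via jdk.certpath.disabledAlgorithms, producing the same masking effect. Regenerate the fixture with a far-off nextUpdate and a SHA-2 signature, and since both the Java and OpenSSL PEM readers skip text before the BEGIN line (the accompanying wss40rev.pem already relies on that), prepend a short provenance header such as `Test CRL issued by the wss40CA test CA (CN=Werner); revokes serial 0x19 = wss40rev. nextUpdate 2021-05-27 -- regenerate before then.` so the next maintainer knows what it covers and when it expires.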

Added: webservices/wss4j/trunk/src/test/resources/keys/wss40rev.cer
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/keys/wss40rev.cer?rev=1129173&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/test/resources/keys/wss40rev.cer (added)
+++ webservices/wss4j/trunk/src/test/resources/keys/wss40rev.cer Mon May 30 13:47:25 2011
@@ -0,0 +1,10 @@
+-----BEGIN NEW CERTIFICATE REQUEST-----
+MIIBoTCCAQoCAQAwYTELMAkGA1UEBhMCSUUxETAPBgNVBAgTCExlaW5zdGVyMQ8wDQYDVQQHEwZE
+dWJsaW4xDzANBgNVBAoTBkFwYWNoZTEOMAwGA1UECxMFV1NTNEoxDTALBgNVBAMTBENvbG0wgZ8w
+DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAIuRdX9XM114481ZN6riQXhClbZ9LathrzbwTVgHCYpl
+E+6operaHm1JzOlSryEbArI6u4tfjjN+DQclAM/j5nDOMUUIX4X+iTvdsSLXLGRz2/Q8JAAHu1tq
+THzamhrIKT3goBR1ZWnzusopMp37E8i/vHPcwVO2q+qEuzikXJCfAgMBAAGgADANBgkqhkiG9w0B
+AQUFAAOBgQBqturEYBeDMaxEJ4Wlc1yT7daDkBem747CEECZ8j4PT6XaEF/bgL3gGFxCjXjBWwxK
+z8TE9YhBIh1LoUiHqptVOaqXfRiBU+8bI9JDprhVm++CmnWaBFQa/zmtU0ZHOSkR1ZLPdUE9iQii
+V0R9c9TER5ctqmo0a/uOsatoDJzkAw==
+-----END NEW CERTIFICATE REQUEST-----
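Review bot: The new `wss40rev.cer` file holds a PKCS#10 request (`-----BEGIN NEW CERTIFICATE REQUEST-----`), not a certificate, so the `.cer` extension is misleading and anything that later tries to load it through `CertificateFactory.generateCertificate` would fail. If it is only kept as the artefact from which the serial-25 certificate was issued, renaming it to `wss40rev.csr` (or dropping it from the test tree, since the issued certificate and keystore are already checked in) would avoid the confusion. I cannot see from this commit whether any test references the file.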

Added: webservices/wss4j/trunk/src/test/resources/keys/wss40rev.crt
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/keys/wss40rev.crt?rev=1129173&view=auto
==============================================================================
Binary file - no diff available.

Propchange: webservices/wss4j/trunk/src/test/resources/keys/wss40rev.crt
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: webservices/wss4j/trunk/src/test/resources/keys/wss40rev.jks
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/keys/wss40rev.jks?rev=1129173&view=auto
==============================================================================
Binary file - no diff available.

Propchange: webservices/wss4j/trunk/src/test/resources/keys/wss40rev.jks
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: webservices/wss4j/trunk/src/test/resources/keys/wss40rev.pem
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/keys/wss40rev.pem?rev=1129173&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/test/resources/keys/wss40rev.pem (added)
+++ webservices/wss4j/trunk/src/test/resources/keys/wss40rev.pem Mon May 30 13:47:25 2011
@@ -0,0 +1,65 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 25 (0x19)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: C=DE, ST=Bayern, L=Munich, O=Home, OU=Apache WSS4J, CN=Werner
+        Validity
+            Not Before: May 30 11:47:54 2011 GMT
+            Not After : May 27 11:47:54 2021 GMT
+        Subject: C=IE, ST=Leinster, L=Dublin, O=Apache, OU=WSS4J, CN=Colm
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (1024 bit)
+                Modulus (1024 bit):
+                    00:8b:91:75:7f:57:33:5d:78:e3:cd:59:37:aa:e2:
+                    41:78:42:95:b6:7d:2d:ab:61:af:36:f0:4d:58:07:
+                    09:8a:65:13:ee:a8:a5:ea:da:1e:6d:49:cc:e9:52:
+                    af:21:1b:02:b2:3a:bb:8b:5f:8e:33:7e:0d:07:25:
+                    00:cf:e3:e6:70:ce:31:45:08:5f:85:fe:89:3b:dd:
+                    b1:22:d7:2c:64:73:db:f4:3c:24:00:07:bb:5b:6a:
+                    4c:7c:da:9a:1a:c8:29:3d:e0:a0:14:75:65:69:f3:
+                    ba:ca:29:32:9d:fb:13:c8:bf:bc:73:dc:c1:53:b6:
+                    ab:ea:84:bb:38:a4:5c:90:9f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                1A:D4:E0:CE:0D:61:0F:E3:A0:A4:43:47:67:F8:D7:5E:85:C2:C6:CA
+            X509v3 Authority Key Identifier: 
+                keyid:56:17:EF:F6:6B:8B:59:FE:23:19:68:DE:78:C0:E1:4D:67:7D:D0:66
+                DirName:/C=DE/ST=Bayern/L=Munich/O=Home/OU=Apache WSS4J/CN=Werner
+                serial:8D:E1:2C:0A:69:11:77:D2
+
+    Signature Algorithm: md5WithRSAEncryption
+        98:43:b1:02:e3:9d:d2:af:7e:5b:6d:82:de:f4:4e:69:8a:18:
+        47:5a:6d:b4:bd:95:0d:b2:96:e4:f3:b1:ce:cc:5c:c0:87:06:
+        d6:3a:00:93:04:ed:7d:f3:63:cd:1d:8d:79:b9:7a:74:05:b5:
+        f0:ba:97:ee:1d:fc:c9:0d:a1:e2:ef:f4:a7:ed:19:3b:ae:d7:
+        a9:94:c2:ab:a0:f5:62:ce:b5:63:7a:e3:5d:72:64:e7:5e:2e:
+        8c:7a:ea:07:6b:7c:ef:94:ca:ec:21:be:33:80:5a:d4:07:f6:
+        4c:39:82:04:d9:d0:11:21:be:f9:61:41:72:9b:7e:05:f2:57:
+        a2:b9
+-----BEGIN CERTIFICATE-----
+MIIDNDCCAp2gAwIBAgIBGTANBgkqhkiG9w0BAQQFADBmMQswCQYDVQQGEwJERTEP
+MA0GA1UECBMGQmF5ZXJuMQ8wDQYDVQQHEwZNdW5pY2gxDTALBgNVBAoTBEhvbWUx
+FTATBgNVBAsTDEFwYWNoZSBXU1M0SjEPMA0GA1UEAxMGV2VybmVyMB4XDTExMDUz
+MDExNDc1NFoXDTIxMDUyNzExNDc1NFowYTELMAkGA1UEBhMCSUUxETAPBgNVBAgT
+CExlaW5zdGVyMQ8wDQYDVQQHEwZEdWJsaW4xDzANBgNVBAoTBkFwYWNoZTEOMAwG
+A1UECxMFV1NTNEoxDTALBgNVBAMTBENvbG0wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+MIGJAoGBAIuRdX9XM114481ZN6riQXhClbZ9LathrzbwTVgHCYplE+6operaHm1J
+zOlSryEbArI6u4tfjjN+DQclAM/j5nDOMUUIX4X+iTvdsSLXLGRz2/Q8JAAHu1tq
+THzamhrIKT3goBR1ZWnzusopMp37E8i/vHPcwVO2q+qEuzikXJCfAgMBAAGjgfYw
+gfMwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg
+Q2VydGlmaWNhdGUwHQYDVR0OBBYEFBrU4M4NYQ/joKRDR2f4116FwsbKMIGYBgNV
+HSMEgZAwgY2AFFYX7/Zri1n+Ixlo3njA4U1nfdBmoWqkaDBmMQswCQYDVQQGEwJE
+RTEPMA0GA1UECBMGQmF5ZXJuMQ8wDQYDVQQHEwZNdW5pY2gxDTALBgNVBAoTBEhv
+bWUxFTATBgNVBAsTDEFwYWNoZSBXU1M0SjEPMA0GA1UEAxMGV2VybmVyggkAjeEs
+CmkRd9IwDQYJKoZIhvcNAQEEBQADgYEAmEOxAuOd0q9+W22C3vROaYoYR1pttL2V
+DbKW5POxzsxcwIcG1joAkwTtffNjzR2Nebl6dAW18LqX7h38yQ2h4u/0p+0ZO67X
+qZTCq6D1Ys61Y3rjXXJk514ujHrqB2t875TK7CG+M4Ba1Af2TDmCBNnQESG++WFB
+cpt+BfJXork=
+-----END CERTIFICATE-----
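Review bot: The revoked test certificate is signed with md5WithRSAEncryption over a 1024-bit RSA key (the `Signature Algorithm` and `RSA Public Key (1024 bit)` lines near the top of the hunk), so on any JDK whose `jdk.certpath.disabledAlgorithms` rejects MD5 the path validator will reject this certificate before the CRL is ever consulted, and a test that only asserts "validation failed" would pass for the wrong reason. The `Not After: May 27 11:47:54 2021 GMT` line has the same effect once that date passes. Regenerating the fixture with sha256WithRSAEncryption and a 2048-bit key, and having the test assert that the failure is specifically a revocation (e.g. by inspecting the `CertPathValidatorException` reason or message) rather than any failure, would make the test meaningful across JDK versions. The test class that consumes this fixture is outside this hunk, so I cannot confirm what it currently asserts.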

Modified: webservices/wss4j/trunk/src/test/resources/wss40CA.properties
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/wss40CA.properties?rev=1129173&r1=1129172&r2=1129173&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/resources/wss40CA.properties (original)
+++ webservices/wss4j/trunk/src/test/resources/wss40CA.properties Mon May 30 13:47:25 2011
@@ -1,3 +1,4 @@
 org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
 org.apache.ws.security.crypto.merlin.truststore.password=security
 org.apache.ws.security.crypto.merlin.truststore.file=keys/wss40CA.jks
+org.apache.ws.security.crypto.merlin.x509crl.file=keys/wss40CACRL.pem

Added: webservices/wss4j/trunk/src/test/resources/wss40rev.properties
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/resources/wss40rev.properties?rev=1129173&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/test/resources/wss40rev.properties (added)
+++ webservices/wss4j/trunk/src/test/resources/wss40rev.properties Mon May 30 13:47:25 2011
@@ -0,0 +1,5 @@
+org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.ws.security.crypto.merlin.keystore.type=jks
+org.apache.ws.security.crypto.merlin.keystore.password=security
+org.apache.ws.security.crypto.merlin.keystore.alias=wss40rev
+org.apache.ws.security.crypto.merlin.keystore.file=keys/wss40rev.jks


