From cohei...@apache.org
Subject svn commit: r1579695 - in /webservices/wss4j/trunk: ws-security-common/src/main/java/org/apache/wss4j/common/crypto/ ws-security-dom/src/main/java/org/apache/wss4j/dom/action/ ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/ ws-security-sta...
Date Thu, 20 Mar 2014 17:45:31 GMT
Author: coheigea
Date: Thu Mar 20 17:45:31 2014
New Revision: 1579695

URL: http://svn.apache.org/r1579695
Log:
Refactored Crypto.verifyTrust

Modified:
    webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java
    webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Crypto.java
    webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CryptoBase.java
    webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/OutboundWSSec.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/X509SecurityTokenImpl.java

Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java?rev=1579695&r1=1579694&r2=1579695&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java
(original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CertificateStore.java
Thu Mar 20 17:45:31 2014
@@ -31,9 +31,11 @@ import java.security.cert.PKIXParameters
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
+import java.util.regex.Pattern;
 
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.x500.X500Principal;
@@ -143,11 +145,13 @@ public class CertificateStore extends Cr
      *
      * @param certs Certificate chain to validate
      * @param enableRevocation whether to enable CRL verification or not
+     * @param subjectCertConstraints A set of constraints on the Subject DN of the certificates
      * @throws WSSecurityException if the certificate chain is invalid
      */
     public void verifyTrust(
         X509Certificate[] certs, 
-        boolean enableRevocation
+        boolean enableRevocation,
+        Collection<Pattern> subjectCertConstraints
     ) throws WSSecurityException {
         //
         // FIRST step - Search the trusted certs for the transmitted certificate
@@ -269,6 +273,11 @@ public class CertificateStore extends Cr
                     e.getMessage()
                 );
         }
+        
+        // Finally check Cert Constraints
+        if (!matches(certs[0], subjectCertConstraints)) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+        }
     }
     
     /**
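Review bot: `matches(certs[0], subjectCertConstraints)` hands the new parameter to CryptoBase.matches, which immediately calls `subjectDNPatterns.isEmpty()`, yet this same commit passes `null` for it from CryptoBase.verifyDirectTrust, EncryptionAction, OutboundWSSec, and from SamlSecurityTokenImpl and X509SecurityTokenImpl whenever securityProperties is null, so those paths now fail with a NullPointerException rather than a WSSecurityException. The identical call is added in Merlin.verifyTrust. The fix belongs in CryptoBase.matches: `if (subjectDNPatterns == null || subjectDNPatterns.isEmpty()) {` for the warning branch and `if (subjectDNPatterns != null && !subjectDNPatterns.isEmpty()) {` for the matching branch, with the Javadoc of the new parameter stating that null is allowed. verifyTrust's body begins outside this hunk, so I cannot see whether `certs` has already been checked for emptiness before `certs[0]` is read here.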

Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Crypto.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Crypto.java?rev=1579695&r1=1579694&r2=1579695&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Crypto.java
(original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Crypto.java
Thu Mar 20 17:45:31 2014
@@ -23,6 +23,8 @@ import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+import java.util.Collection;
+import java.util.regex.Pattern;
 
 import javax.security.auth.callback.CallbackHandler;
 
@@ -183,14 +185,16 @@ public interface Crypto {
      *
      * @param certs Certificate chain to validate
      * @param enableRevocation whether to enable CRL verification or not
+     * @param subjectCertConstraints A set of constraints on the Subject DN of the certificates
      * @throws WSSecurityException if the certificate chain is invalid
      */
     void verifyTrust(
-        X509Certificate[] certs, boolean enableRevocation
+        X509Certificate[] certs, boolean enableRevocation,
+        Collection<Pattern> subjectCertConstraints
     ) throws WSSecurityException;
     
     /**
-     * Evaluate whether a given public key should be trusted directly (located inside trust
repository).
+     * Evaluate whether a given public key should be trusted directly (located 
      * 
      * @param certs Certificate chain to validate
      * @throws WSSecurityException if the certificate chain is invalid
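Review bot: The new `@param subjectCertConstraints` line on the interface does not say whether the collection may be null or empty, or what happens then, even though four callers in this commit pass `null`; since every Crypto implementation is bound by this contract, it should state it explicitly, e.g. `@param subjectCertConstraints regular expressions that the Subject DN of certs[0] must fully match (only one needs to match); may be empty, in which case no Subject DN check is applied`. If null is meant to be accepted, say so here and make the implementations tolerate it. Separately, the rewritten Javadoc sentence for verifyTrust(PublicKey) appears to end at "(located " — if that is not a mail-wrapping artefact, the sentence is truncated and should read "located inside trust repository)." as before.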

Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CryptoBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CryptoBase.java?rev=1579695&r1=1579694&r2=1579695&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CryptoBase.java
(original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/CryptoBase.java
Thu Mar 20 17:45:31 2014
@@ -30,10 +30,14 @@ import java.security.cert.CertificateExc
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
 import javax.security.auth.x500.X500Principal;
 
 import org.apache.wss4j.common.ext.WSSecurityException;
@@ -52,6 +56,9 @@ public abstract class CryptoBase impleme
      */
     public static final String NAME_CONSTRAINTS_OID = "2.5.29.30";
     
+    private static final org.slf4j.Logger LOG = 
+        org.slf4j.LoggerFactory.getLogger(CryptoBase.class);
+                    
     private static final Constructor<?> BC_509CLASS_CONS;
 
     protected Map<String, CertificateFactory> certFactMap = 
@@ -290,7 +297,7 @@ public abstract class CryptoBase impleme
 
     @Override
     public void verifyDirectTrust(X509Certificate[] certs) throws WSSecurityException {
-    	verifyTrust(certs, true);
+    	verifyTrust(certs, true, null);
     }
     
     protected Object createBCX509Name(String s) {
@@ -304,4 +311,39 @@ public abstract class CryptoBase impleme
         return new X500Principal(s);
     }
     
+    /**
+     * @return      true if the certificate's SubjectDN matches the constraints defined in
the
+     *              subject DNConstraints; false, otherwise. The certificate subject DN only
+     *              has to match ONE of the subject cert constraints (not all).
+     */
+    protected boolean
+    matches(
+        final X509Certificate cert, final Collection<Pattern> subjectDNPatterns
+    ) {
+        if (subjectDNPatterns.isEmpty()) {
+            LOG.warn("No Subject DN Certificate Constraints were defined. This could be a
security issue");
+        }
+        if (!subjectDNPatterns.isEmpty()) {
+            if (cert == null) {
+                LOG.debug("The certificate is null so no constraints matching was possible");
+                return false;
+            }
+            String subjectName = cert.getSubjectX500Principal().getName();
+            boolean subjectMatch = false;
+            for (Pattern subjectDNPattern : subjectDNPatterns) {
+                final Matcher matcher = subjectDNPattern.matcher(subjectName);
+                if (matcher.matches()) {
+                    LOG.debug("Subject DN " + subjectName + " matches with pattern " + subjectDNPattern);
+                    subjectMatch = true;
+                    break;
+                }
+            }
+            if (!subjectMatch) {
+                return false;
+            }
+        }
+        
+        return true;
+    }
+    
 }
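Review bot: The Javadoc on the moved `matches` method documents only the return value; now that it is a protected member of the shared base class, it should carry `@param cert the certificate whose Subject DN is checked (may be null, in which case false is returned when constraints exist)` and `@param subjectDNPatterns regular expressions the Subject DN must fully match; an empty collection disables the check and the method returns true after logging a warning`. Because this method is now reached from encryption-side and direct-trust callers that have no constraints at all, the "This could be a security issue" warning will be emitted on those calls as well, which makes the log line a weaker signal for anyone watching for missing signature constraints; consider logging it at debug from such callers or noting the behaviour in the Javadoc. As a matter of style, the two consecutive `if (subjectDNPatterns.isEmpty())` / `if (!subjectDNPatterns.isEmpty())` blocks read more clearly as a single if/else, and the `protected boolean` / `matches(` split across two lines is unusual for this codebase.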

Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java?rev=1579695&r1=1579694&r2=1579695&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java
(original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/crypto/Merlin.java
Thu Mar 20 17:45:31 2014
@@ -46,12 +46,14 @@ import java.security.cert.TrustAnchor;
 import java.security.cert.X509CRL;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Properties;
 import java.util.Set;
+import java.util.regex.Pattern;
 
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
@@ -777,11 +779,14 @@ public class Merlin extends CryptoBase {
      *
      * @param certs Certificate chain to validate
      * @param enableRevocation whether to enable CRL verification or not
+     * @param subjectCertConstraints A set of constraints on the Subject DN of the certificates
+     * 
      * @throws WSSecurityException if the certificate chain is invalid
      */
     public void verifyTrust(
         X509Certificate[] certs, 
-        boolean enableRevocation
+        boolean enableRevocation,
+        Collection<Pattern> subjectCertConstraints
     ) throws WSSecurityException {
         //
         // FIRST step - Search the keystore for the transmitted certificate
@@ -938,6 +943,11 @@ public class Merlin extends CryptoBase {
                     WSSecurityException.ErrorCode.FAILURE, "certpath", e
                 );
         }
+        
+        // Finally check Cert Constraints
+        if (!matches(certs[0], subjectCertConstraints)) {
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
+        }
     }
     
     /**

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java?rev=1579695&r1=1579694&r2=1579695&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java
Thu Mar 20 17:45:31 2014
@@ -79,7 +79,7 @@ public class EncryptionAction implements
             cryptoType.setAlias(encryptionToken.getUser());
             X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
             if (certs != null && certs.length > 0) {
-                crypto.verifyTrust(certs, enableRevocation);
+                crypto.verifyTrust(certs, enableRevocation, null);
             }
         }
         if (encryptionToken.getParts().size() > 0) {

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java?rev=1579695&r1=1579694&r2=1579695&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/validate/SignatureTrustValidator.java
Thu Mar 20 17:45:31 2014
@@ -24,7 +24,6 @@ import java.security.cert.CertificateExp
 import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
-import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 import org.apache.wss4j.common.crypto.Crypto;
@@ -79,7 +78,6 @@ public class SignatureTrustValidator imp
         return data.getSigVerCrypto();
     }
 
-
     /**
      * Validate the certificates by checking the validity of each cert
      * @throws WSSecurityException
@@ -120,17 +118,14 @@ public class SignatureTrustValidator imp
         // Use the validation method from the crypto to check whether the subjects' 
         // certificate was really signed by the issuer stated in the certificate
         //
-        crypto.verifyTrust(certificates, enableRevocation);
+        Collection<Pattern> subjectCertConstraints = data.getSubjectCertConstraints();
+        crypto.verifyTrust(certificates, enableRevocation, subjectCertConstraints);
         if (LOG.isDebugEnabled()) {
             String subjectString = certificates[0].getSubjectX500Principal().getName();
             LOG.debug(
                 "Certificate path has been verified for certificate with subject " + subjectString
             );
         }
-        Collection<Pattern> subjectCertConstraints = data.getSubjectCertConstraints();
-        if (!matches(certificates[0], subjectCertConstraints)) {
-            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
-        }
     }
     
     /**
@@ -142,39 +137,4 @@ public class SignatureTrustValidator imp
         crypto.verifyTrust(publicKey);
     }
     
-    /**
-     * @return      true if the certificate's SubjectDN matches the constraints defined in
the
-     *              subject DNConstraints; false, otherwise. The certificate subject DN only
-     *              has to match ONE of the subject cert constraints (not all).
-     */
-    protected boolean
-    matches(
-        final X509Certificate cert, final Collection<Pattern> subjectDNPatterns
-    ) {
-        if (subjectDNPatterns.isEmpty()) {
-            LOG.warn("No Subject DN Certificate Constraints were defined. This could be a
security issue");
-        }
-        if (!subjectDNPatterns.isEmpty()) {
-            if (cert == null) {
-                LOG.debug("The certificate is null so no constraints matching was possible");
-                return false;
-            }
-            String subjectName = cert.getSubjectX500Principal().getName();
-            boolean subjectMatch = false;
-            for (Pattern subjectDNPattern : subjectDNPatterns) {
-                final Matcher matcher = subjectDNPattern.matcher(subjectName);
-                if (matcher.matches()) {
-                    LOG.debug("Subject DN " + subjectName + " matches with pattern " + subjectDNPattern);
-                    subjectMatch = true;
-                    break;
-                }
-            }
-            if (!subjectMatch) {
-                return false;
-            }
-        }
-        
-        return true;
-    }
-    
 }

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/OutboundWSSec.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/OutboundWSSec.java?rev=1579695&r1=1579694&r2=1579695&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/OutboundWSSec.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/OutboundWSSec.java
Thu Mar 20 17:45:31 2014
@@ -546,7 +546,7 @@ public class OutboundWSSec {
         // Check for Revocation
         if (securityProperties.isEnableRevocation()) {
             Crypto crypto = securityProperties.getEncryptionCrypto();
-            crypto.verifyTrust(x509Certificates, true);
+            crypto.verifyTrust(x509Certificates, true, null);
         }
 
         // Create a new outbound EncryptedKey token for the cert

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java?rev=1579695&r1=1579694&r2=1579695&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/SamlSecurityTokenImpl.java
Thu Mar 20 17:45:31 2014
@@ -26,7 +26,9 @@ import java.security.PublicKey;
 import java.security.cert.CertificateExpiredException;
 import java.security.cert.CertificateNotYetValidException;
 import java.security.cert.X509Certificate;
+import java.util.Collection;
 import java.util.List;
+import java.util.regex.Pattern;
 
 import javax.crypto.spec.SecretKeySpec;
 import javax.security.auth.Subject;
@@ -204,10 +206,12 @@ public class SamlSecurityTokenImpl exten
                     //todo I don't think the checkValidity is necessary because the CertPathChecker
                     x509Certificates[0].checkValidity();
                     boolean enableRevocation = false;
+                    Collection<Pattern> subjectCertConstraints = null;
                     if (securityProperties != null) {
                         enableRevocation = securityProperties.isEnableRevocation();
+                        subjectCertConstraints = securityProperties.getSubjectCertConstraints();
                     }
-                    crypto.verifyTrust(x509Certificates, enableRevocation);
+                    crypto.verifyTrust(x509Certificates, enableRevocation, subjectCertConstraints);
                 }
                 PublicKey publicKey = getPublicKey();
                 if (publicKey != null) {

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/X509SecurityTokenImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/X509SecurityTokenImpl.java?rev=1579695&r1=1579694&r2=1579695&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/X509SecurityTokenImpl.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/X509SecurityTokenImpl.java
Thu Mar 20 17:45:31 2014
@@ -117,15 +117,12 @@ public abstract class X509SecurityTokenI
                 x509Certificates[0].checkValidity();
                 
                 boolean enableRevocation = false;
+                Collection<Pattern> subjectCertConstraints = null;
                 if (securityProperties != null) {
                     enableRevocation = securityProperties.isEnableRevocation();
+                    subjectCertConstraints = securityProperties.getSubjectCertConstraints();
                 }
-                getCrypto().verifyTrust(x509Certificates, enableRevocation);
-                
-                Collection<Pattern> subjectCertConstraints = securityProperties.getSubjectCertConstraints();
-                if (!matches(x509Certificates[0], subjectCertConstraints)) {
-                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
-                }
+                getCrypto().verifyTrust(x509Certificates, enableRevocation, subjectCertConstraints);
             }
         } catch (CertificateExpiredException e) {
             throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY,
e);


