/** Test to validate an invalid X.509 token */
@org.junit.Test
public void testValidateInvalidX509Token() throws Exception {
TokenValidateOperation validateOperation = new TokenValidateOperation();
// Add Token Validator
List<TokenValidator> validatorList = new ArrayList<TokenValidator>();
validatorList.add(new X509TokenValidator());
validateOperation.setTokenValidators(validatorList);
// Add STSProperties object
STSPropertiesMBean stsProperties = new StaticSTSProperties();
Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
stsProperties.setEncryptionCrypto(crypto);
stsProperties.setSignatureCrypto(crypto);
stsProperties.setEncryptionUsername("myservicekey");
stsProperties.setSignatureUsername("mystskey");
stsProperties.setCallbackHandler(new PasswordCallbackHandler());
stsProperties.setIssuer("STS");
validateOperation.setStsProperties(stsProperties);
// Mock up a request
RequestSecurityTokenType request = new RequestSecurityTokenType();
JAXBElement<String> tokenType =
new JAXBElement<String>(QNameConstants.TOKEN_TYPE, String.class, STSConstants.STATUS);
request.getAny().add(tokenType);
// Create a BinarySecurityToken
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias("eve");
Crypto eveCrypto = CryptoFactory.getInstance(getEveCryptoProperties());
X509Certificate[] certs = eveCrypto.getX509Certificates(cryptoType);
assertTrue(certs != null && certs.length > 0);
JAXBElement<BinarySecurityTokenType> binarySecurityTokenType =
createBinarySecurityToken(certs[0]);
ValidateTargetType validateTarget = new ValidateTargetType();
validateTarget.setAny(binarySecurityTokenType);
JAXBElement<ValidateTargetType> validateTargetType =
new JAXBElement<ValidateTargetType>(
QNameConstants.VALIDATE_TARGET, ValidateTargetType.class, validateTarget);
request.getAny().add(validateTargetType);
// Mock up message context
MessageImpl msg = new MessageImpl();
WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
Principal principal = new CustomTokenPrincipal("alice");
msgCtx.put(SecurityContext.class.getName(), createSecurityContext(principal));
// Validate a token
RequestSecurityTokenResponseType response =
validateOperation.validate(request, principal, msgCtx);
assertFalse(validateResponse(response));
}
/** Test a valid certificate */
@org.junit.Test
public void testValidCertificate() throws Exception {
TokenValidator x509TokenValidator = new X509TokenValidator();
TokenValidatorParameters validatorParameters = createValidatorParameters();
TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
// Create a ValidateTarget consisting of an X509Certificate
BinarySecurityTokenType binarySecurityToken = new BinarySecurityTokenType();
JAXBElement<BinarySecurityTokenType> tokenType =
new JAXBElement<BinarySecurityTokenType>(
QNameConstants.BINARY_SECURITY_TOKEN,
BinarySecurityTokenType.class,
binarySecurityToken);
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias("myclientkey");
Crypto crypto = validatorParameters.getStsProperties().getSignatureCrypto();
X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
assertTrue(certs != null && certs.length > 0);
binarySecurityToken.setValue(Base64.getMimeEncoder().encodeToString(certs[0].getEncoded()));
ReceivedToken validateTarget = new ReceivedToken(tokenType);
tokenRequirements.setValidateTarget(validateTarget);
validatorParameters.setToken(validateTarget);
// It can't handle the token as the value type is not set
assertFalse(x509TokenValidator.canHandleToken(validateTarget));
binarySecurityToken.setValueType(X509TokenValidator.X509_V3_TYPE);
assertTrue(x509TokenValidator.canHandleToken(validateTarget));
// This will fail as the encoding type is not set
TokenValidatorResponse validatorResponse = null;
validatorResponse = x509TokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);
binarySecurityToken.setEncodingType(WSConstants.SOAPMESSAGE_NS + "#Base64Binary");
validatorResponse = x509TokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse.getToken() != null);
assertTrue(validatorResponse.getToken().getState() == STATE.VALID);
Principal principal = validatorResponse.getPrincipal();
assertTrue(principal != null && principal.getName() != null);
}
/**
* Try to get certificate locally. First try using the supplied CryptoType. If this does not work,
* and if the supplied CryptoType is a ALIAS, then try again with SUBJECT_DN in case the supplied
* Alias is actually a Certificate's Subject DN
*
* @param cryptoType
* @return if found certificate otherwise null returned
*/
private X509Certificate[] getCertificateLocaly(CryptoType cryptoType) {
// This only applies if we've configured a local Crypto instance...
if (fallbackCrypto == null) {
return null;
}
// First try using the supplied CryptoType instance
X509Certificate[] localCerts = null;
try {
localCerts = fallbackCrypto.getX509Certificates(cryptoType);
} catch (Exception e) {
LOG.info(
"Certificate is not found in local keystore using desired CryptoType: "
+ cryptoType.getType().name());
}
if (localCerts == null && cryptoType.getType() == CryptoType.TYPE.ALIAS) {
// If none found then try using either the Subject DN. This is because an
// Encryption username in CXF is configured as an Alias in WSS4J, but may in fact
// be a Subject DN
CryptoType newCryptoType = new CryptoType(CryptoType.TYPE.SUBJECT_DN);
newCryptoType.setSubjectDN(cryptoType.getAlias());
try {
localCerts = fallbackCrypto.getX509Certificates(newCryptoType);
} catch (Exception e) {
LOG.info(
"Certificate is not found in local keystore and will be requested from "
+ "XKMS (first trying the cache): "
+ cryptoType.getAlias());
}
}
return localCerts;
}
private X509Certificate[] getX509(CryptoType cryptoType) {
// Try to get X509 certificate from local keystore if it is configured
if (allowX509FromJKS && fallbackCrypto != null) {
X509Certificate[] localCerts = getCertificateLocaly(cryptoType);
if (localCerts != null && localCerts.length > 0) {
return localCerts;
}
}
CryptoType.TYPE type = cryptoType.getType();
if (type == TYPE.SUBJECT_DN) {
return getX509FromXKMSByID(Applications.PKIX, cryptoType.getSubjectDN());
} else if (type == TYPE.ENDPOINT) {
return getX509FromXKMSByEndpoint(cryptoType.getEndpoint());
} else if (type == TYPE.ALIAS) {
Applications appId = null;
boolean isServiceName = isServiceName(cryptoType);
if (!isServiceName) {
appId = Applications.PKIX;
} else {
appId = Applications.SERVICE_NAME;
}
return getX509FromXKMSByID(appId, cryptoType.getAlias());
} else if (type == TYPE.ISSUER_SERIAL) {
return getX509FromXKMSByIssuerSerial(cryptoType.getIssuer(), cryptoType.getSerial());
}
throw new IllegalArgumentException("Unsupported type " + type);
}
@org.junit.Test
public void testCreateSignedJWT() throws Exception {
TokenProvider jwtTokenProvider = new JWTTokenProvider();
((JWTTokenProvider) jwtTokenProvider).setSignToken(true);
TokenProviderParameters providerParameters = createProviderParameters();
assertTrue(jwtTokenProvider.canHandleToken(JWTTokenProvider.JWT_TOKEN_TYPE));
TokenProviderResponse providerResponse = jwtTokenProvider.createToken(providerParameters);
assertTrue(providerResponse != null);
assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
String token = (String) providerResponse.getToken();
assertNotNull(token);
assertTrue(token.split("\\.").length == 3);
// Validate the token
JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
JwtToken jwt = jwtConsumer.getJwtToken();
Assert.assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
Assert.assertEquals(providerResponse.getTokenId(), jwt.getClaim(JwtConstants.CLAIM_JWT_ID));
Assert.assertEquals(
providerResponse.getCreated().getTime() / 1000L,
jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
Assert.assertEquals(
providerResponse.getExpires().getTime() / 1000L, jwt.getClaim(JwtConstants.CLAIM_EXPIRY));
// Verify Signature
Crypto crypto = providerParameters.getStsProperties().getSignatureCrypto();
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias(providerParameters.getStsProperties().getSignatureUsername());
X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
assertNotNull(certs);
assertTrue(jwtConsumer.verifySignatureWith(certs[0], SignatureAlgorithm.RS256));
}
/** Test an invalid certificate */
@org.junit.Test
public void testInvalidCertificate() throws Exception {
TokenValidator x509TokenValidator = new X509TokenValidator();
TokenValidatorParameters validatorParameters = createValidatorParameters();
TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();
// Create a ValidateTarget consisting of an X509Certificate
BinarySecurityTokenType binarySecurityToken = new BinarySecurityTokenType();
JAXBElement<BinarySecurityTokenType> tokenType =
new JAXBElement<BinarySecurityTokenType>(
QNameConstants.BINARY_SECURITY_TOKEN,
BinarySecurityTokenType.class,
binarySecurityToken);
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias("eve");
Crypto crypto = CryptoFactory.getInstance(getEveCryptoProperties());
X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
assertTrue(certs != null && certs.length > 0);
binarySecurityToken.setValue(Base64.getMimeEncoder().encodeToString(certs[0].getEncoded()));
binarySecurityToken.setValueType(X509TokenValidator.X509_V3_TYPE);
binarySecurityToken.setEncodingType(WSConstants.SOAPMESSAGE_NS + "#Base64Binary");
ReceivedToken validateTarget = new ReceivedToken(tokenType);
tokenRequirements.setValidateTarget(validateTarget);
validatorParameters.setToken(validateTarget);
assertTrue(x509TokenValidator.canHandleToken(validateTarget));
TokenValidatorResponse validatorResponse =
x509TokenValidator.validateToken(validatorParameters);
assertTrue(validatorResponse != null);
assertTrue(validatorResponse.getToken() != null);
assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);
}
@Override
public X509Certificate[] getX509Certificates(CryptoType cryptoType) throws WSSecurityException {
if (LOG.isLoggable(Level.INFO)) {
LOG.info(
String.format(
"XKMS Runtime: getting public certificate for alias: %s; issuer: %s; subjectDN: %s",
cryptoType.getAlias(), cryptoType.getIssuer(), cryptoType.getSubjectDN()));
}
X509Certificate[] certs = getX509(cryptoType);
if (certs == null) {
LOG.warning(
String.format(
"Cannot find certificate for alias: %s, issuer: %s; subjectDN: %s",
cryptoType.getAlias(), cryptoType.getIssuer(), cryptoType.getSubjectDN()));
}
return certs;
}
/**
* Service Aliases contain namespace
*
* @param cryptoType
* @return
*/
private boolean isServiceName(CryptoType cryptoType) {
return cryptoType.getAlias().contains("{");
}
