Exemplo n.º 1
0
  /** Test to validate an invalid X.509 token */
  @org.junit.Test
  public void testValidateInvalidX509Token() throws Exception {
    TokenValidateOperation validateOperation = new TokenValidateOperation();

    // Add Token Validator
    List<TokenValidator> validatorList = new ArrayList<TokenValidator>();
    validatorList.add(new X509TokenValidator());
    validateOperation.setTokenValidators(validatorList);

    // Add STSProperties object
    STSPropertiesMBean stsProperties = new StaticSTSProperties();
    Crypto crypto = CryptoFactory.getInstance(getEncryptionProperties());
    stsProperties.setEncryptionCrypto(crypto);
    stsProperties.setSignatureCrypto(crypto);
    stsProperties.setEncryptionUsername("myservicekey");
    stsProperties.setSignatureUsername("mystskey");
    stsProperties.setCallbackHandler(new PasswordCallbackHandler());
    stsProperties.setIssuer("STS");
    validateOperation.setStsProperties(stsProperties);

    // Mock up a request
    RequestSecurityTokenType request = new RequestSecurityTokenType();
    JAXBElement<String> tokenType =
        new JAXBElement<String>(QNameConstants.TOKEN_TYPE, String.class, STSConstants.STATUS);
    request.getAny().add(tokenType);

    // Create a BinarySecurityToken
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias("eve");
    Crypto eveCrypto = CryptoFactory.getInstance(getEveCryptoProperties());
    X509Certificate[] certs = eveCrypto.getX509Certificates(cryptoType);
    assertTrue(certs != null && certs.length > 0);

    JAXBElement<BinarySecurityTokenType> binarySecurityTokenType =
        createBinarySecurityToken(certs[0]);
    ValidateTargetType validateTarget = new ValidateTargetType();
    validateTarget.setAny(binarySecurityTokenType);

    JAXBElement<ValidateTargetType> validateTargetType =
        new JAXBElement<ValidateTargetType>(
            QNameConstants.VALIDATE_TARGET, ValidateTargetType.class, validateTarget);
    request.getAny().add(validateTargetType);

    // Mock up message context
    MessageImpl msg = new MessageImpl();
    WrappedMessageContext msgCtx = new WrappedMessageContext(msg);
    Principal principal = new CustomTokenPrincipal("alice");
    msgCtx.put(SecurityContext.class.getName(), createSecurityContext(principal));

    // Validate a token
    RequestSecurityTokenResponseType response =
        validateOperation.validate(request, principal, msgCtx);
    assertFalse(validateResponse(response));
  }
Exemplo n.º 2
0
  /** Test a valid certificate */
  @org.junit.Test
  public void testValidCertificate() throws Exception {
    TokenValidator x509TokenValidator = new X509TokenValidator();
    TokenValidatorParameters validatorParameters = createValidatorParameters();
    TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();

    // Create a ValidateTarget consisting of an X509Certificate
    BinarySecurityTokenType binarySecurityToken = new BinarySecurityTokenType();
    JAXBElement<BinarySecurityTokenType> tokenType =
        new JAXBElement<BinarySecurityTokenType>(
            QNameConstants.BINARY_SECURITY_TOKEN,
            BinarySecurityTokenType.class,
            binarySecurityToken);
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias("myclientkey");
    Crypto crypto = validatorParameters.getStsProperties().getSignatureCrypto();
    X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
    assertTrue(certs != null && certs.length > 0);
    binarySecurityToken.setValue(Base64.getMimeEncoder().encodeToString(certs[0].getEncoded()));

    ReceivedToken validateTarget = new ReceivedToken(tokenType);
    tokenRequirements.setValidateTarget(validateTarget);
    validatorParameters.setToken(validateTarget);

    // It can't handle the token as the value type is not set
    assertFalse(x509TokenValidator.canHandleToken(validateTarget));

    binarySecurityToken.setValueType(X509TokenValidator.X509_V3_TYPE);
    assertTrue(x509TokenValidator.canHandleToken(validateTarget));

    // This will fail as the encoding type is not set
    TokenValidatorResponse validatorResponse = null;
    validatorResponse = x509TokenValidator.validateToken(validatorParameters);
    assertTrue(validatorResponse != null);
    assertTrue(validatorResponse.getToken() != null);
    assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);

    binarySecurityToken.setEncodingType(WSConstants.SOAPMESSAGE_NS + "#Base64Binary");

    validatorResponse = x509TokenValidator.validateToken(validatorParameters);
    assertTrue(validatorResponse.getToken() != null);
    assertTrue(validatorResponse.getToken().getState() == STATE.VALID);

    Principal principal = validatorResponse.getPrincipal();
    assertTrue(principal != null && principal.getName() != null);
  }
Exemplo n.º 3
0
  /**
   * Try to get certificate locally. First try using the supplied CryptoType. If this does not work,
   * and if the supplied CryptoType is a ALIAS, then try again with SUBJECT_DN in case the supplied
   * Alias is actually a Certificate's Subject DN
   *
   * @param cryptoType
   * @return if found certificate otherwise null returned
   */
  private X509Certificate[] getCertificateLocaly(CryptoType cryptoType) {
    // This only applies if we've configured a local Crypto instance...
    if (fallbackCrypto == null) {
      return null;
    }

    // First try using the supplied CryptoType instance
    X509Certificate[] localCerts = null;
    try {
      localCerts = fallbackCrypto.getX509Certificates(cryptoType);
    } catch (Exception e) {
      LOG.info(
          "Certificate is not found in local keystore using desired CryptoType: "
              + cryptoType.getType().name());
    }

    if (localCerts == null && cryptoType.getType() == CryptoType.TYPE.ALIAS) {
      // If none found then try using either the Subject DN. This is because an
      // Encryption username in CXF is configured as an Alias in WSS4J, but may in fact
      // be a Subject DN
      CryptoType newCryptoType = new CryptoType(CryptoType.TYPE.SUBJECT_DN);
      newCryptoType.setSubjectDN(cryptoType.getAlias());

      try {
        localCerts = fallbackCrypto.getX509Certificates(newCryptoType);
      } catch (Exception e) {
        LOG.info(
            "Certificate is not found in local keystore and will be requested from "
                + "XKMS (first trying the cache): "
                + cryptoType.getAlias());
      }
    }
    return localCerts;
  }
Exemplo n.º 4
0
  private X509Certificate[] getX509(CryptoType cryptoType) {
    // Try to get X509 certificate from local keystore if it is configured
    if (allowX509FromJKS && fallbackCrypto != null) {
      X509Certificate[] localCerts = getCertificateLocaly(cryptoType);
      if (localCerts != null && localCerts.length > 0) {
        return localCerts;
      }
    }
    CryptoType.TYPE type = cryptoType.getType();
    if (type == TYPE.SUBJECT_DN) {
      return getX509FromXKMSByID(Applications.PKIX, cryptoType.getSubjectDN());
    } else if (type == TYPE.ENDPOINT) {
      return getX509FromXKMSByEndpoint(cryptoType.getEndpoint());
    } else if (type == TYPE.ALIAS) {
      Applications appId = null;
      boolean isServiceName = isServiceName(cryptoType);
      if (!isServiceName) {
        appId = Applications.PKIX;
      } else {
        appId = Applications.SERVICE_NAME;
      }
      return getX509FromXKMSByID(appId, cryptoType.getAlias());

    } else if (type == TYPE.ISSUER_SERIAL) {
      return getX509FromXKMSByIssuerSerial(cryptoType.getIssuer(), cryptoType.getSerial());
    }
    throw new IllegalArgumentException("Unsupported type " + type);
  }
Exemplo n.º 5
0
  @org.junit.Test
  public void testCreateSignedJWT() throws Exception {
    TokenProvider jwtTokenProvider = new JWTTokenProvider();
    ((JWTTokenProvider) jwtTokenProvider).setSignToken(true);

    TokenProviderParameters providerParameters = createProviderParameters();

    assertTrue(jwtTokenProvider.canHandleToken(JWTTokenProvider.JWT_TOKEN_TYPE));
    TokenProviderResponse providerResponse = jwtTokenProvider.createToken(providerParameters);
    assertTrue(providerResponse != null);
    assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);

    String token = (String) providerResponse.getToken();
    assertNotNull(token);
    assertTrue(token.split("\\.").length == 3);

    // Validate the token
    JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(token);
    JwtToken jwt = jwtConsumer.getJwtToken();
    Assert.assertEquals("alice", jwt.getClaim(JwtConstants.CLAIM_SUBJECT));
    Assert.assertEquals(providerResponse.getTokenId(), jwt.getClaim(JwtConstants.CLAIM_JWT_ID));
    Assert.assertEquals(
        providerResponse.getCreated().getTime() / 1000L,
        jwt.getClaim(JwtConstants.CLAIM_ISSUED_AT));
    Assert.assertEquals(
        providerResponse.getExpires().getTime() / 1000L, jwt.getClaim(JwtConstants.CLAIM_EXPIRY));

    // Verify Signature
    Crypto crypto = providerParameters.getStsProperties().getSignatureCrypto();
    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias(providerParameters.getStsProperties().getSignatureUsername());
    X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
    assertNotNull(certs);

    assertTrue(jwtConsumer.verifySignatureWith(certs[0], SignatureAlgorithm.RS256));
  }
Exemplo n.º 6
0
  /** Test an invalid certificate */
  @org.junit.Test
  public void testInvalidCertificate() throws Exception {
    TokenValidator x509TokenValidator = new X509TokenValidator();
    TokenValidatorParameters validatorParameters = createValidatorParameters();
    TokenRequirements tokenRequirements = validatorParameters.getTokenRequirements();

    // Create a ValidateTarget consisting of an X509Certificate
    BinarySecurityTokenType binarySecurityToken = new BinarySecurityTokenType();
    JAXBElement<BinarySecurityTokenType> tokenType =
        new JAXBElement<BinarySecurityTokenType>(
            QNameConstants.BINARY_SECURITY_TOKEN,
            BinarySecurityTokenType.class,
            binarySecurityToken);

    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
    cryptoType.setAlias("eve");
    Crypto crypto = CryptoFactory.getInstance(getEveCryptoProperties());
    X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
    assertTrue(certs != null && certs.length > 0);

    binarySecurityToken.setValue(Base64.getMimeEncoder().encodeToString(certs[0].getEncoded()));
    binarySecurityToken.setValueType(X509TokenValidator.X509_V3_TYPE);
    binarySecurityToken.setEncodingType(WSConstants.SOAPMESSAGE_NS + "#Base64Binary");

    ReceivedToken validateTarget = new ReceivedToken(tokenType);
    tokenRequirements.setValidateTarget(validateTarget);
    validatorParameters.setToken(validateTarget);

    assertTrue(x509TokenValidator.canHandleToken(validateTarget));

    TokenValidatorResponse validatorResponse =
        x509TokenValidator.validateToken(validatorParameters);
    assertTrue(validatorResponse != null);
    assertTrue(validatorResponse.getToken() != null);
    assertTrue(validatorResponse.getToken().getState() == STATE.INVALID);
  }
Exemplo n.º 7
0
 @Override
 public X509Certificate[] getX509Certificates(CryptoType cryptoType) throws WSSecurityException {
   if (LOG.isLoggable(Level.INFO)) {
     LOG.info(
         String.format(
             "XKMS Runtime: getting public certificate for alias: %s; issuer: %s; subjectDN: %s",
             cryptoType.getAlias(), cryptoType.getIssuer(), cryptoType.getSubjectDN()));
   }
   X509Certificate[] certs = getX509(cryptoType);
   if (certs == null) {
     LOG.warning(
         String.format(
             "Cannot find certificate for alias: %s, issuer: %s; subjectDN: %s",
             cryptoType.getAlias(), cryptoType.getIssuer(), cryptoType.getSubjectDN()));
   }
   return certs;
 }
Exemplo n.º 8
0
 /**
  * Service Aliases contain namespace
  *
  * @param cryptoType
  * @return
  */
 private boolean isServiceName(CryptoType cryptoType) {
   return cryptoType.getAlias().contains("{");
 }