View Javadoc
1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.stax.test;
20  
21  import java.io.ByteArrayInputStream;
22  import java.io.ByteArrayOutputStream;
23  import java.io.IOException;
24  import java.io.InputStream;
25  import java.util.Enumeration;
26  import java.util.Map;
27  import java.util.Properties;
28  
29  import javax.xml.stream.XMLStreamReader;
30  import javax.xml.transform.TransformerException;
31  import javax.xml.transform.dom.DOMSource;
32  import javax.xml.transform.stream.StreamResult;
33  
34  import org.apache.wss4j.common.ext.WSSecurityException;
35  import org.apache.wss4j.dom.handler.RequestData;
36  import org.apache.wss4j.dom.handler.WSHandlerConstants;
37  import org.apache.wss4j.stax.ext.WSSConstants;
38  import org.apache.wss4j.stax.ext.WSSSecurityProperties;
39  import org.apache.wss4j.stax.setup.InboundWSSec;
40  import org.apache.wss4j.stax.setup.WSSec;
41  import org.apache.wss4j.stax.test.utils.StAX2DOM;
42  import org.junit.jupiter.api.Test;
43  import org.w3c.dom.Document;
44  import org.w3c.dom.NodeList;
45  
46  import static org.junit.jupiter.api.Assertions.assertEquals;
47  import static org.junit.jupiter.api.Assertions.assertNotNull;
48  import static org.junit.jupiter.api.Assertions.assertTrue;
49  import static org.junit.jupiter.api.Assertions.fail;
50  
51  /**
52   * This is a test for Certificate Revocation List checking. A message is signed and sent to the
53   * receiver. If Certificate Revocation is enabled, then signature trust verification should
54   * fail as the message has been signed by the private key corresponding to a revoked signature.
55   *
56   * Generate the client keypair, make a csr, sign it with the CA key
57   *
58   * keytool -genkey -validity 3650 -alias wss40rev -keyalg RSA -keystore wss40rev.jks
59   * -dname "CN=Colm,OU=WSS4J,O=Apache,L=Dublin,ST=Leinster,C=IE"
60   * keytool -certreq -alias wss40rev -keystore wss40rev.jks -file wss40rev.cer
61   * openssl ca -config ca.config -policy policy_anything -days 3650 -out wss40rev.pem
62   * -infiles wss40rev.cer
63   * openssl x509 -outform DER -in wss40rev.pem -out wss40rev.crt
64   *
65   * Import the CA cert into wss40.jks and import the new signed certificate
66   *
67   * keytool -import -file wss40CA.crt -alias wss40CA -keystore wss40rev.jks
68   * keytool -import -file wss40rev.crt -alias wss40rev -keystore wss40rev.jks
69   *
70   * Generate a Revocation list
71   *
72   * openssl ca -gencrl -keyfile wss40CAKey.pem -cert wss40CA.pem -out wss40CACRL.pem
73   * -config ca.config -crldays 3650
74   * openssl ca -revoke wss40rev.pem -keyfile wss40CAKey.pem -cert wss40CA.pem -config ca.config
75   * openssl ca -gencrl -keyfile wss40CAKey.pem -cert wss40CA.pem -out wss40CACRL.pem
76   * -config ca.config -crldays 3650
77   */
78  public class SignatureCRLTest extends AbstractTestBase {
79  
80      /**
81       * Test signing a SOAP message using a BST. Revocation is not enabled and so the test
82       * should pass.
83       * TODO Re-enable once CRL issue fixed
84       */
85      @Test
86      @org.junit.jupiter.api.Disabled
87      public void testSignatureDirectReference() throws Exception {
88          ByteArrayOutputStream baos = new ByteArrayOutputStream();
89          {
90              InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
91              String action = WSHandlerConstants.SIGNATURE;
92              Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, new Properties());
93  
94              //some test that we can really sure we get what we want from WSS4J
95              NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
96              assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
97  
98              javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
99              transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
100         }
101 
102         //done signature; now test sig-verification: This should pass as revocation is not enabled
103         {
104             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
105             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("keys/wss40rev.jks"), "security".toCharArray());
106             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
107             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
108 
109             Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
110 
111             //header element must still be there
112             NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(), WSSConstants.TAG_dsig_Signature.getLocalPart());
113             assertEquals(nodeList.getLength(), 1);
114             assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_WSSE_SECURITY.getLocalPart());
115         }
116 
117         //done signature; now test sig-verification: This should fail as revocation is enabled
118         {
119             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
120             securityProperties.setEnableRevocation(true);
121             securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("wss40rev.jks"), "security".toCharArray());
122             securityProperties.loadCRLCertStore(this.getClass().getClassLoader().getResource("keys/wss40CACRL.pem"));
123             InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
124             XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
125 
126             try {
127                 StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
128                 fail("Expected failure on a revocation check");
129             } catch (Exception ex) {
130                 assertNotNull(ex.getCause());
131                 assertTrue(ex.getCause() instanceof WSSecurityException);
132             }
133         }
134     }
135 
136     @Override
137     protected Map<String, Object> doOutboundSecurityWithWSS4J_1(
138         InputStream sourceDocument, String action, final Properties properties
139     ) throws WSSecurityException, TransformerException, IOException {
140         CustomWSS4JHandler wss4JHandler = new CustomWSS4JHandler();
141         final Map<String, Object> messageContext = getMessageContext(sourceDocument);
142         messageContext.put(WSHandlerConstants.ACTION, action);
143         messageContext.put(WSHandlerConstants.USER, "wss40rev");
144         messageContext.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
145 
146         Properties sigProperties = new Properties();
147         sigProperties.setProperty("org.apache.wss4j.crypto.provider", "org.apache.wss4j.common.crypto.Merlin");
148         sigProperties.setProperty("org.apache.wss4j.crypto.merlin.keystore.file", "keys/wss40rev.jks");
149         sigProperties.setProperty("org.apache.wss4j.crypto.merlin.keystore.password", "security");
150         sigProperties.setProperty("org.apache.wss4j.crypto.merlin.keystore.alias", "wss40rev");
151         sigProperties.setProperty("org.apache.wss4j.crypto.merlin.x509crl.file", "keys/wss40CACRL.pem");
152         wss4JHandler.setPassword(messageContext, "security");
153         messageContext.put(WSHandlerConstants.SIG_PROP_REF_ID, "" + sigProperties.hashCode());
154         messageContext.put("" + sigProperties.hashCode(), sigProperties);
155 
156         Enumeration<?> enumeration = properties.propertyNames();
157         while (enumeration.hasMoreElements()) {
158             String s = (String) enumeration.nextElement();
159             messageContext.put(s, properties.get(s));
160         }
161 
162         RequestData requestData = new RequestData();
163         requestData.setMsgContext(messageContext);
164         requestData.setCallbackHandler(new WSS4JCallbackHandlerImpl());
165 
166         wss4JHandler.doSender(messageContext, requestData, true);
167 
168         return messageContext;
169     }
170 
171 }