Author: sguilhen(a)redhat.com
Date: 2009-10-27 16:13:07 -0400 (Tue, 27 Oct 2009)
New Revision: 876
Modified:
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/JBossSTSConfiguration.java
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/STSConfiguration.java
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/StandardRequestHandler.java
Log:
JBID-138: added logic to create a KeyInfo with a certificate when asymmetric proof of
possession tokens are to be used
Modified:
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/JBossSTSConfiguration.java
===================================================================
---
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/JBossSTSConfiguration.java 2009-10-27
17:28:26 UTC (rev 875)
+++
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/JBossSTSConfiguration.java 2009-10-27
20:13:07 UTC (rev 876)
@@ -23,6 +23,7 @@
import java.security.KeyPair;
import java.security.PublicKey;
+import java.security.cert.Certificate;
import java.util.HashMap;
import java.util.Map;
@@ -33,6 +34,7 @@
import org.jboss.identity.federation.core.config.ServiceProvidersType;
import org.jboss.identity.federation.core.config.TokenProviderType;
import org.jboss.identity.federation.core.config.TokenProvidersType;
+import org.jboss.identity.federation.core.interfaces.TrustKeyConfigurationException;
import org.jboss.identity.federation.core.interfaces.TrustKeyManager;
/**
@@ -92,7 +94,7 @@
// create and initialize the token provider.
SecurityTokenProvider tokenProvider =
serviceFactory.createTokenProvider(provider.getProviderClass());
Map<String, String> properties = new HashMap<String, String>();
- for(PropertyType propertyType : provider.getProperty())
+ for (PropertyType propertyType : provider.getProperty())
properties.put(propertyType.getName(), propertyType.getValue());
tokenProvider.initialize(properties);
// token providers can be keyed by the token type and by token element +
namespace.
@@ -213,7 +215,7 @@
{
return this.tokenProviders.get(tokenLocalName + "$" + tokenNamespace);
}
-
+
/*
* (non-Javadoc)
*
@@ -240,12 +242,12 @@
{
// try using the truststore alias from the service provider metadata.
ServiceProviderType provider = this.spMetadata.get(serviceName);
- if(provider != null && provider.getTruststoreAlias() != null)
+ if (provider != null && provider.getTruststoreAlias() != null)
{
key = this.trustManager.getPublicKey(provider.getTruststoreAlias());
}
// if there was no truststore alias or no PKC under that alias, use the
KeyProvider mapping.
- if(key == null)
+ if (key == null)
{
key = this.trustManager.getValidatingKey(serviceName);
}
@@ -279,4 +281,23 @@
return keyPair;
}
+ /*
+ * (non-Javadoc)
+ * @see
org.jboss.identity.federation.core.wstrust.STSConfiguration#getCertificate(java.lang.String)
+ */
+ public Certificate getCertificate(String alias)
+ {
+ Certificate certificate = null;
+ if(this.trustManager != null)
+ {
+ try{
+ certificate = trustManager.getCertificate(alias);
+ }
+ catch(Exception e)
+ {
+ throw new RuntimeException("Error obtaining public key
certificate", e);
+ }
+ }
+ return certificate;
+ }
}
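Review bot: The new getCertificate catches `Exception` and rethrows it as an unchecked RuntimeException, even though this file's import hunk adds TrustKeyConfigurationException; if that is what trustManager.getCertificate declares, narrow the catch to `catch (TrustKeyConfigurationException e)` so that programming errors are not masked as a generic lookup failure. The wrapped message also drops the alias that was looked up; `throw new RuntimeException("Error obtaining public key certificate for alias " + alias, e);` makes the failure attributable without exposing any key material. The interface Javadoc added in STSConfiguration.java in this commit promises a null return when no certificate exists, so whether an unknown alias yields null or an exception from the trust manager decides whether callers actually see the documented contract; worth confirming against the TrustKeyManager implementation.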
Modified:
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/STSConfiguration.java
===================================================================
---
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/STSConfiguration.java 2009-10-27
17:28:26 UTC (rev 875)
+++
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/STSConfiguration.java 2009-10-27
20:13:07 UTC (rev 876)
@@ -23,6 +23,7 @@
import java.security.KeyPair;
import java.security.PublicKey;
+import java.security.cert.Certificate;
/**
* <p>
@@ -151,4 +152,14 @@
* @return a reference to the provider's {@code PublicKey}
*/
public PublicKey getServiceProviderPublicKey(String serviceName);
+
+ /**
+ * <p>
+ * Obtains the certificate identified by the specified alias.
+ * </p>
+ *
+ * @param alias the alias associated with the certificate in the keystore.
+ * @return the {@code Certificate} obtained from the keystore, or {@code null} if no
certificate was found.
+ */
+ public Certificate getCertificate(String alias);
}
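Review bot: The Javadoc on the new getCertificate declaration documents the null return but not the failure mode; the implementation added to JBossSTSConfiguration.java in this same commit wraps lookup errors in an unchecked RuntimeException, which a caller coding against the interface cannot know about. Add `@throws RuntimeException if the certificate lookup fails in the underlying trust manager` (or declare a checked exception on the signature) so that every implementation reports a failed lookup the same way. The phrase "in the keystore" may also be too specific, since the implementation delegates to the configured trust manager rather than reading a keystore directly; "from the configured trust store" would hedge that.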
Modified:
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/StandardRequestHandler.java
===================================================================
---
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/StandardRequestHandler.java 2009-10-27
17:28:26 UTC (rev 875)
+++
identity-federation/trunk/jboss-identity-fed-core/src/main/java/org/jboss/identity/federation/core/wstrust/StandardRequestHandler.java 2009-10-27
20:13:07 UTC (rev 876)
@@ -27,6 +27,7 @@
import java.security.PublicKey;
import java.security.cert.Certificate;
+import javax.xml.bind.JAXBElement;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.SignatureMethod;
@@ -42,6 +43,8 @@
import org.jboss.identity.federation.ws.trust.RequestedProofTokenType;
import org.jboss.identity.federation.ws.trust.RequestedSecurityTokenType;
import org.jboss.identity.federation.ws.trust.StatusType;
+import org.jboss.identity.federation.ws.trust.UseKeyType;
+import org.jboss.identity.xmlsec.w3.xmldsig.KeyInfoType;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -83,9 +86,9 @@
public RequestSecurityTokenResponse issue(RequestSecurityToken request, Principal
callerPrincipal)
throws WSTrustException
{
- if(trace)
+ if (trace)
log.trace("Issuing token for principal " + callerPrincipal);
-
+
Document rstDocument = request.getRSTDocument();
if (rstDocument == null)
throw new IllegalArgumentException("Request does not contain the DOM
Document");
@@ -134,7 +137,7 @@
URI keyType = request.getKeyType();
if (keyType == null)
{
- if(log.isDebugEnabled())
+ if (log.isDebugEnabled())
log.debug("No key type could be found in the request. Using the
default BEARER type.");
keyType = URI.create(WSTrustConstants.KEY_TYPE_BEARER);
request.setKeyType(keyType);
@@ -199,10 +202,23 @@
}
else if (WSTrustConstants.KEY_TYPE_PUBLIC.equalsIgnoreCase(keyType.toString()))
{
- // TODO: get the client certificate from a metadata provider or from the
UseKey section of the WS-T request.
- Certificate certificate = null;
+ // try to locate the client cert in the keystore using the caller principal
as the alias.
+ Certificate certificate =
this.configuration.getCertificate(callerPrincipal.getName());
if (certificate != null)
requestContext.setProofTokenInfo(WSTrustUtil.createKeyInfo(certificate));
+ // if no certificate was found in the keystore, check the UseKey contents.
+ else if (request.getUseKey() != null)
+ {
+ UseKeyType useKeyType = request.getUseKey();
+ Object value = useKeyType.getAny();
+ if (value instanceof JAXBElement<?> || value instanceof Element)
+ {
+ //TODO: parse the token properly. If it is a X509 cert, we should
create a X509DataType with it.
+ KeyInfoType keyInfo = new KeyInfoType();
+ keyInfo.getContent().add(value);
+ requestContext.setProofTokenInfo(keyInfo);
+ }
+ }
else
throw new WSTrustException("Unable to locate client public
key");
}
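Review bot: The UseKey fallback copies whatever element the requester placed in the request straight into the proof-token KeyInfo without checking that the key belongs to the authenticated caller, so a holder-of-key token could be bound to a public key the requester does not control; WS-Trust expects the STS to verify possession of a UseKey key (typically by checking that the request is signed with it), and the TODO should cover that check in addition to parsing the X509 data. Separately, when UseKey is present but its content is neither a JAXBElement nor an Element, the inner `if` silently does nothing and the request proceeds with no proof token info, whereas the keystore-miss case throws; adding `else throw new WSTrustException("Unable to locate client public key");` after the inner `if` keeps the two paths consistent. The enclosing method issue() starts and ends outside this hunk.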
@@ -386,11 +402,11 @@
}
else
{
- if(trace)
- log.trace("Security Token digital signature has NOT been verified.
Either the STS has been configured" +
- "not to sign tokens or the STS key pair has not been properly
specified.");
+ if (trace)
+ log.trace("Security Token digital signature has NOT been verified.
Either the STS has been configured"
+ + "not to sign tokens or the STS key pair has not been properly
specified.");
}
-
+
// if the signature is valid, then let the provider perform any additional
validation checks.
if (status == null)
{