Author: alessio.soldano(a)jboss.com
Date: 2008-02-19 11:47:20 -0500 (Tue, 19 Feb 2008)
New Revision: 5735
Modified:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/Constants.java
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/EncryptionOperation.java
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/SecurityStore.java
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/SignatureVerificationOperation.java
stack/native/trunk/src/main/resources/schema/jboss-ws-security_1_0.xsd
Log:
[JBWS-1814] Make the encrypt element's alias optional: when it is absent, encrypt to the keystore certificate matching the key the incoming message was signed with
Modified:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/Constants.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/Constants.java 2008-02-19
16:46:08 UTC (rev 5734)
+++
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/Constants.java 2008-02-19
16:47:20 UTC (rev 5735)
@@ -71,4 +71,6 @@
public static final String XENC_CONTENT_TYPE = EncryptionConstants.TYPE_CONTENT;
public static final QName WSSE_HEADER_QNAME = new QName(WSSE_NS,
"Security");
+
+ public static final String SIGNATURE_KEYS =
"org.jboss.ws.wsse.signaturePublicKeys";
}
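Review bot: The new SIGNATURE_KEYS constant is a cross-class contract (written by SignatureVerificationOperation, read by EncryptionOperation) but carries no comment saying what type is stored under it or who consumes it. I would add a Javadoc above it: `/** Message context property holding the List<PublicKey> the inbound message's signatures were verified against; read by EncryptionOperation when the encrypt element has no alias. */`. Naming the value type here also justifies the unchecked casts at both use sites.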
Modified:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/EncryptionOperation.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/EncryptionOperation.java 2008-02-19
16:46:08 UTC (rev 5734)
+++
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/EncryptionOperation.java 2008-02-19
16:47:20 UTC (rev 5735)
@@ -23,6 +23,7 @@
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.List;
@@ -36,6 +37,7 @@
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.jboss.util.NotImplementedException;
+import org.jboss.ws.core.soap.MessageContextAssociation;
import org.jboss.ws.extensions.security.element.EncryptedKey;
import org.jboss.ws.extensions.security.element.Reference;
import org.jboss.ws.extensions.security.element.ReferenceList;
@@ -159,8 +161,8 @@
for (Target target : targets)
processTarget(cipher, message, target, list, secretKey);
}
-
- X509Certificate cert = store.getCertificate(alias);
+
+ X509Certificate cert = getCertificate(alias);
X509Token token = (X509Token) header.getSharedToken(cert);
// Can we reuse an existing token?
@@ -175,7 +177,30 @@
header.addSecurityProcess(eKey);
}
+ @SuppressWarnings("unchecked")
+ private X509Certificate getCertificate(String alias) throws WSSecurityException
+ {
+ X509Certificate cert = null;
+ if (alias != null)
+ {
+ cert = store.getCertificate(alias);
+ if (cert == null)
+ throw new WSSecurityException("Cannot load certificate from keystore;
alias = " + alias);
+ }
+ else
+ {
+ List<PublicKey> publicKeys =
(List<PublicKey>)MessageContextAssociation.peekMessageContext().get(Constants.SIGNATURE_KEYS);
+ if (publicKeys != null && publicKeys.size() == 1)
+ cert = store.getCertificateByPublicKey(publicKeys.iterator().next());
+ if (cert == null)
+ throw new WSSecurityException("Cannot get the certificate for message
encryption! Verify the keystore contents, " +
+ "considering the certificate is obtained through the alias specified
in the encrypt configuration element " +
+ "or (server side only) through a single key used to sign the incoming
message.");
+ }
+ return cert;
+ }
+
public static boolean probeUnlimitedCrypto() throws WSSecurityException
{
try
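Review bot: In the new getCertificate, `MessageContextAssociation.peekMessageContext().get(...)` dereferences the result without a null check, so a call with a null alias outside a message-context association (the client side, judging by the "server side only" wording in the error) fails with a NullPointerException instead of the intended WSSecurityException. I would guard it: `CommonMessageContext msgCtx = MessageContextAssociation.peekMessageContext();` and `List<PublicKey> publicKeys = msgCtx == null ? null : (List<PublicKey>)msgCtx.get(Constants.SIGNATURE_KEYS);` (CommonMessageContext is imported in SignatureVerificationOperation in this same commit but not here). The `size() == 1` condition also folds "signed with several keys" into the generic "verify the keystore contents" message, which will send operators looking at the wrong thing; a separate message for the multi-signer case would help. Note that this fallback makes the inbound signer decide who the outbound message is encrypted to; that is bounded by the keystore lookup in getCertificateByPublicKey, which is worth stating in a comment on the else branch. probeUnlimitedCrypto continues past the end of this hunk.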
Modified:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/SecurityStore.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/SecurityStore.java 2008-02-19
16:46:08 UTC (rev 5734)
+++
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/SecurityStore.java 2008-02-19
16:47:20 UTC (rev 5735)
@@ -35,6 +35,7 @@
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
+import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
@@ -333,7 +334,38 @@
return cert;
}
+
+ public X509Certificate getCertificateByPublicKey(PublicKey key) throws
WSSecurityException
+ {
+ if (key == null)
+ return null;
+
+ if (keyStore == null)
+ {
+ throw new WSSecurityException("KeyStore not set.");
+ }
+
+ try
+ {
+ Enumeration<String> i = keyStore.aliases();
+ while (i.hasMoreElements())
+ {
+ String alias = (String)i.nextElement();
+ Certificate cert = keyStore.getCertificate(alias);
+ if (!(cert instanceof X509Certificate))
+ continue;
+ if (cert.getPublicKey().equals(key))
+ return (X509Certificate)cert;
+ }
+ return null;
+ }
+ catch (KeyStoreException e)
+ {
+ throw new WSSecurityException("Problems retrieving cert: " +
e.getMessage(), e);
+ }
+ }
+
public X509Certificate getCertificateBySubjectKeyIdentifier(byte[] identifier) throws
WSSecurityException
{
if (identifier == null)
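Review bot: getCertificateByPublicKey matches with `cert.getPublicKey().equals(key)`, which depends on each provider's PublicKey.equals implementation and can miss a genuinely identical key when the signature key and the keystore key come from different providers (the signing key here is parsed out of the inbound message). Comparing the SubjectPublicKeyInfo encodings is provider-independent: `if (Arrays.equals(cert.getPublicKey().getEncoded(), key.getEncoded()))` (needs `java.util.Arrays`). Two smaller points: the first alias that matches wins, so if a key entry and a trusted-certificate entry share a key the choice depends on keystore enumeration order, and the returned certificate is handed to encryption with no validity-period check, presumably like the other lookups in this class. The `(String)` cast on `i.nextElement()` is redundant given the `Enumeration<String>` type. getCertificateBySubjectKeyIdentifier continues past the end of this hunk.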
Modified:
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/SignatureVerificationOperation.java
===================================================================
---
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/SignatureVerificationOperation.java 2008-02-19
16:46:08 UTC (rev 5734)
+++
stack/native/trunk/src/main/java/org/jboss/ws/extensions/security/SignatureVerificationOperation.java 2008-02-19
16:47:20 UTC (rev 5735)
@@ -21,13 +21,18 @@
*/
package org.jboss.ws.extensions.security;
+import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Collection;
+import java.util.LinkedList;
+import java.util.List;
import org.apache.xml.security.exceptions.XMLSecurityException;
import org.apache.xml.security.signature.SignedInfo;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.signature.XMLSignatureException;
+import org.jboss.ws.core.CommonMessageContext;
+import org.jboss.ws.core.soap.MessageContextAssociation;
import org.jboss.ws.extensions.security.element.SecurityHeader;
import org.jboss.ws.extensions.security.element.SecurityProcess;
import org.jboss.ws.extensions.security.element.Signature;
@@ -59,6 +64,8 @@
{
if (! xmlSig.checkSignatureValue(signature.getPublicKey()))
throw new FailedCheckException("Signature is invalid.");
+
+ savePublicKey(signature.getPublicKey());
}
catch (XMLSignatureException e)
{
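Review bot: savePublicKey is called the moment `checkSignatureValue` succeeds, so the key is recorded as the future encryption recipient before whatever trust or certificate-path checks this operation may perform afterwards (the enclosing method starts and ends outside this hunk, so I cannot tell from here). If such a check exists later in the method, the save should move after it, otherwise a message whose signature verifies but whose signer is then rejected still leaves its key in the context. A one-line comment at the call site, `// recorded for the outbound EncryptionOperation; only keystore certificates matching this key are ever used`, would make the intended trust boundary explicit.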
@@ -88,4 +95,24 @@
return processed;
}
+
+ /**
+ * Save the public key the incoming message was signed with into the context;
+ * this way it could be retrieved and used by the encryption operation
+ * when handling the outbound message.
+ *
+ * @param key
+ */
+ @SuppressWarnings("unchecked")
+ private void savePublicKey(PublicKey key)
+ {
+ CommonMessageContext ctx = MessageContextAssociation.peekMessageContext();
+ List<PublicKey> pkList =
(List<PublicKey>)ctx.get(Constants.SIGNATURE_KEYS);
+ if (pkList == null)
+ {
+ pkList = new LinkedList<PublicKey>();
+ ctx.put(Constants.SIGNATURE_KEYS, pkList);
+ }
+ pkList.add(key);
+ }
}
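Review bot: savePublicKey appends unconditionally, so a message carrying two signatures made with the same key yields a two-element list, and EncryptionOperation's `size() == 1` test then refuses to pick a certificate even though there is only one signer. Deduplicating on insert fixes that: `if (!pkList.contains(key)) pkList.add(key);` (or use a Set, which also avoids depending on list order). `MessageContextAssociation.peekMessageContext()` is also dereferenced without a null check; since this runs only during inbound processing that is probably always non-null, but a guard returning early would be cheap. The Javadoc should say the key is only stored after the signature value verified, so readers of SIGNATURE_KEYS know what the presence of a key means.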
Modified: stack/native/trunk/src/main/resources/schema/jboss-ws-security_1_0.xsd
===================================================================
--- stack/native/trunk/src/main/resources/schema/jboss-ws-security_1_0.xsd 2008-02-19
16:46:08 UTC (rev 5734)
+++ stack/native/trunk/src/main/resources/schema/jboss-ws-security_1_0.xsd 2008-02-19
16:47:20 UTC (rev 5735)
@@ -165,7 +165,7 @@
</xs:restriction>
</xs:simpleType>
</xs:attribute>
- <xs:attribute name="alias" type="xs:string"
use="required">
+ <xs:attribute name="alias" type="xs:string">
<xs:annotation>
<xs:documentation>The name of the certificate to
use.</xs:documentation>
</xs:annotation>
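Review bot: Making `alias` optional changes the security semantics of the encrypt element, but the xs:documentation still only says "The name of the certificate to use" and nothing about what happens when it is omitted. I would replace it with: `<xs:documentation>The keystore alias of the certificate to encrypt to. Optional on the server side: when omitted, the certificate matching the single key the incoming message was signed with is used; encryption fails if the message was not signed, was signed with more than one key, or no keystore certificate matches that key.</xs:documentation>`. That wording mirrors the error text in EncryptionOperation.getCertificate, so the schema and the runtime stay in agreement.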