Merge pull request #124 from CyberSource/future

mahendya1002 · web-flow · commit 575e19004d82 · 2019-05-28T17:22:49.000+05:30
Future
diff --git a/.travis.yml b/.travis.yml
@@ -1,7 +1,6 @@
 language: java
-"dist": "precise"
+"dist": "trusty"
+
 jdk:
-  - oraclejdk8
-  - oraclejdk7
-  - openjdk7
-  - openjdk6
+   - openjdk7
+   - oraclejdk8
diff --git a/README.md b/README.md
@@ -10,7 +10,7 @@ To install the `cybersource-sdk-java` from central repository, add dependency to
 <dependency>
   <groupId>com.cybersource</groupId>
   <artifactId>cybersource-sdk-java</artifactId>
-  <version>6.2.6</version>
+  <version>6.2.7</version>
 </dependency> 
 ```
 Run `mvn install` to install dependency
@@ -183,6 +183,19 @@ Retry Pattern allows to retry sending a failed request and it will only work wit
 
 ## Changes
 
+Version Cybersource-sdk-java 6.2.7 (MAR,2019)
+_______________________________
+
+1) Fixed security vulnerabilities found in the jar dependencies. 1)xmlsec 2)opensaml 3)bcprov
+xmlsec jar :-upgraded from version 1.4.3 to version 2.0.7
+opensaml jar :- Removed this jar as its not impacting our code base
+bcprov jar :- upgraded from version 1.54 to version 1.61
+
+2) Fixed reseller issue. Now using keyfile password to store/load p12 certs. 
+
+
+_______________________________
+
 Version Cybersource-sdk-java 6.2.6 (MAY,2018)
 _______________________________
   1) Added certificateCacheEnabled optional feature. certificateCacheEnabled parameter is set to false (default is true), the p12 certificate of a merchant will be reloaded from filesystem every time a transaction is made.If the certificateCacheEnabled is true then only at the first time certificate of a merchant will loaded from filesystem.
diff --git a/java/pom.xml b/java/pom.xml
@@ -188,7 +188,7 @@
         <dependency>
     		<groupId>org.apache.santuario</groupId>
     		<artifactId>xmlsec</artifactId>
-    		<version>1.4.3</version>
+    		<version>2.0.7</version>
 		</dependency>
         <dependency>
             <groupId>commons-httpclient</groupId>
@@ -204,12 +204,18 @@
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcprov-jdk15on</artifactId>
-            <version>1.54</version>
+            <version>1.61</version>
         </dependency>
         <dependency>
             <groupId>org.apache.ws.security</groupId>
             <artifactId>wss4j</artifactId>
             <version>1.6.19</version>
+	        <exclusions>
+                <exclusion>
+                    <groupId>org.opensaml</groupId>
+                    <artifactId>opensaml</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>     
         <dependency>
             <groupId>org.apache.commons</groupId>
diff --git a/java/src/main/java/com/cybersource/ws/client/Identity.java b/java/src/main/java/com/cybersource/ws/client/Identity.java
@@ -40,7 +40,9 @@ public class Identity {
 	private long lastModifiedDate;
     
     private static final String SERVER_ALIAS = "CyberSource_SJC_US";
-    
+
+    private char[] pswd;
+
     private Logger logger = null;
     
     /**
@@ -122,11 +124,8 @@ public Identity(MerchantConfig merchantConfig,X509Certificate x509Certificate, P
     */
     
 	public boolean isValid(File keyFile) {
-		
 		boolean changeKeyFileStatus=(this.lastModifiedDate == keyFile.lastModified());
-
 		if (!changeKeyFileStatus) {
-
 			logger.log(Logger.LT_INFO, "Key file changed");
 			logger.log(Logger.LT_INFO, "Timestamp of current key file:"+keyFile.lastModified());	
 		}
@@ -142,6 +141,7 @@ private void setUpMerchant() throws SignException {
                     throw new SignException("Exception while obtaining private key from KeyStore with alias, '" + merchantConfig.getKeyAlias() + "'");
                 }
                 name = merchantConfig.getMerchantID();
+                pswd = merchantConfig.getKeyPassword().toCharArray();
                 serialNumber = subjectDNrray[1];
                 keyAlias = "serialNumber=" + serialNumber + ",CN=" + name;
             } else {
@@ -197,8 +197,11 @@ public String getSerialNumber() {
         
         return serialNumber;
     }
-    
-    
+
+    public char[] getPswd() {
+        return pswd;
+    }
+
     public void setSerialNumber(String serialNumber) {
         this.serialNumber = serialNumber;
     }
diff --git a/java/src/main/java/com/cybersource/ws/client/MessageHandlerKeyStore.java b/java/src/main/java/com/cybersource/ws/client/MessageHandlerKeyStore.java
@@ -26,7 +26,7 @@ public void addIdentityToKeyStore(Identity id, Logger logger) throws SignEncrypt
         try {
             if (privateKey != null) {
                 X509Certificate[] certChain = {certificate};
-                getKeyStore().setKeyEntry(id.getKeyAlias(), privateKey, id.getName().toCharArray(), certChain);
+                getKeyStore().setKeyEntry(id.getKeyAlias(), privateKey, id.getPswd(), certChain);
             } else {
                 getKeyStore().setCertificateEntry(id.getKeyAlias(), certificate);
             }
diff --git a/java/src/main/java/com/cybersource/ws/client/Utility.java b/java/src/main/java/com/cybersource/ws/client/Utility.java
@@ -48,7 +48,7 @@ private Utility() {
     /**
      * Version number of this release.
      */
-    public static final String VERSION = "6.2.6";
+    public static final String VERSION = "6.2.7";
 
     /**
      * If in the Request map, a key called "_has_escapes" is present and is set
diff --git a/java/src/test/java/com/cybersource/ws/client/IdentityTest.java b/java/src/test/java/com/cybersource/ws/client/IdentityTest.java
@@ -30,7 +30,7 @@ public void setUp() throws Exception {
     }
 
     @Test
-    public void testSetUpMerchant() throws InstantiationException, IllegalAccessException, SignException, ConfigException{
+    public void testSetUpMerchant() throws SignException, ConfigException{
     	File p12file = Mockito.mock(File.class);
     	MerchantConfig mc = Mockito.mock(MerchantConfig.class);
     	
@@ -43,9 +43,11 @@ public void testSetUpMerchant() throws InstantiationException, IllegalAccessExce
     	Mockito.when(principal.getName()).thenReturn(keyAlias);
     	
     	Mockito.when(mc.getKeyFile()).thenReturn(p12file);
+		Mockito.when(mc.getKeyPassword()).thenReturn("testPwd");
     	Identity identity = new Identity(mc,x509Cert,pkey,logger);
     	assertEquals(identity.getName(), mc.getMerchantID());
     	assertEquals(identity.getSerialNumber(), "400000009910179089277");
+		assertEquals(String.valueOf(identity.getPswd()), "testPwd");
     	assertNotNull(identity.getPrivateKey());
     }
     
diff --git a/java/src/test/java/com/cybersource/ws/client/SecurityUtilIT.java b/java/src/test/java/com/cybersource/ws/client/SecurityUtilIT.java
@@ -163,13 +163,20 @@ public void testMerchantIdentityToKeyStore() throws Exception{
         
     	Mockito.when(identity.getPrivateKey()).thenReturn(newPkay);
     	Mockito.when(identity.getX509Cert()).thenReturn(x509Cert);
-    	Mockito.when(identity.getName()).thenReturn("MahenCertTest");
     	Mockito.when(identity.getKeyAlias()).thenReturn("MahenCertTest");
+        Mockito.when(identity.getPswd()).thenReturn("testPwd".toCharArray());
     	
     	MessageHandlerKeyStore mhKeyStore= new MessageHandlerKeyStore();    	
+
     	MessageHandlerKeyStore spyMhKeyStore = Mockito.spy(mhKeyStore);
     	Mockito.when(spyMhKeyStore.getKeyStore()).thenReturn(myKeystore);
     	spyMhKeyStore.addIdentityToKeyStore(identity,logger);
+
+    	Mockito.verify(identity,times(1)).getKeyAlias();
+        Mockito.verify(identity,times(1)).getPrivateKey();
+        Mockito.verify(identity,times(1)).getPswd();
+        Mockito.verify(identity,times(1)).getX509Cert();
+
     }
     
 	@Test  
diff --git a/java/src/test/java/com/cybersource/ws/client/UtilityTest.java b/java/src/test/java/com/cybersource/ws/client/UtilityTest.java
@@ -16,7 +16,7 @@ public class UtilityTest extends BaseTest {
 
     @Before
     public void setUp() {
-        URL fileUrl = Thread.currentThread().getContextClassLoader().getResource("test_cybs.properties");
+     URL fileUrl = Thread.currentThread().getContextClassLoader().getResource("test_cybs.properties");
         String filepath = "";
         if(fileUrl != null) {
             propertiesFilename = fileUrl.getFile();
diff --git a/pom.xml b/pom.xml
@@ -4,16 +4,6 @@
          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 
     <modelVersion>4.0.0</modelVersion>
-
-    <name>cybersource-sdk-java-master</name>
-
-    <modules>
-        <module>zip</module>
-        <module>java</module>
-    </modules>
-
-    <packaging>pom</packaging>
-
     <parent>
         <groupId>org.sonatype.oss</groupId>
         <artifactId>oss-parent</artifactId>
@@ -22,7 +12,12 @@
 
     <groupId>com.cybersource</groupId>
     <artifactId>cybersource-sdk-master</artifactId>
-    <version>6.2.7</version>
-
+    <version>6.2.7-SNAPSHOT</version>
+    <name>cybersource-sdk-java-master</name>
+    <packaging>pom</packaging>
 
+    <modules>
+        <module>zip</module>
+        <module>java</module>
+    </modules>
 </project>
diff --git a/samples/nvp/compileSample.bat b/samples/nvp/compileSample.bat
@@ -2,15 +2,15 @@
 
 set LOCAL_CP=
 rem ----------------------------------------------------------------------------
-rem Replace this with cybersource-sdk-java-6.2.6.jar when using Java SDK 1.6 or later.
+rem Replace this with cybersource-sdk-java-6.2.7.jar when using Java SDK 1.6 or later.
 rem If using this scripts outside zip package then give maven clean install. 
 rem This will generate all required dependencies under target/dependencies.These dependencies are used in CLASSPATH.
 rem ----------------------------------------------------------------------------
 
-if exist ../../lib set LOCAL_CP=%LOCAL_CP%;../../lib/cybersource-sdk-java-6.2.6.jar
+if exist ../../lib set LOCAL_CP=%LOCAL_CP%;../../lib/cybersource-sdk-java-6.2.7.jar
 if not exist ../../lib (
 	if not exist target goto error
-	set LOCAL_CP=%LOCAL_CP%;target/dependencies/cybersource-sdk-java-6.2.6.jar
+	set LOCAL_CP=%LOCAL_CP%;target/dependencies/cybersource-sdk-java-6.2.7.jar
 )
 
 if not exist classes mkdir classes
diff --git a/samples/nvp/compileSample.sh b/samples/nvp/compileSample.sh
@@ -2,13 +2,13 @@
 
 LOCAL_CP=
 # -----------------------------------------------------------------------------
-# Replace this with cybersource-sdk-java-6.2.6.jar when using Java SDK 1.6 or later.
+# Replace this with cybersource-sdk-java-6.2.7.jar when using Java SDK 1.6 or later.
 # If using this scripts outside zip package then give maven clean install.
 # This will generate all required dependencies under target/dependencies.These dependencies are used in CLASSPATH.
 # -----------------------------------------------------------------------------
 
 if test -d ../../lib
-then LOCAL_CP=$LOCAL_CP:../../lib/cybersource-sdk-java-6.2.6.jar
+then LOCAL_CP=$LOCAL_CP:../../lib/cybersource-sdk-java-6.2.7.jar
 fi
 
 if test ! -d ../../lib
@@ -19,7 +19,7 @@ then
 		echo "Execute maven clean install , This will generate all required dependencies under target/dependencies!!"
 		exit 1
 	fi
-LOCAL_CP=$LOCAL_CP:target/dependencies/cybersource-sdk-java-6.2.6.jar
+LOCAL_CP=$LOCAL_CP:target/dependencies/cybersource-sdk-java-6.2.7.jar
 fi
 
 if test ! -d ./classes
diff --git a/samples/nvp/pom.xml b/samples/nvp/pom.xml
@@ -7,11 +7,14 @@
     <version>1.0.0</version>
     <name>RunSample</name>
     <url>http://maven.apache.org</url>
+     <properties>
+      <javasdk.version>[6.2.0, 6.2.8-SNAPSHOT]</javasdk.version>
+    </properties>
     <dependencies>
         <dependency>
             <groupId>com.cybersource</groupId>
             <artifactId>cybersource-sdk-java</artifactId>
-            <version>6.2.6</version>
+            <version>${javasdk.version}</version>
         </dependency>
         <dependency>
             <groupId>commons-httpclient</groupId>
@@ -27,12 +30,18 @@
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcprov-jdk15on</artifactId>
-            <version>1.54</version>
+            <version>1.61</version>
         </dependency>
         <dependency>
             <groupId>org.apache.ws.security</groupId>
             <artifactId>wss4j</artifactId>
             <version>1.6.19</version>
+	<exclusions>
+                <exclusion>
+                    <groupId>org.opensaml</groupId>
+                    <artifactId>opensaml</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
diff --git a/samples/nvp/runSample.bat b/samples/nvp/runSample.bat
@@ -4,7 +4,7 @@ set LOCAL_CP=
 set LOCAL_CP=%LOCAL_CP%;classes
 
 rem ----------------------------------------------------------------------------
-rem Replace cybersource-sdk-java-6.2.6.jar when using Java SDK 1.6 or later.
+rem Replace cybersource-sdk-java-6.2.7.jar when using Java SDK 1.6 or later.
 rem If using this scripts outside zip package then give maven clean install. 
 rem This will generate all required dependencies under target/dependencies.These dependencies are used in CLASSPATH.
 rem ----------------------------------------------------------------------------
diff --git a/samples/nvp/runSample.sh b/samples/nvp/runSample.sh
@@ -4,7 +4,7 @@ LOCAL_CP=
 LOCAL_CP=$LOCAL_CP:./classes
 
 # -----------------------------------------------------------------------------
-# Replace this with cybersource-sdk-java-6.2.6.jar when using Java SDK 1.6 or later.
+# Replace this with cybersource-sdk-java-6.2.7.jar when using Java SDK 1.6 or later.
 # If using this scripts outside zip package then give maven clean install.
 # This will generate all required dependencies under target/dependencies.These dependencies are used in CLASSPATH.
 # -----------------------------------------------------------------------------
diff --git a/samples/xml/compileSample.bat b/samples/xml/compileSample.bat
@@ -2,15 +2,15 @@
 
 set LOCAL_CP=
 rem ----------------------------------------------------------------------------
-rem Replace this with cybersource-sdk-java-6.2.6.jar when using Java SDK 1.6 or later.
+rem Replace this with cybersource-sdk-java-6.2.7.jar when using Java SDK 1.6 or later.
 rem If using this scripts outside zip package then give maven clean install. 
 rem This will generate all required dependencies under target/dependencies.These dependencies are used in CLASSPATH.
 rem ----------------------------------------------------------------------------
 
-if exist ../../lib set LOCAL_CP=%LOCAL_CP%;../../lib/cybersource-sdk-java-6.2.6.jar
+if exist ../../lib set LOCAL_CP=%LOCAL_CP%;../../lib/cybersource-sdk-java-6.2.7.jar
 if not exist ../../lib (
 	if not exist target goto error
-	set LOCAL_CP=%LOCAL_CP%;target/dependencies/cybersource-sdk-java-6.2.6.jar
+	set LOCAL_CP=%LOCAL_CP%;target/dependencies/cybersource-sdk-java-6.2.7.jar
 )
 
 if not exist classes mkdir classes
diff --git a/samples/xml/compileSample.sh b/samples/xml/compileSample.sh
@@ -2,13 +2,13 @@
 
 LOCAL_CP=
 # -----------------------------------------------------------------------------
-# Replace this with cybersource-sdk-java-6.2.6.jar when using Java SDK 1.6 or later.
+# Replace this with cybersource-sdk-java-6.2.7.jar when using Java SDK 1.6 or later.
 # If using this scripts outside zip package then give maven clean install.
 # This will generate all required dependencies under target/dependencies.These dependencies are used in CLASSPATH.
 # -----------------------------------------------------------------------------
 
 if test -d ../../lib
-then LOCAL_CP=$LOCAL_CP:../../lib/cybersource-sdk-java-6.2.6.jar
+then LOCAL_CP=$LOCAL_CP:../../lib/cybersource-sdk-java-6.2.7.jar
 fi
 
 if test ! -d ../../lib
@@ -19,7 +19,7 @@ then
 		echo "Execute maven clean install , This will generate all required dependencies under target/dependencies!!"
 		exit 1
 	fi
-LOCAL_CP=$LOCAL_CP:target/dependencies/cybersource-sdk-java-6.2.6.jar
+LOCAL_CP=$LOCAL_CP:target/dependencies/cybersource-sdk-java-6.2.7.jar
 fi
 
 if test ! -d ./classes
diff --git a/samples/xml/pom.xml b/samples/xml/pom.xml
@@ -7,11 +7,14 @@
     <version>1.0.0</version>
     <name>RunSample</name>
     <url>http://maven.apache.org</url>
+    <properties>
+      <javasdk.version>[6.2.0, 6.2.8-SNAPSHOT]</javasdk.version>
+    </properties>
     <dependencies>
         <dependency>
             <groupId>com.cybersource</groupId>
             <artifactId>cybersource-sdk-java</artifactId>
-            <version>6.2.6</version>
+            <version>${javasdk.version}</version>
         </dependency>
         <dependency>
             <groupId>commons-httpclient</groupId>
@@ -27,12 +30,18 @@
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcprov-jdk15on</artifactId>
-            <version>1.54</version>
+            <version>1.61</version>
         </dependency>
         <dependency>
             <groupId>org.apache.ws.security</groupId>
             <artifactId>wss4j</artifactId>
             <version>1.6.19</version>
+	  <exclusions>
+                <exclusion>
+                    <groupId>org.opensaml</groupId>
+                    <artifactId>opensaml</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
diff --git a/samples/xml/runSample.bat b/samples/xml/runSample.bat
diff --git a/samples/xml/runSample.sh b/samples/xml/runSample.sh
diff --git a/zip/pom.xml b/zip/pom.xml

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ public void addIdentityToKeyStore(Identity id, Logger logger) throws SignEncrypt`
`26`	`26`	`try {`
`27`	`27`	`if (privateKey != null) {`
`28`	`28`	`X509Certificate[] certChain = {certificate};`
`29`		`- getKeyStore().setKeyEntry(id.getKeyAlias(), privateKey, id.getName().toCharArray(), certChain);`
	`29`	`+ getKeyStore().setKeyEntry(id.getKeyAlias(), privateKey, id.getPswd(), certChain);`
`30`	`30`	`} else {`
`31`	`31`	`getKeyStore().setCertificateEntry(id.getKeyAlias(), certificate);`
`32`	`32`	`}`