From cohei...@apache.org
Subject svn commit: r1468925 - in /webservices/wss4j/trunk/ws-security-stax/src: main/java/org/apache/wss4j/stax/impl/processor/input/ test/java/org/apache/wss4j/stax/test/
Date Wed, 17 Apr 2013 14:13:20 GMT
Author: coheigea
Date: Wed Apr 17 14:13:20 2013
New Revision: 1468925

URL: http://svn.apache.org/r1468925
Log:
Added functionality + tests to StaX code to set required signature + encryption algorithms
on the inbound side via properties

Modified:
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/DecryptInputProcessor.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSEncryptedKeyInputHandler.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureInputHandler.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/EncDecryptionTest.java
    webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureTest.java

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/DecryptInputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/DecryptInputProcessor.java?rev=1468925&r1=1468924&r2=1468925&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/DecryptInputProcessor.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/DecryptInputProcessor.java
Wed Apr 17 14:13:20 2013
@@ -59,6 +59,9 @@ import org.apache.xml.security.stax.secu
  */
 public class DecryptInputProcessor extends AbstractDecryptInputProcessor {
 
+    private static final transient org.slf4j.Logger log =
+        org.slf4j.LoggerFactory.getLogger(DecryptInputProcessor.class);
+        
     private static final Long maximumAllowedDecompressedBytes =
             Long.valueOf(ConfigurationProperties.getProperty("MaximumAllowedDecompressedBytes"));
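Review bot: The `transient` modifier on the new static `log` field has no effect, since static fields are never part of Java serialization; the same modifier appears on the logger fields added to WSSEncryptedKeyInputHandler and WSSSignatureInputHandler in this commit. The conventional declaration is `private static final org.slf4j.Logger log =` (or with the class imported, if the file's import style allows it). The class body continues past the hunk.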
 
@@ -160,7 +163,16 @@ public class DecryptInputProcessor exten
             boolean encryptedHeader, XMLSecStartElement xmlSecStartElement, EncryptedDataType
encryptedDataType,
             InboundSecurityToken inboundSecurityToken, InboundSecurityContext inboundSecurityContext)
throws XMLSecurityException {
 
+        // Check encryption algorithm against the required algorithm, if defined
         String encryptionAlgorithm = encryptedDataType.getEncryptionMethod().getAlgorithm();
+        if (this.getSecurityProperties().getEncryptionSymAlgorithm() != null
+            && !this.getSecurityProperties().getEncryptionSymAlgorithm().equals(encryptionAlgorithm))
{
+            log.debug(
+                "The Key encryption method does not match the requirement"
+            );
+            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
+        }
+        
         if (!WSSConstants.NS_XENC_TRIPLE_DES.equals(encryptionAlgorithm)
                 && !WSSConstants.NS_XENC_AES128.equals(encryptionAlgorithm)
                 && !WSSConstants.NS_XENC11_AES128_GCM.equals(encryptionAlgorithm)
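Review bot: The debug message in the new mismatch branch says "The Key encryption method" although the value compared here is the data-encryption (symmetric) algorithm taken from EncryptedData, and neither the required nor the observed algorithm is logged, so an operator diagnosing a rejected message cannot see which URI failed. The same value-less logging appears in the corresponding checks added to WSSEncryptedKeyInputHandler.handle and WSSSignatureInputHandler.newSignatureVerifier. Suggest `log.debug("The symmetric encryption algorithm {} does not match the required algorithm {}", encryptionAlgorithm, this.getSecurityProperties().getEncryptionSymAlgorithm());` — algorithm URIs are not secret and the fault returned to the peer still carries only INVALID_SECURITY. Unlike the EncryptedKey check, this one reads `encryptedDataType.getEncryptionMethod()` without a null guard, though that dereference already existed on the following context line. The enclosing method's signature begins before the hunk and its body continues past it.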

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSEncryptedKeyInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSEncryptedKeyInputHandler.java?rev=1468925&r1=1468924&r2=1468925&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSEncryptedKeyInputHandler.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSEncryptedKeyInputHandler.java
Wed Apr 17 14:13:20 2013
@@ -22,6 +22,7 @@ import org.apache.wss4j.binding.wss10.Ob
 import org.apache.wss4j.binding.wss10.ReferenceType;
 import org.apache.wss4j.binding.wss10.SecurityTokenReferenceType;
 import org.apache.wss4j.common.bsp.BSPRule;
+import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.stax.ext.WSInboundSecurityContext;
 import org.apache.xml.security.binding.xmldsig.KeyInfoType;
 import org.apache.xml.security.binding.xmlenc.EncryptedKeyType;
@@ -39,9 +40,26 @@ import org.apache.wss4j.stax.ext.WSSSecu
  */
 public class WSSEncryptedKeyInputHandler extends XMLEncryptedKeyInputHandler {
 
+    private static final transient org.slf4j.Logger log =
+        org.slf4j.LoggerFactory.getLogger(WSSEncryptedKeyInputHandler.class);
+    
     @Override
     public void handle(InputProcessorChain inputProcessorChain, EncryptedKeyType encryptedKeyType,
XMLSecEvent responsibleXMLSecStartXMLEvent, XMLSecurityProperties securityProperties) throws
XMLSecurityException {
         checkBSPCompliance(inputProcessorChain, encryptedKeyType);
+        
+        // Check encryption algorithm against the required algorithm, if defined
+        EncryptionMethodType encryptionMethodType = encryptedKeyType.getEncryptionMethod();
+        if (securityProperties.getEncryptionKeyTransportAlgorithm() != null 
+            && encryptionMethodType != null) {
+            String encryptionMethod = encryptionMethodType.getAlgorithm();
+            if (!securityProperties.getEncryptionKeyTransportAlgorithm().equals(encryptionMethod))
{
+                log.debug(
+                    "The Key transport method does not match the requirement"
+                );
+                throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
+            }
+        }
+        
         super.handle(inputProcessorChain, encryptedKeyType, responsibleXMLSecStartXMLEvent,
securityProperties);
     }
 
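Review bot: When a required key-transport algorithm is configured but the incoming EncryptedKey carries no EncryptionMethod element, the new guard `&& encryptionMethodType != null` skips the comparison and control falls through to super.handle, so a message that omits the element is not rejected by the requirement. If the property means "accept only this algorithm", a missing method should fail the same way as a mismatching one, i.e. inside the outer property null check use `if (encryptionMethodType == null || !securityProperties.getEncryptionKeyTransportAlgorithm().equals(encryptionMethodType.getAlgorithm())) {` followed by the existing debug log and throw. Whether super.handle itself rejects an EncryptedKey without EncryptionMethod is not visible in this hunk, so the fallthrough may be caught later, but the requirement check is the place to make the rejection explicit.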

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureInputHandler.java?rev=1468925&r1=1468924&r2=1468925&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureInputHandler.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/processor/input/WSSSignatureInputHandler.java
Wed Apr 17 14:13:20 2013
@@ -47,6 +47,9 @@ import java.util.Iterator;
 import java.util.List;
 
 public class WSSSignatureInputHandler extends AbstractSignatureInputHandler {
+    
+    private static final transient org.slf4j.Logger log =
+        org.slf4j.LoggerFactory.getLogger(WSSSignatureInputHandler.class);
 
     @Override
     protected SignatureVerifier newSignatureVerifier(
@@ -57,6 +60,15 @@ public class WSSSignatureInputHandler ex
             throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
         }
         checkBSPCompliance(inputProcessorChain, signatureType);
+        
+        String algorithm = signatureType.getSignedInfo().getSignatureMethod().getAlgorithm();
+        if (securityProperties.getSignatureAlgorithm() != null
+            && !securityProperties.getSignatureAlgorithm().equals(algorithm)) {
+            log.debug(
+                "The Signature method does not match the requirement"
+            );
+            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
+        }
 
         final WSInboundSecurityContext securityContext = (WSInboundSecurityContext) inputProcessorChain.getSecurityContext();
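Review bot: The new signature-algorithm check carries no explanatory comment, unlike the parallel checks added to DecryptInputProcessor and WSSEncryptedKeyInputHandler in this commit; add `// Check signature algorithm against the required algorithm, if defined` above the `String algorithm = ...` line. The chain `signatureType.getSignedInfo().getSignatureMethod().getAlgorithm()` assumes SignedInfo and SignatureMethod are present; checkBSPCompliance runs first, but whether it guarantees both are non-null is not visible in the hunk, so a guard or a comment stating that assumption would help the next reader. newSignatureVerifier's signature and the remainder of its body lie outside the hunk.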
 

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/EncDecryptionTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/EncDecryptionTest.java?rev=1468925&r1=1468924&r2=1468925&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/EncDecryptionTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/EncDecryptionTest.java
Wed Apr 17 14:13:20 2013
@@ -22,6 +22,7 @@ import org.apache.commons.compress.compr
 import org.apache.commons.compress.compressors.gzip.GzipCompressorOutputStream;
 import org.apache.wss4j.common.bsp.BSPRule;
 import org.apache.wss4j.common.crypto.CryptoFactory;
+import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.stax.WSSec;
 import org.apache.wss4j.stax.ext.WSSConstants;
@@ -43,6 +44,7 @@ import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 
 import javax.xml.namespace.QName;
+import javax.xml.stream.XMLStreamException;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
@@ -2135,4 +2137,63 @@ public class EncDecryptionTest extends A
             Assert.assertEquals(nodeList.getLength(), 0);
         }
     }
+    
+    @Test
+    public void testInboundRequiredAlgorithms() throws Exception {
+
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+        {
+            InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+            String action = WSHandlerConstants.ENCRYPT;
+            Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action,
new Properties());
+
+            //some test that we can really sure we get what we want from WSS4J
+            XPathExpression xPathExpression = getXPath("/env:Envelope/env:Header/wsse:Security/xenc:EncryptedKey/xenc:EncryptionMethod[@Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p']");
+            Node node = (Node) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
+            Assert.assertNotNull(node);
+
+            javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+            transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+        }
+        //test streaming decryption
+        {
+            WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+            securityProperties.setEncryptionKeyTransportAlgorithm(WSSConstants.NS_XENC_RSAOAEPMGF1P);
+            securityProperties.setEncryptionSymAlgorithm(WSSConstants.NS_XENC_AES128);
+            securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+            securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+
+            doInboundSecurity(securityProperties, xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())), null);
+        }
+        // This should fail as we are requiring another key transport algorithm
+        {
+            WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+            securityProperties.setEncryptionKeyTransportAlgorithm(WSSConstants.NS_XENC_RSA15);
+            securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+            securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+
+            try {
+                doInboundSecurity(securityProperties, xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())), null);
+                Assert.fail("Failure expected on the wrong key transport algorithm");
+            }  catch (XMLStreamException e) {
+                Assert.assertTrue(e.getCause() instanceof WSSecurityException);
+            }
+        }
+        // This should fail as we are requiring another symmetric encryption algorithm
+        {
+            WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+            securityProperties.setEncryptionSymAlgorithm(WSSConstants.NS_XENC_TRIPLE_DES);
+            securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+            securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+
+            try {
+                doInboundSecurity(securityProperties, xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())), null);
+                Assert.fail("Failure expected on the wrong key transport algorithm");
+            }  catch (XMLStreamException e) {
+                Assert.assertTrue(e.getCause() instanceof WSSecurityException);
+            }
+        }
+    }
+    
 }
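Review bot: The `Assert.fail` message in the third block reads "Failure expected on the wrong key transport algorithm" although that block configures a mismatching symmetric algorithm (NS_XENC_TRIPLE_DES), so a regression there would be reported under the wrong cause; change it to `Assert.fail("Failure expected on the wrong symmetric encryption algorithm");`. Both negative cases only assert that the cause is a WSSecurityException; if the exception exposes its error code, also asserting INVALID_SECURITY (the code thrown by the new checks) would pin that the rejection came from the algorithm requirement rather than from some other decryption failure.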

Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureTest.java?rev=1468925&r1=1468924&r2=1468925&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/wss4j/stax/test/SignatureTest.java
Wed Apr 17 14:13:20 2013
@@ -1254,4 +1254,55 @@ public class SignatureTest extends Abstr
             }
         }
     }
+    
+    @Test
+    public void testInboundRequiredAlgorithm() throws Exception {
+
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        {
+            InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+            String action = WSHandlerConstants.SIGNATURE;
+            Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action,
new Properties());
+
+            //some test that we can really sure we get what we want from WSS4J
+            NodeList nodeList = securedDocument.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(),
WSSConstants.TAG_dsig_Signature.getLocalPart());
+            Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_wsse_Security.getLocalPart());
+
+            javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+            transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+        }
+
+        //done signature; now test sig-verification:
+        {
+            WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+            securityProperties.setSignatureAlgorithm(WSSConstants.NS_XMLDSIG_RSASHA1);
+            securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+            XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
+
+            Document document = StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(),
xmlStreamReader);
+
+            //header element must still be there
+            NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_dsig_Signature.getNamespaceURI(),
WSSConstants.TAG_dsig_Signature.getLocalPart());
+            Assert.assertEquals(nodeList.getLength(), 1);
+            Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_wsse_Security.getLocalPart());
+        }
+        
+        // This should fail as we require another signature algorithm
+        {
+            WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+            securityProperties.setSignatureAlgorithm(WSSConstants.NS_XMLDSIG_HMACSHA1);
+            securityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+            InboundWSSec wsSecIn = WSSec.getInboundWSSec(securityProperties);
+
+            try {
+                XMLStreamReader xmlStreamReader = wsSecIn.processInMessage(xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
+                StAX2DOM.readDoc(documentBuilderFactory.newDocumentBuilder(), xmlStreamReader);
+                Assert.fail("Failure expected on the wrong signature algorithm");
+            } catch (XMLStreamException e) {
+                Assert.assertTrue(e.getCause() instanceof WSSecurityException);
+            }
+        }
+    }
+    
 }
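Review bot: The positive verification block requires NS_XMLDSIG_RSASHA1 but, unlike testInboundRequiredAlgorithms in EncDecryptionTest which asserts the produced algorithm via XPath, nothing here checks that the outbound document actually used that algorithm, so the block silently depends on WSS4J's default and a change to that default would surface as an opaque failure inside processInMessage rather than a clear assertion. Consider asserting in the first block that the SignatureMethod Algorithm attribute under the Signature element of securedDocument equals the rsa-sha1 URI, using whichever XPath helper or namespace-aware DOM lookup the test class already provides.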


