ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From gi...@apache.org
Subject svn commit: r1492093 - in /webservices/wss4j/trunk/ws-security-policy-stax/src: main/java/org/apache/wss4j/policy/stax/ main/java/org/apache/wss4j/policy/stax/assertionStates/ test/java/org/apache/wss4j/policy/stax/test/
Date Wed, 12 Jun 2013 07:35:40 GMT
Author: giger
Date: Wed Jun 12 07:35:39 2013
New Revision: 1492093

URL: http://svn.apache.org/r1492093
Log:
WSS-448 - OnlySignEntireHeadersAndBody policy validation is incorrect 

Modified:
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcerFactory.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AbstractPolicyTestBase.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AsymmetricBindingIntegrationTest.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AsymmetricBindingTest.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/SymmetricBindingTest.java
    webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java?rev=1492093&r1=1492092&r2=1492093&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
(original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcer.java
Wed Jun 12 07:35:39 2013
@@ -123,10 +123,13 @@ public class PolicyEnforcer implements S
     private final Deque<SecurityEvent> securityEventQueue = new LinkedList<SecurityEvent>();
     private boolean operationSecurityEventOccured = false;
     private boolean initiator;
+    private String actorOrRole;
 
-    public PolicyEnforcer(List<OperationPolicy> operationPolicies, String soapAction,
boolean initiator) throws WSSPolicyException {
+    public PolicyEnforcer(List<OperationPolicy> operationPolicies, String soapAction,
boolean initiator,
+                          String actorOrRole) throws WSSPolicyException {
         this.operationPolicies = operationPolicies;
         this.initiator = initiator;
+        this.actorOrRole = actorOrRole;
         assertionStateMap = new LinkedList<Map<SecurityEventConstants.Event, Map<Assertion,
List<Assertable>>>>();
         failedAssertionStateMap = new LinkedList<Map<SecurityEventConstants.Event,
Map<Assertion, List<Assertable>>>>();
 
@@ -306,7 +309,8 @@ public class PolicyEnforcer implements S
                 assertableList.add(new ProtectionOrderAssertionState(abstractSymmetricAsymmetricBinding,
true));
                 assertableList.add(new SignatureProtectionAssertionState(abstractSymmetricAsymmetricBinding,
true));
                 if (abstractSymmetricAsymmetricBinding.isOnlySignEntireHeadersAndBody())
{
-                    assertableList.add(new OnlySignEntireHeadersAndBodyAssertionState(abstractSecurityAssertion,
false));
+                    //initialized with asserted=true because we do negative matching
+                    assertableList.add(new OnlySignEntireHeadersAndBodyAssertionState(abstractSecurityAssertion,
true, actorOrRole));
                 }
                 assertableList.add(new TokenProtectionAssertionState(abstractSecurityAssertion,
true));
             }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcerFactory.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcerFactory.java?rev=1492093&r1=1492092&r2=1492093&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcerFactory.java
(original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/PolicyEnforcerFactory.java
Wed Jun 12 07:35:39 2013
@@ -416,7 +416,15 @@ public class PolicyEnforcerFactory {
         }
     }
 
-    public PolicyEnforcer newPolicyEnforcer(String soapAction, boolean initiator) throws
WSSPolicyException {
-        return new PolicyEnforcer(this.operationPolicies, soapAction, initiator);
+    /**
+     * creates a new PolicyEnforcer instance
+     * @param soapAction The requested soapAction of the actual request
+     * @param initiator Boolean flag to tell the engine if it is running in client or server
mode
+     * @param roleOrActor The actor or role of the security processing. Must be set to the
same value as WSSSecurityProperties#setActor()
+     * @return the newly created PolicyEnforcer instance
+     * @throws WSSPolicyException
+     */
+    public PolicyEnforcer newPolicyEnforcer(String soapAction, boolean initiator, String
roleOrActor) throws WSSPolicyException {
+        return new PolicyEnforcer(this.operationPolicies, soapAction, initiator, roleOrActor);
     }
 }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java?rev=1492093&r1=1492092&r2=1492093&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java
(original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/OnlySignEntireHeadersAndBodyAssertionState.java
Wed Jun 12 07:35:39 2013
@@ -21,61 +21,56 @@ package org.apache.wss4j.policy.stax.ass
 import org.apache.wss4j.policy.AssertionState;
 import org.apache.wss4j.policy.WSSPolicyException;
 import org.apache.wss4j.policy.model.AbstractSecurityAssertion;
-import org.apache.wss4j.policy.model.AbstractSymmetricAsymmetricBinding;
+import org.apache.xml.security.stax.securityEvent.AbstractSecuredElementSecurityEvent;
 import org.apache.xml.security.stax.securityEvent.SecurityEvent;
 import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
 import org.apache.wss4j.policy.stax.Assertable;
-import org.apache.wss4j.stax.ext.WSSConstants;
 import org.apache.wss4j.stax.ext.WSSUtils;
-import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
 import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
 
+import javax.xml.namespace.QName;
+import java.util.List;
+
 /**
  * WSP1.3, 6.6 Entire Header and Body Signatures Property
  */
 public class OnlySignEntireHeadersAndBodyAssertionState extends AssertionState implements
Assertable {
 
-    public OnlySignEntireHeadersAndBodyAssertionState(AbstractSecurityAssertion assertion,
boolean asserted) {
+    private String roleOrActor;
+
+    public OnlySignEntireHeadersAndBodyAssertionState(AbstractSecurityAssertion assertion,
boolean asserted, String roleOrActor) {
         super(assertion, asserted);
+        this.roleOrActor = roleOrActor;
     }
 
     @Override
     public SecurityEventConstants.Event[] getSecurityEventType() {
         return new SecurityEventConstants.Event[]{
-                WSSecurityEventConstants.SignedPart
+                WSSecurityEventConstants.SignedPart,
+                WSSecurityEventConstants.SignedElement
         };
     }
 
     @Override
     public boolean assertEvent(SecurityEvent securityEvent) throws WSSPolicyException {
-        SignedPartSecurityEvent signedPartSecurityEvent = (SignedPartSecurityEvent) securityEvent;
-        AbstractSymmetricAsymmetricBinding abstractSymmetricAsymmetricBinding = (AbstractSymmetricAsymmetricBinding)
getAssertion();
-        if (abstractSymmetricAsymmetricBinding.isOnlySignEntireHeadersAndBody()
-                && WSSUtils.pathMatches(signedPartSecurityEvent.getElementPath(),
WSSConstants.SOAP_11_BODY_PATH, true, false)) {
-            if (signedPartSecurityEvent.isSigned()) {
+        AbstractSecuredElementSecurityEvent abstractSecuredElementSecurityEvent = (AbstractSecuredElementSecurityEvent)
securityEvent;
+        if (abstractSecuredElementSecurityEvent.isSigned()) {
+            List<QName> elementPath = abstractSecuredElementSecurityEvent.getElementPath();
+            if (elementPath.size() == 4 && WSSUtils.isInSecurityHeader(abstractSecuredElementSecurityEvent.getXmlSecEvent(),
elementPath, roleOrActor)) {
                 setAsserted(true);
                 return true;
-            } else {
-                setAsserted(false);
-                setErrorMessage("Element " + WSSUtils.pathAsString(signedPartSecurityEvent.getElementPath())
+ " must be signed");
-                return false;
             }
-        }
-        //body processed above. so this must be a header element
-        if (abstractSymmetricAsymmetricBinding.isOnlySignEntireHeadersAndBody()) {
-            if (signedPartSecurityEvent.isSigned()
-                    //todo revisit: the equality check for wsse_Security probably opens the
door
-                    //for a rewriting attack! If the Security Header is not signed then all
child
-                    //elements must be signed!
-                    // @see http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.html#_Toc212617840
-                    || WSSUtils.pathMatches(signedPartSecurityEvent.getElementPath(), WSSConstants.WSSE_SECURITY_HEADER_PATH,
true, false)) {
+            if (elementPath.size() == 3 && WSSUtils.isInSOAPHeader(elementPath))
{
+                setAsserted(true);
+                return true;
+            }
+            if (elementPath.size() == 2 && WSSUtils.isInSOAPBody(elementPath)) {
                 setAsserted(true);
                 return true;
-            } else {
-                setAsserted(false);
-                setErrorMessage("Element " + WSSUtils.pathAsString(signedPartSecurityEvent.getElementPath())
+ " must be signed");
-                return false;
             }
+            setAsserted(false);
+            setErrorMessage("OnlySignEntireHeadersAndBody not fulfilled, offending element:
" + WSSUtils.pathAsString(elementPath));
+            return false;
         }
         return true;
     }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java?rev=1492093&r1=1492092&r2=1492093&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
(original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/wss4j/policy/stax/assertionStates/TokenProtectionAssertionState.java
Wed Jun 12 07:35:39 2013
@@ -45,7 +45,8 @@ import java.util.List;
 public class TokenProtectionAssertionState extends AssertionState implements Assertable {
 
     private final List<SignedElementSecurityEvent> signedElementEvents = new LinkedList<SignedElementSecurityEvent>();
-    private final List<TokenSecurityEvent<?>> tokenSecurityEvents = new LinkedList<TokenSecurityEvent<?>>();
+    private final List<TokenSecurityEvent<? extends SecurityToken>> tokenSecurityEvents
=
+            new LinkedList<TokenSecurityEvent<? extends SecurityToken>>();
 
     public TokenProtectionAssertionState(Assertion assertion, boolean initialAssertionState)
{
         super(assertion, initialAssertionState);

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AbstractPolicyTestBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AbstractPolicyTestBase.java?rev=1492093&r1=1492092&r2=1492093&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AbstractPolicyTestBase.java
(original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AbstractPolicyTestBase.java
Wed Jun 12 07:35:39 2013
@@ -92,7 +92,7 @@ public class AbstractPolicyTestBase exte
             element.appendChild(policyNode);
         }
         PolicyEnforcerFactory policyEnforcerFactory = PolicyEnforcerFactory.newInstance(document,
customAssertionBuilders);
-        PolicyEnforcer policyEnforcer = policyEnforcerFactory.newPolicyEnforcer("", false);
+        PolicyEnforcer policyEnforcer = policyEnforcerFactory.newPolicyEnforcer("", false,
null);
 
         return policyEnforcer;
     }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AsymmetricBindingIntegrationTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AsymmetricBindingIntegrationTest.java?rev=1492093&r1=1492092&r2=1492093&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AsymmetricBindingIntegrationTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AsymmetricBindingIntegrationTest.java
Wed Jun 12 07:35:39 2013
@@ -1914,7 +1914,7 @@ public class AsymmetricBindingIntegratio
                         "                    <wsp:Policy>\n" +
                         "                        <sp:InitiatorToken>\n" +
                         "                            <wsp:Policy>\n" +
-                        "                                <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n"
+
+                        "                                <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n"
+
                         "                                    <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n"
+
                         "                                    <wsp:Policy>\n" +
                         "                                        <sp:WssX509V3Token11/>\n"
+
@@ -1924,7 +1924,7 @@ public class AsymmetricBindingIntegratio
                         "                        </sp:InitiatorToken>\n" +
                         "                        <sp:RecipientToken>\n" +
                         "                            <wsp:Policy>\n" +
-                        "                              <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n"
+
+                        "                              <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n"
+
                         "                                  <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n"
+
                         "                                  <wsp:Policy>\n" +
                         "                                      <sp:WssX509V3Token11/>\n"
+
@@ -1946,14 +1946,112 @@ public class AsymmetricBindingIntegratio
                         "                        <sp:OnlySignEntireHeadersAndBody/>\n"
+
                         "                    </wsp:Policy>\n" +
                         "                </sp:AsymmetricBinding>\n" +
-                        "                <sp:SignedParts>\n" +
+                        "                <sp:EncryptedParts>\n" +
                         "                    <sp:Body/>\n" +
-                        "                    <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n"
+
+                        "                    <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n"
+
                         "                    <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n"
+
-                        "                </sp:SignedParts>\n" +
-                        "                <sp:SignedElements>\n" +
+                        "                </sp:EncryptedParts>\n" +
+                        "                <sp:EncryptedElements>\n" +
                         "                    <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n"
+
-                        "                </sp:SignedElements>\n" +
+                        "                </sp:EncryptedElements>\n" +
+                        "                <sp:ContentEncryptedElements>\n" +
+                        "                    <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n"
+
+                        "                </sp:ContentEncryptedElements>\n" +
+                        "            </wsp:All>\n" +
+                        "        </wsp:ExactlyOne>";
+
+        WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
+        outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+        outSecurityProperties.setEncryptionUser("receiver");
+        outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"),
"default".toCharArray());
+        outSecurityProperties.setSignatureUser("transmitter");
+        outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"),
"default".toCharArray());
+
+        outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_wsu_Timestamp,
SecurePart.Modifier.Element));
+        outSecurityProperties.addSignaturePart(new SecurePart(new QName("http://schemas.xmlsoap.org/wsdl/",
"definitions"), SecurePart.Modifier.Element));
+        outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_wsu_Created,
SecurePart.Modifier.Element));
+        outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_wsu_Expires,
SecurePart.Modifier.Content));
+        outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_soap11_Body,
SecurePart.Modifier.Content));
+        WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.TIMESTAMP,
WSSConstants.SIGNATURE, WSSConstants.ENCRYPT};
+        outSecurityProperties.setOutAction(actions);
+
+        InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+        ByteArrayOutputStream baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
+
+        WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
+        inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+        inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+        inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
+
+        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
+        inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));
+
+        try {
+            Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()),
policyEnforcer);
+
+            //read the whole stream:
+            Transformer transformer = TransformerFactory.newInstance().newTransformer();
+            transformer.transform(new DOMSource(document), new StreamResult(
+                    new OutputStream() {
+                        @Override
+                        public void write(int b) throws IOException {
+                            // > /dev/null
+                        }
+                    }
+            ));
+            Assert.fail("Exception expected");
+        } catch (XMLStreamException e) {
+            Assert.assertTrue(e.getCause() instanceof WSSecurityException);
+            Assert.assertEquals(e.getCause().getMessage(),
+                    "OnlySignEntireHeadersAndBody not fulfilled, offending element: " +
+                            "/{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Body/{http://schemas.xmlsoap.org/wsdl/}definitions");
+            Assert.assertEquals(((WSSecurityException) e.getCause()).getFaultCode(), WSSecurityException.INVALID_SECURITY);
+        }
+    }
+
+    @Test
+    public void testEntireHeaderAndBodySignatureNegative2() throws Exception {
+
+        String policyString =
+                "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\"
" +
+                        "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n"
+
+                        "            <wsp:All>\n" +
+                        "                <sp:AsymmetricBinding>\n" +
+                        "                    <wsp:Policy>\n" +
+                        "                        <sp:InitiatorToken>\n" +
+                        "                            <wsp:Policy>\n" +
+                        "                                <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n"
+
+                        "                                    <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n"
+
+                        "                                    <wsp:Policy>\n" +
+                        "                                        <sp:WssX509V3Token11/>\n"
+
+                        "                                    </wsp:Policy>\n" +
+                        "                                </sp:X509Token>\n" +
+                        "                            </wsp:Policy>\n" +
+                        "                        </sp:InitiatorToken>\n" +
+                        "                        <sp:RecipientToken>\n" +
+                        "                            <wsp:Policy>\n" +
+                        "                              <sp:X509Token sp:IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never\">\n"
+
+                        "                                  <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n"
+
+                        "                                  <wsp:Policy>\n" +
+                        "                                      <sp:WssX509V3Token11/>\n"
+
+                        "                                  </wsp:Policy>\n" +
+                        "                              </sp:X509Token>\n" +
+                        "                            </wsp:Policy>\n" +
+                        "                         </sp:RecipientToken>\n" +
+                        "                        <sp:AlgorithmSuite>\n" +
+                        "                            <wsp:Policy>\n" +
+                        "                                <sp:Basic256/>\n" +
+                        "                            </wsp:Policy>\n" +
+                        "                        </sp:AlgorithmSuite>\n" +
+                        "                        <sp:Layout>\n" +
+                        "                            <wsp:Policy>\n" +
+                        "                                <sp:Lax/>\n" +
+                        "                            </wsp:Policy>\n" +
+                        "                        </sp:Layout>\n" +
+                        "                        <sp:IncludeTimestamp/>\n" +
+                        "                        <sp:OnlySignEntireHeadersAndBody/>\n"
+
+                        "                    </wsp:Policy>\n" +
+                        "                </sp:AsymmetricBinding>\n" +
                         "                <sp:EncryptedParts>\n" +
                         "                    <sp:Body/>\n" +
                         "                    <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n"
+
@@ -1976,7 +2074,7 @@ public class AsymmetricBindingIntegratio
         outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"),
"default".toCharArray());
 
         outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_wsu_Timestamp,
SecurePart.Modifier.Element));
-        outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_soap11_Body,
SecurePart.Modifier.Element));
+        outSecurityProperties.addSignaturePart(new SecurePart(new QName("http://schemas.xmlsoap.org/wsdl/",
"service"), SecurePart.Modifier.Element));
         outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_wsu_Created,
SecurePart.Modifier.Element));
         outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_wsu_Expires,
SecurePart.Modifier.Content));
         outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_soap11_Body,
SecurePart.Modifier.Content));
@@ -2011,7 +2109,8 @@ public class AsymmetricBindingIntegratio
         } catch (XMLStreamException e) {
             Assert.assertTrue(e.getCause() instanceof WSSecurityException);
             Assert.assertEquals(e.getCause().getMessage(),
-                    "Element /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Header/{http://schemas.xmlsoap.org/wsdl/}definitions
must be signed");
+                    "OnlySignEntireHeadersAndBody not fulfilled, offending element: " +
+                            "/{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Header/{http://schemas.xmlsoap.org/wsdl/}definitions/{http://schemas.xmlsoap.org/wsdl/}service");
             Assert.assertEquals(((WSSecurityException) e.getCause()).getFaultCode(), WSSecurityException.INVALID_SECURITY);
         }
     }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AsymmetricBindingTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AsymmetricBindingTest.java?rev=1492093&r1=1492092&r2=1492093&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AsymmetricBindingTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/AsymmetricBindingTest.java
Wed Jun 12 07:35:39 2013
@@ -26,6 +26,7 @@ import org.apache.wss4j.stax.securityTok
 import org.apache.wss4j.stax.impl.securityToken.X509SecurityTokenImpl;
 import org.apache.wss4j.stax.securityEvent.*;
 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
+import org.apache.xml.security.stax.ext.stax.XMLSecEventFactory;
 import org.apache.xml.security.stax.securityEvent.EncryptedElementSecurityEvent;
 import org.apache.xml.security.stax.securityEvent.X509TokenSecurityEvent;
 import org.testng.Assert;
@@ -295,8 +296,14 @@ public class AsymmetricBindingTest exten
         headerPath.add(WSSConstants.TAG_wsse11_SignatureConfirmation);
         encryptedElementSecurityEvent.setElementPath(headerPath);
         policyEnforcer.registerSecurityEvent(encryptedElementSecurityEvent);
-        SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(null,
false, protectionOrder);
-        signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
+
+        SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(null,
true, protectionOrder);
+        QName elementName = new QName("http://www.example.com", "bodyChildElement");
+        signedPartSecurityEvent.setXmlSecEvent(XMLSecEventFactory.createXmlSecStartElement(elementName,
null, null));
+        List<QName> elementPath = new ArrayList<QName>();
+        elementPath.addAll(WSSConstants.SOAP_11_BODY_PATH);
+        elementPath.add(elementName);
+        signedPartSecurityEvent.setElementPath(elementPath);
         policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
 
         OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
@@ -307,8 +314,104 @@ public class AsymmetricBindingTest exten
         } catch (WSSecurityException e) {
             Assert.assertTrue(e.getCause() instanceof PolicyViolationException);
             Assert.assertEquals(e.getCause().getMessage(),
-                    "Element /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Body
must be signed");
+                    "OnlySignEntireHeadersAndBody not fulfilled, offending element: " +
+                            "/{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Body/{http://www.example.com}bodyChildElement");
             Assert.assertEquals(e.getFaultCode(), WSSecurityException.INVALID_SECURITY);
         }
     }
+
+    @Test
+    public void testPolicyNotWholeSecurityHeaderChildSigned() throws Exception {
+        String policyString =
+                "<sp:AsymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\"
xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
+                        "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n"
+
+                        "   <sp:AlgorithmSuite>\n" +
+                        "       <wsp:Policy>\n" +
+                        "           <sp:Basic256/>\n" +
+                        "       </wsp:Policy>\n" +
+                        "   </sp:AlgorithmSuite>\n" +
+                        "<sp:IncludeTimestamp/>\n" +
+                        "<sp:EncryptSignature/>\n" +
+                        "<sp:ProtectTokens/>\n" +
+                        "<sp:OnlySignEntireHeadersAndBody/>\n" +
+                        "</wsp:Policy>\n" +
+                        "</sp:AsymmetricBinding>";
+        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
+        TimestampSecurityEvent timestampSecurityEvent = new TimestampSecurityEvent();
+        policyEnforcer.registerSecurityEvent(timestampSecurityEvent);
+
+        X509TokenSecurityEvent x509TokenSecurityEvent = new X509TokenSecurityEvent();
+        X509SecurityTokenImpl securityToken = getX509Token(WSSecurityTokenConstants.X509V3Token);
+        securityToken.addTokenUsage(WSSecurityTokenConstants.TokenUsage_MainSignature);
+        x509TokenSecurityEvent.setSecurityToken(securityToken);
+        policyEnforcer.registerSecurityEvent(x509TokenSecurityEvent);
+
+        x509TokenSecurityEvent = new X509TokenSecurityEvent();
+        securityToken = getX509Token(WSSecurityTokenConstants.X509V3Token);
+        securityToken.addTokenUsage(WSSecurityTokenConstants.TokenUsage_MainEncryption);
+        x509TokenSecurityEvent.setSecurityToken(securityToken);
+
+        policyEnforcer.registerSecurityEvent(x509TokenSecurityEvent);
+
+        List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<XMLSecurityConstants.ContentType>();
+        protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
+        protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
+        EncryptedElementSecurityEvent encryptedElementSecurityEvent = new EncryptedElementSecurityEvent(null,
true, protectionOrder);
+        List<QName> headerPath = new ArrayList<QName>();
+        headerPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
+        headerPath.add(WSSConstants.TAG_dsig_Signature);
+        encryptedElementSecurityEvent.setElementPath(headerPath);
+        policyEnforcer.registerSecurityEvent(encryptedElementSecurityEvent);
+
+        encryptedElementSecurityEvent = new EncryptedElementSecurityEvent(null, true, protectionOrder);
+        headerPath = new ArrayList<QName>();
+        headerPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
+        headerPath.add(WSSConstants.TAG_wsse11_SignatureConfirmation);
+        encryptedElementSecurityEvent.setElementPath(headerPath);
+        policyEnforcer.registerSecurityEvent(encryptedElementSecurityEvent);
+
+        SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(null,
true, protectionOrder);
+        QName elementName = WSSConstants.TAG_wsse_Username;
+        signedPartSecurityEvent.setXmlSecEvent(XMLSecEventFactory.createXmlSecStartElement(elementName,
null, null));
+        List<QName> elementPath = new ArrayList<QName>();
+        elementPath.addAll(WSSConstants.WSSE_SECURITY_HEADER_PATH);
+        elementPath.add(WSSConstants.TAG_wsse_UsernameToken);
+        elementPath.add(elementName);
+        signedPartSecurityEvent.setElementPath(elementPath);
+        policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
+
+        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
+        operationSecurityEvent.setOperation(new QName("definitions"));
+        try {
+            policyEnforcer.registerSecurityEvent(operationSecurityEvent);
+            Assert.fail("Exception expected");
+        } catch (WSSecurityException e) {
+            Assert.assertTrue(e.getCause() instanceof PolicyViolationException);
+            Assert.assertEquals(e.getCause().getMessage(),
+                    "OnlySignEntireHeadersAndBody not fulfilled, offending element: " +
+                            "/{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Header/{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security/{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}UsernameToken/{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Username");
+            Assert.assertEquals(e.getFaultCode(), WSSecurityException.INVALID_SECURITY);
+        }
+    }
+
+    @Test
+    public void testOnlySignEntireHeadersAndBodyPolicyNothingSigned() throws Exception {
+        String policyString =
+                "<sp:AsymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\"
xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
+                        "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n"
+
+                        "   <sp:AlgorithmSuite>\n" +
+                        "       <wsp:Policy>\n" +
+                        "           <sp:Basic256/>\n" +
+                        "       </wsp:Policy>\n" +
+                        "   </sp:AlgorithmSuite>\n" +
+                        "<sp:OnlySignEntireHeadersAndBody/>\n" +
+                        "</wsp:Policy>\n" +
+                        "</sp:AsymmetricBinding>";
+        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
+
+        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
+        operationSecurityEvent.setOperation(new QName("definitions"));
+        policyEnforcer.registerSecurityEvent(operationSecurityEvent);
+        policyEnforcer.doFinal();
+    }
 }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/SymmetricBindingTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/SymmetricBindingTest.java?rev=1492093&r1=1492092&r2=1492093&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/SymmetricBindingTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/SymmetricBindingTest.java
Wed Jun 12 07:35:39 2013
@@ -26,6 +26,7 @@ import org.apache.wss4j.stax.securityTok
 import org.apache.wss4j.stax.impl.securityToken.SecureConversationSecurityTokenImpl;
 import org.apache.wss4j.stax.securityEvent.*;
 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
+import org.apache.xml.security.stax.ext.stax.XMLSecEventFactory;
 import org.apache.xml.security.stax.securityEvent.EncryptedElementSecurityEvent;
 import org.testng.Assert;
 import org.testng.annotations.Test;
@@ -101,6 +102,7 @@ public class SymmetricBindingTest extend
         policyEnforcer.registerSecurityEvent(operationSecurityEvent);
 
         SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(null,
true, protectionOrder);
+        signedPartSecurityEvent.setXmlSecEvent(XMLSecEventFactory.createXmlSecStartElement(WSSConstants.TAG_soap11_Body,
null, null));
         signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
         policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
         policyEnforcer.doFinal();
@@ -313,15 +315,21 @@ public class SymmetricBindingTest extend
         operationSecurityEvent.setOperation(new QName("definitions"));
         policyEnforcer.registerSecurityEvent(operationSecurityEvent);
 
-        SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(null,
false, protectionOrder);
-        signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
+        SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(null,
true, protectionOrder);
+        QName elementName = new QName("http://www.example.com", "bodyChildElement");
+        signedPartSecurityEvent.setXmlSecEvent(XMLSecEventFactory.createXmlSecStartElement(elementName,
null, null));
+        List<QName> elementPath = new ArrayList<QName>();
+        elementPath.addAll(WSSConstants.SOAP_11_BODY_PATH);
+        elementPath.add(elementName);
+        signedPartSecurityEvent.setElementPath(elementPath);
         try {
             policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
             Assert.fail("Exception expected");
         } catch (WSSecurityException e) {
             Assert.assertTrue(e.getCause() instanceof PolicyViolationException);
             Assert.assertEquals(e.getCause().getMessage(),
-                    "Element /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Body
must be signed");
+                    "OnlySignEntireHeadersAndBody not fulfilled, offending element: " +
+                            "/{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Body/{http://www.example.com}bodyChildElement");
             Assert.assertEquals(e.getFaultCode(), WSSecurityException.INVALID_SECURITY);
         }
     }

Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java?rev=1492093&r1=1492092&r2=1492093&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java
(original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/wss4j/policy/stax/test/VulnerabliltyVectorsTest.java
Wed Jun 12 07:35:39 2013
@@ -74,7 +74,7 @@ public class VulnerabliltyVectorsTest ex
         inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
 
         PolicyEnforcerFactory policyEnforcerFactory = PolicyEnforcerFactory.newInstance(this.getClass().getClassLoader().getResource("testdata/wsdl/actionSpoofing.wsdl"));
-        PolicyEnforcer policyEnforcer = policyEnforcerFactory.newPolicyEnforcer("emptyPolicy",
false);
+        PolicyEnforcer policyEnforcer = policyEnforcerFactory.newPolicyEnforcer("emptyPolicy",
false, null);
         inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));
 
         try {
@@ -126,7 +126,7 @@ public class VulnerabliltyVectorsTest ex
         inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
 
         PolicyEnforcerFactory policyEnforcerFactory = PolicyEnforcerFactory.newInstance(this.getClass().getClassLoader().getResource("testdata/wsdl/actionSpoofing.wsdl"));
-        PolicyEnforcer policyEnforcer = policyEnforcerFactory.newPolicyEnforcer("goodPolicy",
false);
+        PolicyEnforcer policyEnforcer = policyEnforcerFactory.newPolicyEnforcer("goodPolicy",
false, null);
         inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));
 
         try {



Mime
View raw message