ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1663945 - in /webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor: EncryptedKeyProcessor.java ReferenceListProcessor.java SignatureProcessor.java
Date Wed, 04 Mar 2015 11:49:49 GMT
Author: coheigea
Date: Wed Mar  4 11:49:48 2015
New Revision: 1663945

URL: http://svn.apache.org/r1663945
Log:
Processor refactor

Modified:
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java?rev=1663945&r1=1663944&r2=1663945&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
Wed Mar  4 11:49:48 2015
@@ -28,7 +28,6 @@ import java.security.cert.X509Certificat
 import java.security.spec.MGF1ParameterSpec;
 import java.util.ArrayList;
 import java.util.Collections;
-import java.util.LinkedList;
 import java.util.List;
 
 import javax.crypto.Cipher;
@@ -226,7 +225,8 @@ public class EncryptedKeyProcessor imple
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, ex);
         }
         
-        List<String> dataRefURIs = getDataRefURIs(elem);
+        Element refList = 
+            WSSecurityUtil.getDirectChildElement(elem, "ReferenceList", WSConstants.ENC_NS);
         
         byte[] encryptedEphemeralKey = null;
         byte[] decryptedBytes = null;
@@ -237,11 +237,10 @@ public class EncryptedKeyProcessor imple
         } catch (IllegalStateException ex) {
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, ex);
         } catch (Exception ex) {
-            decryptedBytes = getRandomKey(dataRefURIs, elem.getOwnerDocument(), wsDocInfo);
+            decryptedBytes = getRandomKey(refList, wsDocInfo);
         }
 
-        List<WSDataRef> dataRefs = decryptDataRefs(dataRefURIs, elem.getOwnerDocument(),
wsDocInfo,
-            decryptedBytes, data);
+        List<WSDataRef> dataRefs = decryptDataRefs(refList, wsDocInfo, decryptedBytes,
data);
         
         WSSecurityEngineResult result = new WSSecurityEngineResult(
                 WSConstants.ENCR, 
@@ -267,19 +266,17 @@ public class EncryptedKeyProcessor imple
     /**
      * Generates a random secret key using the algorithm specified in the
      * first DataReference URI
-     * 
-     * @param dataRefURIs
-     * @param doc
-     * @param wsDocInfo
-     * @throws WSSecurityException
      */
-    private static byte[] getRandomKey(List<String> dataRefURIs, Document doc, WSDocInfo
wsDocInfo) throws WSSecurityException {
+    private static byte[] getRandomKey(Element refList, WSDocInfo wsDocInfo) throws WSSecurityException
{
         try {
             String alg = "AES";
             int size = 16;
-            if (!dataRefURIs.isEmpty()) {
-                String uri = dataRefURIs.iterator().next();
-                Element ee = ReferenceListProcessor.findEncryptedDataElement(doc, wsDocInfo,
uri);
+            String uri = getFirstDataRefURI(refList);
+            
+            if (uri != null) {
+                Element ee = 
+                    ReferenceListProcessor.findEncryptedDataElement(refList.getOwnerDocument(),

+                                                                    wsDocInfo, uri);
                 String algorithmURI = X509Util.getEncAlgo(ee);
                 alg = JCEMapper.getJCEKeyAlgorithmFromURI(algorithmURI);
                 size = KeyUtils.getKeyLength(algorithmURI);
@@ -301,6 +298,24 @@ public class EncryptedKeyProcessor imple
         }
     }
     
+    private static String getFirstDataRefURI(Element refList) {
+        // Lookup the references that are encrypted with this key
+        if (refList != null) {
+            for (Node node = refList.getFirstChild(); node != null; node = node.getNextSibling())
{
+                if (Node.ELEMENT_NODE == node.getNodeType()
+                        && WSConstants.ENC_NS.equals(node.getNamespaceURI())
+                        && "DataReference".equals(node.getLocalName())) {
+                    String dataRefURI = ((Element) node).getAttributeNS(null, "URI");
+                    if (dataRefURI.charAt(0) == '#') {
+                        dataRefURI = dataRefURI.substring(1);
+                    }
+                    return dataRefURI;
+                }
+            }
+        }
+        return null;
+    }
+    
     /**
      * Method getDecodedBase64EncodedData
      *
@@ -477,50 +492,35 @@ public class EncryptedKeyProcessor imple
     }
     
     /**
-     * Find the list of all URIs that this encrypted Key references
-     */
-    private List<String> getDataRefURIs(Element xencEncryptedKey) {
-        // Lookup the references that are encrypted with this key
-        Element refList = 
-            WSSecurityUtil.getDirectChildElement(
-                xencEncryptedKey, "ReferenceList", WSConstants.ENC_NS
-            );
-        List<String> dataRefURIs = new LinkedList<>();
-        if (refList != null) {
-            for (Node node = refList.getFirstChild(); node != null; node = node.getNextSibling())
{
-                if (Node.ELEMENT_NODE == node.getNodeType()
-                        && WSConstants.ENC_NS.equals(node.getNamespaceURI())
-                        && "DataReference".equals(node.getLocalName())) {
-                    String dataRefURI = ((Element) node).getAttributeNS(null, "URI");
-                    if (dataRefURI.charAt(0) == '#') {
-                        dataRefURI = dataRefURI.substring(1);
-                    }
-                    dataRefURIs.add(dataRefURI);
-                }
-            }
-        }
-        return dataRefURIs;
-    }
-    
-    /**
      * Decrypt all data references
      */
-    private List<WSDataRef> decryptDataRefs(List<String> dataRefURIs, Document
doc,
-        WSDocInfo docInfo, byte[] decryptedBytes, RequestData data
+    private List<WSDataRef> decryptDataRefs(Element refList, WSDocInfo docInfo, 
+                                            byte[] decryptedBytes, RequestData data
     ) throws WSSecurityException {
         //
         // At this point we have the decrypted session (symmetric) key. According
         // to W3C XML-Enc this key is used to decrypt _any_ references contained in
         // the reference list
-        if (dataRefURIs == null || dataRefURIs.isEmpty()) {
+        if (refList == null) {
             return null;
         }
-        List<WSDataRef> dataRefs = new ArrayList<>(dataRefURIs.size());
-        for (String dataRefURI : dataRefURIs) {
-            WSDataRef dataRef = 
-                decryptDataRef(doc, dataRefURI, docInfo, decryptedBytes, data);
-            dataRefs.add(dataRef);
+        
+        List<WSDataRef> dataRefs = new ArrayList<>();
+        for (Node node = refList.getFirstChild(); node != null; node = node.getNextSibling())
{
+            if (Node.ELEMENT_NODE == node.getNodeType()
+                    && WSConstants.ENC_NS.equals(node.getNamespaceURI())
+                    && "DataReference".equals(node.getLocalName())) {
+                String dataRefURI = ((Element) node).getAttributeNS(null, "URI");
+                if (dataRefURI.charAt(0) == '#') {
+                    dataRefURI = dataRefURI.substring(1);
+                }
+                
+                WSDataRef dataRef = 
+                    decryptDataRef(refList.getOwnerDocument(), dataRefURI, docInfo, decryptedBytes,
data);
+                dataRefs.add(dataRef);
+            }
         }
+        
         return dataRefs;
     }
 

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java?rev=1663945&r1=1663944&r2=1663945&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java
Wed Mar  4 11:49:48 2015
@@ -101,10 +101,6 @@ public class ReferenceListProcessor impl
         WSDocInfo wsDocInfo
     ) throws WSSecurityException {
         List<WSDataRef> dataRefs = new ArrayList<>();
-        //find out if there's an EncryptedKey in the doc (AsymmetricBinding)
-        Element wsseHeaderElement = wsDocInfo.getSecurityHeader();
-        boolean asymBinding = WSSecurityUtil.getDirectChildElement(
-            wsseHeaderElement, WSConstants.ENC_KEY_LN, WSConstants.ENC_NS) != null;
         for (Node node = elem.getFirstChild(); 
             node != null; 
             node = node.getNextSibling()
@@ -121,7 +117,7 @@ public class ReferenceListProcessor impl
                 if (!wsDocInfo.hasResult(WSConstants.ENCR, dataRefURI)) {
                     WSDataRef dataRef = 
                         decryptDataRefEmbedded(
-                            elem.getOwnerDocument(), dataRefURI, data, wsDocInfo, asymBinding);
+                            elem.getOwnerDocument(), dataRefURI, data, wsDocInfo);
                     dataRefs.add(dataRef);
                 }
             }
@@ -138,8 +134,7 @@ public class ReferenceListProcessor impl
         Document doc, 
         String dataRefURI, 
         RequestData data,
-        WSDocInfo wsDocInfo,
-        boolean asymBinding
+        WSDocInfo wsDocInfo
     ) throws WSSecurityException {
         if (LOG.isDebugEnabled()) {
             LOG.debug("Found data reference: " + dataRefURI);
@@ -149,7 +144,7 @@ public class ReferenceListProcessor impl
         //
         Element encryptedDataElement = findEncryptedDataElement(doc, wsDocInfo, dataRefURI);
         
-        if (encryptedDataElement != null && asymBinding && data.isRequireSignedEncryptedDataElements())
{
+        if (encryptedDataElement != null && data.isRequireSignedEncryptedDataElements())
{
             List<WSSecurityEngineResult> signedResults = 
                 wsDocInfo.getResultsByTag(WSConstants.SIGN);
             WSSecurityUtil.verifySignedElement(encryptedDataElement, signedResults);
@@ -326,86 +321,13 @@ public class ReferenceListProcessor impl
         dataRef.setWsuId(dataRefURI);
         dataRef.setAlgorithm(symEncAlgo);
 
+        // See if it is an attachment, and handle that differently
         String typeStr = encData.getAttributeNS(null, "Type");
         if (typeStr != null &&
             (WSConstants.SWA_ATTACHMENT_ENCRYPTED_DATA_TYPE_CONTENT_ONLY.equals(typeStr)
||
             WSConstants.SWA_ATTACHMENT_ENCRYPTED_DATA_TYPE_COMPLETE.equals(typeStr))) {
 
-            try {
-                Element cipherData = WSSecurityUtil.getDirectChildElement(encData, "CipherData",
WSConstants.ENC_NS);
-                if (cipherData == null) {
-                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
-                }
-                Element cipherReference = WSSecurityUtil.getDirectChildElement(cipherData,
"CipherReference", WSConstants.ENC_NS);
-                if (cipherReference == null) {
-                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
-                }
-                String uri = cipherReference.getAttributeNS(null, "URI");
-                if (uri == null || uri.length() < 5) {
-                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
-                }
-                if (!uri.startsWith("cid:")) {
-                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
-                }
-                dataRef.setWsuId(uri);
-                dataRef.setAttachment(true);
-
-                CallbackHandler attachmentCallbackHandler = requestData.getAttachmentCallbackHandler();
-                if (attachmentCallbackHandler == null) {
-                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
-                }
-
-                final String attachmentId = uri.substring(4);
-
-                AttachmentRequestCallback attachmentRequestCallback = new AttachmentRequestCallback();
-                attachmentRequestCallback.setAttachmentId(attachmentId);
-
-                attachmentCallbackHandler.handle(new Callback[]{attachmentRequestCallback});
-                List<Attachment> attachments = attachmentRequestCallback.getAttachments();
-                if (attachments == null || attachments.isEmpty() || !attachmentId.equals(attachments.get(0).getId()))
{
-                    throw new WSSecurityException(
-                            WSSecurityException.ErrorCode.INVALID_SECURITY,
-                            "empty", "Attachment not found"
-                    );
-                }
-                Attachment attachment = attachments.get(0);
-
-                final String encAlgo = X509Util.getEncAlgo(encData);
-                final String jceAlgorithm =
-                        JCEMapper.translateURItoJCEID(encAlgo);
-                final Cipher cipher = Cipher.getInstance(jceAlgorithm);
-
-                InputStream attachmentInputStream =
-                        AttachmentUtils.setupAttachmentDecryptionStream(
-                                encAlgo, cipher, symmetricKey, attachment.getSourceStream());
-
-                Attachment resultAttachment = new Attachment();
-                resultAttachment.setId(attachment.getId());
-                resultAttachment.setMimeType(encData.getAttributeNS(null, "MimeType"));
-                resultAttachment.setSourceStream(attachmentInputStream);
-                resultAttachment.addHeaders(attachment.getHeaders());
-
-                if (WSConstants.SWA_ATTACHMENT_ENCRYPTED_DATA_TYPE_COMPLETE.equals(typeStr))
{
-                    AttachmentUtils.readAndReplaceEncryptedAttachmentHeaders(
-                            resultAttachment.getHeaders(), attachmentInputStream);
-                }
-
-                AttachmentResultCallback attachmentResultCallback = new AttachmentResultCallback();
-                attachmentResultCallback.setAttachment(resultAttachment);
-                attachmentResultCallback.setAttachmentId(resultAttachment.getId());
-                attachmentCallbackHandler.handle(new Callback[]{attachmentResultCallback});
-
-            } catch (UnsupportedCallbackException | IOException
-                | NoSuchAlgorithmException | NoSuchPaddingException e) {
-                throw new WSSecurityException(
-                        WSSecurityException.ErrorCode.FAILED_CHECK, e);
-            }
-
-            dataRef.setContent(true);
-            // Remove this EncryptedData from the security header to avoid processing it
again
-            encData.getParentNode().removeChild(encData);
-            
-            return dataRef;
+            return decryptAttachment(dataRefURI, encData, symmetricKey, symEncAlgo, requestData);
         }
 
         boolean content = X509Util.isContent(encData);
@@ -465,11 +387,95 @@ public class ReferenceListProcessor impl
         return dataRef;
     }
     
-    
-    public String getId() {
-        return null;
-    }
+    private static WSDataRef
+    decryptAttachment(
+        String dataRefURI,
+        Element encData,
+        SecretKey symmetricKey,
+        String symEncAlgo,
+        RequestData requestData
+    ) throws WSSecurityException {
+        WSDataRef dataRef = new WSDataRef();
+        dataRef.setWsuId(dataRefURI);
+        dataRef.setAlgorithm(symEncAlgo);
+        
+        try {
+            Element cipherData = WSSecurityUtil.getDirectChildElement(encData, "CipherData",
WSConstants.ENC_NS);
+            if (cipherData == null) {
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
+            }
+            Element cipherReference = WSSecurityUtil.getDirectChildElement(cipherData, "CipherReference",
WSConstants.ENC_NS);
+            if (cipherReference == null) {
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
+            }
+            String uri = cipherReference.getAttributeNS(null, "URI");
+            if (uri == null || uri.length() < 5) {
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
+            }
+            if (!uri.startsWith("cid:")) {
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
+            }
+            dataRef.setWsuId(uri);
+            dataRef.setAttachment(true);
+
+            CallbackHandler attachmentCallbackHandler = requestData.getAttachmentCallbackHandler();
+            if (attachmentCallbackHandler == null) {
+                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
+            }
+
+            final String attachmentId = uri.substring(4);
+
+            AttachmentRequestCallback attachmentRequestCallback = new AttachmentRequestCallback();
+            attachmentRequestCallback.setAttachmentId(attachmentId);
 
+            attachmentCallbackHandler.handle(new Callback[]{attachmentRequestCallback});
+            List<Attachment> attachments = attachmentRequestCallback.getAttachments();
+            if (attachments == null || attachments.isEmpty() || !attachmentId.equals(attachments.get(0).getId()))
{
+                throw new WSSecurityException(
+                        WSSecurityException.ErrorCode.INVALID_SECURITY,
+                        "empty", "Attachment not found"
+                );
+            }
+            Attachment attachment = attachments.get(0);
+
+            final String encAlgo = X509Util.getEncAlgo(encData);
+            final String jceAlgorithm =
+                    JCEMapper.translateURItoJCEID(encAlgo);
+            final Cipher cipher = Cipher.getInstance(jceAlgorithm);
+
+            InputStream attachmentInputStream =
+                    AttachmentUtils.setupAttachmentDecryptionStream(
+                            encAlgo, cipher, symmetricKey, attachment.getSourceStream());
+
+            Attachment resultAttachment = new Attachment();
+            resultAttachment.setId(attachment.getId());
+            resultAttachment.setMimeType(encData.getAttributeNS(null, "MimeType"));
+            resultAttachment.setSourceStream(attachmentInputStream);
+            resultAttachment.addHeaders(attachment.getHeaders());
+
+            String typeStr = encData.getAttributeNS(null, "Type");
+            if (WSConstants.SWA_ATTACHMENT_ENCRYPTED_DATA_TYPE_COMPLETE.equals(typeStr))
{
+                AttachmentUtils.readAndReplaceEncryptedAttachmentHeaders(
+                        resultAttachment.getHeaders(), attachmentInputStream);
+            }
+
+            AttachmentResultCallback attachmentResultCallback = new AttachmentResultCallback();
+            attachmentResultCallback.setAttachment(resultAttachment);
+            attachmentResultCallback.setAttachmentId(resultAttachment.getId());
+            attachmentCallbackHandler.handle(new Callback[]{attachmentResultCallback});
+
+        } catch (UnsupportedCallbackException | IOException
+            | NoSuchAlgorithmException | NoSuchPaddingException e) {
+            throw new WSSecurityException(
+                    WSSecurityException.ErrorCode.FAILED_CHECK, e);
+        }
+
+        dataRef.setContent(true);
+        // Remove this EncryptedData from the security header to avoid processing it again
+        encData.getParentNode().removeChild(encData);
+        
+        return dataRef;
+    }
     
     /**
      * @param decryptedNode the decrypted node

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java?rev=1663945&r1=1663944&r2=1663945&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
(original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
Wed Mar  4 11:49:48 2015
@@ -230,7 +230,7 @@ public class SignatureProcessor implemen
             buildProtectedRefs(
                 elem.getOwnerDocument(), xmlSignature.getSignedInfo(), data, wsDocInfo
             );
-        if (dataRefs.size() == 0) {
+        if (dataRefs.isEmpty()) {
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
         }
         
@@ -520,7 +520,7 @@ public class SignatureProcessor implemen
         RequestData requestData,
         WSDocInfo wsDocInfo
     ) throws WSSecurityException {
-        List<WSDataRef> protectedRefs = new ArrayList<>();
+        List<WSDataRef> protectedRefs = new ArrayList<>(signedInfo.getReferences().size());
         for (Object reference : signedInfo.getReferences()) {
             Reference siRef = (Reference)reference;
             String uri = siRef.getURI();



Mime
View raw message