ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1733039 - in /webservices/wss4j/branches/2_1_x-fixes: ws-security-common/src/main/java/org/apache/wss4j/common/util/KeyUtils.java ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
Date Tue, 01 Mar 2016 11:06:25 GMT
Author: coheigea
Date: Tue Mar  1 11:06:24 2016
New Revision: 1733039

URL: http://svn.apache.org/viewvc?rev=1733039&view=rev
Log:
Respects provider when creating Cipher instances

Modified:
    webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/util/KeyUtils.java
    webservices/wss4j/branches/2_1_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java

Modified: webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/util/KeyUtils.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/util/KeyUtils.java?rev=1733039&r1=1733038&r2=1733039&view=diff
==============================================================================
--- webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/util/KeyUtils.java
(original)
+++ webservices/wss4j/branches/2_1_x-fixes/ws-security-common/src/main/java/org/apache/wss4j/common/util/KeyUtils.java
Tue Mar  1 11:06:24 2016
@@ -19,24 +19,25 @@
 
 package org.apache.wss4j.common.util;
 
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.xml.security.algorithms.JCEMapper;
+import org.apache.xml.security.encryption.XMLCipher;
+import org.apache.xml.security.utils.JavaUtils;
 
 import javax.crypto.Cipher;
 import javax.crypto.KeyGenerator;
 import javax.crypto.NoSuchPaddingException;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
-
-import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.xml.security.algorithms.JCEMapper;
-import org.apache.xml.security.encryption.XMLCipher;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
 
 public final class KeyUtils {
     private static final org.slf4j.Logger LOG =
             org.slf4j.LoggerFactory.getLogger(KeyUtils.class);
     private static final int MAX_SYMMETRIC_KEY_SIZE = 1024;
+    public static final String RSA_ECB_OAEPWITH_SHA1_AND_MGF1_PADDING = "RSA/ECB/OAEPWithSHA1AndMGF1Padding";
 
     /**
      * A cached MessageDigest object
@@ -50,7 +51,7 @@ public final class KeyUtils {
     /**
      * Returns the length of the key in # of bytes
      *
-     * @param algorithm
+     * @param algorithm the URI of the algorithm. See http://www.w3.org/TR/xmlenc-core1/
      * @return the key length
      */
     public static int getKeyLength(String algorithm) throws WSSecurityException {
@@ -118,45 +119,86 @@ public final class KeyUtils {
         }
     }
 
-
     /**
      * Translate the "cipherAlgo" URI to a JCE ID, and return a javax.crypto.Cipher instance
      * of this type.
+     * @param cipherAlgo The cipher in it's WSS URI form,
+     *                   ref. https://www.w3.org/TR/xmlenc-core1/#sec-Algorithms
      */
     public static Cipher getCipherInstance(String cipherAlgo)
         throws WSSecurityException {
-        try {
-            String keyAlgorithm = JCEMapper.translateURItoJCEID(cipherAlgo);
-            String provider = JCEMapper.getProviderId();
+        return getCipherInstance(cipherAlgo, null);
+    }
 
+    /**
+     * Translate the "cipherAlgo" URI to a JCE ID, and request a javax.crypto.Cipher instance
+     * of this type from the given provider.
+     *
+     * @param cipherAlgo The cipher in it's WSS URI form, ref. https://www.w3.org/TR/xmlenc-core1/#sec-Algorithms
+     * @param provider   The provider which shall instantiate the cipher.
+     */
+    public static Cipher getCipherInstance(String cipherAlgo, String provider)
+            throws WSSecurityException {
+        String keyAlgorithm = JCEMapper.translateURItoJCEID(cipherAlgo);
+        if (keyAlgorithm == null) {
+            throw new WSSecurityException(
+                    WSSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, "unsupportedKeyTransp",
+                    new Object[]{"No such algorithm: \"" + cipherAlgo + "\""});
+        }
+
+        if (provider == null) {
+            provider = JCEMapper.getProviderId();
+        } else {
+            JavaUtils.checkRegisterPermission();
+        }
+
+        try {
             if (provider == null) {
                 return Cipher.getInstance(keyAlgorithm);
+            } else {
+                return Cipher.getInstance(keyAlgorithm, provider);
             }
-            return Cipher.getInstance(keyAlgorithm, provider);
-        } catch (NoSuchPaddingException ex) {
-            throw new WSSecurityException(
-                WSSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, ex, "unsupportedKeyTransp",
-                new Object[] {"No such padding: \"" + cipherAlgo + "\""});
-        } catch (NoSuchAlgorithmException ex) {
-            // Check to see if an RSA OAEP MGF-1 with SHA-1 algorithm was requested
-            // Some JDKs don't support RSA/ECB/OAEPPadding
+        } catch (NoSuchPaddingException | NoSuchAlgorithmException e) {
             if (XMLCipher.RSA_OAEP.equals(cipherAlgo)) {
+                // Check to see if an RSA OAEP MGF-1 with SHA-1 algorithm was requested
+                // Some JCE implementations don't support RSA/ECB/OAEPPadding (e.g. nCipherKM
of Thales)
                 try {
-                    return Cipher.getInstance("RSA/ECB/OAEPWithSHA1AndMGF1Padding");
-                } catch (Exception e) {
+                    if (provider == null) {
+                        return Cipher.getInstance(RSA_ECB_OAEPWITH_SHA1_AND_MGF1_PADDING);
+                    } else {
+                        return Cipher.getInstance(RSA_ECB_OAEPWITH_SHA1_AND_MGF1_PADDING,
provider);
+                    }
+                } catch (NoSuchProviderException ex1) {
+                    throw new WSSecurityException(
+                        WSSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, ex1, "unsupportedKeyTransp",
+                        new Object[]{
+                            "No such provider \"" + JCEMapper.getProviderId() + "\" for \""
+                                + RSA_ECB_OAEPWITH_SHA1_AND_MGF1_PADDING + "\""
+                        });
+                } catch (NoSuchPaddingException ex1) {
                     throw new WSSecurityException(
                         WSSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, e, "unsupportedKeyTransp",
-                        new Object[] {"No such algorithm: \"" + cipherAlgo + "\""});
+                        new Object[]{"No such padding: \"" + RSA_ECB_OAEPWITH_SHA1_AND_MGF1_PADDING
+ "\""});
+                } catch (NoSuchAlgorithmException ex1) {
+                    throw new WSSecurityException(
+                        WSSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, e, "unsupportedKeyTransp",
+                        new Object[]{"No such algorithm: \"" + RSA_ECB_OAEPWITH_SHA1_AND_MGF1_PADDING
+ "\""});
                 }
             } else {
-                throw new WSSecurityException(
-                    WSSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, ex, "unsupportedKeyTransp",
-                    new Object[] {"No such algorithm: \"" + cipherAlgo + "\""});
+                if (e instanceof NoSuchAlgorithmException) {
+                    throw new WSSecurityException(
+                        WSSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, e, "unsupportedKeyTransp",
+                        new Object[]{"No such algorithm: \"" + keyAlgorithm + "\""});
+                } else {
+                    throw new WSSecurityException(
+                        WSSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, e, "unsupportedKeyTransp",
+                        new Object[]{"No such padding: \"" + keyAlgorithm + "\""});
+                }
             }
         } catch (NoSuchProviderException ex) {
             throw new WSSecurityException(
                 WSSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, ex, "unsupportedKeyTransp",
-                new Object[] {"No such provider " + JCEMapper.getProviderId() + " for: \""
+ cipherAlgo + "\""});
+                new Object[]{"No such provider \"" + JCEMapper.getProviderId() + "\" for
\"" + keyAlgorithm + "\""});
         }
     }
 

Modified: webservices/wss4j/branches/2_1_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/2_1_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java?rev=1733039&r1=1733038&r2=1733039&view=diff
==============================================================================
--- webservices/wss4j/branches/2_1_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
(original)
+++ webservices/wss4j/branches/2_1_x-fixes/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
Tue Mar  1 11:06:24 2016
@@ -294,7 +294,8 @@ public class EncryptedKeyProcessor imple
         if (data.getDecCrypto() == null) {
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noDecCryptoFile");
         }
-        Cipher cipher = KeyUtils.getCipherInstance(encryptedKeyTransportMethod);
+        String cryptoProvider = data.getDecCrypto().getCryptoProvider();
+        Cipher cipher = KeyUtils.getCipherInstance(encryptedKeyTransportMethod, cryptoProvider);
         try {
             OAEPParameterSpec oaepParameterSpec = null;
             if (WSConstants.KEYTRANSPORT_RSAOAEP.equals(encryptedKeyTransportMethod)
@@ -331,6 +332,7 @@ public class EncryptedKeyProcessor imple
                         jceDigestAlgorithm, "MGF1", mgfParameterSpec, pSource
                     );
             }
+
             if (oaepParameterSpec == null) {
                 cipher.init(Cipher.UNWRAP_MODE, privateKey);
             } else {



Mime
View raw message