ws-commits mailing list archives

From dk...@apache.org
Subject [ws-wss4j] 02/03: Merged latest 1.5.4 branch changes to 1.5.4 tag, in preparation for release.
Date Thu, 31 Oct 2019 14:35:59 GMT
This is an automated email from the ASF dual-hosted git repository.

dkulp pushed a commit to annotated tag 1_5_4
in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git

commit 7081b1452f6991ef0f602a9854a49c1168f792a4
Author: Fred Dushin <fadushin@apache.org>
AuthorDate: Tue May 27 14:54:37 2008 +0000

    Merged latest 1.5.4 branch changes to 1.5.4 tag, in preparation for release.
---
 ChangeLog.txt                                      |  51 +++++
 README.txt                                         |   2 +-
 pom.xml                                            |  39 +++-
 .../apache/ws/security/message/WSSecEncrypt.java   |   4 +
 .../ws/security/message/WSSecEncryptedKey.java     |   8 +
 .../ws/security/processor/SignatureProcessor.java  |  14 +-
 test/wssec/PackageTests.java                       |   1 +
 test/wssec/TestWSSecurityNew16.java                | 222 +++++++++++++++++++++
 wss4j-readme.html                                  |   4 +-
 xdocs/index.xml                                    |   2 +-
 10 files changed, 340 insertions(+), 7 deletions(-)

diff --git a/ChangeLog.txt b/ChangeLog.txt
new file mode 100644
index 0000000..160da60
--- /dev/null
+++ b/ChangeLog.txt
@@ -0,0 +1,51 @@
+
+This file contains a listing of all Jira tickets that have been closed
+for a given release.  
+
+Portions of this report were generated using the ReleaseNotes facility
+in Jira.
+
+Release 1.5.4
+=============
+
+** Bug
+    * [WSS-51] - Incorrect test for null in WSHandler
+    * [WSS-52] - ArrayIndexOutOfBoundsException if certs.length > 1
+    * [WSS-54] - UsernameTokenProcessor not processing unhashed UsernameToken
+    * [WSS-56] - WSS4j statically inserts Bouncycastle and Juice in list of JCE providers
+    * [WSS-66] - Possible security hole when PasswordDigest is used by client.
+    * [WSS-68] - No way to create a UsernameToken with absent <Password> element
+    * [WSS-70] - WSHandler checkReceiverResults causes security problem
+    * [WSS-82] - Add the ability to use a custom-loaded JCE provider instance instead of
using the system-provided one
+    * [WSS-89] - Error in verifying the signature with encrypted key
+    * [WSS-93] - xmlsec NPE on Reference URI and ValueType attributes
+    * [WSS-95] - Missing NOTICE file in WSS4J release
+    * [WSS-96] - Error when making a signature when containing a WSSecTimestamp
+    * [WSS-97] - Merlin passes invalid OID to getExtensionValue
+    * [WSS-100] - Bug in wsse11 element creation
+    * [WSS-101] - Bug in Encrypted SOAP Header creation
+    * [WSS-103] - BinarySecurityToken processor does not allow for custom token types
+    * [WSS-105] - Make WSS4J compliant with X.509 1.1 specification
+    * [WSS-106] - Certs are expired in wss4j.keystore
+    * [WSS-108] - Some work on KeyIdentifiers
+    * [WSS-109] - Review of error handling messages
+    * [WSS-112] - DerivedKeyProcessor is overwritten if more derivedkeys are present in a
Soap Message.
+    * [WSS-113] - Bug in WSHandler#getPassword
+    * [WSS-114] - Some test reports are deleted by intermediate tasks in the ant build
+    * [WSS-116] - EncryptedKeyProcessor fails to record QName of decrypted element
+
+** Improvement
+    * [WSS-37] - Make it easier to set key-stores programmatically
+    * [WSS-38] - Make it easier to set key-stores programmatically
+    * [WSS-74] - Allow Actions and Processors to be customizable
+    * [WSS-80] - Doc fixes to main WSS4J page
+    * [WSS-88] - SecureRandom.getInstance("SHA1PRNG") is slow on IBM JDK 1.4.2 (And perhaps
others)
+    * [WSS-92] - Support for Encrypted Header 
+    * [WSS-104] - Reference List processor should provide more information
+    * [WSS-107] - X509NameTokenizer.java contains Bouncy Castle JCE copyright code
+
+
+Version prior to 1.5.4
+======================
+
+no record
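Review bot: In the Improvement list, WSS-37 and WSS-38 carry the identical summary "Make it easier to set key-stores programmatically"; if they are duplicates, list one, otherwise word them so they can be told apart. Separately, WSS-66 ("Possible security hole when PasswordDigest is used by client") and WSS-70 ("WSHandler checkReceiverResults causes security problem") sit in the general Bug list with no indication of impact; a short security-fixes subsection would help users of earlier releases decide whether to upgrade.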
diff --git a/README.txt b/README.txt
index 102cb54..dfd2406 100644
--- a/README.txt
+++ b/README.txt
@@ -87,7 +87,7 @@ about the certificate keystores you use. The property files and the keystore
 are accessed either as resources via classpath or, if that fails, as files
 using the relative path of the application
 
-Thus no specific installation is required. The wss4j-1.5.1.jar file could be 
+Thus no specific installation is required. The wss4j jar file could be 
 included into ear or war files of enterprise or web application servers.
 
 Please refer to the JAVADOC files of the distribution for further 
diff --git a/pom.xml b/pom.xml
index 9a4c0a1..8294938 100644
--- a/pom.xml
+++ b/pom.xml
@@ -17,7 +17,7 @@
     <url>http://ws.apache.org/wss4j/</url>
     <issueManagement>
         <system>JIRA</system>
-        <url>http://issues.apache.org/jira/browse/WSS4J</url>
+        <url>http://issues.apache.org/jira/browse/WSS</url>
     </issueManagement>
     <ciManagement>
         <system>Continuum</system>
@@ -83,6 +83,14 @@
             <organization></organization>
         </developer>
   </developers>
+    
+    <contributors>
+        <contributor>
+            <name>Colm O hEigeartaigh</name>
+        </contributor>
+        <!-- ask permission to list others -->
+    </contributors>
+  
     <licenses>
         <license>
             <name>The Apache Software License, Version 2.0</name>
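Review bot: The comment `<!-- ask permission to list others -->` inside the new `<contributors>` block is an open to-do landing in a release tag. Track it in Jira instead, or resolve it before tagging, so the shipped POM does not carry unfinished notes.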
@@ -436,6 +444,18 @@
             </plugin-->
             <plugin>
                 <artifactId>maven-project-info-reports-plugin</artifactId>
+                <reportSets>
+                    <reportSet>
+                        <reports>
+                            <report>dependencies</report>
+                            <report>project-team</report>
+                            <report>mailing-list</report>
+                            <report>issue-tracking</report>
+                            <report>license</report>
+                            <report>scm</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
             </plugin>
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
@@ -447,6 +467,23 @@
               <artifactId>jxr-maven-plugin</artifactId>
               <version>2.0-beta-2-SNAPSHOT</version>
             </plugin-->
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-changes-plugin</artifactId>
+                <configuration>
+                    <onlyCurrentVersion>true</onlyCurrentVersion>
+                    <resolutionIds>Any</resolutionIds>
+                    <statusIds>Resolved, Closed</statusIds>
+                    <sortColumnNames>Key</sortColumnNames>
+                </configuration>
+                <reportSets>
+                    <reportSet>
+                        <reports>
+                            <report>jira-report</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
         </plugins>
     </reporting>
     <distributionManagement>
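Review bot: The new `maven-changes-plugin` block gives `groupId` and `artifactId` but no `<version>`, which leaves the plugin version to Maven's resolution at build time. Unless it is pinned elsewhere in the POM, add an explicit `<version>` here so the release site build is reproducible and does not pick up an unreviewed plugin release.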
diff --git a/src/org/apache/ws/security/message/WSSecEncrypt.java b/src/org/apache/ws/security/message/WSSecEncrypt.java
index f774dbe..6279352 100644
--- a/src/org/apache/ws/security/message/WSSecEncrypt.java
+++ b/src/org/apache/ws/security/message/WSSecEncrypt.java
@@ -296,6 +296,10 @@ public class WSSecEncrypt extends WSSecEncryptedKey {
         }
 
         prepare(doc, crypto);
+        
+        if (envelope == null) {
+            envelope = document.getDocumentElement();
+        }
 
         SOAPConstants soapConstants = WSSecurityUtil.getSOAPConstants(envelope);
         if (parts == null) {
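Review bot: The new null check assigns `envelope = document.getDocumentElement()`, while the call just above it uses the parameter `doc` (`prepare(doc, crypto)`). If `document` is a field that `prepare` populates, say so in a comment; otherwise use `doc.getDocumentElement()` so the fallback cannot dereference an unset field. The fallback also assumes the document element is the SOAP envelope, which `getSOAPConstants(envelope)` on the following line relies on, and that assumption deserves a comment too.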
diff --git a/src/org/apache/ws/security/message/WSSecEncryptedKey.java b/src/org/apache/ws/security/message/WSSecEncryptedKey.java
index 29a2caa..6f651bc 100644
--- a/src/org/apache/ws/security/message/WSSecEncryptedKey.java
+++ b/src/org/apache/ws/security/message/WSSecEncryptedKey.java
@@ -451,6 +451,14 @@ public class WSSecEncryptedKey extends WSSecBase {
     }
     
     /**
+     * Set the encrypted key element when a pre prepared encrypted key is used
+     * @param encryptedKeyElement EncryptedKey element of the encrypted key used
+     */
+    public void setEncryptedKeyElement(Element encryptedKeyElement) {
+        this.encryptedKeyElement = encryptedKeyElement;
+    }
+    
+    /**
      * @return Returns the BinarySecurityToken element.
      */
     public Element getBinarySecurityTokenElement() {
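Review bot: `setEncryptedKeyElement` stores its argument without checking for null or that the element is actually an EncryptedKey, and the Javadoc does not say what else the caller must set when supplying a pre-prepared key. Document the expected companion calls (the test added in this commit also calls `setEncKeyId`, `setEphemeralKey` and `setEncryptSymmKey(false)`) and consider rejecting a null element here rather than failing later during the build.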
diff --git a/src/org/apache/ws/security/processor/SignatureProcessor.java b/src/org/apache/ws/security/processor/SignatureProcessor.java
index 4ee1279..d2e6b07 100644
--- a/src/org/apache/ws/security/processor/SignatureProcessor.java
+++ b/src/org/apache/ws/security/processor/SignatureProcessor.java
@@ -236,8 +236,18 @@ public class SignatureProcessor implements Processor {
                         secretKey = samlKi.getSecret();
 
                     } else if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)){
-                        EncryptedKeyProcessor encryptKeyProcessor = new EncryptedKeyProcessor();
-                        encryptKeyProcessor.handleEncryptedKey((Element)token, cb, crypto);
+                        
+                        String encryptedKeyID = token.getAttributeNS(null,"Id");        
          
+                        EncryptedKeyProcessor encryptKeyProcessor = (EncryptedKeyProcessor)
+                                wsDocInfo.getProcessor(encryptedKeyID);
+                        
+                        if (encryptKeyProcessor == null ) {
+                        
+                            encryptKeyProcessor = new EncryptedKeyProcessor();
+                            encryptKeyProcessor.handleEncryptedKey((Element)token, cb, crypto);
+                        
+                        } 
+                        
                         secretKey = encryptKeyProcessor.getDecryptedBytes();
                      
                     }else {
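Review bot: The result of `wsDocInfo.getProcessor(encryptedKeyID)` is cast to `EncryptedKeyProcessor` without a type check, and `encryptedKeyID` comes from the incoming token's `Id` attribute, so an Id that maps to a processor of another type ends in a ClassCastException rather than a handled security failure. Guard the lookup with `instanceof` and fall back to creating a new `EncryptedKeyProcessor` when it does not match. `getAttributeNS(null,"Id")` also returns an empty string when the attribute is absent, so skip the lookup in that case instead of querying with an empty key.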
diff --git a/test/wssec/PackageTests.java b/test/wssec/PackageTests.java
index 81f7858..9d7f39f 100644
--- a/test/wssec/PackageTests.java
+++ b/test/wssec/PackageTests.java
@@ -63,6 +63,7 @@ public class PackageTests extends TestCase {
         suite.addTestSuite(TestWSSecurityNew12.class);
         suite.addTestSuite(TestWSSecurityNew13.class);
         suite.addTestSuite(TestWSSecurityNew14.class);
+        suite.addTestSuite(TestWSSecurityNew16.class);
         suite.addTestSuite(TestWSSecurityNewSOAP12.class);
         // suite.addTestSuite(TestWSSecurityHooks.class);
         suite.addTestSuite(TestWSSecurityNewST1.class);
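Review bot: The suite now goes from `TestWSSecurityNew14` straight to `TestWSSecurityNew16`. If a `TestWSSecurityNew15` exists in the tree, it is not registered here and will not run with the package tests; add it or note why it is left out.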
diff --git a/test/wssec/TestWSSecurityNew16.java b/test/wssec/TestWSSecurityNew16.java
new file mode 100644
index 0000000..a998799
--- /dev/null
+++ b/test/wssec/TestWSSecurityNew16.java
@@ -0,0 +1,222 @@
+/*
+ * Copyright  2003-2004 The Apache Software Foundation.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+
+package wssec;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.PrintWriter;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.xml.crypto.dsig.SignatureMethod;
+
+import junit.framework.Test;
+import junit.framework.TestCase;
+import junit.framework.TestSuite;
+
+import org.apache.axis.Message;
+import org.apache.axis.MessageContext;
+import org.apache.axis.SOAPPart;
+import org.apache.axis.client.AxisClient;
+import org.apache.axis.configuration.NullProvider;
+import org.apache.axis.message.SOAPEnvelope;
+import org.apache.axis.utils.XMLUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSPasswordCallback;
+import org.apache.ws.security.WSSecurityEngine;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.message.WSSecEncrypt;
+import org.apache.ws.security.message.WSSecEncryptedKey;
+import org.apache.ws.security.message.WSSecHeader;
+import org.apache.ws.security.message.WSSecSignature;
+import org.w3c.dom.Document;
+
+
+/**
+ * Test signature created using an encrypted key
+ * SOAP Body is signed and encrypted. In the encryption, The ReferencesList element is 
+ * put into the Encrypted Key, as a child of the EncryptedKey. Signature is created 
+ * using the encrypted key. 
+ */
+public class TestWSSecurityNew16 extends TestCase implements CallbackHandler {
+    private static Log log = LogFactory.getLog(TestWSSecurityNew16.class);
+    static final String soapMsg = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
+            "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"
xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">"
+
+            "   <soapenv:Body>" +
+            "      <ns1:testMethod xmlns:ns1=\"http://axis/service/security/test6/LogTestService8\"></ns1:testMethod>"
+
+            "   </soapenv:Body>" +
+            "</soapenv:Envelope>";
+
+    static final WSSecurityEngine secEngine = new WSSecurityEngine();
+    static final Crypto crypto = CryptoFactory.getInstance();
+    MessageContext msgContext;
+    Message message;
+
+    /**
+     * TestWSSecurity constructor
+     * <p/>
+     * 
+     * @param name name of the test
+     */
+    public TestWSSecurityNew16(String name) {
+        super(name);
+    }
+
+    /**
+     * JUnit suite
+     * <p/>
+     * 
+     * @return a junit test suite
+     */
+    public static Test suite() {
+        return new TestSuite(TestWSSecurityNew16.class);
+    }
+
+    /**
+     * Main method
+     * <p/>
+     * 
+     * @param args command line args
+     */
+    public static void main(String[] args) {
+        junit.textui.TestRunner.run(suite());
+    }
+
+    /**
+     * Setup method
+     * <p/>
+     * 
+     * @throws Exception Thrown when there is a problem in setup
+     */
+    protected void setUp() throws Exception {
+        AxisClient tmpEngine = new AxisClient(new NullProvider());
+        msgContext = new MessageContext(tmpEngine);
+        message = getSOAPMessage();
+    }
+
+    /**
+     * Constructs a soap envelope
+     * <p/>
+     * 
+     * @return soap envelope
+     * @throws Exception if there is any problem constructing the soap envelope
+     */
+    protected Message getSOAPMessage() throws Exception {
+        InputStream in = new ByteArrayInputStream(soapMsg.getBytes());
+        Message msg = new Message(in);
+        msg.setMessageContext(msgContext);
+        return msg;
+    }
+
+    /**
+     * Test that first signs, then encrypts a WS-Security envelope.
+     * <p/>
+     * 
+     * @throws Exception Thrown when there is any problem in signing, encryption,
+     *                   decryption, or verification
+     */
+    public void testEncryptedKeySignature() throws Exception {
+        
+        SOAPEnvelope unsignedEnvelope = message.getSOAPEnvelope();
+        log.info("Before Sign/Encryption....");
+        Document doc = unsignedEnvelope.getAsDocument();
+        
+        WSSecHeader secHeader = new WSSecHeader();
+        secHeader.insertSecurityHeader(doc);
+        
+        WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
+        encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
+        encrKey.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
+        encrKey.setKeySize(192);
+        encrKey.prepare(doc, crypto);   
+        
+        WSSecEncrypt encrypt = new WSSecEncrypt();
+        encrypt.setEncKeyId(encrKey.getId());
+        encrypt.setEphemeralKey(encrKey.getEphemeralKey());
+        encrypt.setSymmetricEncAlgorithm(WSConstants.TRIPLE_DES);
+        encrypt.setEncryptSymmKey(false);
+        encrypt.setEncryptedKeyElement(encrKey.getEncryptedKeyElement());
+
+        WSSecSignature sign = new WSSecSignature();
+        sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
+        sign.setCustomTokenId(encrKey.getId());
+        sign.setSecretKey(encrKey.getEphemeralKey());
+        sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
+
+        Document signedDoc = sign.build(doc, crypto, secHeader);
+        Document encryptedSignedDoc = encrypt.build(signedDoc, crypto, secHeader);
+        /*
+         * convert the resulting document into a message first. The toAxisPMessage()
+         * method performs the necessary c14n call to properly set up the signed
+         * document and convert it into a SOAP message. After that we extract it
+         * as a document again for further processing.
+         */
+
+        Message encryptedMsg = SOAPUtil.toAxisMessage(encryptedSignedDoc);
+        if (log.isDebugEnabled()) {
+            log.debug("Signed and encrypted message with IssuerSerial key identifier (both),
3DES:");
+            XMLUtils.PrettyElementToWriter(encryptedMsg.getSOAPEnvelope().getAsDOM(), new
PrintWriter(System.out));
+        }
+        
+        String s = encryptedMsg.getSOAPPartAsString();
+        ((SOAPPart)message.getSOAPPart()).setCurrentMessage(s, SOAPPart.FORM_STRING);
+                
+        Document encryptedSignedDoc1 = message.getSOAPEnvelope().getAsDocument();
+        log.info("After Sign/Encryption....");
+        verify(encryptedSignedDoc1);
+    }
+
+    /**
+     * Verifies the soap envelope
+     * <p/>
+     * 
+     * @param doc 
+     * @throws Exception Thrown when there is a problem in verification
+     */
+    private void verify(Document doc) throws Exception {
+        secEngine.processSecurityHeader(doc, null, this, crypto);
+        SOAPUtil.updateSOAPMessage(doc, message);
+        if (log.isDebugEnabled()) {
+            log.debug("Verfied and decrypted message:");
+            XMLUtils.PrettyElementToWriter(message.getSOAPEnvelope().getAsDOM(), new PrintWriter(System.out));
+        }
+    }
+
+    public void handle(Callback[] callbacks)
+            throws IOException, UnsupportedCallbackException {
+        for (int i = 0; i < callbacks.length; i++) {
+            if (callbacks[i] instanceof WSPasswordCallback) {
+                WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
+                /*
+                 * here call a function/method to lookup the password for
+                 * the given identifier (e.g. a user name or keystore alias)
+                 * e.g.: pc.setPassword(passStore.getPassword(pc.getIdentfifier))
+                 * for Testing we supply a fixed name here.
+                 */
+                pc.setPassword("security");
+            } else {
+                throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
+            }
+        }
+    }
+}
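Review bot: `testEncryptedKeySignature` contains no assertions; `verify` discards the return value of `secEngine.processSecurityHeader(doc, null, this, crypto)`, so the test passes as long as nothing throws. Assert that the returned results are non-null and contain both a signature result and an encryption result, so a regression that silently skips verification is caught. Two smaller points: the method Javadoc ("first signs, then encrypts") should say that the signature uses the EncryptedKey's ephemeral key, which is the case this test exists for, and `soapMsg.getBytes()` should name the charset declared in the XML prolog (UTF-8) rather than rely on the platform default.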
diff --git a/wss4j-readme.html b/wss4j-readme.html
index 82c2f88..74ffb2e 100644
--- a/wss4j-readme.html
+++ b/wss4j-readme.html
@@ -2,7 +2,7 @@
 <HTML>
 <HEAD>
 	<META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=utf-8">
-	<TITLE>Apache WSS4J-1.5.2</TITLE>
+	<TITLE>Apache WSS4J</TITLE>
 	<META NAME="GENERATOR" CONTENT="OpenOffice.org 1.9.79  (Linux)">
 	<META NAME="AUTHOR" CONTENT="Werner Dittmann">
 	<META NAME="CREATED" CONTENT="20050904;11070500">
@@ -106,7 +106,7 @@ either as resources via classpath or, if that fails, as files using
 the relative path of the application 
 </P>
 <P STYLE="margin-bottom: 0cm">Thus no specific installation is
-required. The wss4j-1.5.2.jar file should be included into ear or war files
+required. The wss4j jar file should be included into ear or war files
 of enterprise or web application servers.</P>
 <P STYLE="margin-bottom: 0cm">Please refer to the JAVADOC files of
 the distribution for further information how to use WSS4J, the
diff --git a/xdocs/index.xml b/xdocs/index.xml
index efcd985..9a14a99 100644
--- a/xdocs/index.xml
+++ b/xdocs/index.xml
@@ -58,7 +58,7 @@ Token Profile V1.0</a>
                 </ul>
             </subsection>
             <subsection name="Where can I download WSS4J">
-                <p style="margin-left: 40px;">Latest version of WSS4J is 1.5.2:<br/>
+                <p style="margin-left: 40px;">You can download the latest version of
WSS4J at the following URL:<br/>
                     <a href="http://www.apache.org/dyn/closer.cgi/ws/wss4j/">http://www.apache.org/dyn/closer.cgi/ws/wss4j/</a>
                 </p>
             </subsection>

