ws-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1157825 - in /webservices/wss4j/trunk/src: main/java/org/apache/ws/security/message/ main/java/org/apache/ws/security/util/ test/java/org/apache/ws/security/message/
Date Mon, 15 Aug 2011 12:42:46 GMT
Author: coheigea
Date: Mon Aug 15 12:42:46 2011
New Revision: 1157825

URL: http://svn.apache.org/viewvc?rev=1157825&view=rev
Log:
[WSS-304,WSS-306] - Using KeyGenerator to generate ephemeral keys and using WRAP_MODE

Modified:
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncryptedKey.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java
    webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureEncryptionTest.java
    webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SymmetricSignatureTest.java

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java?rev=1157825&r1=1157824&r2=1157825&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java
Mon Aug 15 12:42:46 2011
@@ -29,7 +29,6 @@ import org.apache.ws.security.message.to
 import org.apache.ws.security.message.token.SecurityTokenReference;
 import org.apache.ws.security.util.Base64;
 import org.apache.ws.security.util.WSSecurityUtil;
-import org.apache.xml.security.algorithms.JCEMapper;
 import org.apache.xml.security.encryption.EncryptedData;
 import org.apache.xml.security.encryption.XMLCipher;
 import org.apache.xml.security.encryption.XMLEncryptionException;
@@ -43,7 +42,6 @@ import org.w3c.dom.Node;
 import javax.crypto.KeyGenerator;
 import javax.crypto.SecretKey;
 
-import java.security.NoSuchAlgorithmException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.List;
@@ -59,18 +57,11 @@ public class WSSecEncrypt extends WSSecE
     private static org.apache.commons.logging.Log log = 
         org.apache.commons.logging.LogFactory.getLog(WSSecEncrypt.class);
     
-    protected String symEncAlgo = WSConstants.AES_128;
-
     protected byte[] embeddedKey = null;
 
     protected String embeddedKeyName = null;
 
     /**
-     * Symmetric key used in the EncrytpedKey.
-     */
-    protected SecretKey symmetricKey = null;
-
-    /**
      * SecurityTokenReference to be inserted into EncryptedData/keyInfo element.
      */
     protected SecurityTokenReference securityTokenReference = null;
@@ -96,6 +87,7 @@ public class WSSecEncrypt extends WSSecE
     public WSSecEncrypt() {
         super();
     }
+    
     public WSSecEncrypt(WSSConfig config) {
         super(config);
     }
@@ -134,40 +126,6 @@ public class WSSecEncrypt extends WSSecE
     
     
     /**
-     * Set the name of the symmetric encryption algorithm to use.
-     * 
-     * This encryption algorithm is used to encrypt the data. If the algorithm
-     * is not set then AES128 is used. Refer to WSConstants which algorithms are
-     * supported.
-     * 
-     * @param algo Is the name of the encryption algorithm
-     * @see WSConstants#TRIPLE_DES
-     * @see WSConstants#AES_128
-     * @see WSConstants#AES_192
-     * @see WSConstants#AES_256
-     */
-    public void setSymmetricEncAlgorithm(String algo) {
-        symEncAlgo = algo;
-    }
-
-    
-    /**
-     * Get the name of symmetric encryption algorithm to use.
-     * 
-     * The name of the encryption algorithm to encrypt the data, i.e. the SOAP
-     * Body. Refer to WSConstants which algorithms are supported.
-     * 
-     * @return the name of the currently selected symmetric encryption algorithm
-     * @see WSConstants#TRIPLE_DES
-     * @see WSConstants#AES_128
-     * @see WSConstants#AES_192
-     * @see WSConstants#AES_256
-     */
-    public String getSymmetricEncAlgorithm() {
-        return symEncAlgo;
-    }
-    
-    /**
      * Initialize a WSSec Encrypt.
      * 
      * The method prepares and initializes a WSSec Encrypt structure after the
@@ -220,7 +178,7 @@ public class WSSecEncrypt extends WSSecE
                 }
                 remoteCert = certs[0];
             }
-            prepareInternal(ephemeralKey, remoteCert, crypto);
+            prepareInternal(symmetricKey, remoteCert, crypto);
         } else {
             encryptedEphemeralKey = ephemeralKey;
         }
@@ -598,29 +556,6 @@ public class WSSecEncrypt extends WSSecE
         return keyInfo;
     }
 
-
-    private KeyGenerator getKeyGenerator() throws WSSecurityException {
-        try {
-            //
-            // Assume AES as default, so initialize it
-            //
-            String keyAlgorithm = JCEMapper.getJCEKeyAlgorithmFromURI(symEncAlgo);
-            KeyGenerator keyGen = KeyGenerator.getInstance(keyAlgorithm);
-            if (symEncAlgo.equalsIgnoreCase(WSConstants.AES_128)) {
-                keyGen.init(128);
-            } else if (symEncAlgo.equalsIgnoreCase(WSConstants.AES_192)) {
-                keyGen.init(192);
-            } else if (symEncAlgo.equalsIgnoreCase(WSConstants.AES_256)) {
-                keyGen.init(256);
-            }
-            return keyGen;
-        } catch (NoSuchAlgorithmException e) {
-            throw new WSSecurityException(
-                WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, e
-            );
-        }
-    }
-
     /**
      * Create DOM subtree for <code>xenc:EncryptedKey</code>
      * 
@@ -646,22 +581,6 @@ public class WSSecEncrypt extends WSSecE
     }
 
     /**
-     * @return The symmetric key
-     */
-    public SecretKey getSymmetricKey() {
-        return symmetricKey;
-    }
-
-    /**
-     * Set the symmetric key to be used for encryption
-     * 
-     * @param key
-     */
-    public void setSymmetricKey(SecretKey key) {
-        this.symmetricKey = key;
-    }
-
-    /**
      * @return Return the SecurityTokenRefernce
      */
     public SecurityTokenReference getSecurityTokenReference() {

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncryptedKey.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncryptedKey.java?rev=1157825&r1=1157824&r2=1157825&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncryptedKey.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncryptedKey.java
Mon Aug 15 12:42:46 2011
@@ -20,11 +20,13 @@
 package org.apache.ws.security.message;
 
 import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
 import java.security.cert.X509Certificate;
 
-import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
 import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSSConfig;
@@ -39,6 +41,7 @@ import org.apache.ws.security.message.to
 import org.apache.ws.security.message.token.X509Security;
 import org.apache.ws.security.util.UUIDGenerator;
 import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.xml.security.algorithms.JCEMapper;
 
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
@@ -69,6 +72,11 @@ public class WSSecEncryptedKey extends W
      * Session key used as the secret in key derivation
      */
     protected byte[] ephemeralKey;
+    
+    /**
+     * Symmetric key used in the EncryptedKey.
+     */
+    protected SecretKey symmetricKey = null;
 
     /**
      * Encrypted bytes of the ephemeral key
@@ -84,6 +92,11 @@ public class WSSecEncryptedKey extends W
      * Algorithm used to encrypt the ephemeral key
      */
     protected String keyEncAlgo = WSConstants.KEYTRANSPORT_RSA15;
+    
+    /**
+     * Algorithm to be used with the ephemeral key
+     */
+    protected String symEncAlgo = WSConstants.AES_128;
 
     /**
      * xenc:EncryptedKey element
@@ -123,6 +136,7 @@ public class WSSecEncryptedKey extends W
     public WSSecEncryptedKey() {
         super();
     }
+    
     public WSSecEncryptedKey(WSSConfig config) {
         super(config);
     }
@@ -167,7 +181,15 @@ public class WSSecEncryptedKey extends W
         // Set up the ephemeral key
         //
         if (ephemeralKey == null) {
-            ephemeralKey = generateEphemeralKey();
+            if (symmetricKey == null) {
+                KeyGenerator keyGen = getKeyGenerator();
+                symmetricKey = keyGen.generateKey();
+            } 
+            ephemeralKey = symmetricKey.getEncoded();
+        }
+        
+        if (symmetricKey == null) {
+            symmetricKey = WSSecurityUtil.prepareSecretKey(symEncAlgo, ephemeralKey);
         }
 
         //
@@ -189,7 +211,7 @@ public class WSSecEncryptedKey extends W
             remoteCert = certs[0];
         }
         
-        prepareInternal(ephemeralKey, remoteCert, crypto);
+        prepareInternal(symmetricKey, remoteCert, crypto);
     }
 
     /**
@@ -198,20 +220,20 @@ public class WSSecEncryptedKey extends W
      * This method does the most work for to prepare the EncryptedKey element.
      * It is also used by the WSSecEncrypt sub-class.
      * 
-     * @param keyBytes The bytes that represent the symmetric key
+     * @param secretKey The symmetric key
      * @param remoteCert The certificate that contains the public key to encrypt the
      *                   symmetric key data
      * @param crypto An instance of the Crypto API to handle keystore and certificates
      * @throws WSSecurityException
      */
     protected void prepareInternal(
-        byte[] keyBytes, 
+        SecretKey secretKey, 
         X509Certificate remoteCert,
         Crypto crypto
     ) throws WSSecurityException {
         Cipher cipher = WSSecurityUtil.getCipherInstance(keyEncAlgo);
         try {
-            cipher.init(Cipher.ENCRYPT_MODE, remoteCert);
+            cipher.init(Cipher.WRAP_MODE, remoteCert);
         } catch (InvalidKeyException e) {
             throw new WSSecurityException(
                 WSSecurityException.FAILED_ENCRYPTION, null, null, e
@@ -220,20 +242,12 @@ public class WSSecEncryptedKey extends W
         int blockSize = cipher.getBlockSize();
         if (doDebug) {
             log.debug(
-                "cipher blksize: " + blockSize
-                + ", symm key length: " + keyBytes.length
-            );
-        }
-        if (blockSize > 0 && blockSize < keyBytes.length) {
-            throw new WSSecurityException(
-                WSSecurityException.FAILURE,
-                "unsupportedKeyTransp",
-                new Object[] {"public key algorithm too weak to encrypt symmetric key"}
+                "cipher blksize: " + blockSize + ", symm key: " + secretKey.toString()
             );
         }
         
         try {
-            encryptedEphemeralKey = cipher.doFinal(keyBytes);
+            encryptedEphemeralKey = cipher.wrap(secretKey);
         } catch (IllegalStateException ex) {
             throw new WSSecurityException(
                 WSSecurityException.FAILED_ENCRYPTION, null, null, ex
@@ -242,7 +256,7 @@ public class WSSecEncryptedKey extends W
             throw new WSSecurityException(
                 WSSecurityException.FAILED_ENCRYPTION, null, null, ex
             );
-        } catch (BadPaddingException ex) {
+        } catch (InvalidKeyException ex) {
             throw new WSSecurityException(
                 WSSecurityException.FAILED_ENCRYPTION, null, null, ex
             );
@@ -375,17 +389,27 @@ public class WSSecEncryptedKey extends W
         envelope = document.getDocumentElement();
     }
 
-    /**
-     * Create an ephemeral key
-     * 
-     * @return an ephemeral key
-     * @throws WSSecurityException
-     */
-    protected byte[] generateEphemeralKey() throws WSSecurityException {
+    protected KeyGenerator getKeyGenerator() throws WSSecurityException {
         try {
-            return WSSecurityUtil.generateNonce(this.keySize / 8);
-        } catch (Exception e) {
-            throw new WSSecurityException("Error in creating the ephemeral key", e);
+            //
+            // Assume AES as default, so initialize it
+            //
+            String keyAlgorithm = JCEMapper.getJCEKeyAlgorithmFromURI(symEncAlgo);
+            KeyGenerator keyGen = KeyGenerator.getInstance(keyAlgorithm);
+            if (symEncAlgo.equalsIgnoreCase(WSConstants.AES_128)) {
+                keyGen.init(128);
+            } else if (symEncAlgo.equalsIgnoreCase(WSConstants.AES_192)) {
+                keyGen.init(192);
+            } else if (symEncAlgo.equalsIgnoreCase(WSConstants.AES_256)) {
+                keyGen.init(256);
+            } else {
+                keyGen.init(keySize);
+            }
+            return keyGen;
+        } catch (NoSuchAlgorithmException e) {
+            throw new WSSecurityException(
+                WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, e
+            );
         }
     }
 
@@ -526,7 +550,7 @@ public class WSSecEncryptedKey extends W
         }
         return null;
     }
-
+    
     public void setKeySize(int keySize) throws WSSecurityException {
         if (keySize < 64) {
             // Minimum size has to be 64 bits - E.g. A DES key
@@ -589,4 +613,56 @@ public class WSSecEncryptedKey extends W
     public void setCustomEKTokenId(String customEKTokenId) {
         this.customEKTokenId = customEKTokenId;
     }
+    
+    /**
+     * Set the name of the symmetric encryption algorithm to use.
+     * 
+     * This encryption algorithm is used to encrypt the data. If the algorithm
+     * is not set then AES128 is used. Refer to WSConstants which algorithms are
+     * supported.
+     * 
+     * @param algo Is the name of the encryption algorithm
+     * @see WSConstants#TRIPLE_DES
+     * @see WSConstants#AES_128
+     * @see WSConstants#AES_192
+     * @see WSConstants#AES_256
+     */
+    public void setSymmetricEncAlgorithm(String algo) {
+        symEncAlgo = algo;
+    }
+
+    
+    /**
+     * Get the name of symmetric encryption algorithm to use.
+     * 
+     * The name of the encryption algorithm to encrypt the data, i.e. the SOAP
+     * Body. Refer to WSConstants which algorithms are supported.
+     * 
+     * @return the name of the currently selected symmetric encryption algorithm
+     * @see WSConstants#TRIPLE_DES
+     * @see WSConstants#AES_128
+     * @see WSConstants#AES_192
+     * @see WSConstants#AES_256
+     */
+    public String getSymmetricEncAlgorithm() {
+        return symEncAlgo;
+    }
+    
+    /**
+     * @return The symmetric key
+     */
+    public SecretKey getSymmetricKey() {
+        return symmetricKey;
+    }
+
+    /**
+     * Set the symmetric key to be used for encryption
+     * 
+     * @param key
+     */
+    public void setSymmetricKey(SecretKey key) {
+        this.symmetricKey = key;
+    }
+
+
 }

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java?rev=1157825&r1=1157824&r2=1157825&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java
Mon Aug 15 12:42:46 2011
@@ -1004,7 +1004,7 @@ public class WSSecurityUtil {
         try {
             if (random == null) {
                 random = SecureRandom.getInstance("SHA1PRNG");
-                random.setSeed(System.currentTimeMillis());
+                random.setSeed(System.nanoTime());
             }
             byte[] temp = new byte[length];
             random.nextBytes(temp);

Modified: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureEncryptionTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureEncryptionTest.java?rev=1157825&r1=1157824&r2=1157825&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureEncryptionTest.java
(original)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureEncryptionTest.java
Mon Aug 15 12:42:46 2011
@@ -383,7 +383,7 @@ public class SignatureEncryptionTest ext
         WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
         encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
         encrKey.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
-        encrKey.setKeySize(192);
+        encrKey.setSymmetricEncAlgorithm(WSConstants.AES_192);
         encrKey.prepare(doc, crypto);   
 
         WSSecEncrypt encrypt = new WSSecEncrypt();

Modified: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SymmetricSignatureTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SymmetricSignatureTest.java?rev=1157825&r1=1157824&r2=1157825&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SymmetricSignatureTest.java
(original)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SymmetricSignatureTest.java
Mon Aug 15 12:42:46 2011
@@ -124,7 +124,7 @@ public class SymmetricSignatureTest exte
         WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
         encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
         encrKey.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
-        encrKey.setKeySize(192);
+        encrKey.setSymmetricEncAlgorithm(WSConstants.AES_192);
         encrKey.prepare(doc, crypto);
         
         WSSecSignature sign = new WSSecSignature();
@@ -165,7 +165,7 @@ public class SymmetricSignatureTest exte
         WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
         encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
         encrKey.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
-        encrKey.setKeySize(192);
+        encrKey.setSymmetricEncAlgorithm(WSConstants.AES_192);
         encrKey.prepare(doc, crypto);   
         
         WSSecEncrypt encrypt = new WSSecEncrypt();



Mime
View raw message