Author: anil.saldhana(a)jboss.com Date: 2009-02-08 22:41:50 -0500 (Sun, 08 Feb 2009) New Revision: 307 Added: identity-federation/trunk/identity-fed-api/src/test/java/org/jboss/test/identity/federation/api/util/ identity-federation/trunk/identity-fed-api/src/test/java/org/jboss/test/identity/federation/api/util/DocumentUtilUnitTestCase.java identity-federation/trunk/identity-fed-api/src/test/java/org/jboss/test/identity/federation/api/util/XMLEncryptionUnitTestCase.java identity-federation/trunk/identity-fed-api/src/test/resources/endorsed/ identity-federation/trunk/identity-fed-api/src/test/resources/endorsed/resolver.jar identity-federation/trunk/identity-fed-api/src/test/resources/endorsed/serializer.jar identity-federation/trunk/identity-fed-api/src/test/resources/endorsed/xalan.jar identity-federation/trunk/identity-fed-api/src/test/resources/endorsed/xercesImpl.jar identity-federation/trunk/identity-fed-api/src/test/resources/endorsed/xml-apis.jar identity-federation/trunk/identity-fed-api/src/test/resources/xml/ identity-federation/trunk/identity-fed-api/src/test/resources/xml/dom/ identity-federation/trunk/identity-fed-api/src/test/resources/xml/dom/enc-sample.xml Removed: identity-federation/trunk/identity-fed-api/src/test/java/org/jboss/test/identity/federation/api/saml/v2/XMLEncryptionUnitTestCase.java Modified: identity-federation/trunk/identity-fed-api/.classpath identity-federation/trunk/identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/response/SAML2Response.java identity-federation/trunk/identity-fed-api/src/main/java/org/jboss/identity/federation/api/util/XMLEncryptionUtil.java Log: JBID-47: xml enc support Modified: identity-federation/trunk/identity-fed-api/.classpath =================================================================== --- identity-federation/trunk/identity-fed-api/.classpath 2009-02-04 23:04:06 UTC (rev 306) +++ identity-federation/trunk/identity-fed-api/.classpath 2009-02-09 03:41:50 UTC (rev 307) @@ -7,7 +7,7 @@ <classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER"/> <classpathentry kind="var" path="M2_REPO/javax/xml/bind/jaxb-api/2.1/jaxb-api-2.1.jar"/> <classpathentry kind="var" path="M2_REPO/junit/junit/4.4/junit-4.4.jar"/> - <classpathentry kind="var" path="M2_REPO/sun-jaxb/jaxb-impl/2.1.9/jaxb-impl-2.1.9.jar"/> + <classpathentry kind="var" path="M2_REPO/sun-jaxb/jaxb-impl/2.1.9/jaxb-impl-2.1.9.jar" sourcepath="/M2_REPO/sun-jaxb/jaxb-impl/2.1.9/jaxb-impl-2.1.9-sources.jar"/> <classpathentry kind="var" path="M2_REPO/javax/xml/stream/stax-api/1.0-2/stax-api-1.0-2.jar"/> <classpathentry kind="var" path="M2_REPO/org/apache/xmlsec/1.4.1/xmlsec-1.4.1.jar"/> <classpathentry combineaccessrules="false" kind="src" path="/identity-fed-core"/> Modified: identity-federation/trunk/identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/response/SAML2Response.java =================================================================== --- identity-federation/trunk/identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/response/SAML2Response.java 2009-02-04 23:04:06 UTC (rev 306) +++ identity-federation/trunk/identity-fed-api/src/main/java/org/jboss/identity/federation/api/saml/v2/response/SAML2Response.java 2009-02-09 03:41:50 UTC (rev 307) @@ -26,6 +26,8 @@ import java.io.Writer; import java.util.List; +import javax.xml.bind.Binder; +import javax.xml.bind.JAXBContext; import javax.xml.bind.JAXBElement; import javax.xml.bind.Marshaller; import javax.xml.bind.Unmarshaller; @@ -37,12 +39,17 @@ import org.jboss.identity.federation.core.saml.v2.holders.IDPInfoHolder; import org.jboss.identity.federation.core.saml.v2.holders.IssuerInfoHolder; import org.jboss.identity.federation.core.saml.v2.holders.SPInfoHolder; +import org.jboss.identity.federation.core.saml.v2.util.DocumentUtil; +import org.jboss.identity.federation.core.saml.v2.util.JAXBElementMappingUtil; import org.jboss.identity.federation.core.saml.v2.util.XMLTimeUtil; import org.jboss.identity.federation.saml.v2.assertion.AssertionType; import org.jboss.identity.federation.saml.v2.assertion.AttributeStatementType; import org.jboss.identity.federation.saml.v2.assertion.AttributeType; import org.jboss.identity.federation.saml.v2.assertion.ConditionsType; +import org.jboss.identity.federation.saml.v2.assertion.EncryptedElementType; import org.jboss.identity.federation.saml.v2.protocol.ResponseType; +import org.w3c.dom.Document; +import org.w3c.dom.Node; /** * API for dealing with SAML2 Response objects @@ -95,6 +102,8 @@ public void createTimedConditions(AssertionType assertion, long durationInMilis) throws Exception { XMLGregorianCalendar issueInstant = assertion.getIssueInstant(); + if(issueInstant == null) + throw new IllegalStateException("assertion does not have issue instant"); XMLGregorianCalendar assertionValidityLength = XMLTimeUtil.add(issueInstant, durationInMilis); ConditionsType conditionsType = JBossSAMLBaseFactory.getObjectFactory().createConditionsType(); conditionsType.setNotBefore(issueInstant); @@ -104,6 +113,34 @@ } /** + * Get an encrypted assertion from the stream + * @param is + * @return + * @throws Exception + */ + @SuppressWarnings("unchecked") + public EncryptedElementType getEncryptedAssertion(InputStream is) throws Exception + { + if(is == null) + throw new IllegalArgumentException("inputstream is null"); + + Unmarshaller un = JBossSAMLAuthnResponseFactory.getValidatingUnmarshaller(); + JAXBElement<EncryptedElementType> jaxb = (JAXBElement<EncryptedElementType>) un.unmarshal(is); + return jaxb.getValue(); + } + + @SuppressWarnings("unchecked") + public AssertionType getAssertionType(InputStream is) throws Exception + { + if(is == null) + throw new IllegalArgumentException("inputstream is null"); + + Unmarshaller un = JBossSAMLAuthnResponseFactory.getValidatingUnmarshaller(); + JAXBElement<AssertionType> jaxb = (JAXBElement<AssertionType>) un.unmarshal(is); + return jaxb.getValue(); + } + + /** * Read a ResponseType from an input stream * @param is * @return @@ -120,6 +157,26 @@ return jaxbAuthnRequestType.getValue(); } + public Document convert(EncryptedElementType encryptedElementType) throws Exception + { + JAXBContext jaxb = JAXBContext.newInstance(EncryptedElementType.class); + Binder<Node> binder = jaxb.createBinder(); + + Document doc = DocumentUtil.createDocument(); + binder.marshal(JAXBElementMappingUtil.get(encryptedElementType), doc); + return doc; + } + + public Document convert(ResponseType responseType) throws Exception + { + JAXBContext jaxb = JAXBContext.newInstance(ResponseType.class); + Binder<Node> binder = jaxb.createBinder(); + + Document doc = DocumentUtil.createDocument(); + binder.marshal(JAXBElementMappingUtil.get(responseType), doc); + return doc; + } + /** * Marshall the response type to the output stream * <p> <b>Note:</b> JAXB marshaller by default picks up arbitrary namespace Modified: identity-federation/trunk/identity-fed-api/src/main/java/org/jboss/identity/federation/api/util/XMLEncryptionUtil.java =================================================================== --- identity-federation/trunk/identity-fed-api/src/main/java/org/jboss/identity/federation/api/util/XMLEncryptionUtil.java 2009-02-04 23:04:06 UTC (rev 306) +++ identity-federation/trunk/identity-fed-api/src/main/java/org/jboss/identity/federation/api/util/XMLEncryptionUtil.java 2009-02-09 03:41:50 UTC (rev 307) @@ -23,16 +23,18 @@ import java.security.Key; import java.security.PrivateKey; +import java.security.PublicKey; import javax.crypto.SecretKey; +import javax.xml.namespace.QName; import org.apache.xml.security.encryption.EncryptedData; import org.apache.xml.security.encryption.EncryptedKey; import org.apache.xml.security.encryption.XMLCipher; -import org.apache.xml.security.keys.KeyInfo; -import org.apache.xml.security.utils.EncryptionConstants; +import org.jboss.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants; import org.w3c.dom.Document; import org.w3c.dom.Element; +import org.w3c.dom.Node; import org.w3c.dom.NodeList; /** @@ -46,51 +48,12 @@ */ public class XMLEncryptionUtil { - public static final String TRIPLEDES = "http://www.w3.org/2001/04/xmlenc#tripledes-cbc"; + private static String XMLSIG_NS = JBossSAMLURIConstants.XMLDSIG_NSURI.get(); + private static String XMLENC_NS = JBossSAMLURIConstants.XMLENC_NSURI.get(); - public static final String AES_128 = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"; - - public static final String AES_256 = "http://www.w3.org/2001/04/xmlenc#aes256-cbc"; - - public static final String AES_192 = "http://www.w3.org/2001/04/xmlenc#aes192-cbc"; - - public static final String RSA_v1dot5 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"; - - public static final String RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"; - - public static final String DIFFIE_HELLMAN = "http://www.w3.org/2001/04/xmlenc#dh"; - - public static final String TRIPLEDES_KeyWrap = "http://www.w3.org/2001/04/xmlenc#kw-tripledes"; - - public static final String AES_128_KeyWrap = "http://www.w3.org/2001/04/xmlenc#kw-aes128"; - - public static final String AES_256_KeyWrap = "http://www.w3.org/2001/04/xmlenc#kw-aes256"; - - public static final String AES_192_KeyWrap = "http://www.w3.org/2001/04/xmlenc#kw-aes192"; - - public static final String SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"; - - public static final String SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"; - - public static final String SHA512 = "http://www.w3.org/2001/04/xmlenc#sha512"; - - public static final String RIPEMD_160 = "http://www.w3.org/2001/04/xmlenc#ripemd160"; - - public static final String XML_DSIG = "http://www.w3.org/2000/09/xmldsig#"; - - public static final String N14C_XML = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"; - - public static final String N14C_XML_WITH_COMMENTS = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"; - - public static final String EXCL_XML_N14C = "http://www.w3.org/2001/10/xml-exc-c14n#"; - - public static final String EXCL_XML_N14C_WITH_COMMENTS = "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"; - - public static final String BASE64_ENCODING = "http://www.w3.org/2000/09/xmldsig#base64"; - static { - //Initialize the XML Security Library + //Initialize the Apache XML Security Library org.apache.xml.security.Init.init(); } @@ -107,97 +70,215 @@ * </p> * @param document * @param keyToBeEncrypted Symmetric Key (SecretKey) - * @param keyUsedToEncrypt Asymmetric Key (Public Key) + * @param keyUsedToEncryptSecretKey Asymmetric Key (Public Key) + * @param keySize Length of the key * @return * @throws Exception */ public static EncryptedKey encryptKey(Document document, - Key keyToBeEncrypted, Key keyUsedToEncrypt) throws Exception + SecretKey keyToBeEncrypted, PublicKey keyUsedToEncryptSecretKey, + int keySize) throws Exception { XMLCipher keyCipher = null; - String keyAlgo = keyUsedToEncrypt.getAlgorithm(); - if("RSA".equals(keyAlgo)) - keyCipher = XMLCipher.getInstance(XMLEncryptionUtil.RSA_v1dot5); - else - keyCipher = XMLCipher.getInstance(XMLEncryptionUtil.TRIPLEDES_KeyWrap); + String pubKeyAlg = keyUsedToEncryptSecretKey.getAlgorithm(); + + String keyWrapAlgo = getXMLEncryptionURLForKeyUnwrap(pubKeyAlg, keySize); + keyCipher = XMLCipher.getInstance(keyWrapAlgo); - keyCipher.init(XMLCipher.WRAP_MODE, keyUsedToEncrypt); + keyCipher.init(XMLCipher.WRAP_MODE, keyUsedToEncryptSecretKey); return keyCipher.encryptKey(document, keyToBeEncrypted); } - + /** - * Encrypt either the entire document or an element within provided by the tag - * @param document The Document to encrypt - * @param elementTag An element in the document that you want encrypted (or null indicating entire document) - * @param encryptingKey - * @param algo - * @return document that is encrypted or contains the encrypted element + * Encrypt an element inside a Document. + * @param document Document that contains an element to encrypt + * @param publicKey The Public Key used to encrypt the secret encryption key + * @param secretKey The secret encryption key + * @param keySize Length of key + * @param wrappingElementQName QName of the element to be used to wrap around + * the cipher data. + * @param addEncryptedKeyInKeyInfo Should the encrypted key be inside a KeyInfo + * or added as a peer of Cipher Data + * @return An element that has the wrappingElementQName * @throws Exception */ - public static Document encrypt(Document document, String elementTag, - SecretKey encryptingKey, Key publicKey, String algo) throws Exception + public static Element encryptElementInDocument(Document document, PublicKey publicKey, + SecretKey secretKey, int keySize, QName wrappingElementQName, + boolean addEncryptedKeyInKeyInfo) throws Exception { - XMLCipher xmlCipher = XMLCipher.getInstance(algo); - if(xmlCipher == null) - throw new IllegalStateException("Cipher is null for algorithm:" + algo); - xmlCipher.init(XMLCipher.ENCRYPT_MODE, encryptingKey); + XMLCipher cipher = null; + EncryptedKey encryptedKey = encryptKey(document, secretKey, publicKey, keySize); + + String encryptionAlgorithm = getXMLEncryptionURL(secretKey.getAlgorithm(), keySize); + //Encrypt the Document + cipher = XMLCipher.getInstance(encryptionAlgorithm); + cipher.init(XMLCipher.ENCRYPT_MODE, secretKey); - if(elementTag != null) + Document encryptedDoc = cipher.doFinal(document, document.getDocumentElement()); + + // The EncryptedKey element is added + Element encryptedKeyElement = cipher.martial(document, encryptedKey); + + //Create the wrapping element and set its attribute NS + Element wrappingElement = encryptedDoc.createElementNS(wrappingElementQName.getNamespaceURI(), + wrappingElementQName.getPrefix() + ":" + wrappingElementQName.getLocalPart()); + + wrappingElement.setAttributeNS("http://www.w3.org/2000/xmlns/";, + "xmlns:" + wrappingElementQName.getPrefix(), wrappingElementQName.getNamespaceURI()); + + Element encryptedDocRootElement = encryptedDoc.getDocumentElement(); + //Bring in the encrypted wrapping element to wrap the root node + encryptedDoc.replaceChild(wrappingElement, encryptedDocRootElement); + + wrappingElement.appendChild(encryptedDocRootElement); + + if (addEncryptedKeyInKeyInfo) { - //Lets check if we need an element - NodeList nl = document.getElementsByTagName(elementTag); - if(nl.getLength() < 1) - throw new IllegalArgumentException(elementTag + " was not found in document"); + // Outer ds:KeyInfo Element to hold the EncryptionKey + Element sigElement = encryptedDoc.createElementNS(XMLSIG_NS, "ds:KeyInfo"); + sigElement.setAttributeNS("http://www.w3.org/2000/xmlns/";, "xmlns:ds", XMLSIG_NS); + sigElement.appendChild(encryptedKeyElement); - Element elementToEncrypt = (Element) nl.item(0); - boolean encryptContentsOnly = true; - xmlCipher.doFinal(document, - elementToEncrypt, encryptContentsOnly); + //Insert the Encrypted key before the CipherData element + NodeList nodeList = encryptedDocRootElement.getElementsByTagNameNS(XMLENC_NS, "CipherData"); + if ((nodeList == null) || (nodeList.getLength() == 0)) + throw new IllegalStateException("xenc:CipherData Element Missing"); + + Element cipherDataElement = (Element) nodeList.item(0); + encryptedDocRootElement.insertBefore(sigElement, cipherDataElement); } - else + else { - xmlCipher.doFinal(document, document); + //Add the encrypted key as a child of the wrapping element + wrappingElement.appendChild(encryptedKeyElement); } - EncryptedKey ekey = encryptKey(document, encryptingKey, publicKey); - - EncryptedData encryptedDataElement = - xmlCipher.getEncryptedData(); - KeyInfo keyInfo = new KeyInfo(document); - keyInfo.add(ekey); - encryptedDataElement.setKeyInfo(keyInfo); - return document; + return encryptedDoc.getDocumentElement(); } + /** - * Decrypt the document given two keys - * <p>The SecretKey needs to be obtained out of band or - * needs to be obtained from the KeyInfo using the private key. - * </p> - * @see #encryptKey(Document, Key, Key) - * - * @param encryptedDocument - * @param encryptingKey - * @param signingKey - * @return + * Decrypt an encrypted element inside a document + * @param documentWithEncryptedElement + * @param privateKey key need to unwrap the encryption key + * @return the document with the encrypted element replaced by the data element * @throws Exception */ - public static Document decrypt(Document encryptedDocument, - SecretKey encryptingKey, PrivateKey signingKey) throws Exception + public static Element decryptElementInDocument(Document documentWithEncryptedElement, + PrivateKey privateKey) throws Exception { + if(documentWithEncryptedElement == null) + throw new IllegalArgumentException("Input document is null"); - XMLCipher xmlCipher = XMLCipher.getInstance(); - xmlCipher.init(XMLCipher.DECRYPT_MODE, encryptingKey); //Symmetric Key - xmlCipher.setKEK(signingKey); //Asymmetric Key for Key Transport + //Look for encrypted data element + Element documentRoot = documentWithEncryptedElement.getDocumentElement(); + Element encDataElement = getNextElementNode(documentRoot.getFirstChild()); + if(encDataElement == null) + throw new IllegalStateException("No element representing the encrypted data found"); - //Get the encrypted element - String namespaceURI = EncryptionConstants.EncryptionSpecNS; - String localName = EncryptionConstants._TAG_ENCRYPTEDDATA; + //Look at siblings for the key + Element encKeyElement = getNextElementNode(encDataElement.getNextSibling()); + if(encKeyElement == null) + { + //Search the enc data element for enc key + NodeList nodeList = encDataElement.getElementsByTagNameNS( XMLENC_NS, "EncryptedKey"); + + if(nodeList == null || nodeList.getLength() == 0) + throw new IllegalStateException("Encrypted Key not found in the enc data"); + + encKeyElement = (Element) nodeList.item(0); + } + + XMLCipher cipher = XMLCipher.getInstance(); + cipher.init(XMLCipher.DECRYPT_MODE, null); + EncryptedData encryptedData = cipher.loadEncryptedData(documentWithEncryptedElement, encDataElement); + EncryptedKey encryptedKey = cipher.loadEncryptedKey(documentWithEncryptedElement, encKeyElement); + + Document decryptedDoc = null; + + if (encryptedData != null && encryptedKey != null) + { + String encAlgoURL = encryptedData.getEncryptionMethod().getAlgorithm(); + XMLCipher keyCipher = XMLCipher.getInstance(); + keyCipher.init(XMLCipher.UNWRAP_MODE, privateKey); + Key encryptionKey = keyCipher.decryptKey( encryptedKey, encAlgoURL ); + cipher = XMLCipher.getInstance(); + cipher.init(XMLCipher.DECRYPT_MODE, encryptionKey); + decryptedDoc = cipher.doFinal(documentWithEncryptedElement, encDataElement); + } + + Element decryptedRoot = decryptedDoc.getDocumentElement(); + Element dataElement = getNextElementNode(decryptedRoot.getFirstChild()); + if (dataElement == null) + throw new IllegalStateException("Data Element after encryption is null"); - NodeList nl = encryptedDocument.getElementsByTagNameNS(namespaceURI, localName); - if(nl == null || nl.getLength() < 1) - throw new IllegalStateException("Cannot find encrypted element"); - Element encryptedDataElement = (Element) nl.item(0); - return xmlCipher.doFinal(encryptedDocument, encryptedDataElement); + decryptedRoot.removeChild(dataElement); + decryptedDoc.replaceChild(dataElement, decryptedRoot); + + return decryptedDoc.getDocumentElement(); + } + + /** + * From the secret key, get the W3C XML Encryption URL + * @param publicKeyAlgo + * @param keySize + * @return + */ + private static String getXMLEncryptionURLForKeyUnwrap(String publicKeyAlgo, int keySize) + { + if("AES".equals(publicKeyAlgo)) + { + switch(keySize) + { + case 192: return XMLCipher.AES_192_KeyWrap; + case 256: return XMLCipher.AES_256_KeyWrap; + default: + return XMLCipher.AES_128_KeyWrap; + } + } + if(publicKeyAlgo.contains("RSA")) + return XMLCipher.RSA_v1dot5; + if(publicKeyAlgo.contains("DES")) + return XMLCipher.TRIPLEDES_KeyWrap; + throw new IllegalArgumentException("unsupported publicKey Algo:" + publicKeyAlgo); + } + + /** + * From the secret key, get the W3C XML Encryption URL + * @param secretKey + * @param keySize + * @return + */ + private static String getXMLEncryptionURL(String algo, int keySize) + { + if("AES".equals(algo)) + { + switch(keySize) + { + case 192: return XMLCipher.AES_192; + case 256: return XMLCipher.AES_256; + default: + return XMLCipher.AES_128; + } + } + if(algo.contains("RSA")) + return XMLCipher.RSA_v1dot5; + if(algo.contains("DES")) + return XMLCipher.TRIPLEDES_KeyWrap; + throw new IllegalArgumentException("Secret Key with unsupported algo:" + algo); + } + + /** + * Returns the next Element node. + */ + private static Element getNextElementNode(Node node) + { + while(node != null) + { + if(Node.ELEMENT_NODE == node.getNodeType()) + return (Element) node; + node = node.getNextSibling(); + } + return null; } } \ No newline at end of file Deleted: identity-federation/trunk/identity-fed-api/src/test/java/org/jboss/test/identity/federation/api/saml/v2/XMLEncryptionUnitTestCase.java =================================================================== --- identity-federation/trunk/identity-fed-api/src/test/java/org/jboss/test/identity/federation/api/saml/v2/XMLEncryptionUnitTestCase.java 2009-02-04 23:04:06 UTC (rev 306) +++ identity-federation/trunk/identity-fed-api/src/test/java/org/jboss/test/identity/federation/api/saml/v2/XMLEncryptionUnitTestCase.java 2009-02-09 03:41:50 UTC (rev 307) @@ -1,112 +0,0 @@ -/* - * JBoss, Home of Professional Open Source. - * Copyright 2008, Red Hat Middleware LLC, and individual contributors - * as indicated by the @author tags. See the copyright.txt file in the - * distribution for a full listing of individual contributors. - * - * This is free software; you can redistribute it and/or modify it - * under the terms of the GNU Lesser General Public License as - * published by the Free Software Foundation; either version 2.1 of - * the License, or (at your option) any later version. - * - * This software is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this software; if not, write to the Free - * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA - * 02110-1301 USA, or see the FSF site: http://www.fsf.org. - */ -package org.jboss.test.identity.federation.api.saml.v2; - -import java.io.StringReader; -import java.security.KeyPair; -import java.security.KeyPairGenerator; - -import javax.crypto.KeyGenerator; -import javax.crypto.SecretKey; -import javax.xml.parsers.DocumentBuilder; -import javax.xml.parsers.DocumentBuilderFactory; - -import junit.framework.TestCase; - -import org.jboss.identity.federation.api.util.XMLEncryptionUtil; -import org.w3c.dom.Document; -import org.w3c.dom.Element; -import org.xml.sax.InputSource; - -/** - * Unit Test the XML Encryption Util - * @author Anil.Saldhana(a)redhat.com - * @since Feb 4, 2009 - */ -public class XMLEncryptionUnitTestCase extends TestCase -{ - private String docString = "<rootDoc><element><childOfEl/></element></rootDoc>"; - - /** - * Test the encryption of an entire document using a symmetric key - * @throws Exception - */ - public void testEncryptEntireDocumentWithSymmetricKey() throws Exception - { - Document doc = this.getDocument(); - KeyPair kp = this.getKeyPair("RSA"); - - SecretKey sk = getSecretKey(); - Document edoc = XMLEncryptionUtil.encrypt(doc, null, sk, kp.getPublic(), - XMLEncryptionUtil.AES_128); - assertEquals("xenc:EncryptedData", edoc.getFirstChild().getNodeName()); - - //XMLSignatureUtil.marshall(edoc, System.out); - - Document rdoc = XMLEncryptionUtil.decrypt(edoc, sk, kp.getPrivate()); - //XMLSignatureUtil.marshall(rdoc, System.out); - String nodeName = rdoc.getFirstChild().getNodeName(); - assertEquals("rootDoc",nodeName); - } - - /** - * Test the encryption of an element inside a document using - * a symmetric key - * @throws Exception - */ - public void testEncryptElementWithSymmetricKey() throws Exception - { - Document doc = this.getDocument(); - KeyPair kp = this.getKeyPair("RSA"); - - SecretKey sk = getSecretKey(); - Document edoc = XMLEncryptionUtil.encrypt(doc, "element", sk, kp.getPublic(), - XMLEncryptionUtil.AES_128); - Element encEl = (Element) edoc.getElementsByTagName("element").item(0); - assertEquals("xenc:EncryptedData", encEl.getFirstChild().getNodeName()); - - Document rdoc = XMLEncryptionUtil.decrypt(edoc, sk, kp.getPrivate()); - String nodeName = rdoc.getFirstChild().getNodeName(); - assertEquals("rootDoc",nodeName); - } - - private KeyPair getKeyPair(String algo) throws Exception - { - KeyPairGenerator kpg = KeyPairGenerator.getInstance(algo); - return kpg.genKeyPair(); - } - - private Document getDocument() throws Exception - { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); - DocumentBuilder builder = factory.newDocumentBuilder(); - return builder.parse(new InputSource(new StringReader(docString))); - } - - private SecretKey getSecretKey() throws Exception - { - KeyGenerator keyGenerator = - KeyGenerator.getInstance("AES"); - keyGenerator.init(128); - return keyGenerator.generateKey(); - } -} \ No newline at end of file Added: identity-federation/trunk/identity-fed-api/src/test/java/org/jboss/test/identity/federation/api/util/DocumentUtilUnitTestCase.java =================================================================== --- identity-federation/trunk/identity-fed-api/src/test/java/org/jboss/test/identity/federation/api/util/DocumentUtilUnitTestCase.java (rev 0) +++ identity-federation/trunk/identity-fed-api/src/test/java/org/jboss/test/identity/federation/api/util/DocumentUtilUnitTestCase.java 2009-02-09 03:41:50 UTC (rev 307) @@ -0,0 +1,69 @@ +/* + * JBoss, Home of Professional Open Source. + * Copyright 2008, Red Hat Middleware LLC, and individual contributors + * as indicated by the @author tags. See the copyright.txt file in the + * distribution for a full listing of individual contributors. + * + * This is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This software is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this software; if not, write to the Free + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. + */ +package org.jboss.test.identity.federation.api.util; + +import java.io.InputStream; + +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; + +import junit.framework.TestCase; + +import org.apache.xml.security.utils.EncryptionConstants; +import org.w3c.dom.Document; +import org.w3c.dom.Element; + +/** + * Unit Test the DocumentUtil + * @author Anil.Saldhana(a)redhat.com + * @since Feb 6, 2009 + */ +public class DocumentUtilUnitTestCase extends TestCase +{ + public void testReadSAMLEncryptedAssertion() throws Exception + { + Document encDoc = getDocument(); + Element encryptedDataElement = + (Element) encDoc.getElementsByTagNameNS( + EncryptionConstants.EncryptionSpecNS, + EncryptionConstants._TAG_ENCRYPTEDDATA).item(0); + Element encryptedKeyElement = + (Element) encryptedDataElement.getElementsByTagNameNS( + EncryptionConstants.EncryptionSpecNS, + EncryptionConstants._TAG_ENCRYPTEDKEY).item(0); + assertNotNull(encryptedDataElement); + assertNotNull(encryptedKeyElement); + } + + private Document getDocument() throws Exception + { + String fileName = "xml/dom/enc-sample.xml"; + InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(fileName); + if(is == null) + throw new RuntimeException("InputStream is null"); + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setNamespaceAware(true); + DocumentBuilder builder = factory.newDocumentBuilder(); + return builder.parse(is); + } + +} Added: identity-federation/trunk/identity-fed-api/src/test/java/org/jboss/test/identity/federation/api/util/XMLEncryptionUnitTestCase.java =================================================================== --- identity-federation/trunk/identity-fed-api/src/test/java/org/jboss/test/identity/federation/api/util/XMLEncryptionUnitTestCase.java (rev 0) +++ identity-federation/trunk/identity-fed-api/src/test/java/org/jboss/test/identity/federation/api/util/XMLEncryptionUnitTestCase.java 2009-02-09 03:41:50 UTC (rev 307) @@ -0,0 +1,176 @@ +/* + * JBoss, Home of Professional Open Source. + * Copyright 2008, Red Hat Middleware LLC, and individual contributors + * as indicated by the @author tags. See the copyright.txt file in the + * distribution for a full listing of individual contributors. + * + * This is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This software is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this software; if not, write to the Free + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. + */ +package org.jboss.test.identity.federation.api.util; + +import java.io.ByteArrayInputStream; +import java.io.StringWriter; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.util.ArrayList; +import java.util.List; + +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; +import javax.xml.namespace.QName; + +import junit.framework.TestCase; + +import org.jboss.identity.federation.api.saml.v2.common.IDGenerator; +import org.jboss.identity.federation.api.saml.v2.response.SAML2Response; +import org.jboss.identity.federation.api.util.XMLEncryptionUtil; +import org.jboss.identity.federation.core.saml.v2.constants.JBossSAMLURIConstants; +import org.jboss.identity.federation.core.saml.v2.holders.IDPInfoHolder; +import org.jboss.identity.federation.core.saml.v2.holders.IssuerInfoHolder; +import org.jboss.identity.federation.core.saml.v2.holders.SPInfoHolder; +import org.jboss.identity.federation.core.saml.v2.util.DocumentUtil; +import org.jboss.identity.federation.saml.v2.assertion.AssertionType; +import org.jboss.identity.federation.saml.v2.assertion.AttributeStatementType; +import org.jboss.identity.federation.saml.v2.assertion.EncryptedElementType; +import org.jboss.identity.federation.saml.v2.protocol.ResponseType; +import org.w3c.dom.Document; +import org.w3c.dom.Element; + + +/** + * Unit Test the XML Encryption Utility + * @author Anil.Saldhana(a)redhat.com + * @since Feb 5, 2009 + */ +public class XMLEncryptionUnitTestCase extends TestCase +{ + SAML2Response sr = new SAML2Response(); + + public void testEncryptAssertion() throws Exception + { + KeyPair kp = this.getKeyPair("RSA"); + SecretKey sk = this.getSecretKey(); + + ResponseType rt = createResponse(); + Document responseDoc = sr.convert(rt); + + String assertionNS = JBossSAMLURIConstants.ASSERTION_NSURI.get(); + + QName assertionQName = new QName(assertionNS, "EncryptedAssertion", "saml"); + + Element docElement = XMLEncryptionUtil.encryptElementInDocument(responseDoc,kp.getPublic(), sk, + 128, assertionQName, true); + + EncryptedElementType eet = sr.getEncryptedAssertion(DocumentUtil.getNodeAsStream(docElement)); + rt.getAssertionOrEncryptedAssertion().set(0,eet); + + EncryptedElementType myeet = (EncryptedElementType) rt.getAssertionOrEncryptedAssertion().get(0); + Document eetDoc = sr.convert(myeet); + + Element decryptedDocumentElement = XMLEncryptionUtil.decryptElementInDocument(eetDoc,kp.getPrivate()); + + //Let us use the encrypted doc element to decrypt it + ResponseType newRT = sr.getResponseType(DocumentUtil.getNodeAsStream(decryptedDocumentElement)); + + AssertionType assertion = (AssertionType) newRT.getAssertionOrEncryptedAssertion().get(0); + assertEquals("http://identityurl", assertion.getIssuer().getValue()); + + } + + public void testEncryptAssertionWithMarshalling() throws Exception + { + KeyPair kp = this.getKeyPair("RSA"); + SecretKey sk = this.getSecretKey(); + + ResponseType rt = createResponse(); + Document responseDoc = sr.convert(rt); + + String assertionNS = JBossSAMLURIConstants.ASSERTION_NSURI.get(); + + QName assertionQName = new QName(assertionNS, "EncryptedAssertion", "saml"); + + Element docElement = XMLEncryptionUtil.encryptElementInDocument(responseDoc,kp.getPublic(), sk, + 128, assertionQName, true); + + EncryptedElementType eet = sr.getEncryptedAssertion(DocumentUtil.getNodeAsStream(docElement)); + rt.getAssertionOrEncryptedAssertion().set(0,eet); + + StringWriter sw = new StringWriter(); + sr.marshall(rt, sw); + + //Create a brand new ResponseType + ResponseType received = sr.getResponseType(new ByteArrayInputStream(sw.toString().getBytes("UTF-8"))); + + EncryptedElementType myeet = (EncryptedElementType) received.getAssertionOrEncryptedAssertion().get(0); + Document eetDoc = sr.convert(myeet); + + Element decryptedDocumentElement = XMLEncryptionUtil.decryptElementInDocument(eetDoc,kp.getPrivate()); + + //Let us use the encrypted doc element to decrypt it + ResponseType newRT = sr.getResponseType(DocumentUtil.getNodeAsStream(decryptedDocumentElement)); + + AssertionType assertion = (AssertionType) newRT.getAssertionOrEncryptedAssertion().get(0); + assertEquals("http://identityurl", assertion.getIssuer().getValue()); + } + + private ResponseType createResponse() throws Exception + { + List<String> roles = new ArrayList<String>(); + roles.add("roleA"); + roles.add("roleB"); + + ResponseType responseType = null; + + SAML2Response saml2Response = new SAML2Response(); + + //Create a response type + String id = IDGenerator.create("ID_"); + + IssuerInfoHolder issuerHolder = new IssuerInfoHolder("http://identityurl"); + issuerHolder.setStatusCode(JBossSAMLURIConstants.STATUS_SUCCESS.get()); + + IDPInfoHolder idp = new IDPInfoHolder(); + idp.setNameIDFormatValue("testPrincipal"); + idp.setNameIDFormat(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get()); + + SPInfoHolder sp = new SPInfoHolder(); + sp.setResponseDestinationURI("http://service"); + responseType = saml2Response.createResponseType(id, sp, idp, issuerHolder); + AssertionType assertion = (AssertionType) responseType.getAssertionOrEncryptedAssertion().get(0); + + AttributeStatementType attrStatement = saml2Response.createAttributeStatement(roles); + assertion.getStatementOrAuthnStatementOrAuthzDecisionStatement().add(attrStatement); + + //Add timed conditions + saml2Response.createTimedConditions(assertion, 5000L); + + return responseType; + } + + private KeyPair getKeyPair(String algo) throws Exception + { + KeyPairGenerator kpg = KeyPairGenerator.getInstance(algo); + return kpg.genKeyPair(); + } + + private SecretKey getSecretKey() throws Exception + { + KeyGenerator keyGenerator = + KeyGenerator.getInstance("AES"); + keyGenerator.init(128); + return keyGenerator.generateKey(); + } +} \ No newline at end of file Added: identity-federation/trunk/identity-fed-api/src/test/resources/endorsed/resolver.jar =================================================================== (Binary files differ) Property changes on: identity-federation/trunk/identity-fed-api/src/test/resources/endorsed/resolver.jar ___________________________________________________________________ Name: svn:mime-type + application/octet-stream Added: identity-federation/trunk/identity-fed-api/src/test/resources/endorsed/serializer.jar =================================================================== (Binary files differ) Property changes on: identity-federation/trunk/identity-fed-api/src/test/resources/endorsed/serializer.jar ___________________________________________________________________ Name: svn:mime-type + application/octet-stream Added: identity-federation/trunk/identity-fed-api/src/test/resources/endorsed/xalan.jar =================================================================== (Binary files differ) Property changes on: identity-federation/trunk/identity-fed-api/src/test/resources/endorsed/xalan.jar ___________________________________________________________________ Name: svn:mime-type + application/octet-stream Added: identity-federation/trunk/identity-fed-api/src/test/resources/endorsed/xercesImpl.jar =================================================================== (Binary files differ) Property changes on: identity-federation/trunk/identity-fed-api/src/test/resources/endorsed/xercesImpl.jar ___________________________________________________________________ Name: svn:mime-type + application/octet-stream Added: identity-federation/trunk/identity-fed-api/src/test/resources/endorsed/xml-apis.jar =================================================================== (Binary files differ) Property changes on: identity-federation/trunk/identity-fed-api/src/test/resources/endorsed/xml-apis.jar ___________________________________________________________________ Name: svn:mime-type + application/octet-stream Added: identity-federation/trunk/identity-fed-api/src/test/resources/xml/dom/enc-sample.xml =================================================================== --- identity-federation/trunk/identity-fed-api/src/test/resources/xml/dom/enc-sample.xml (rev 0) +++ identity-federation/trunk/identity-fed-api/src/test/resources/xml/dom/enc-sample.xml 2009-02-09 03:41:50 UTC (rev 307) @@ -0,0 +1,28 @@ +<?xml version="1.0" encoding="UTF-8"?> +<saml:EncryptedAssertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> + <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" + Type="http://www.w3.org/2001/04/xmlenc#Element"> + <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" + xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" /> + <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> + <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> + <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" + xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" /> + <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> + <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> + Y9X5QW+M4gCrvkYo6v0CkDm9lR5/+mF+UxXCgge/KmkFXSHrHhmEHL0kmcPgnYXkufENNOGZkNsT + MTF0sHVEAC+rbf+ZyOgl44jZUD4KtBo+Fgl6ddLBgIcTTFGQ3WscdJForQPYp2rekHyw4YlbLDSq + 5/di4fDS7BVz6mKdEBM=</xenc:CipherValue> + </xenc:CipherData> + </xenc:EncryptedKey> + </ds:KeyInfo> + <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> + <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> + MNLeaBXwfU4vtuhEUEKH190Z46OIdNBmK4yjaKh2QR0DH7xksoQAX+OjU4CJhVB6fZRxitn0Sau0 + zejUE2U5igLHpyrjONmwLh9imubqFZHMzLbiqDWlyjMHnVF ..... + ZPHNjad9sON9QtSnW7uApjUdkcPPpRlE0K2gX3xG07EmRIcWLsMo0AwtYXYW4CFq1rXWF22pfgVv + Bcw1XvGUevgAcgMOtK7aFm6y5QZgIypIGs90GeLKwH6xZGaFg1xFDo+kiLA+KFg1vHVYxqcKcSgy + ZtnthwhqWdxHTBWar7aY+QC9lEV3FAp0deSNOGl78SyvKw==</xenc:CipherValue> + </xenc:CipherData> + </xenc:EncryptedData> +</saml:EncryptedAssertion> \ No newline at end of file