JBossWS SVN: r17516 - in thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src: test/java/org/apache/cxf/ws/security/wss4j and 1 other directory.
by jbossws-commits@lists.jboss.org
Author: alessio.soldano(a)jboss.com
Date: 2013-04-26 13:07:26 -0400 (Fri, 26 Apr 2013)
New Revision: 17516
Modified:
thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java
thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomProcessor.java
thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/content_encrypted_elements_policy.xml
thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_elements_policy.xml
thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_elements_policy2.xml
thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_parts_policy_body.xml
thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_parts_policy_header.xml
thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_parts_policy_header_and_body.xml
thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_parts_policy_header_namespace_only.xml
thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/signed_parts_policy_header_and_body_encrypted.xml
Log:
[JBPAPP-10708] use wss4j 1.5 fork algorithm suite additions
Modified: thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java
===================================================================
--- thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java 2013-04-26 17:01:52 UTC (rev 17515)
+++ thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java 2013-04-26 17:07:26 UTC (rev 17516)
@@ -202,8 +202,20 @@
WSDocInfo wsDocInfo,
Vector returnResults,
WSSConfig config) throws WSSecurityException {
+ handleToken(elem, crypto, decCrypto, cb, wsDocInfo, returnResults, config, null);
+ }
+ // CHECKSTYLE:OFF
+ public void handleToken(Element elem,
+ Crypto crypto,
+ Crypto decCrypto,
+ CallbackHandler cb,
+ WSDocInfo wsDocInfo,
+ Vector returnResults,
+ WSSConfig config,
+ RequestData data) throws WSSecurityException {
+ // CHECKSTYLE:ON
new CustomUsernameTokenProcessor().handleToken(elem, crypto, decCrypto, cb, wsDocInfo,
- returnResults, config);
+ returnResults, config, data);
}
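Review bot: The 7-argument `handleToken` kept in this hunk forwards `null` as the `RequestData`, and nothing on it tells a caller what is lost by using it; the same applies to the delegating overload added in the next hunk inside the custom processor. Since r17515 stores the AlgorithmSuite on RequestData, a one-line comment would help, for example `// Legacy entry point: no RequestData, so no AlgorithmSuite is available to the processor.` Whether the 8-argument body actually reads `data` cannot be seen here, because that method continues outside both hunks.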
@@ -244,9 +256,16 @@
private String utId;
private UsernameToken ut;
+ public void handleToken(Element elem, Crypto crypto, Crypto decCrypto, CallbackHandler cb,
+ WSDocInfo wsDocInfo, Vector returnResults, WSSConfig wsc) throws WSSecurityException {
+ handleToken(elem, crypto, decCrypto, cb, wsDocInfo, returnResults, wsc, null);
+ }
+ // CHECKSTYLE:OFF
@SuppressWarnings("unchecked")
public void handleToken(Element elem, Crypto crypto, Crypto decCrypto, CallbackHandler cb,
- WSDocInfo wsDocInfo, Vector returnResults, WSSConfig wsc) throws WSSecurityException {
+ WSDocInfo wsDocInfo, Vector returnResults, WSSConfig wsc, RequestData data)
+ throws WSSecurityException {
+ // CHECKSTYLE:ON
if (LOG.isLoggable(Level.FINE)) {
LOG.fine("Found UsernameToken list element");
}
Modified: thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
===================================================================
--- thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java 2013-04-26 17:01:52 UTC (rev 17515)
+++ thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java 2013-04-26 17:07:26 UTC (rev 17516)
@@ -60,6 +60,7 @@
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.SPConstants;
import org.apache.cxf.ws.security.policy.model.AsymmetricBinding;
+import org.apache.cxf.ws.security.policy.model.Binding;
import org.apache.cxf.ws.security.policy.model.ContentEncryptedElements;
import org.apache.cxf.ws.security.policy.model.Header;
import org.apache.cxf.ws.security.policy.model.RequiredElements;
@@ -78,6 +79,7 @@
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.WSUsernameTokenPrincipal;
+import org.apache.ws.security.components.crypto.AlgorithmSuite;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.handler.WSHandlerConstants;
@@ -388,6 +390,68 @@
}
}
+
+ /**
+ * Set a WSS4J AlgorithmSuite object on the RequestData context, to restrict the algorithms that are
+ * allowed for encryption, signature, etc.
+ */
+ protected void setAlgorithmSuites(SoapMessage message, RequestData data) throws WSSecurityException {
+ Binding binding = getBinding(message);
+ if (binding != null && binding.getAlgorithmSuite() != null) {
+ // Translate into WSS4J's AlgorithmSuite class
+ AlgorithmSuite algorithmSuite = translateAlgorithmSuite(binding.getAlgorithmSuite());
+ data.setAlgorithmSuite(algorithmSuite);
+ }
+ }
+
+ /**
+ * Translate a CXF AlgorithmSuite object into WSS4J's AlgorithmSuite object
+ */
+ private AlgorithmSuite translateAlgorithmSuite(
+ org.apache.cxf.ws.security.policy.model.AlgorithmSuite cxfAlgorithmSuite) {
+ // Translate into WSS4J's AlgorithmSuite class
+ AlgorithmSuite algorithmSuite = new AlgorithmSuite();
+ algorithmSuite.setMaximumAsymmetricKeyLength(cxfAlgorithmSuite.getMaximumAsymmetricKeyLength());
+ algorithmSuite.setMinimumAsymmetricKeyLength(cxfAlgorithmSuite.getMinimumAsymmetricKeyLength());
+ algorithmSuite.setMaximumSymmetricKeyLength(cxfAlgorithmSuite.getMaximumSymmetricKeyLength());
+ algorithmSuite.setMinimumSymmetricKeyLength(cxfAlgorithmSuite.getMinimumSymmetricKeyLength());
+
+ algorithmSuite.addEncryptionMethod(cxfAlgorithmSuite.getEncryption());
+ algorithmSuite.addKeyWrapAlgorithm(cxfAlgorithmSuite.getSymmetricKeyWrap());
+ algorithmSuite.addKeyWrapAlgorithm(cxfAlgorithmSuite.getAsymmetricKeyWrap());
+
+ algorithmSuite.addDerivedKeyAlgorithm(SPConstants.P_SHA1);
+ algorithmSuite.addDerivedKeyAlgorithm(SPConstants.P_SHA1_L128);
+
+ return algorithmSuite;
+ }
+
+ /**
+ * Get the WS-SecurityPolicy Binding that is in operation
+ */
+ private Binding getBinding(SoapMessage message) {
+ AssertionInfoMap aim = message.get(AssertionInfoMap.class);
+ if (aim != null) {
+ Collection<AssertionInfo> ais = aim.get(SP12Constants.TRANSPORT_BINDING);
+ if (ais != null && !ais.isEmpty()) {
+ AssertionInfo ai = ais.iterator().next();
+ return (Binding)ai.getAssertion();
+ }
+ ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
+ if (ais != null && !ais.isEmpty()) {
+ AssertionInfo ai = ais.iterator().next();
+ return (Binding)ai.getAssertion();
+ }
+ ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
+ if (ais != null && !ais.isEmpty()) {
+ AssertionInfo ai = ais.iterator().next();
+ return (Binding)ai.getAssertion();
+ }
+ }
+ return null;
+ }
+
+
protected void computeAction(SoapMessage message, RequestData data) {
AssertionInfoMap aim = message.get(AssertionInfoMap.class);
// extract Assertion information
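Review bot: `setAlgorithmSuites` leaves `data` without any AlgorithmSuite when `getBinding` returns null or the binding carries no suite, and this override never calls the base implementation, so (assuming this class extends WSS4JInInterceptor) the handler-configured algorithms are not applied in that case either. If that open default is intended, the Javadoc should say so; otherwise add a fallback such as `else { super.setAlgorithmSuites(message, data); }`. The Javadoc also promises restrictions on signature algorithms, but `translateAlgorithmSuite` copies only the key-length bounds, the encryption method, the two key-wrap algorithms and the two P_SHA1 derived-key algorithms. As a style point, the three identical lookups in `getBinding` could be a single loop over the three binding QNames.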
Modified: thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java
===================================================================
--- thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java 2013-04-26 17:01:52 UTC (rev 17515)
+++ thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/WSS4JInInterceptor.java 2013-04-26 17:07:26 UTC (rev 17516)
@@ -195,6 +195,7 @@
*/
try {
reqData.setMsgContext(msg);
+ setAlgorithmSuites(msg, reqData);
computeAction(msg, reqData);
Vector actions = new Vector();
String action = getAction(msg, version);
@@ -221,7 +222,8 @@
actor,
cbHandler,
reqData.getSigCrypto(),
- reqData.getDecCrypto()
+ reqData.getDecCrypto(),
+ reqData
);
if (doTimeLog) {
@@ -381,6 +383,15 @@
protected void computeAction(SoapMessage msg, RequestData reqData) {
}
+
+ /**
+ * Set a WSS4J AlgorithmSuite object on the RequestData context, to restrict the algorithms that are
+ * allowed for encryption, signature, etc.
+ */
+ protected void setAlgorithmSuites(SoapMessage message, RequestData data) throws WSSecurityException {
+ super.decodeAlgorithmSuite(data);
+ }
+
protected void doResults(SoapMessage msg, String actor, SOAPMessage doc, Vector wsResult)
throws SOAPException, XMLStreamException, WSSecurityException {
/*
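Review bot: The Javadoc on the new `setAlgorithmSuites` says the suite restricts algorithms for "encryption, signature, etc.", but the `decodeAlgorithmSuite` it delegates to (r17515, WSHandler) reads only `ENC_SYM_ALGO` and `ENC_KEY_TRANSPORT` in the lines visible on this page, so a reader would expect signature checks that are not configured here. I would reword it to `Set a WSS4J AlgorithmSuite on the RequestData, built from the configured symmetric encryption and key transport algorithms.` The `message` parameter is unused in this base implementation, which is worth a short note that it exists for subclasses, and the `super.` qualifier can be dropped unless this class overrides `decodeAlgorithmSuite`.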
Modified: thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomProcessor.java
===================================================================
--- thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomProcessor.java 2013-04-26 17:01:52 UTC (rev 17515)
+++ thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomProcessor.java 2013-04-26 17:07:26 UTC (rev 17516)
@@ -24,6 +24,7 @@
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.SecurityContextToken;
import org.apache.ws.security.processor.Processor;
@@ -43,6 +44,23 @@
final java.util.Vector returnResults,
final WSSConfig config
) throws WSSecurityException {
+ handleToken(elem, crypto, decCrypto, cb, wsDocInfo, returnResults, config, null);
+ }
+
+ // CHECKSTYLE:OFF
+ @SuppressWarnings("unchecked")
+ public final void
+ handleToken(
+ final org.w3c.dom.Element elem,
+ final Crypto crypto,
+ final Crypto decCrypto,
+ final javax.security.auth.callback.CallbackHandler cb,
+ final WSDocInfo wsDocInfo,
+ final java.util.Vector returnResults,
+ final WSSConfig config,
+ final RequestData data
+ ) throws WSSecurityException {
+ // CHECKSTYLE:ON
final java.util.Map result =
new WSSecurityEngineResult(
WSConstants.SIGN,
Modified: thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/content_encrypted_elements_policy.xml
===================================================================
--- thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/content_encrypted_elements_policy.xml 2013-04-26 17:01:52 UTC (rev 17515)
+++ thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/content_encrypted_elements_policy.xml 2013-04-26 17:07:26 UTC (rev 17516)
@@ -19,7 +19,7 @@
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
- <sp:Basic128 />
+ <sp:Basic128Rsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
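Review bot: Every encryption fixture touched by this commit now declares `sp:Basic128Rsa15` (this file and the seven policy files below, including signed_parts_policy_header_and_body_encrypted.xml, which moves down from `sp:Basic256`), so the tests exercise only RSA PKCS#1 v1.5 key transport and none covers the OAEP-based suites any more. Presumably the policies were changed to match what the canned test messages use now that the suite is enforced. No hunk on this page adds a negative case; a test that sends a message whose key-wrap or encryption algorithm differs from the policy and expects a WSSecurityException would show that the new check rejects a mismatch.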
Modified: thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_elements_policy.xml
===================================================================
--- thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_elements_policy.xml 2013-04-26 17:01:52 UTC (rev 17515)
+++ thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_elements_policy.xml 2013-04-26 17:07:26 UTC (rev 17516)
@@ -19,7 +19,7 @@
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
- <sp:Basic128 />
+ <sp:Basic128Rsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
Modified: thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_elements_policy2.xml
===================================================================
--- thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_elements_policy2.xml 2013-04-26 17:01:52 UTC (rev 17515)
+++ thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_elements_policy2.xml 2013-04-26 17:07:26 UTC (rev 17516)
@@ -19,7 +19,7 @@
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
- <sp:Basic128 />
+ <sp:Basic128Rsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
Modified: thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_parts_policy_body.xml
===================================================================
--- thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_parts_policy_body.xml 2013-04-26 17:01:52 UTC (rev 17515)
+++ thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_parts_policy_body.xml 2013-04-26 17:07:26 UTC (rev 17516)
@@ -18,7 +18,7 @@
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
- <sp:Basic128 />
+ <sp:Basic128Rsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
Modified: thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_parts_policy_header.xml
===================================================================
--- thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_parts_policy_header.xml 2013-04-26 17:01:52 UTC (rev 17515)
+++ thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_parts_policy_header.xml 2013-04-26 17:07:26 UTC (rev 17516)
@@ -18,7 +18,7 @@
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
- <sp:Basic128 />
+ <sp:Basic128Rsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
Modified: thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_parts_policy_header_and_body.xml
===================================================================
--- thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_parts_policy_header_and_body.xml 2013-04-26 17:01:52 UTC (rev 17515)
+++ thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_parts_policy_header_and_body.xml 2013-04-26 17:07:26 UTC (rev 17516)
@@ -18,7 +18,7 @@
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
- <sp:Basic128 />
+ <sp:Basic128Rsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
Modified: thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_parts_policy_header_namespace_only.xml
===================================================================
--- thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_parts_policy_header_namespace_only.xml 2013-04-26 17:01:52 UTC (rev 17515)
+++ thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/encrypted_parts_policy_header_namespace_only.xml 2013-04-26 17:07:26 UTC (rev 17516)
@@ -18,7 +18,7 @@
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
- <sp:Basic128 />
+ <sp:Basic128Rsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
Modified: thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/signed_parts_policy_header_and_body_encrypted.xml
===================================================================
--- thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/signed_parts_policy_header_and_body_encrypted.xml 2013-04-26 17:01:52 UTC (rev 17515)
+++ thirdparty/cxf/branches/cxf-2.2.12/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/signed_parts_policy_header_and_body_encrypted.xml 2013-04-26 17:07:26 UTC (rev 17516)
@@ -28,7 +28,7 @@
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
- <sp:Basic256 />
+ <sp:Basic128Rsa15 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
JBossWS SVN: r17515 - in thirdparty/wss4j/branches/1_5_x-fixes: src/org/apache/ws/security/components/crypto and 3 other directories.
by jbossws-commits@lists.jboss.org
Author: alessio.soldano(a)jboss.com
Date: 2013-04-26 13:01:52 -0400 (Fri, 26 Apr 2013)
New Revision: 17515
Added:
thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/components/crypto/AlgorithmSuite.java
thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/components/crypto/AlgorithmSuiteValidator.java
Modified:
thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/WSDerivedKeyTokenPrincipal.java
thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/WSSecurityEngine.java
thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/RequestData.java
thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/WSHandler.java
thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java
thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java
thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/EncryptedDataProcessor.java
thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java
thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/Processor.java
thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/ReferenceListProcessor.java
thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/SAMLTokenProcessor.java
thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/SecurityContextTokenProcessor.java
thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/SignatureConfirmationProcessor.java
thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/SignatureProcessor.java
thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/TimestampProcessor.java
thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/UsernameTokenProcessor.java
thirdparty/wss4j/branches/1_5_x-fixes/test/wssec/MyProcessor.java
Log:
[JBPAPP-10708] Adding algorithm suite validation similar to current 1.6 impl
Modified: thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/WSDerivedKeyTokenPrincipal.java
===================================================================
--- thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/WSDerivedKeyTokenPrincipal.java 2013-04-26 14:06:06 UTC (rev 17514)
+++ thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/WSDerivedKeyTokenPrincipal.java 2013-04-26 17:01:52 UTC (rev 17515)
@@ -30,6 +30,7 @@
*/
public class WSDerivedKeyTokenPrincipal implements Principal {
+ private String algorithm;
private String id;
private String nonce;
private String label;
@@ -85,4 +86,11 @@
this.basetokenId = basetokenId;
}
+ public String getAlgorithm() {
+ return algorithm;
+ }
+
+ public void setAlgorithm(String algorithm) {
+ this.algorithm = algorithm;
+ }
}
Modified: thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/WSSecurityEngine.java
===================================================================
--- thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/WSSecurityEngine.java 2013-04-26 14:06:06 UTC (rev 17514)
+++ thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/WSSecurityEngine.java 2013-04-26 17:01:52 UTC (rev 17515)
@@ -23,6 +23,7 @@
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.conversation.ConversationConstants;
+import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.processor.Processor;
import org.apache.ws.security.util.WSSecurityUtil;
@@ -226,6 +227,16 @@
Crypto sigCrypto,
Crypto decCrypto)
throws WSSecurityException {
+ return processSecurityHeader(doc, actor, cb, sigCrypto, decCrypto, null);
+ }
+
+ public Vector processSecurityHeader(Document doc,
+ String actor,
+ CallbackHandler cb,
+ Crypto sigCrypto,
+ Crypto decCrypto,
+ RequestData requestData)
+ throws WSSecurityException {
doDebug = log.isDebugEnabled();
if (doDebug) {
@@ -242,7 +253,7 @@
if (doDebug) {
log.debug("Processing WS-Security header for '" + actor + "' actor.");
}
- wsResult = processSecurityHeader(elem, cb, sigCrypto, decCrypto);
+ wsResult = processSecurityHeader(elem, cb, sigCrypto, decCrypto, requestData);
}
return wsResult;
}
@@ -289,7 +300,8 @@
protected Vector processSecurityHeader(Element securityHeader,
CallbackHandler cb,
Crypto sigCrypto,
- Crypto decCrypto) throws WSSecurityException {
+ Crypto decCrypto,
+ RequestData requestData) throws WSSecurityException {
long t0 = 0, t1 = 0, t2 = 0;
if (tlog.isDebugEnabled()) {
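Review bot: The protected `processSecurityHeader(Element, ...)` gains a fifth parameter in this hunk without the four-argument form being kept, unlike the public `processSecurityHeader(Document, ...)` two hunks up, which retains its old signature and delegates with `null`. A subclass that overrides the old protected method would silently stop being called by the engine. Unless it is added outside the lines shown, a delegating overload whose body is `return processSecurityHeader(securityHeader, cb, sigCrypto, decCrypto, null);` would preserve compatibility. The method body continues outside the hunk.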
@@ -325,7 +337,7 @@
* information about the processed token
*/
if (p != null) {
- p.handleToken((Element) elem, sigCrypto, decCrypto, cb, wsDocInfo, returnResults, cfg);
+ p.handleToken((Element) elem, sigCrypto, decCrypto, cb, wsDocInfo, returnResults, cfg, requestData);
wsDocInfo.setProcessor(p);
} else {
/*
Added: thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/components/crypto/AlgorithmSuite.java
===================================================================
--- thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/components/crypto/AlgorithmSuite.java (rev 0)
+++ thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/components/crypto/AlgorithmSuite.java 2013-04-26 17:01:52 UTC (rev 17515)
@@ -0,0 +1,108 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.components.crypto;
+
+import java.util.HashSet;
+import java.util.Collections;
+import java.util.Set;
+
+/**
+ * This class holds the permitted values for encryption/signature/etc. algorithms on the
+ * inbound side. If the corresponding value is not null then the received algorithm must
+ * match the appropriate algorithm stored in this class.
+ */
+public class AlgorithmSuite {
+
+ private Set encryptionMethods = Collections.emptySet();
+ private Set keyWrapAlgorithms = Collections.emptySet();
+
+ private Set derivedKeyAlgorithms = Collections.emptySet();
+
+ private int maximumSymmetricKeyLength = 256;
+ private int minimumSymmetricKeyLength = 128;
+ private int maximumAsymmetricKeyLength = 4096;
+ private int minimumAsymmetricKeyLength = 1024;
+
+ public void addEncryptionMethod(String encryptionMethod) {
+ if (encryptionMethods.isEmpty()) {
+ encryptionMethods = new HashSet();
+ }
+ encryptionMethods.add(encryptionMethod);
+ }
+
+ public Set getEncryptionMethods() {
+ return encryptionMethods;
+ }
+
+ public void addKeyWrapAlgorithm(String keyWrapAlgorithm) {
+ if (keyWrapAlgorithms.isEmpty()) {
+ keyWrapAlgorithms = new HashSet();
+ }
+ keyWrapAlgorithms.add(keyWrapAlgorithm);
+ }
+
+ public Set getKeyWrapAlgorithms() {
+ return keyWrapAlgorithms;
+ }
+
+ public void addDerivedKeyAlgorithm(String derivedKeyAlgorithm) {
+ if (derivedKeyAlgorithms.isEmpty()) {
+ derivedKeyAlgorithms = new HashSet();
+ }
+ derivedKeyAlgorithms.add(derivedKeyAlgorithm);
+ }
+
+ public Set getDerivedKeyAlgorithms() {
+ return derivedKeyAlgorithms;
+ }
+
+ public int getMaximumSymmetricKeyLength() {
+ return maximumSymmetricKeyLength;
+ }
+
+ public void setMaximumSymmetricKeyLength(int maximumSymmetricKeyLength) {
+ this.maximumSymmetricKeyLength = maximumSymmetricKeyLength;
+ }
+
+ public int getMinimumAsymmetricKeyLength() {
+ return minimumAsymmetricKeyLength;
+ }
+
+ public void setMinimumAsymmetricKeyLength(int minimumAsymmetricKeyLength) {
+ this.minimumAsymmetricKeyLength = minimumAsymmetricKeyLength;
+ }
+
+ public int getMaximumAsymmetricKeyLength() {
+ return maximumAsymmetricKeyLength;
+ }
+
+ public void setMaximumAsymmetricKeyLength(int maximumAsymmetricKeyLength) {
+ this.maximumAsymmetricKeyLength = maximumAsymmetricKeyLength;
+ }
+
+ public int getMinimumSymmetricKeyLength() {
+ return minimumSymmetricKeyLength;
+ }
+
+ public void setMinimumSymmetricKeyLength(int minimumSymmetricKeyLength) {
+ this.minimumSymmetricKeyLength = minimumSymmetricKeyLength;
+ }
+
+}
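Review bot: The class Javadoc says a check applies when the stored value "is not null", but the three sets start as `Collections.emptySet()` and the validator added in this commit tests `isEmpty()`, so an empty set means "no restriction"; the comment should say that, for example `If a set is empty, any algorithm of that kind is accepted.` The key-length bounds, by contrast, always carry defaults (128 to 256 and 1024 to 4096 bits), which deserves a comment on the fields. The getters hand out the live internal `HashSet`; `return Collections.unmodifiableSet(encryptionMethods);`, and likewise for the other two, would keep callers from altering the policy after it has been set. No field covers signature or digest algorithms, so this class cannot restrict them.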
Added: thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/components/crypto/AlgorithmSuiteValidator.java
===================================================================
--- thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/components/crypto/AlgorithmSuiteValidator.java (rev 0)
+++ thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/components/crypto/AlgorithmSuiteValidator.java 2013-04-26 17:01:52 UTC (rev 17515)
@@ -0,0 +1,134 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.components.crypto;
+
+import java.security.PublicKey;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.DSAPublicKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.Set;
+
+import org.apache.ws.security.WSSecurityException;
+
+/**
+ * Validate signature/encryption/etc. algorithms against an AlgorithmSuite policy.
+ */
+public class AlgorithmSuiteValidator {
+
+ private static final org.apache.commons.logging.Log LOG = org.apache.commons.logging.LogFactory
+ .getLog(AlgorithmSuiteValidator.class);
+
+ private final AlgorithmSuite algorithmSuite;
+
+ public AlgorithmSuiteValidator(AlgorithmSuite algorithmSuite) {
+ this.algorithmSuite = algorithmSuite;
+ }
+
+ public void checkEncryptionKeyWrapAlgorithm(
+ String keyWrapAlgorithm
+ ) throws WSSecurityException {
+ Set keyWrapAlgorithms = algorithmSuite.getKeyWrapAlgorithms();
+ if (!keyWrapAlgorithms.isEmpty()
+ && !keyWrapAlgorithms.contains(keyWrapAlgorithm)) {
+ LOG.debug(
+ "The Key transport method does not match the requirement"
+ );
+ throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
+ }
+ }
+
+ public void checkSymmetricEncryptionAlgorithm(
+ String symmetricAlgorithm
+ ) throws WSSecurityException {
+ Set encryptionMethods = algorithmSuite.getEncryptionMethods();
+ if (!encryptionMethods.isEmpty()
+ && !encryptionMethods.contains(symmetricAlgorithm)) {
+ LOG.debug(
+ "The encryption algorithm does not match the requirement"
+ );
+ throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
+ }
+ }
+
+ /**
+ * Check the asymmetric key length
+ */
+ public void checkAsymmetricKeyLength(X509Certificate x509Certificate) throws WSSecurityException {
+ if (x509Certificate == null) {
+ return;
+ }
+
+ checkAsymmetricKeyLength(x509Certificate.getPublicKey());
+ }
+
+ /**
+ * Check the asymmetric key length
+ */
+ public void checkAsymmetricKeyLength(PublicKey publicKey) throws WSSecurityException {
+ if (publicKey == null) {
+ return;
+ }
+ if (publicKey instanceof RSAPublicKey) {
+ int modulus = ((RSAPublicKey)publicKey).getModulus().bitLength();
+ if (modulus < algorithmSuite.getMinimumAsymmetricKeyLength()
+ || modulus > algorithmSuite.getMaximumAsymmetricKeyLength()) {
+ LOG.debug("The asymmetric key length does not match the requirement");
+ throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
+ }
+ } else if (publicKey instanceof DSAPublicKey) {
+ int length = ((DSAPublicKey)publicKey).getParams().getP().bitLength();
+ if (length < algorithmSuite.getMinimumAsymmetricKeyLength()
+ || length > algorithmSuite.getMaximumAsymmetricKeyLength()) {
+ LOG.debug("The asymmetric key length does not match the requirement");
+ throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
+ }
+ } else {
+ LOG.debug("An unknown public key was provided");
+ throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
+ }
+ }
+
+ /**
+ * Check the symmetric key length
+ */
+ public void checkSymmetricKeyLength(int secretKeyLength) throws WSSecurityException {
+ if (secretKeyLength < (algorithmSuite.getMinimumSymmetricKeyLength() / 8)
+ || secretKeyLength > (algorithmSuite.getMaximumSymmetricKeyLength() / 8)) {
+ LOG.debug("The symmetric key length does not match the requirement");
+ throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
+ }
+ }
+
+ /**
+ * Check Derived Key algorithm
+ */
+ public void checkDerivedKeyAlgorithm(
+ String algorithm
+ ) throws WSSecurityException {
+ Set derivedKeyAlgorithms = algorithmSuite.getDerivedKeyAlgorithms();
+ if (!derivedKeyAlgorithms.isEmpty()
+ && !derivedKeyAlgorithms.contains(algorithm)) {
+ LOG.debug(
+ "The Derived Key Algorithm does not match the requirement"
+ );
+ throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
+ }
+ }
+}
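Review bot: `checkAsymmetricKeyLength(PublicKey)` rejects every key that is neither RSA nor DSA in its final `else`, and all failures in this class are logged only at debug level with a fixed message, so an operator sees a bare INVALID_SECURITY fault with no record of which algorithm or key size was refused. Keeping the fault generic is reasonable, but the log line could carry the value, for example `LOG.debug("Unsupported public key type: " + publicKey.getAlgorithm());`, and the rejection of other key types should be stated in the method Javadoc. `checkSymmetricKeyLength` takes a length in bytes while the suite stores bits (hence the `/ 8`); the Javadoc should name the unit.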
Modified: thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/RequestData.java
===================================================================
--- thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/RequestData.java 2013-04-26 14:06:06 UTC (rev 17514)
+++ thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/RequestData.java 2013-04-26 17:01:52 UTC (rev 17515)
@@ -22,6 +22,7 @@
import org.apache.ws.security.SOAPConstants;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.components.crypto.AlgorithmSuite;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.message.WSSecHeader;
import org.apache.ws.security.message.token.UsernameToken;
@@ -66,6 +67,7 @@
private int derivedKeyIterations = UsernameToken.DEFAULT_ITERATION;
private boolean useDerivedKeyForMAC = true;
private boolean useSingleCert = true;
+ private AlgorithmSuite algorithmSuite;
public void clear() {
soapConstants = null;
@@ -85,6 +87,7 @@
derivedKeyIterations = UsernameToken.DEFAULT_ITERATION;
useDerivedKeyForMAC = true;
useSingleCert = true;
+ algorithmSuite = null;
}
public Object getMsgContext() {
@@ -370,4 +373,12 @@
public boolean isUseSingleCert() {
return useSingleCert;
}
+
+ public AlgorithmSuite getAlgorithmSuite() {
+ return algorithmSuite;
+ }
+
+ public void setAlgorithmSuite(AlgorithmSuite algorithmSuite) {
+ this.algorithmSuite = algorithmSuite;
+ }
}
Modified: thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/WSHandler.java
===================================================================
--- thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/WSHandler.java 2013-04-26 14:06:06 UTC (rev 17514)
+++ thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/handler/WSHandler.java 2013-04-26 17:01:52 UTC (rev 17515)
@@ -29,6 +29,7 @@
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.action.Action;
+import org.apache.ws.security.components.crypto.AlgorithmSuite;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.components.crypto.CryptoFactory;
import org.apache.ws.security.message.WSSecHeader;
@@ -250,8 +251,26 @@
}
}
+ protected void decodeAlgorithmSuite(RequestData reqData) throws WSSecurityException {
+ Object mc = reqData.getMsgContext();
+ if (mc == null || reqData.getAlgorithmSuite() != null) {
+ return;
+ }
+
+ AlgorithmSuite algorithmSuite = new AlgorithmSuite();
+
+ String encrAlgorithm = getString(WSHandlerConstants.ENC_SYM_ALGO, mc);
+ if (encrAlgorithm != null && !"".equals(encrAlgorithm)) {
+ algorithmSuite.addEncryptionMethod(encrAlgorithm);
+ }
+ String transportAlgorithm = getString(WSHandlerConstants.ENC_KEY_TRANSPORT, mc);
+ if (transportAlgorithm != null && !"".equals(transportAlgorithm)) {
+ algorithmSuite.addKeyWrapAlgorithm(transportAlgorithm);
+ }
+
+ reqData.setAlgorithmSuite(algorithmSuite);
+ }
-
protected void doReceiverAction(int doAction, RequestData reqData)
throws WSSecurityException {
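Review bot: decodeAlgorithmSuite needs a doc comment, because its effect is wider than its name suggests: whenever a message context exists and no suite is set, it installs an AlgorithmSuite on reqData, even when neither `ENC_SYM_ALGO` nor `ENC_KEY_TRANSPORT` is configured. Only the encryption method and the key-wrap algorithm are populated, so every other set in the suite stays empty, and the derived-key check added in AlgorithmSuiteValidator passes on an empty set. The key-length bounds then come from AlgorithmSuite's defaults, which this hunk does not show. I would add `/** Builds reqData's AlgorithmSuite from ENC_SYM_ALGO and ENC_KEY_TRANSPORT unless one is already set; sets not configured here stay empty. */` above the method.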
Modified: thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java
===================================================================
--- thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java 2013-04-26 14:06:06 UTC (rev 17514)
+++ thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java 2013-04-26 17:01:52 UTC (rev 17515)
@@ -25,6 +25,7 @@
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.message.token.PKIPathSecurity;
import org.apache.ws.security.message.token.X509Security;
@@ -80,6 +81,19 @@
Vector returnResults,
WSSConfig config
) throws WSSecurityException {
+ handleToken(elem, crypto, decCrypto, cb, wsDocInfo, returnResults, config, null);
+ }
+
+ public void handleToken(
+ Element elem,
+ Crypto crypto,
+ Crypto decCrypto,
+ CallbackHandler cb,
+ WSDocInfo wsDocInfo,
+ Vector returnResults,
+ WSSConfig config,
+ RequestData requestData
+ ) throws WSSecurityException {
if (crypto == null) {
this.getCertificatesTokenReference(elem, decCrypto);
} else {
Modified: thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java
===================================================================
--- thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java 2013-04-26 14:06:06 UTC (rev 17514)
+++ thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java 2013-04-26 17:01:52 UTC (rev 17515)
@@ -24,10 +24,13 @@
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.components.crypto.AlgorithmSuite;
+import org.apache.ws.security.components.crypto.AlgorithmSuiteValidator;
import org.apache.ws.security.components.crypto.Crypto;
import org.apache.ws.security.conversation.ConversationConstants;
import org.apache.ws.security.conversation.dkalgo.AlgoFactory;
import org.apache.ws.security.conversation.dkalgo.DerivationAlgorithm;
+import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.DerivedKeyToken;
import org.apache.ws.security.message.token.Reference;
import org.apache.ws.security.message.token.SecurityTokenReference;
@@ -71,9 +74,32 @@
Vector returnResults,
WSSConfig config
) throws WSSecurityException {
+ handleToken(elem, crypto, decCrypto, cb, wsDocInfo, returnResults, config, null);
+ }
+
+ public void handleToken(
+ Element elem,
+ Crypto crypto,
+ Crypto decCrypto,
+ CallbackHandler cb,
+ WSDocInfo wsDocInfo,
+ Vector returnResults,
+ WSSConfig config,
+ RequestData requestData
+ ) throws WSSecurityException {
// Deserialize the DKT
dkt = new DerivedKeyToken(elem);
+
+ // Check for compliance against the defined AlgorithmSuite
+ if (requestData != null) {
+ AlgorithmSuite algorithmSuite = requestData.getAlgorithmSuite();
+ if (algorithmSuite != null) {
+ AlgorithmSuiteValidator algorithmSuiteValidator = new AlgorithmSuiteValidator(algorithmSuite);
+ algorithmSuiteValidator.checkDerivedKeyAlgorithm(dkt.getAlgorithm());
+ }
+ }
+
this.extractSecret(wsDocInfo, dkt, cb, crypto);
String tempNonce = dkt.getNonce();
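Review bot: The AlgorithmSuite check in the new eight-argument handleToken fails open. It is skipped when requestData is null, and the retained seven-argument overload always passes null, so any caller still on the old signature processes a DerivedKeyToken with no algorithm restriction. The same null-means-skip pattern recurs in the EncryptedDataProcessor, EncryptedKeyProcessor and ReferenceListProcessor hunks of this commit. I would mark the old overload so the gap is visible, e.g. `/** @deprecated no RequestData is passed, so no AlgorithmSuite is enforced; use the overload taking RequestData. */`. handleToken's body continues past the end of this hunk.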
Modified: thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/EncryptedDataProcessor.java
===================================================================
--- thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/EncryptedDataProcessor.java 2013-04-26 14:06:06 UTC (rev 17514)
+++ thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/EncryptedDataProcessor.java 2013-04-26 17:01:52 UTC (rev 17515)
@@ -24,7 +24,10 @@
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.components.crypto.AlgorithmSuite;
+import org.apache.ws.security.components.crypto.AlgorithmSuiteValidator;
import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.encryption.XMLEncryptionException;
@@ -60,6 +63,19 @@
Vector returnResults,
WSSConfig config
) throws WSSecurityException {
+ handleToken(elem, crypto, decCrypto, cb, wsDocInfo, returnResults, config, null);
+ }
+
+ public void handleToken(
+ Element elem,
+ Crypto crypto,
+ Crypto decCrypto,
+ CallbackHandler cb,
+ WSDocInfo wsDocInfo,
+ Vector returnResults,
+ WSSConfig config,
+ RequestData requestData
+ ) throws WSSecurityException {
Element kiElem = (Element)WSSecurityUtil.findElement(elem, "KeyInfo", WSConstants.SIG_NS);
NodeList children = kiElem.getChildNodes();
@@ -74,7 +90,7 @@
if (el.equals(WSSecurityEngine.ENCRYPTED_KEY)) {
EncryptedKeyProcessor encrKeyProc = new EncryptedKeyProcessor();
encrKeyProc.handleToken(
- (Element)child, crypto, decCrypto, cb, wsDocInfo, returnResults, config
+ (Element)child, crypto, decCrypto, cb, wsDocInfo, returnResults, config, requestData
);
symmKey = encrKeyProc.getDecryptedBytes();
break;
@@ -83,6 +99,17 @@
String encAlgo = X509Util.getEncAlgo(elem);
SecretKey key = WSSecurityUtil.prepareSecretKey(encAlgo, symmKey);
+ // Check for compliance against the defined AlgorithmSuite
+ if (requestData != null) {
+ AlgorithmSuite algorithmSuite = requestData.getAlgorithmSuite();
+ if (algorithmSuite != null) {
+ AlgorithmSuiteValidator algorithmSuiteValidator = new AlgorithmSuiteValidator(algorithmSuite);
+
+ algorithmSuiteValidator.checkSymmetricKeyLength(key.getEncoded().length);
+ algorithmSuiteValidator.checkSymmetricEncryptionAlgorithm(encAlgo);
+ }
+ }
+
// initialize Cipher ....
XMLCipher xmlCipher = null;
try {
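Review bot: The algorithm URI is validated only after it has already been used: `WSSecurityUtil.prepareSecretKey(encAlgo, symmKey)` runs on the context line above the new block, and inside the block the key-length check precedes `checkSymmetricEncryptionAlgorithm(encAlgo)`. Rejecting a disallowed algorithm before any key material is built is the safer order. I would construct the validator and call `algorithmSuiteValidator.checkSymmetricEncryptionAlgorithm(encAlgo);` before `prepareSecretKey`, leaving only `checkSymmetricKeyLength(key.getEncoded().length);` after it. The same block is repeated in EncryptedKeyProcessor.decryptDataRef and ReferenceListProcessor.decryptDataRefEmbedded, where the same reordering applies. The enclosing handleToken starts and ends outside this hunk.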
@@ -115,7 +142,7 @@
QName el = new QName(decryptedElem.getNamespaceURI(), decryptedElem.getLocalName());
Processor proc = config.getProcessor(el);
proc.handleToken(
- decryptedElem, crypto, decCrypto, cb, wsDocInfo, returnResults, config
+ decryptedElem, crypto, decCrypto, cb, wsDocInfo, returnResults, config, requestData
);
wsDocInfo.setProcessor(proc);
}
Modified: thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java
===================================================================
--- thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java 2013-04-26 14:06:06 UTC (rev 17514)
+++ thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java 2013-04-26 17:01:52 UTC (rev 17515)
@@ -28,7 +28,10 @@
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.components.crypto.AlgorithmSuite;
+import org.apache.ws.security.components.crypto.AlgorithmSuiteValidator;
import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.saml.SAMLKeyInfo;
@@ -74,13 +77,26 @@
private WSDocInfo docInfo = null;
public void handleToken(
+ Element elem,
+ Crypto crypto,
+ Crypto decCrypto,
+ CallbackHandler cb,
+ WSDocInfo wsDocInfo,
+ Vector returnResults,
+ WSSConfig wsc
+ ) throws WSSecurityException {
+ handleToken(elem, crypto, decCrypto, cb, wsDocInfo, returnResults, wsc, null);
+ }
+
+ public void handleToken(
Element elem,
Crypto crypto,
Crypto decCrypto,
CallbackHandler cb,
WSDocInfo wsDocInfo,
Vector returnResults,
- WSSConfig wsc
+ WSSConfig wsc,
+ RequestData requestData
) throws WSSecurityException {
if (log.isDebugEnabled()) {
log.debug("Found encrypted key element");
@@ -92,7 +108,7 @@
throw new WSSecurityException(WSSecurityException.FAILURE, "noCallback");
}
docInfo = wsDocInfo;
- ArrayList dataRefUris = handleEncryptedKey((Element) elem, cb, decCrypto);
+ ArrayList dataRefUris = handleEncryptedKey((Element) elem, cb, decCrypto, requestData);
encryptedKeyId = elem.getAttributeNS(null, "Id");
WSSecurityEngineResult result = new WSSecurityEngineResult(
@@ -114,23 +130,26 @@
public ArrayList handleEncryptedKey(
Element xencEncryptedKey,
CallbackHandler cb,
- Crypto crypto
+ Crypto crypto,
+ RequestData requestData
) throws WSSecurityException {
- return handleEncryptedKey(xencEncryptedKey, cb, crypto, null);
+ return handleEncryptedKey(xencEncryptedKey, cb, crypto, null, requestData);
}
public ArrayList handleEncryptedKey(
Element xencEncryptedKey,
- PrivateKey privatekey
+ PrivateKey privatekey,
+ RequestData requestData
) throws WSSecurityException {
- return handleEncryptedKey(xencEncryptedKey, null, null, privatekey);
+ return handleEncryptedKey(xencEncryptedKey, null, null, privatekey, requestData);
}
public ArrayList handleEncryptedKey(
Element xencEncryptedKey,
CallbackHandler cb,
Crypto crypto,
- PrivateKey privateKey
+ PrivateKey privateKey,
+ RequestData requestData
) throws WSSecurityException {
long t0 = 0, t1 = 0, t2 = 0;
if (tlog.isDebugEnabled()) {
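Review bot: These three public handleEncryptedKey overloads change signature in place instead of gaining new overloads, so code compiled against the previous signatures no longer links. handleToken in the same class, by contrast, keeps its old form and delegates with null. If the break is deliberate, to force callers to supply RequestData, each overload deserves a Javadoc line such as `@param requestData carries the AlgorithmSuite to enforce; null disables the check`. If it is not, the old signatures should stay as delegating overloads. The last overload's body continues past the hunk.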
@@ -359,6 +378,15 @@
}
}
+ // Check for compliance against the defined AlgorithmSuite
+ AlgorithmSuite algorithmSuite = requestData != null ? requestData.getAlgorithmSuite() : null;
+ if (algorithmSuite != null) {
+ AlgorithmSuiteValidator algorithmSuiteValidator = new AlgorithmSuiteValidator(algorithmSuite);
+
+ algorithmSuiteValidator.checkAsymmetricKeyLength(cert);
+ algorithmSuiteValidator.checkEncryptionKeyWrapAlgorithm(encryptedKeyTransportMethod);
+ }
+
try {
cipher.init(Cipher.DECRYPT_MODE, privateKey);
} catch (Exception e1) {
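Review bot: `checkAsymmetricKeyLength(cert)` is called on a variable whose assignment is outside this hunk, and it may be unset on some paths. The overload taking a PrivateKey passes null for both the callback handler and the Crypto, so presumably no certificate is looked up there. Whether the validator tolerates a null certificate is not visible here. I would state the expectation next to the call, for example `// cert is set only when the key was resolved through Crypto; confirm checkAsymmetricKeyLength accepts null`, or guard the call explicitly once that is confirmed. The enclosing method starts and ends outside the hunk.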
@@ -381,7 +409,7 @@
}
ArrayList dataRefs =
- decryptDataRefs(dataRefURIs, xencEncryptedKey.getOwnerDocument(), decryptedBytes);
+ decryptDataRefs(dataRefURIs, xencEncryptedKey.getOwnerDocument(), decryptedBytes, algorithmSuite);
if (tlog.isDebugEnabled()) {
t2 = System.currentTimeMillis();
@@ -454,7 +482,7 @@
* Decrypt all data references
*/
private ArrayList decryptDataRefs(
- List dataRefURIs, Document doc, byte[] decryptedBytes
+ List dataRefURIs, Document doc, byte[] decryptedBytes, AlgorithmSuite algorithmSuite
) throws WSSecurityException {
//
// At this point we have the decrypted session (symmetric) key. According
@@ -466,7 +494,7 @@
ArrayList dataRefs = new ArrayList();
for (int i = 0; i < dataRefURIs.size(); i++) {
String dataRefURI = (String)dataRefURIs.get(i);
- WSDataRef dataRef = decryptDataRef(doc, dataRefURI, decryptedBytes);
+ WSDataRef dataRef = decryptDataRef(doc, dataRefURI, decryptedBytes, algorithmSuite);
dataRefs.add(dataRef);
}
return dataRefs;
@@ -499,7 +527,8 @@
private WSDataRef decryptDataRef(
Document doc,
String dataRefURI,
- byte[] decryptedData
+ byte[] decryptedData,
+ AlgorithmSuite algorithmSuite
) throws WSSecurityException {
if (log.isDebugEnabled()) {
log.debug("found data reference: " + dataRefURI);
@@ -516,6 +545,14 @@
SecretKey symmetricKey =
WSSecurityUtil.prepareSecretKey(symEncAlgo, decryptedData);
+ // Check for compliance against the defined AlgorithmSuite
+ if (algorithmSuite != null) {
+ AlgorithmSuiteValidator algorithmSuiteValidator = new AlgorithmSuiteValidator(algorithmSuite);
+
+ algorithmSuiteValidator.checkSymmetricKeyLength(symmetricKey.getEncoded().length);
+ algorithmSuiteValidator.checkSymmetricEncryptionAlgorithm(symEncAlgo);
+ }
+
return ReferenceListProcessor.decryptEncryptedData(
doc, dataRefURI, encryptedDataElement, symmetricKey, symEncAlgo
);
Modified: thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/Processor.java
===================================================================
--- thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/Processor.java 2013-04-26 14:06:06 UTC (rev 17514)
+++ thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/Processor.java 2013-04-26 17:01:52 UTC (rev 17515)
@@ -23,6 +23,7 @@
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.handler.RequestData;
import org.w3c.dom.Element;
import javax.security.auth.callback.CallbackHandler;
@@ -40,6 +41,17 @@
WSSConfig config
) throws WSSecurityException;
+ public void handleToken(
+ Element elem,
+ Crypto crypto,
+ Crypto decCrypto,
+ CallbackHandler cb,
+ WSDocInfo wsDocInfo,
+ Vector returnResults,
+ WSSConfig config,
+ RequestData requestData
+ ) throws WSSecurityException;
+
/**
* Get the Id of the processor.
*
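Review bot: The new handleToken declaration has no Javadoc, and the contract of its extra parameter is what every implementation in this commit depends on: requestData may be null, and in the processors that add checks a null value skips them. I would document it as `@param requestData request context carrying the AlgorithmSuite to enforce; may be null, in which case no algorithm checks are made`. Adding an abstract method to this public interface also breaks any Processor implemented outside this tree, as the updates to MyProcessor and CustomProcessor in this commit show, so it is worth calling out in the change description.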
Modified: thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/ReferenceListProcessor.java
===================================================================
--- thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/ReferenceListProcessor.java 2013-04-26 14:06:06 UTC (rev 17514)
+++ thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/ReferenceListProcessor.java 2013-04-26 17:01:52 UTC (rev 17515)
@@ -35,7 +35,10 @@
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.components.crypto.AlgorithmSuite;
+import org.apache.ws.security.components.crypto.AlgorithmSuiteValidator;
import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.Reference;
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.saml.SAMLKeyInfo;
@@ -56,13 +59,26 @@
WSDocInfo wsDocInfo = null;
public void handleToken(
+ Element elem,
+ Crypto crypto,
+ Crypto decCrypto,
+ CallbackHandler cb,
+ WSDocInfo wdi,
+ Vector returnResults,
+ WSSConfig wsc
+ ) throws WSSecurityException {
+ handleToken(elem, crypto, decCrypto, cb, wdi, returnResults, wsc, null);
+ }
+
+ public void handleToken(
Element elem,
Crypto crypto,
Crypto decCrypto,
CallbackHandler cb,
WSDocInfo wdi,
Vector returnResults,
- WSSConfig wsc
+ WSSConfig wsc,
+ RequestData data
) throws WSSecurityException {
debug = log.isDebugEnabled();
@@ -73,7 +89,7 @@
throw new WSSecurityException(WSSecurityException.FAILURE, "noCallback");
}
wsDocInfo = wdi;
- ArrayList uris = handleReferenceList(elem, cb, decCrypto);
+ ArrayList uris = handleReferenceList(elem, cb, decCrypto, data != null ? data.getAlgorithmSuite() : null);
returnResults.add(
0,
new WSSecurityEngineResult(WSConstants.ENCR, uris)
@@ -91,7 +107,8 @@
private ArrayList handleReferenceList(
Element elem,
CallbackHandler cb,
- Crypto crypto
+ Crypto crypto,
+ AlgorithmSuite algorithmSuite
) throws WSSecurityException {
Node tmpE = null;
ArrayList dataRefUris = new ArrayList();
@@ -111,7 +128,7 @@
dataRefURI = dataRefURI.substring(1);
}
WSDataRef dataRef =
- decryptDataRefEmbedded(elem.getOwnerDocument(), dataRefURI, cb, crypto);
+ decryptDataRefEmbedded(elem.getOwnerDocument(), dataRefURI, cb, crypto, algorithmSuite);
dataRefUris.add(dataRef);
}
}
@@ -127,7 +144,8 @@
Document doc,
String dataRefURI,
CallbackHandler cb,
- Crypto crypto
+ Crypto crypto,
+ AlgorithmSuite algorithmSuite
) throws WSSecurityException {
if (log.isDebugEnabled()) {
log.debug("Found data reference: " + dataRefURI);
@@ -163,6 +181,14 @@
getKeyFromSecurityTokenReference(secRefToken, symEncAlgo, crypto, cb);
}
+ // Check for compliance against the defined AlgorithmSuite
+ if (algorithmSuite != null) {
+ AlgorithmSuiteValidator algorithmSuiteValidator = new AlgorithmSuiteValidator(algorithmSuite);
+
+ algorithmSuiteValidator.checkSymmetricKeyLength(symmetricKey.getEncoded().length);
+ algorithmSuiteValidator.checkSymmetricEncryptionAlgorithm(symEncAlgo);
+ }
+
return
decryptEncryptedData(
doc, dataRefURI, encryptedDataElement, symmetricKey, symEncAlgo
Modified: thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/SAMLTokenProcessor.java
===================================================================
--- thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/SAMLTokenProcessor.java 2013-04-26 14:06:06 UTC (rev 17514)
+++ thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/SAMLTokenProcessor.java 2013-04-26 17:01:52 UTC (rev 17515)
@@ -27,6 +27,7 @@
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.handler.RequestData;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLException;
import org.w3c.dom.Element;
@@ -49,6 +50,19 @@
Vector returnResults,
WSSConfig wsc
) throws WSSecurityException {
+ handleToken(elem, crypto, decCrypto, cb, wsDocInfo, returnResults, wsc, null);
+ }
+
+ public void handleToken(
+ Element elem,
+ Crypto crypto,
+ Crypto decCrypto,
+ CallbackHandler cb,
+ WSDocInfo wsDocInfo,
+ Vector returnResults,
+ WSSConfig wsc,
+ RequestData requestData
+ ) throws WSSecurityException {
if (log.isDebugEnabled()) {
log.debug("Found SAML Assertion element");
}
Modified: thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/SecurityContextTokenProcessor.java
===================================================================
--- thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/SecurityContextTokenProcessor.java 2013-04-26 14:06:06 UTC (rev 17514)
+++ thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/SecurityContextTokenProcessor.java 2013-04-26 17:01:52 UTC (rev 17515)
@@ -26,6 +26,7 @@
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.SecurityContextToken;
import org.w3c.dom.Element;
@@ -69,6 +70,19 @@
Vector returnResults,
WSSConfig config
) throws WSSecurityException {
+ handleToken(elem, crypto, decCrypto, cb, wsDocInfo, returnResults, config, null);
+ }
+
+ public void handleToken(
+ Element elem,
+ Crypto crypto,
+ Crypto decCrypto,
+ CallbackHandler cb,
+ WSDocInfo wsDocInfo,
+ Vector returnResults,
+ WSSConfig config,
+ RequestData requestData
+ ) throws WSSecurityException {
SecurityContextToken sct = new SecurityContextToken(elem);
this.identifier = sct.getIdentifier();
this.secret = this.getSecret(cb, sct);
Modified: thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/SignatureConfirmationProcessor.java
===================================================================
--- thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/SignatureConfirmationProcessor.java 2013-04-26 14:06:06 UTC (rev 17514)
+++ thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/SignatureConfirmationProcessor.java 2013-04-26 17:01:52 UTC (rev 17515)
@@ -27,6 +27,7 @@
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.SignatureConfirmation;
import org.w3c.dom.Element;
@@ -47,6 +48,19 @@
Vector returnResults,
WSSConfig wsc
) throws WSSecurityException {
+ handleToken(elem, crypto, decCrypto, cb, wsDocInfo, returnResults, wsc, null);
+ }
+
+ public void handleToken(
+ Element elem,
+ Crypto crypto,
+ Crypto decCrypto,
+ CallbackHandler cb,
+ WSDocInfo wsDocInfo,
+ Vector returnResults,
+ WSSConfig wsc,
+ RequestData requestData
+ ) throws WSSecurityException {
if (log.isDebugEnabled()) {
log.debug("Found SignatureConfirmation list element");
}
Modified: thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/SignatureProcessor.java
===================================================================
--- thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/SignatureProcessor.java 2013-04-26 14:06:06 UTC (rev 17514)
+++ thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/SignatureProcessor.java 2013-04-26 17:01:52 UTC (rev 17515)
@@ -36,6 +36,7 @@
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.EnvelopeIdResolver;
import org.apache.ws.security.message.token.BinarySecurity;
import org.apache.ws.security.message.token.DerivedKeyToken;
@@ -99,6 +100,19 @@
Vector returnResults,
WSSConfig wsc
) throws WSSecurityException {
+ handleToken(elem, crypto, decCrypto, cb, wsDocInfo, returnResults, wsc, null);
+ }
+
+ public void handleToken(
+ Element elem,
+ Crypto crypto,
+ Crypto decCrypto,
+ CallbackHandler cb,
+ WSDocInfo wsDocInfo,
+ Vector returnResults,
+ WSSConfig wsc,
+ RequestData requestData
+ ) throws WSSecurityException {
if (log.isDebugEnabled()) {
log.debug("Found signature element");
}
@@ -117,7 +131,7 @@
verifyXMLSignature(
elem, crypto, returnCert, returnElements,
protectedElements, signatureValue, cb,
- wsDocInfo
+ wsDocInfo, requestData
);
} catch (WSSecurityException ex) {
throw ex;
@@ -208,7 +222,8 @@
List protectedElements,
byte[][] signatureValue,
CallbackHandler cb,
- WSDocInfo wsDocInfo
+ WSDocInfo wsDocInfo,
+ RequestData requestData
) throws WSSecurityException {
if (log.isDebugEnabled()) {
log.debug("Verify XML Signature");
@@ -293,7 +308,7 @@
);
}
EncryptedKeyProcessor encryptKeyProcessor = new EncryptedKeyProcessor();
- encryptKeyProcessor.handleEncryptedKey(token, cb, crypto);
+ encryptKeyProcessor.handleEncryptedKey(token, cb, crypto, requestData);
secretKey = encryptKeyProcessor.getDecryptedBytes();
} else {
// Try custom token through callback handler
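Review bot: No AlgorithmSuiteValidator call appears in any SignatureProcessor hunk of this commit; requestData is threaded through verifyXMLSignature only to reach `handleEncryptedKey(token, cb, crypto, requestData)` here. If the suite is meant to cover signatures as well, the signing key and signature method look unchecked on this path, although the parts of verifyXMLSignature outside the hunks may say otherwise. If encryption-only scope is intended, a comment on the new parameter would make that explicit: `// requestData: used only for EncryptedKey resolution; signature algorithms are not validated against the AlgorithmSuite`.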
Modified: thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/TimestampProcessor.java
===================================================================
--- thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/TimestampProcessor.java 2013-04-26 14:06:06 UTC (rev 17514)
+++ thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/TimestampProcessor.java 2013-04-26 17:01:52 UTC (rev 17515)
@@ -27,6 +27,7 @@
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.Timestamp;
import org.apache.ws.security.util.XmlSchemaDateFormat;
import org.w3c.dom.Element;
@@ -51,6 +52,19 @@
Vector returnResults,
WSSConfig wsc
) throws WSSecurityException {
+ handleToken(elem, crypto, decCrypto, cb, wsDocInfo, returnResults, wsc, null);
+ }
+
+ public void handleToken(
+ Element elem,
+ Crypto crypto,
+ Crypto decCrypto,
+ CallbackHandler cb,
+ WSDocInfo wsDocInfo,
+ Vector returnResults,
+ WSSConfig wsc,
+ RequestData requestData
+ ) throws WSSecurityException {
if (log.isDebugEnabled()) {
log.debug("Found Timestamp list element");
}
Modified: thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/UsernameTokenProcessor.java
===================================================================
--- thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/UsernameTokenProcessor.java 2013-04-26 14:06:06 UTC (rev 17514)
+++ thirdparty/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/UsernameTokenProcessor.java 2013-04-26 17:01:52 UTC (rev 17515)
@@ -29,6 +29,7 @@
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.util.Base64;
import org.w3c.dom.Element;
@@ -51,6 +52,10 @@
public void handleToken(Element elem, Crypto crypto, Crypto decCrypto, CallbackHandler cb,
WSDocInfo wsDocInfo, Vector returnResults, WSSConfig wsc) throws WSSecurityException {
+ handleToken(elem, crypto, decCrypto, cb, wsDocInfo, returnResults, wsc, null);
+ }
+ public void handleToken(Element elem, Crypto crypto, Crypto decCrypto, CallbackHandler cb,
+ WSDocInfo wsDocInfo, Vector returnResults, WSSConfig wsc, RequestData requestData) throws WSSecurityException {
if (log.isDebugEnabled()) {
log.debug("Found UsernameToken list element");
}
Modified: thirdparty/wss4j/branches/1_5_x-fixes/test/wssec/MyProcessor.java
===================================================================
--- thirdparty/wss4j/branches/1_5_x-fixes/test/wssec/MyProcessor.java 2013-04-26 14:06:06 UTC (rev 17514)
+++ thirdparty/wss4j/branches/1_5_x-fixes/test/wssec/MyProcessor.java 2013-04-26 17:01:52 UTC (rev 17515)
@@ -20,6 +20,7 @@
package wssec;
import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.SecurityContextToken;
import org.apache.ws.security.processor.Processor;
import org.apache.ws.security.WSConstants;
@@ -43,6 +44,20 @@
final java.util.Vector returnResults,
final WSSConfig config
) throws WSSecurityException {
+ handleToken(elem, crypto, decCrypto, cb, wsDocInfo, returnResults, config, null);
+ }
+
+ public final void
+ handleToken(
+ final org.w3c.dom.Element elem,
+ final Crypto crypto,
+ final Crypto decCrypto,
+ final javax.security.auth.callback.CallbackHandler cb,
+ final WSDocInfo wsDocInfo,
+ final java.util.Vector returnResults,
+ final WSSConfig config,
+ final RequestData requestData
+ ) throws WSSecurityException {
final java.util.Map result =
new WSSecurityEngineResult(
WSConstants.UT_SIGN,
JBossWS SVN: r17514 - stack/cxf/branches/jbossws-cxf-3.1.2/modules/testsuite.
by jbossws-commits@lists.jboss.org
Author: alessio.soldano(a)jboss.com
Date: 2013-04-26 10:06:06 -0400 (Fri, 26 Apr 2013)
New Revision: 17514
Modified:
stack/cxf/branches/jbossws-cxf-3.1.2/modules/testsuite/pom.xml
Log:
Excluding test
Modified: stack/cxf/branches/jbossws-cxf-3.1.2/modules/testsuite/pom.xml
===================================================================
--- stack/cxf/branches/jbossws-cxf-3.1.2/modules/testsuite/pom.xml 2013-04-25 16:33:54 UTC (rev 17513)
+++ stack/cxf/branches/jbossws-cxf-3.1.2/modules/testsuite/pom.xml 2013-04-26 14:06:06 UTC (rev 17514)
@@ -368,6 +368,9 @@
<!-- # Seems MSFT interop. endpoints are down :( -->
<exclude>org/jboss/test/ws/jaxws/cxf/interop/wstrust10/**</exclude>
+
+ <!-- # [JBPAPP-9224] Disabled tests due to CVE-2012-2379 checks -->
+ <exclude>org/jboss/test/ws/jaxws/samples/wssePolicy/UsernameUnsecureTransportTestCase.*</exclude>
</excludes>
</configuration>
</plugin>
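Review bot: The new exclusion removes UsernameUnsecureTransportTestCase from the run without saying whether the test or the behaviour is now wrong, and the comment gives no condition for re-enabling it. If the CVE-2012-2379 check now rejects what this test sends (the test itself is not visible from here), that rejection is the behaviour worth asserting rather than skipping. At minimum I would extend the comment to `<!-- # [JBPAPP-9224] Fails because the CVE-2012-2379 check rejects this policy; re-enable once the test asserts that rejection -->`.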
JBossWS SVN: r17513 - in stack/cxf/branches/jbossws-cxf-3.1.2.SP13-JBPAPP-10701: modules/server/src/main/java/org/jboss/wsf/stack/cxf and 1 other directory.
by jbossws-commits@lists.jboss.org
Author: klape
Date: 2013-04-25 12:33:54 -0400 (Thu, 25 Apr 2013)
New Revision: 17513
Modified:
stack/cxf/branches/jbossws-cxf-3.1.2.SP13-JBPAPP-10701/
stack/cxf/branches/jbossws-cxf-3.1.2.SP13-JBPAPP-10701/modules/server/src/main/java/org/jboss/wsf/stack/cxf/DescriptorDeploymentAspect.java
Log:
[JBPAPP-10701] Adding CVE fix regarding SecurityPolicy 1.1 namespace
Property changes on: stack/cxf/branches/jbossws-cxf-3.1.2.SP13-JBPAPP-10701
___________________________________________________________________
Modified: svn:mergeinfo
- /stack/cxf/branches/jbossws-cxf-3.1.2:17027
/stack/cxf/trunk:12339
+ /stack/cxf/branches/jbossws-cxf-3.1.2:17027,17062
/stack/cxf/trunk:12339
Modified: stack/cxf/branches/jbossws-cxf-3.1.2.SP13-JBPAPP-10701/modules/server/src/main/java/org/jboss/wsf/stack/cxf/DescriptorDeploymentAspect.java
===================================================================
--- stack/cxf/branches/jbossws-cxf-3.1.2.SP13-JBPAPP-10701/modules/server/src/main/java/org/jboss/wsf/stack/cxf/DescriptorDeploymentAspect.java 2013-04-25 10:52:31 UTC (rev 17512)
+++ stack/cxf/branches/jbossws-cxf-3.1.2.SP13-JBPAPP-10701/modules/server/src/main/java/org/jboss/wsf/stack/cxf/DescriptorDeploymentAspect.java 2013-04-25 16:33:54 UTC (rev 17513)
@@ -324,7 +324,7 @@
}
private static final String DISABLE_CVE_2012_2379_CHECK_PROP = "org.jboss.wsf.cxf.disableCVE20122379Check";
- private static final String SP_NS_11 = "http://schemas.xmlsoap.org/ws/2005/02/securitypolicy";
+ private static final String SP_NS_11 = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";
private static final String SP_NS_12 = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";
private static final String SP_NS_13 = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802";
private static final String SUPPORTING_TOKENS = "SupportingTokens";
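Review bot: Nothing next to SP_NS_11 explains why the exact string matters, and the corrected value differs from the old one by a single digit in a position that is easy to mistype again. Presumably the CVE-2012-2379 check compares policy namespaces against these constants, in which case the old value meant 1.1 policies were never matched; that is inferred, since the check itself is outside the hunk. I would add `// WS-SecurityPolicy 1.1 namespace; must equal the namespace used in policy documents exactly` above the constant and pin it with a test that feeds the check a policy in this namespace.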
JBossWS SVN: r17512 - shared-testsuite/branches/jbossws-shared-testsuite-4.0.x/testsuite/src/test/java/org/jboss/test/ws/jaxws/webfault.
by jbossws-commits@lists.jboss.org
Author: rsvoboda(a)redhat.com
Date: 2013-04-25 06:52:31 -0400 (Thu, 25 Apr 2013)
New Revision: 17512
Modified:
shared-testsuite/branches/jbossws-shared-testsuite-4.0.x/testsuite/src/test/java/org/jboss/test/ws/jaxws/webfault/WebFaultTestCase.java
Log:
BZ 956636 - more details in fail message
Modified: shared-testsuite/branches/jbossws-shared-testsuite-4.0.x/testsuite/src/test/java/org/jboss/test/ws/jaxws/webfault/WebFaultTestCase.java
===================================================================
--- shared-testsuite/branches/jbossws-shared-testsuite-4.0.x/testsuite/src/test/java/org/jboss/test/ws/jaxws/webfault/WebFaultTestCase.java 2013-04-22 02:30:07 UTC (rev 17511)
+++ shared-testsuite/branches/jbossws-shared-testsuite-4.0.x/testsuite/src/test/java/org/jboss/test/ws/jaxws/webfault/WebFaultTestCase.java 2013-04-25 10:52:31 UTC (rev 17512)
@@ -161,7 +161,7 @@
}
catch (Exception e)
{
- fail("Wrong exception caught!");
+ fail("Wrong exception caught! Exception: " + e);
}
try
{
@@ -174,7 +174,7 @@
}
catch (Exception e)
{
- fail("Wrong exception caught!");
+ fail("Wrong exception caught! Exception: " + e);
}
}
}
JBossWS SVN: r17511 - projects/wsi-bp-test/trunk.
by jbossws-commits@lists.jboss.org
Author: jim.ma
Date: 2013-04-21 22:30:07 -0400 (Sun, 21 Apr 2013)
New Revision: 17511
Modified:
projects/wsi-bp-test/trunk/pom.xml
Log:
Upgrade to wss4j-1.6.11-SNAPSHOT and exclude SignEncryptGCMTestCase
Modified: projects/wsi-bp-test/trunk/pom.xml
===================================================================
--- projects/wsi-bp-test/trunk/pom.xml 2013-04-18 13:55:57 UTC (rev 17510)
+++ projects/wsi-bp-test/trunk/pom.xml 2013-04-22 02:30:07 UTC (rev 17511)
@@ -65,9 +65,21 @@
<groupId>org.jboss.ws.cxf</groupId>
<artifactId>jbossws-cxf-server</artifactId>
<version>${jbossws.cxf.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>org.apache.ws.security</groupId>
+ <artifactId>wss4j</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
+ <groupId>org.apache.ws.security</groupId>
+ <artifactId>wss4j</artifactId>
+ <version>1.6.11-SNAPSHOT</version>
+ </dependency>
+
+ <dependency>
<groupId>org.jboss.ws.cxf</groupId>
<artifactId>jbossws-cxf-client</artifactId>
<version>${jbossws.cxf.version}</version>
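Review bot: The added `wss4j` dependency pins `1.6.11-SNAPSHOT`, a moving version, for the library that does the signature and encryption processing, so two builds of the same revision can end up testing different code. If a released version cannot be used yet, I would move the version into a property next to `${jbossws.cxf.version}` and mark it with a comment such as `<!-- temporary: replace with the released wss4j version -->`, so the override is easy to find and remove.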
@@ -590,6 +602,7 @@
<exclude>org/jboss/test/ws/jaxws/samples/wsse/policy/trust/WSTrustPicketLinkTestCase*</exclude>
<!--this broke the WSI-Analyzer-->
<exclude>org/jboss/test/ws/jaxws/samples/wsse/policy/secconv/*TestCase*</exclude>
+ <exclude>org/jboss/test/ws/jaxws/samples/wsse/policy/basic/SignEncryptGCMTestCase</exclude>
</excludes>
</configuration>
</plugin>
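Review bot: The new exclude `org/jboss/test/ws/jaxws/samples/wsse/policy/basic/SignEncryptGCMTestCase` has no trailing `*`, unlike the other entries in this list and unlike the same exclusion added in the next hunk (`SignEncryptGCMTestCase*`). Depending on the Surefire version the pattern may be matched against the class file path, in which case the entry without the wildcard would exclude nothing. I would write it as `<exclude>org/jboss/test/ws/jaxws/samples/wsse/policy/basic/SignEncryptGCMTestCase*</exclude>` and repeat the explanatory comment from the second list, so the reason for skipping a GCM test is visible in both places.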
@@ -622,7 +635,8 @@
<exclude>org/jboss/test/ws/jaxws/samples/wsse/policy/trust/WSTrustPicketLinkTestCase*</exclude>
<!--this broke the WSI-Analyzer-->
<exclude>org/jboss/test/ws/jaxws/samples/wsse/policy/secconv/*TestCase*</exclude>
- <exclude>org/jboss/test/ws/jaxws/samples/wsse/policy/oasis/*TestCase*</exclude>
+ <!--this broke the alogrithm conformance in wsi-bsp-->
+ <exclude>org/jboss/test/ws/jaxws/samples/wsse/policy/basic/SignEncryptGCMTestCase*</exclude>
</excludes>
</configuration>
</plugin>
JBossWS SVN: r17510 - stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/resources/schema.
by jbossws-commits@lists.jboss.org
Author: alessio.soldano(a)jboss.com
Date: 2013-04-18 09:55:57 -0400 (Thu, 18 Apr 2013)
New Revision: 17510
Modified:
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/resources/schema/jboss-ws-security_1_0.xsd
Log:
[JBPAPP-10455] Updating xsd
Modified: stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/resources/schema/jboss-ws-security_1_0.xsd
===================================================================
--- stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/resources/schema/jboss-ws-security_1_0.xsd 2013-04-18 13:12:16 UTC (rev 17509)
+++ stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/resources/schema/jboss-ws-security_1_0.xsd 2013-04-18 13:55:57 UTC (rev 17510)
@@ -182,6 +182,16 @@
<xs:sequence>
<xs:element name="targets" type="targetsType" minOccurs="0"/>
</xs:sequence>
+ <xs:attribute name="algorithm" type="xs:string">
+ <xs:annotation>
+ <xs:documentation>A blank space or comma separated list of algorithm ids that are allowed for the encrypted incoming message</xs:documentation>
+ </xs:annotation>
+ </xs:attribute>
+ <xs:attribute name="keyWrapAlgorithm" type="xs:string">
+ <xs:annotation>
+ <xs:documentation>A blank space or comma separated list of algorithm ids that are allowed for the key wrapping in incoming message</xs:documentation>
+ </xs:annotation>
+ </xs:attribute>
<xs:attribute name="includeFaults" type="xs:boolean" use="optional" default="false"/>
</xs:complexType>
<xs:complexType name="requireSignatureType">
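Review bot: Both new attributes are typed `xs:string`, so schema validation accepts any text, and their documentation does not say what happens when they are omitted. In the decoder changes of r17508 and r17509 a null or empty list skips the allow-list check, and an id that maps to no known algorithm simply never matches, so a misspelled id is not reported. I would extend each `xs:documentation` with a sentence like `When omitted, any supported algorithm is accepted.` and name the valid ids: the enumeration extended in the next hunk appears to list the encryption ids, and `rsa_15` and `rsa_oaep` are the key wrap ids registered in EncryptedKey.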
@@ -265,6 +275,9 @@
<xs:enumeration value="aes-128"/>
<xs:enumeration value="aes-192"/>
<xs:enumeration value="aes-256"/>
+ <xs:enumeration value="aes-128-gcm"/>
+ <xs:enumeration value="aes-192-gcm"/>
+ <xs:enumeration value="aes-256-gcm"/>
<xs:enumeration value="tripledes"/>
</xs:restriction>
</xs:simpleType>
JBossWS SVN: r17509 - in stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security: element and 1 other directories.
by jbossws-commits@lists.jboss.org
Author: alessio.soldano(a)jboss.com
Date: 2013-04-18 09:12:16 -0400 (Thu, 18 Apr 2013)
New Revision: 17509
Modified:
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/EncryptedKey.java
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/SecurityHeader.java
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/EncryptionAlgorithms.java
Log:
[JBPAPP-10455] Adding further checks
Modified: stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java
===================================================================
--- stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java 2013-04-18 08:26:16 UTC (rev 17508)
+++ stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java 2013-04-18 13:12:16 UTC (rev 17509)
@@ -202,7 +202,7 @@
public void decode(Document message, Element headerElement) throws WSSecurityException
{
this.headerElement = headerElement;
- this.header = new SecurityHeader(this.headerElement, store, allowedKeyWrapAlgorithms);
+ this.header = new SecurityHeader(this.headerElement, store, allowedKeyWrapAlgorithms, allowedEncAlgorithms);
this.message = message;
decode();
Modified: stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/EncryptedKey.java
===================================================================
--- stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/EncryptedKey.java 2013-04-18 08:26:16 UTC (rev 17508)
+++ stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/EncryptedKey.java 2013-04-18 13:12:16 UTC (rev 17509)
@@ -37,6 +37,7 @@
import org.jboss.ws.extensions.security.exception.FailedCheckException;
import org.jboss.ws.extensions.security.exception.InvalidSecurityHeaderException;
import org.jboss.ws.extensions.security.exception.WSSecurityException;
+import org.jboss.ws.extensions.security.operation.EncryptionAlgorithms;
import org.jboss.ws.extensions.security.operation.EncryptionOperation;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -88,7 +89,7 @@
this.tokenRefType = tokenRefType;
}
- public EncryptedKey(Element element, KeyResolver resolver, List<String> allowedAlgorithms) throws WSSecurityException
+ public EncryptedKey(Element element, KeyResolver resolver, List<String> allowedKeyWrapAlgorithms, List<String> allowedEncAlgorithms) throws WSSecurityException
{
org.apache.xml.security.encryption.EncryptedKey key;
XMLCipher cipher;
@@ -116,9 +117,9 @@
if (!supportedKeyWrapAlg) {
throw new WSSecurityException("Unsupported key wrap algorithm in received message: " + kwa);
}
- if (allowedAlgorithms != null && !allowedAlgorithms.isEmpty()) {
+ if (allowedKeyWrapAlgorithms != null && !allowedKeyWrapAlgorithms.isEmpty()) {
boolean found = false;
- for (Iterator<String> it = allowedAlgorithms.iterator(); it.hasNext() && !found; ) {
+ for (Iterator<String> it = allowedKeyWrapAlgorithms.iterator(); it.hasNext() && !found; ) {
found = kwa.equals(keyWrapAlgorithms.get(it.next()));
}
if (!found) {
@@ -145,6 +146,15 @@
String alg = getKeyAlgorithm(element);
if (alg == null)
throw new WSSecurityException("Could not determine encrypted key algorithm!");
+ if (allowedEncAlgorithms != null && !allowedEncAlgorithms.isEmpty()) {
+ boolean found = false;
+ for (Iterator<String> it = allowedEncAlgorithms.iterator(); it.hasNext() && !found; ) {
+ found = alg.equals(EncryptionAlgorithms.getAlgorithm(it.next()));
+ }
+ if (!found) {
+ throw new WSSecurityException("Unexpected encryption algorithm in received message: " + alg);
+ }
+ }
try
{
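Review bot: The allow-list loop added after the `alg == null` check is a copy of the one r17508 put into `DecryptionOperation`, and in both places an entry of `allowedEncAlgorithms` that `EncryptionAlgorithms.getAlgorithm` does not know resolves to `null` and is skipped silently. Moving the test into one shared static method on `EncryptionAlgorithms`, taking the algorithm URI and the list, would stop the two call sites from drifting apart. That method would also be the natural place to log a warning for unknown ids, so a configuration typo is noticed. The constructor starts and ends outside this hunk.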
Modified: stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/SecurityHeader.java
===================================================================
--- stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/SecurityHeader.java 2013-04-18 08:26:16 UTC (rev 17508)
+++ stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/SecurityHeader.java 2013-04-18 13:12:16 UTC (rev 17509)
@@ -61,7 +61,7 @@
this.document = document;
}
- public SecurityHeader(Element element, SecurityStore store, List<String> allowedKeyWrapAlgorithms) throws WSSecurityException
+ public SecurityHeader(Element element, SecurityStore store, List<String> allowedKeyWrapAlgorithms, List<String> allowedEncAlgorithms) throws WSSecurityException
{
document = element.getOwnerDocument();
KeyResolver resolver = new KeyResolver(store);
@@ -85,7 +85,7 @@
else if (tag.equals("Signature"))
securityProcesses.add(new Signature(child, resolver));
else if (tag.equals("EncryptedKey"))
- securityProcesses.add(new EncryptedKey(child, resolver, allowedKeyWrapAlgorithms));
+ securityProcesses.add(new EncryptedKey(child, resolver, allowedKeyWrapAlgorithms, allowedEncAlgorithms));
else if (tag.equals("ReferenceList"))
throw new UnsupportedSecurityTokenException("ReferenceLists outside of encrypted keys (shared secrets) are not supported.");
Modified: stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/EncryptionAlgorithms.java
===================================================================
--- stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/EncryptionAlgorithms.java 2013-04-18 08:26:16 UTC (rev 17508)
+++ stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/EncryptionAlgorithms.java 2013-04-18 13:12:16 UTC (rev 17509)
@@ -27,7 +27,7 @@
import org.apache.xml.security.encryption.XMLCipher;
-final class EncryptionAlgorithms
+public final class EncryptionAlgorithms
{
/** --- Keep private for security reasons --- **/
private static class Algorithm
@@ -47,7 +47,7 @@
private static Map<String, String> algorithmsID;
/** ----------------------------------------- **/
- static final String DEFAULT_ALGORITHM = "aes-128";
+ public static final String DEFAULT_ALGORITHM = "aes-128";
static
{
@@ -69,26 +69,26 @@
algorithmsID = Collections.unmodifiableMap(algorithmsID);
}
- static boolean hasAlgorithm(String id) {
+ public static boolean hasAlgorithm(String id) {
return algorithms.containsKey(id);
}
- static String getAlgorithm(String id) {
+ public static String getAlgorithm(String id) {
Algorithm alg = algorithms.get(id);
return alg == null ? null : alg.xmlName;
}
- static String getAlgorithmJceName(String id) {
+ public static String getAlgorithmJceName(String id) {
Algorithm alg = algorithms.get(id);
return alg == null ? null : alg.jceName;
}
- static int getAlgorithmSize(String id) {
+ public static int getAlgorithmSize(String id) {
Algorithm alg = algorithms.get(id);
return alg == null ? null : alg.size;
}
- static String getAlgorithmID(String xmlName) {
+ public static String getAlgorithmID(String xmlName) {
return algorithmsID.get(xmlName);
}
}
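Review bot: `getAlgorithmSize`, made public here, returns `alg == null ? null : alg.size` from a method declared `int`, so an unknown id throws a NullPointerException on unboxing instead of giving the caller something to test. The same line is in the file as added by r17508. Since `EncryptionOperation.getSecretKey` passes the result straight to `kgen.init(...)`, I would fail explicitly with `if (alg == null) throw new IllegalArgumentException("Unknown encryption algorithm id: " + id);` followed by `return alg.size;`. The class comment `Keep private for security reasons` is also worth rewording now that the class and its accessors are public.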
JBossWS SVN: r17508 - in stack/native/branches/jbossws-native-3.1.2/modules: core/src/main/java/org/jboss/ws/extensions/security/element and 4 other directories.
by jbossws-commits@lists.jboss.org
Author: alessio.soldano(a)jboss.com
Date: 2013-04-18 04:26:16 -0400 (Thu, 18 Apr 2013)
New Revision: 17508
Added:
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/EncryptionAlgorithms.java
Modified:
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/EncryptedKey.java
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/SecurityHeader.java
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/DecryptionOperation.java
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/EncryptionOperation.java
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/RequireEncryptionOperation.java
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/metadata/wsse/RequireEncryption.java
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityOMFactory.java
stack/native/branches/jbossws-native-3.1.2/modules/testsuite/native-tests/src/test/resources/jaxws/samples/wssecurity/simple-encrypt/META-INF/jboss-wsse-client.xml
stack/native/branches/jbossws-native-3.1.2/modules/testsuite/native-tests/src/test/resources/jaxws/samples/wssecurity/simple-encrypt/WEB-INF/jboss-wsse-server.xml
Log:
[JBPAPP-10455] Configuration option for defining which algorithms are accepted when decrypting messages
Modified: stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java
===================================================================
--- stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java 2013-04-17 19:45:05 UTC (rev 17507)
+++ stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java 2013-04-18 08:26:16 UTC (rev 17508)
@@ -35,7 +35,6 @@
import org.jboss.ws.extensions.security.element.UsernameToken;
import org.jboss.ws.extensions.security.exception.WSSecurityException;
import org.jboss.ws.extensions.security.nonce.NonceFactory;
-import org.jboss.ws.extensions.security.operation.AuthorizeOperation;
import org.jboss.ws.extensions.security.operation.DecryptionOperation;
import org.jboss.ws.extensions.security.operation.ReceiveUsernameOperation;
import org.jboss.ws.extensions.security.operation.ReceiveX509Certificate;
@@ -45,7 +44,6 @@
import org.jboss.ws.extensions.security.operation.SignatureVerificationOperation;
import org.jboss.ws.extensions.security.operation.TimestampVerificationOperation;
import org.jboss.ws.metadata.wsse.Authenticate;
-import org.jboss.ws.metadata.wsse.Authorize;
import org.jboss.ws.metadata.wsse.TimestampVerification;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -74,6 +72,10 @@
private HashSet<String> signedIds = new HashSet<String>();
private HashSet<String> encryptedIds = new HashSet<String>();
+
+ private List<String> allowedKeyWrapAlgorithms;
+
+ private List<String> allowedEncAlgorithms;
public SecurityDecoder(SecurityStore store, NonceFactory nonceFactory, TimestampVerification timestampVerification, Authenticate authenticate)
{
@@ -137,7 +139,7 @@
encryptedIds.clear();
SignatureVerificationOperation signatureVerifier = new SignatureVerificationOperation(header, store);
- DecryptionOperation decrypter = new DecryptionOperation(header, store);
+ DecryptionOperation decrypter = new DecryptionOperation(header, store, allowedEncAlgorithms);
for (SecurityProcess process : header.getSecurityProcesses())
{
@@ -160,6 +162,17 @@
}
}
+
+ public void init(List<RequireOperation> requireOperations) {
+ if (requireOperations != null) {
+ for (RequireOperation operation : requireOperations) {
+ if (operation instanceof RequireEncryptionOperation) {
+ ((RequireEncryptionOperation)operation).setupDecoder(this);
+ break;
+ }
+ }
+ }
+ }
public void verify(List<RequireOperation> requireOperations) throws WSSecurityException
{
@@ -189,7 +202,7 @@
public void decode(Document message, Element headerElement) throws WSSecurityException
{
this.headerElement = headerElement;
- this.header = new SecurityHeader(this.headerElement, store);
+ this.header = new SecurityHeader(this.headerElement, store, allowedKeyWrapAlgorithms);
this.message = message;
decode();
@@ -201,4 +214,15 @@
// message (required by the specification)
detachHeader();
}
+
+ public void setAllowedKeyWrapAlgorithms(List<String> allowedKeyWrapAlgorithms)
+ {
+ this.allowedKeyWrapAlgorithms = allowedKeyWrapAlgorithms;
+ }
+
+ public void setAllowedEncAlgorithms(List<String> allowedEncAlgorithms)
+ {
+ this.allowedEncAlgorithms = allowedEncAlgorithms;
+ }
+
}
Modified: stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java
===================================================================
--- stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java 2013-04-17 19:45:05 UTC (rev 17507)
+++ stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java 2013-04-18 08:26:16 UTC (rev 17508)
@@ -131,14 +131,16 @@
}
SecurityDecoder decoder = new SecurityDecoder(securityStore, factory, configuration.getTimestampVerification(), authenticate);
+
+ List<RequireOperation> operations = buildRequireOperations(config, fault);
+
+ decoder.init(operations);
decoder.decode(message.getSOAPPart(), secHeaderElement);
if (log.isTraceEnabled())
log.trace("Decoded Message:\n" + DOMWriter.printNode(message.getSOAPPart(), true));
- List<RequireOperation> operations = buildRequireOperations(config, fault);
-
decoder.verify(operations);
if (log.isDebugEnabled())
log.debug("Verification is successful");
@@ -351,7 +353,7 @@
if (requireEncryption != null && (!fault || requireEncryption.isIncludeFaults()))
{
List<Target> targets = convertTargets(requireEncryption.getTargets());
- operations.add(new RequireEncryptionOperation(targets));
+ operations.add(new RequireEncryptionOperation(targets, requireEncryption.getdKeyWrapAlgorithms(), requireEncryption.getAlgorithms()));
}
return operations;
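Review bot: The accessor called here, `requireEncryption.getdKeyWrapAlgorithms()`, looks like a typo for `getKeyWrapAlgorithms()`; it is declared in RequireEncryption.java, which this commit also modifies, so it can be renamed before other callers depend on it. The constructor takes two adjacent `String` arguments (key wrap list, then encryption list), which the compiler cannot tell apart if they are swapped. A short comment at the call, `// order: keyWrapAlgorithms, algorithms`, would make the order explicit. buildRequireOperations starts outside this hunk.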
Modified: stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/EncryptedKey.java
===================================================================
--- stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/EncryptedKey.java 2013-04-17 19:45:05 UTC (rev 17507)
+++ stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/EncryptedKey.java 2013-04-18 08:26:16 UTC (rev 17508)
@@ -23,6 +23,8 @@
import java.security.PrivateKey;
import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
import javax.crypto.SecretKey;
@@ -64,7 +66,7 @@
private static final String DEFAULT_ALGORITHM = "rsa_15";
static
{
- keyWrapAlgorithms = new HashMap<String, String>(2);
+ keyWrapAlgorithms = new HashMap<String, String>(4);
keyWrapAlgorithms.put("rsa_15", XMLCipher.RSA_v1dot5);
keyWrapAlgorithms.put("rsa_oaep", XMLCipher.RSA_OAEP);
}
@@ -86,7 +88,7 @@
this.tokenRefType = tokenRefType;
}
- public EncryptedKey(Element element, KeyResolver resolver) throws WSSecurityException
+ public EncryptedKey(Element element, KeyResolver resolver, List<String> allowedAlgorithms) throws WSSecurityException
{
org.apache.xml.security.encryption.EncryptedKey key;
XMLCipher cipher;
@@ -103,6 +105,27 @@
}
KeyInfo info = key.getKeyInfo();
+ boolean supportedKeyWrapAlg = false;
+ final String kwa = key.getEncryptionMethod().getAlgorithm();
+ for (Iterator<String> it = keyWrapAlgorithms.values().iterator(); it.hasNext() && !supportedKeyWrapAlg; ) {
+ String s = it.next();
+ if (s.equals(kwa)) {
+ supportedKeyWrapAlg = true;
+ }
+ }
+ if (!supportedKeyWrapAlg) {
+ throw new WSSecurityException("Unsupported key wrap algorithm in received message: " + kwa);
+ }
+ if (allowedAlgorithms != null && !allowedAlgorithms.isEmpty()) {
+ boolean found = false;
+ for (Iterator<String> it = allowedAlgorithms.iterator(); it.hasNext() && !found; ) {
+ found = kwa.equals(keyWrapAlgorithms.get(it.next()));
+ }
+ if (!found) {
+ throw new WSSecurityException("Unexpected key wrap algorithm in received message: " + kwa);
+ }
+ }
+
if (info == null)
throw new WSSecurityException("EncryptedKey element did not contain KeyInfo");
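Review bot: `key.getEncryptionMethod().getAlgorithm()` is dereferenced without a null check, and the `EncryptionMethod` child is optional in an `EncryptedKey`. A message that omits it would presumably fail with a NullPointerException rather than the `WSSecurityException` used for every other rejection here. I would guard it with `if (key.getEncryptionMethod() == null) throw new WSSecurityException("EncryptedKey element did not contain EncryptionMethod");`. When `allowedAlgorithms` is null or empty the second check is skipped, so `rsa_15` stays accepted unless the deployment lists `rsa_oaep` explicitly; that default deserves a comment. The constructor body continues outside the hunk.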
Modified: stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/SecurityHeader.java
===================================================================
--- stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/SecurityHeader.java 2013-04-17 19:45:05 UTC (rev 17507)
+++ stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/SecurityHeader.java 2013-04-18 08:26:16 UTC (rev 17508)
@@ -23,6 +23,7 @@
import java.util.HashMap;
import java.util.LinkedList;
+import java.util.List;
import org.jboss.ws.extensions.security.BinarySecurityTokenValidator;
import org.jboss.ws.extensions.security.Constants;
@@ -54,13 +55,13 @@
// Looks like this is only for embedded tokens
private LinkedList<SecurityTokenReference> securityTokenReferences = new LinkedList<SecurityTokenReference>();
-
+
public SecurityHeader(Document document)
{
this.document = document;
}
- public SecurityHeader(Element element, SecurityStore store) throws WSSecurityException
+ public SecurityHeader(Element element, SecurityStore store, List<String> allowedKeyWrapAlgorithms) throws WSSecurityException
{
document = element.getOwnerDocument();
KeyResolver resolver = new KeyResolver(store);
@@ -84,7 +85,7 @@
else if (tag.equals("Signature"))
securityProcesses.add(new Signature(child, resolver));
else if (tag.equals("EncryptedKey"))
- securityProcesses.add(new EncryptedKey(child, resolver));
+ securityProcesses.add(new EncryptedKey(child, resolver, allowedKeyWrapAlgorithms));
else if (tag.equals("ReferenceList"))
throw new UnsupportedSecurityTokenException("ReferenceLists outside of encrypted keys (shared secrets) are not supported.");
Modified: stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/DecryptionOperation.java
===================================================================
--- stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/DecryptionOperation.java 2013-04-17 19:45:05 UTC (rev 17507)
+++ stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/DecryptionOperation.java 2013-04-18 08:26:16 UTC (rev 17508)
@@ -23,6 +23,8 @@
import java.util.Collection;
import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
import javax.crypto.SecretKey;
@@ -47,11 +49,14 @@
private SecurityHeader header;
private SecurityStore store;
+
+ private List<String> allowedEncAlgorithms;
- public DecryptionOperation(SecurityHeader header, SecurityStore store) throws WSSecurityException
+ public DecryptionOperation(SecurityHeader header, SecurityStore store, List<String> allowedEncAlgorithms) throws WSSecurityException
{
this.header = header;
this.store = store;
+ this.allowedEncAlgorithms = allowedEncAlgorithms;
}
private boolean isContent(Element element)
@@ -99,6 +104,15 @@
}
String alg = getEncryptionAlgorithm(element);
+ if (allowedEncAlgorithms != null && !allowedEncAlgorithms.isEmpty()) {
+ boolean found = false;
+ for (Iterator<String> it = allowedEncAlgorithms.iterator(); it.hasNext() && !found; ) {
+ found = alg.equals(EncryptionAlgorithms.getAlgorithm(it.next()));
+ }
+ if (!found) {
+ throw new WSSecurityException("Unexpected encryption algorithm in received message: " + alg);
+ }
+ }
try
{
XMLCipher cipher = XMLCipher.getInstance(alg);
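Review bot: `alg.equals(...)` in the added block runs before anything visible in this hunk checks `alg` for null, whereas `EncryptedKey` tests its algorithm for null (`Could not determine encrypted key algorithm!`) before using it. If `getEncryptionAlgorithm` can return null for an element without an `EncryptionMethod` (its body is outside the hunk), the allow-list check throws a NullPointerException. Adding `if (alg == null) throw new WSSecurityException("Could not determine encryption algorithm!");` ahead of the loop keeps the rejection path uniform.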
Added: stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/EncryptionAlgorithms.java
===================================================================
--- stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/EncryptionAlgorithms.java (rev 0)
+++ stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/EncryptionAlgorithms.java 2013-04-18 08:26:16 UTC (rev 17508)
@@ -0,0 +1,94 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2013, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.ws.extensions.security.operation;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.xml.security.encryption.XMLCipher;
+
+final class EncryptionAlgorithms
+{
+ /** --- Keep private for security reasons --- **/
+ private static class Algorithm
+ {
+ Algorithm(String jceName, String xmlName, int size)
+ {
+ this.jceName = jceName;
+ this.xmlName = xmlName;
+ this.size = size;
+ }
+
+ public String jceName;
+ public String xmlName;
+ public int size;
+ }
+ private static Map<String, Algorithm> algorithms;
+ private static Map<String, String> algorithmsID;
+ /** ----------------------------------------- **/
+
+ static final String DEFAULT_ALGORITHM = "aes-128";
+
+ static
+ {
+ algorithms = new HashMap<String, Algorithm>(4);
+ algorithms.put("aes-128", new Algorithm("AES", XMLCipher.AES_128, 128));
+ algorithms.put("aes-192", new Algorithm("AES", XMLCipher.AES_192, 192));
+ algorithms.put("aes-256", new Algorithm("AES", XMLCipher.AES_256, 256));
+ algorithms.put("aes-128-gcm", new Algorithm("AES", XMLCipher.AES_128_GCM, 128));
+ algorithms.put("aes-192-gcm", new Algorithm("AES", XMLCipher.AES_192_GCM, 192));
+ algorithms.put("aes-256-gcm", new Algorithm("AES", XMLCipher.AES_256_GCM, 256));
+ algorithms.put("tripledes", new Algorithm("TripleDes", XMLCipher.TRIPLEDES, 168));
+ algorithms = Collections.unmodifiableMap(algorithms);
+
+ algorithmsID = new HashMap<String, String>(4);
+ algorithmsID.put(XMLCipher.AES_128, "aes-128");
+ algorithmsID.put(XMLCipher.AES_192, "aes-192");
+ algorithmsID.put(XMLCipher.AES_256, "aes-256");
+ algorithmsID.put(XMLCipher.TRIPLEDES, "tripledes");
+ algorithmsID = Collections.unmodifiableMap(algorithmsID);
+ }
+
+ static boolean hasAlgorithm(String id) {
+ return algorithms.containsKey(id);
+ }
+
+ static String getAlgorithm(String id) {
+ Algorithm alg = algorithms.get(id);
+ return alg == null ? null : alg.xmlName;
+ }
+
+ static String getAlgorithmJceName(String id) {
+ Algorithm alg = algorithms.get(id);
+ return alg == null ? null : alg.jceName;
+ }
+
+ static int getAlgorithmSize(String id) {
+ Algorithm alg = algorithms.get(id);
+ return alg == null ? null : alg.size;
+ }
+
+ static String getAlgorithmID(String xmlName) {
+ return algorithmsID.get(xmlName);
+ }
+}
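Review bot: `algorithmsID` maps only the three CBC AES URIs and `XMLCipher.TRIPLEDES` back to ids, while `algorithms` also registers `aes-128-gcm`, `aes-192-gcm` and `aes-256-gcm`, so `getAlgorithmID` returns null for a GCM URI. `EncryptionOperation.generateSecretKey` feeds that result into `getSecretKey`, where a null id would end in `KeyGenerator.getInstance(null)`. I would add the three reverse entries, for example `algorithmsID.put(XMLCipher.AES_128_GCM, "aes-128-gcm");`. A class-level Javadoc saying that the ids are the configuration names and `xmlName` is the XML Encryption URI would also help readers of the two maps.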
Modified: stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/EncryptionOperation.java
===================================================================
--- stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/EncryptionOperation.java 2013-04-17 19:45:05 UTC (rev 17507)
+++ stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/EncryptionOperation.java 2013-04-18 08:26:16 UTC (rev 17508)
@@ -25,7 +25,6 @@
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
-import java.util.HashMap;
import java.util.List;
import javax.crypto.Cipher;
@@ -60,43 +59,6 @@
private String tokenRefType;
private String securityDomainAliasLabel;
- private static class Algorithm
- {
- Algorithm(String jceName, String xmlName, int size)
- {
- this.jceName = jceName;
- this.xmlName = xmlName;
- this.size = size;
- }
-
- public String jceName;
- public String xmlName;
- public int size;
- }
-
- private static HashMap<String, Algorithm> algorithms;
- private static HashMap<String, String> algorithmsID;
-
- private static final String DEFAULT_ALGORITHM = "aes-128";
-
- static
- {
- algorithms = new HashMap<String, Algorithm>(4);
- algorithms.put("aes-128", new Algorithm("AES", XMLCipher.AES_128, 128));
- algorithms.put("aes-192", new Algorithm("AES", XMLCipher.AES_192, 192));
- algorithms.put("aes-256", new Algorithm("AES", XMLCipher.AES_256, 256));
- algorithms.put("aes-128-gcm", new Algorithm("AES", XMLCipher.AES_128_GCM, 128));
- algorithms.put("aes-192-gcm", new Algorithm("AES", XMLCipher.AES_192_GCM, 192));
- algorithms.put("aes-256-gcm", new Algorithm("AES", XMLCipher.AES_256_GCM, 256));
- algorithms.put("tripledes", new Algorithm("TripleDes", XMLCipher.TRIPLEDES, 168));
-
- algorithmsID = new HashMap<String, String>(4);
- algorithmsID.put(XMLCipher.AES_128, "aes-128");
- algorithmsID.put(XMLCipher.AES_192, "aes-192");
- algorithmsID.put(XMLCipher.AES_256, "aes-256");
- algorithmsID.put(XMLCipher.TRIPLEDES, "tripledes");
- }
-
public EncryptionOperation(List<Target> targets, String alias, String algorithm, String wrap, String tokenRefType, String securityDomainAliasLabel)
{
super();
@@ -139,12 +101,10 @@
private static SecretKey getSecretKey(String algorithm) throws WSSecurityException
{
- Algorithm alg = algorithms.get(algorithm);
-
try
{
- KeyGenerator kgen = KeyGenerator.getInstance(alg.jceName);
- kgen.init(alg.size);
+ KeyGenerator kgen = KeyGenerator.getInstance(EncryptionAlgorithms.getAlgorithmJceName(algorithm));
+ kgen.init(EncryptionAlgorithms.getAlgorithmSize(algorithm));
return kgen.generateKey();
}
catch (NoSuchAlgorithmException e)
@@ -155,19 +115,19 @@
public static SecretKey generateSecretKey(String alg) throws WSSecurityException
{
- return getSecretKey(algorithmsID.get(alg));
+ return getSecretKey(EncryptionAlgorithms.getAlgorithmID(alg));
}
public void process(Document message, SecurityHeader header, SecurityStore store) throws WSSecurityException
{
- if (! algorithms.containsKey(algorithm))
- algorithm = DEFAULT_ALGORITHM;
+ if (! EncryptionAlgorithms.hasAlgorithm(algorithm))
+ algorithm = EncryptionAlgorithms.DEFAULT_ALGORITHM;
SecretKey secretKey = getSecretKey(algorithm);
XMLCipher cipher;
try
{
- cipher = XMLCipher.getInstance(algorithms.get(algorithm).xmlName);
+ cipher = XMLCipher.getInstance(EncryptionAlgorithms.getAlgorithm(algorithm));
cipher.init(XMLCipher.ENCRYPT_MODE, secretKey);
}
catch (XMLSecurityException e)
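Review bot: In `process`, an `algorithm` that `EncryptionAlgorithms.hasAlgorithm` does not recognise is still silently replaced by `EncryptionAlgorithms.DEFAULT_ALGORITHM`. A misspelled `aes-256-gcm` in the configuration therefore encrypts with the default (`aes-128` in the removed table) and nothing reports it. The commit carries this over from the old code, but the same change set adds receiver-side allow-lists, so a silent substitution can now also show up as rejected messages that are hard to diagnose. Log it before the assignment, e.g. `Logger.getLogger(EncryptionOperation.class).warn("Unknown encryption algorithm '" + algorithm + "', using " + EncryptionAlgorithms.DEFAULT_ALGORITHM);`, or fail instead of falling back. The try block continues outside the hunk.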
Modified: stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/RequireEncryptionOperation.java
===================================================================
--- stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/RequireEncryptionOperation.java 2013-04-17 19:45:05 UTC (rev 17507)
+++ stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/RequireEncryptionOperation.java 2013-04-18 08:26:16 UTC (rev 17508)
@@ -21,17 +21,52 @@
*/
package org.jboss.ws.extensions.security.operation;
+import java.util.LinkedList;
import java.util.List;
+import java.util.StringTokenizer;
+import org.jboss.logging.Logger;
+import org.jboss.ws.extensions.security.SecurityDecoder;
import org.jboss.ws.extensions.security.Target;
public class RequireEncryptionOperation extends RequireTargetableOperation
{
+ private List<String> allowedKeyWrapAlgorithms;
+
+ private List<String> allowedEncAlgorithms;
- public RequireEncryptionOperation(List<Target> targets)
+ public RequireEncryptionOperation(List<Target> targets) {
+ super(targets);
+ }
+
+ public RequireEncryptionOperation(List<Target> targets, String keyWrapAlgorithms, String algorithms)
{
super(targets);
+ this.allowedEncAlgorithms = parseStringList(algorithms);
+ this.allowedKeyWrapAlgorithms = parseStringList(keyWrapAlgorithms);
}
+ public void setupDecoder(SecurityDecoder decoder) {
+ if (allowedEncAlgorithms == null) {
+ Logger.getLogger(RequireEncryptionOperation.class).warn("No 'algorithms' provided for 'encryption' configuration requirement!");
+ }
+ decoder.setAllowedEncAlgorithms(allowedEncAlgorithms);
+ if (allowedKeyWrapAlgorithms == null) {
+ Logger.getLogger(RequireEncryptionOperation.class).warn("No 'keyWrapAlgorithms' provided for 'encryption' configuration requirement!");
+ }
+ decoder.setAllowedKeyWrapAlgorithms(allowedKeyWrapAlgorithms);
+ }
+
+ private List<String> parseStringList(String s) {
+ List<String> result = null;
+ if (s != null && s.trim().length() > 0) {
+ StringTokenizer st = new StringTokenizer(s, ", ", false);
+ result = new LinkedList<String>();
+ while (st.hasMoreTokens()) {
+ result.add(st.nextToken());
+ }
+ }
+ return result;
+ }
}
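Review bot: `setupDecoder` only warns when `allowedEncAlgorithms` or `allowedKeyWrapAlgorithms` is null and then passes the null to the decoder anyway, so a bare `<encryption/>` requirement (or the one-argument constructor) leaves the allow-list off. How `SecurityDecoder` treats a null list is not visible here; if null means "accept any algorithm", the new restriction is opt-in and the warning, repeated on every call, is the only signal. State that contract in a Javadoc on `setupDecoder`, and hold the logger in a field, `private static final Logger log = Logger.getLogger(RequireEncryptionOperation.class);`, instead of looking it up per call. `parseStringList` keeps tokens exactly as typed, so `AES-256-GCM` and `aes-256-gcm` would be different entries unless the decoder normalises them.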
Modified: stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/metadata/wsse/RequireEncryption.java
===================================================================
--- stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/metadata/wsse/RequireEncryption.java 2013-04-17 19:45:05 UTC (rev 17507)
+++ stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/metadata/wsse/RequireEncryption.java 2013-04-18 08:26:16 UTC (rev 17508)
@@ -21,6 +21,7 @@
*/
package org.jboss.ws.metadata.wsse;
+
/**
* <code>Sign</code> represents the sign tag, which declares that a message
* should be signed.
@@ -29,13 +30,19 @@
*/
public class RequireEncryption extends Targetable
{
- private static final long serialVersionUID = 3765798680988205647L;
+ private static final long serialVersionUID = 3765798680988205648L;
private boolean includeFaults;
+
+ private String keyWrapAlgorithms;
+
+ private String algorithms;
- public RequireEncryption(boolean includeFaults)
+ public RequireEncryption(boolean includeFaults, String keyWrapAlgorithms, String algorithms)
{
this.includeFaults = includeFaults;
+ this.algorithms = algorithms;
+ this.keyWrapAlgorithms = keyWrapAlgorithms;
}
public boolean isIncludeFaults()
@@ -47,4 +54,25 @@
{
this.includeFaults = includeFaults;
}
+
+ public String getdKeyWrapAlgorithms()
+ {
+ return keyWrapAlgorithms;
+ }
+
+ public void setKeyWrapAlgorithms(String keyWrapAlgorithms)
+ {
+ this.keyWrapAlgorithms = keyWrapAlgorithms;
+ }
+
+ public String getAlgorithms()
+ {
+ return algorithms;
+ }
+
+ public void setAlgorithms(String algorithms)
+ {
+ this.algorithms = algorithms;
+ }
+
}
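Review bot: The new getter is spelled `getdKeyWrapAlgorithms()` while its setter is `setKeyWrapAlgorithms`, so the pair does not form a bean property and every caller has to repeat the typo. Rename it before it spreads: `public String getKeyWrapAlgorithms()`. The two new String fields also need a comment giving their format, e.g. `// space- or comma-separated algorithm names, split by RequireEncryptionOperation.parseStringList`. The class Javadoc shown in the previous hunk still describes the `Sign` tag.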
Modified: stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityOMFactory.java
===================================================================
--- stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityOMFactory.java 2013-04-17 19:45:05 UTC (rev 17507)
+++ stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityOMFactory.java 2013-04-18 08:26:16 UTC (rev 17508)
@@ -499,7 +499,7 @@
if (value != null)
includeFaults = (Boolean) SimpleTypeBindings.unmarshal(SimpleTypeBindings.XS_BOOLEAN_NAME, value, null);
- return new RequireEncryption(includeFaults);
+ return new RequireEncryption(includeFaults, attrs.getValue("", "keyWrapAlgorithms"), attrs.getValue("", "algorithms"));
}
else if ("timestamp".equals(localName))
{
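Review bot: The `keyWrapAlgorithms` and `algorithms` attributes are read on the `new RequireEncryption(...)` line and stored as raw strings, with no parse-time check that the names are ones the stack knows. A misspelled entry would therefore surface only when a message is decoded, as a rejection or a non-match depending on decoder code that is not shown here. At minimum, document this on that line, `// raw lists; split later by RequireEncryptionOperation.parseStringList, names are not validated here`, or validate each name while the configuration is loaded. The enclosing method starts and ends outside the hunk.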
Modified: stack/native/branches/jbossws-native-3.1.2/modules/testsuite/native-tests/src/test/resources/jaxws/samples/wssecurity/simple-encrypt/META-INF/jboss-wsse-client.xml
===================================================================
--- stack/native/branches/jbossws-native-3.1.2/modules/testsuite/native-tests/src/test/resources/jaxws/samples/wssecurity/simple-encrypt/META-INF/jboss-wsse-client.xml 2013-04-17 19:45:05 UTC (rev 17507)
+++ stack/native/branches/jbossws-native-3.1.2/modules/testsuite/native-tests/src/test/resources/jaxws/samples/wssecurity/simple-encrypt/META-INF/jboss-wsse-client.xml 2013-04-18 08:26:16 UTC (rev 17508)
@@ -3,7 +3,7 @@
<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
<config>
- <encrypt type="x509v3" algorithm="aes-192-gcm" alias="wsse"/>
+ <encrypt type="x509v3" algorithm="aes-192-gcm" keyWrapAlgorithm="rsa_oaep" alias="wsse"/>
<requires>
<encryption/>
</requires>
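Review bot: The client's `<requires>` block still has a bare `<encryption/>`, so the client side presumably builds its `RequireEncryptionOperation` without allow-lists and handles responses unrestricted, logging the two new warnings. Only the server file in the next hunk sets the new attributes, so this sample never exercises the client-side check. Use the same requirement here: `<encryption algorithms="aes-192-gcm aes-256-gcm" keyWrapAlgorithms="rsa_oaep"/>`.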
Modified: stack/native/branches/jbossws-native-3.1.2/modules/testsuite/native-tests/src/test/resources/jaxws/samples/wssecurity/simple-encrypt/WEB-INF/jboss-wsse-server.xml
===================================================================
--- stack/native/branches/jbossws-native-3.1.2/modules/testsuite/native-tests/src/test/resources/jaxws/samples/wssecurity/simple-encrypt/WEB-INF/jboss-wsse-server.xml 2013-04-17 19:45:05 UTC (rev 17507)
+++ stack/native/branches/jbossws-native-3.1.2/modules/testsuite/native-tests/src/test/resources/jaxws/samples/wssecurity/simple-encrypt/WEB-INF/jboss-wsse-server.xml 2013-04-18 08:26:16 UTC (rev 17508)
@@ -7,9 +7,9 @@
<trust-store-file>WEB-INF/wsse.truststore</trust-store-file>
<trust-store-password>jbossws</trust-store-password>
<config>
- <encrypt type="x509v3" algorithm="aes-192-gcm" alias="wsse"/>
+ <encrypt type="x509v3" algorithm="aes-192-gcm" keyWrapAlgorithm="rsa_oaep" alias="wsse"/>
<requires>
- <encryption/>
+ <encryption algorithms="aes-192-gcm aes-256-gcm" keyWrapAlgorithms="rsa_oaep"/>
</requires>
</config>
</jboss-ws-security>
\ No newline at end of file
JBossWS SVN: r17507 - in stack/cxf/branches/jbossws-cxf-3.1.2.SP13-JBPAPP-10701: modules/server/src/main/java/org/jboss/wsf/stack/cxf and 1 other directory.
by jbossws-commits@lists.jboss.org
Author: klape
Date: 2013-04-17 15:45:05 -0400 (Wed, 17 Apr 2013)
New Revision: 17507
Modified:
stack/cxf/branches/jbossws-cxf-3.1.2.SP13-JBPAPP-10701/modules/server/src/main/java/org/jboss/wsf/stack/cxf/DescriptorDeploymentAspect.java
stack/cxf/branches/jbossws-cxf-3.1.2.SP13-JBPAPP-10701/pom.xml
Log:
[JBPAPP-10701] Fixing NullPointerException when spring bean has no @WebService or @WebServiceProvider annotation
Modified: stack/cxf/branches/jbossws-cxf-3.1.2.SP13-JBPAPP-10701/modules/server/src/main/java/org/jboss/wsf/stack/cxf/DescriptorDeploymentAspect.java
===================================================================
--- stack/cxf/branches/jbossws-cxf-3.1.2.SP13-JBPAPP-10701/modules/server/src/main/java/org/jboss/wsf/stack/cxf/DescriptorDeploymentAspect.java 2013-04-17 19:39:50 UTC (rev 17506)
+++ stack/cxf/branches/jbossws-cxf-3.1.2.SP13-JBPAPP-10701/modules/server/src/main/java/org/jboss/wsf/stack/cxf/DescriptorDeploymentAspect.java 2013-04-17 19:45:05 UTC (rev 17507)
@@ -248,7 +248,7 @@
wl = epIfWsa.wsdlLocation();
}
}
- } else {
+ } else if (clazz.isAnnotationPresent(WebServiceProvider.class)) {
WebServiceProvider wsp = clazz.getAnnotation(WebServiceProvider.class);
wl = wsp.wsdlLocation();
}
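Review bot: With the branch narrowed to `else if (clazz.isAnnotationPresent(WebServiceProvider.class))`, a class carrying neither annotation now leaves `wl` at whatever value it had before this block, and nothing records that case. The initialisation and later use of `wl` are outside the hunk, so whether that value is safe downstream cannot be confirmed from here. A short comment would make the intent explicit, e.g. `// neither @WebService nor @WebServiceProvider: leave wl as is, there is no wsdlLocation to read`. The annotation is also looked up twice; `WebServiceProvider wsp = clazz.getAnnotation(WebServiceProvider.class); if (wsp != null) wl = wsp.wsdlLocation();` does the same with one lookup.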
Modified: stack/cxf/branches/jbossws-cxf-3.1.2.SP13-JBPAPP-10701/pom.xml
===================================================================
--- stack/cxf/branches/jbossws-cxf-3.1.2.SP13-JBPAPP-10701/pom.xml 2013-04-17 19:39:50 UTC (rev 17506)
+++ stack/cxf/branches/jbossws-cxf-3.1.2.SP13-JBPAPP-10701/pom.xml 2013-04-17 19:45:05 UTC (rev 17507)
@@ -45,7 +45,7 @@
<!-- Properties -->
<properties>
<jbossws.common.version>1.1.0.SP9</jbossws.common.version>
- <jbossws.framework.version>3.1.2.SP12</jbossws.framework.version>
+ <jbossws.framework.version>3.1.2.SP13</jbossws.framework.version>
<jbossws.spi.version>1.1.2.SP8</jbossws.spi.version>
<!-- JBWS-2505 -->
<!-- START -->