Author: mmusaji
Date: 2013-06-04 12:11:17 -0400 (Tue, 04 Jun 2013)
New Revision: 17649
Added:
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/operation/
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/operation/EncryptionAlgorithms.java
Modified:
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/core/jaxws/spi/ProviderImpl.java
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/DecryptionOperation.java
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/EncryptionOperation.java
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/RequireEncryptionOperation.java
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/RequireSignatureOperation.java
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/RequireTargetableOperation.java
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/element/EncryptedKey.java
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/element/SecurityHeader.java
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/metadata/wsse/RequireEncryption.java
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityOMFactory.java
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/resources/schema/jboss-ws-security_1_0.xsd
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/test/resources/jaxws/samples/wssecurity/simple-encrypt/META-INF/jboss-wsse-client.xml
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/test/resources/jaxws/samples/wssecurity/simple-encrypt/WEB-INF/jboss-wsse-server.xml
Log:
[JBPAPP-10768] Initial commit of CVE-2012-5575 (JBPAPP-10455) backport
Modified:
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/core/jaxws/spi/ProviderImpl.java
===================================================================
---
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/core/jaxws/spi/ProviderImpl.java 2013-06-04
09:53:35 UTC (rev 17648)
+++
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/core/jaxws/spi/ProviderImpl.java 2013-06-04
16:11:17 UTC (rev 17649)
@@ -116,19 +116,19 @@
return bindingId;
}
- @Override
+
public <T extends EndpointReference> T createEndpointReference(Class<T>
clazz, QName serviceName, QName portName, Source wsdlDocumentLocation, Element...
referenceParameters)
{
throw new NotImplementedException();
}
- @Override
+
public W3CEndpointReference createW3CEndpointReference(String address, QName
serviceName, QName portName, List<Element> metadata, String wsdlDocumentLocation,
List<Element> referenceParameters)
{
throw new NotImplementedException();
}
- @Override
+
public <T> T getPort(EndpointReference endpointReference, Class<T>
serviceEndpointInterface, WebServiceFeature... features)
{
throw new NotImplementedException();
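Review bot: Dropping `@Override` from these three `Provider` methods removes the compiler's check that their signatures still match the JAX-WS interface, and nothing in the hunk says why. If the reason is a Java 5 source level (which rejects `@Override` on interface implementations), a comment such as `// no @Override: interface method, Java 5 source level` on each would stop the next maintainer from putting them back. The change is unrelated to the CVE-2012-5575 backport described in the log and might be clearer as its own commit.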
@@ -139,4 +139,4 @@
{
throw new NotImplementedException();
}
-}
\ No newline at end of file
+}
Modified:
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/DecryptionOperation.java
===================================================================
---
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/DecryptionOperation.java 2013-06-04
09:53:35 UTC (rev 17648)
+++
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/DecryptionOperation.java 2013-06-04
16:11:17 UTC (rev 17649)
@@ -23,6 +23,8 @@
import java.util.Collection;
import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
import javax.crypto.SecretKey;
@@ -32,6 +34,7 @@
import org.jboss.ws.extensions.security.element.ReferenceList;
import org.jboss.ws.extensions.security.element.SecurityHeader;
import org.jboss.ws.extensions.security.element.SecurityProcess;
+import org.jboss.ws.extensions.security.operation.EncryptionAlgorithms;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -41,11 +44,14 @@
private SecurityHeader header;
private SecurityStore store;
+
+ private List<String> allowedEncAlgorithms;
- public DecryptionOperation(SecurityHeader header, SecurityStore store) throws
WSSecurityException
+ public DecryptionOperation(SecurityHeader header, SecurityStore store,
List<String> allowedEncAlgorithms) throws WSSecurityException
{
this.header = header;
this.store = store;
+ this.allowedEncAlgorithms = allowedEncAlgorithms;
}
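Review bot: The new `allowedEncAlgorithms` parameter is undocumented, and its null/empty meaning (no restriction, as the check further down this class treats it) is the security-relevant part of the contract. Add a Javadoc on the constructor — `@param allowedEncAlgorithms configured ids (e.g. "aes-128", "aes-256-gcm") that received EncryptedData may use; null or empty means any algorithm XMLCipher supports is accepted` — and declare the field `private final List<String> allowedEncAlgorithms;` since it is assigned only here.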
private boolean isContent(Element element)
@@ -93,6 +99,15 @@
}
String alg = getEncryptionAlgorithm(element);
+ if (allowedEncAlgorithms != null && !allowedEncAlgorithms.isEmpty()) {
+ boolean found = false;
+ for (Iterator<String> it = allowedEncAlgorithms.iterator(); it.hasNext()
&& !found; ) {
+ found = alg.equals(EncryptionAlgorithms.getAlgorithm(it.next()));
+ }
+ if (!found) {
+ throw new WSSecurityException("Unexpected encryption algorithm in
received message: " + alg);
+ }
+ }
try
{
XMLCipher cipher = XMLCipher.getInstance(alg);
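Review bot: The allow-list is enforced only when `allowedEncAlgorithms` is non-null and non-empty, so any path that leaves it unset — the default, given that the single-argument `RequireEncryptionOperation` constructor is the one used elsewhere in this commit — silently keeps the accept-anything behaviour this backport exists to close. Consider failing closed (treat a missing list as a configuration error, or fall back to an explicit conservative default) or at least mark the branch: `// null/empty allow-list: legacy behaviour, any algorithm XMLCipher supports is accepted`. Separately, `alg.equals(EncryptionAlgorithms.getAlgorithm(it.next()))` is false for a misspelled configured id, so a typo in `algorithms` rejects every message with the same "Unexpected encryption algorithm" error and no hint that the configuration is wrong; validating the ids once at configuration time would surface that. The enclosing method starts before this hunk.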
Modified:
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/EncryptionOperation.java
===================================================================
---
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/EncryptionOperation.java 2013-06-04
09:53:35 UTC (rev 17648)
+++
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/EncryptionOperation.java 2013-06-04
16:11:17 UTC (rev 17649)
@@ -23,7 +23,6 @@
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
-import java.util.HashMap;
import java.util.List;
import javax.crypto.KeyGenerator;
@@ -38,6 +37,7 @@
import org.jboss.ws.extensions.security.element.ReferenceList;
import org.jboss.ws.extensions.security.element.SecurityHeader;
import org.jboss.ws.extensions.security.element.X509Token;
+import org.jboss.ws.extensions.security.operation.EncryptionAlgorithms;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -47,36 +47,6 @@
private SecurityStore store;
- private static class Algorithm
- {
- Algorithm(String jceName, String xmlName, int size)
- {
- this.jceName = jceName;
- this.xmlName = xmlName;
- this.size = size;
- }
-
- public String jceName;
- public String xmlName;
- public int size;
- }
-
- private static HashMap<String, Algorithm> algorithms;
-
- private static final String DEFAULT_ALGORITHM = "aes-128";
-
- static
- {
- algorithms = new HashMap<String, Algorithm>(4);
- algorithms.put("aes-128", new Algorithm("AES",
XMLCipher.AES_128, 128));
- algorithms.put("aes-192", new Algorithm("AES",
XMLCipher.AES_192, 192));
- algorithms.put("aes-256", new Algorithm("AES",
XMLCipher.AES_256, 256));
- algorithms.put("aes-128-gcm", new Algorithm("AES",
XMLCipher.AES_128_GCM, 128));
- algorithms.put("aes-192-gcm", new Algorithm("AES",
XMLCipher.AES_192_GCM, 192));
- algorithms.put("aes-256-gcm", new Algorithm("AES",
XMLCipher.AES_256_GCM, 256));
- algorithms.put("tripledes", new Algorithm("TripleDes",
XMLCipher.TRIPLEDES, 168));
- }
-
public EncryptionOperation(SecurityHeader header, SecurityStore store) throws
WSSecurityException
{
this.header = header;
@@ -112,14 +82,17 @@
}
}
- public SecretKey getSecretKey(String algorithm) throws WSSecurityException
+ public static SecretKey generateSecretKey(String alg) throws WSSecurityException
{
- Algorithm alg = algorithms.get(algorithm);
+ return getSecretKey(EncryptionAlgorithms.getAlgorithmID(alg));
+ }
+ public static SecretKey getSecretKey(String algorithm) throws WSSecurityException
+ {
try
{
- KeyGenerator kgen = KeyGenerator.getInstance(alg.jceName);
- kgen.init(alg.size);
+ KeyGenerator kgen =
KeyGenerator.getInstance(EncryptionAlgorithms.getAlgorithmJceName(algorithm));
+ kgen.init(EncryptionAlgorithms.getAlgorithmSize(algorithm));
return kgen.generateKey();
}
catch (NoSuchAlgorithmException e)
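Review bot: `generateSecretKey` passes the result of `EncryptionAlgorithms.getAlgorithmID(alg)` straight into `getSecretKey`, and that reverse map (in the new `EncryptionAlgorithms` class later in this diff) has no entries for the three GCM URIs, so a GCM `alg` becomes `getSecretKey(null)` and dies with a NullPointerException from `KeyGenerator.getInstance(null)` or from the unboxing in `getAlgorithmSize`, not with the `WSSecurityException` the signature promises. Guard it: `String id = EncryptionAlgorithms.getAlgorithmID(alg);` / `if (id == null) throw new WSSecurityException("Unsupported encryption algorithm: " + alg);` / `return getSecretKey(id);`. Both methods were also widened to `public static`; a Javadoc line stating which form each takes (`alg` is the XML URI, `algorithm` the short id) would keep callers from mixing them up. `getSecretKey` continues past this hunk.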
@@ -130,14 +103,15 @@
public void process(Document message, List<Target> targets, String alias, String
credential, String algorithm, boolean digest, boolean useNonce, boolean useTimestamp)
throws WSSecurityException
{
- if (! algorithms.containsKey(algorithm))
- algorithm = DEFAULT_ALGORITHM;
+ if (! EncryptionAlgorithms.hasAlgorithm(algorithm)) {
+ algorithm = EncryptionAlgorithms.DEFAULT_ALGORITHM;
+ }
SecretKey secretKey = getSecretKey(algorithm);
XMLCipher cipher;
try
{
- cipher = XMLCipher.getInstance(algorithms.get(algorithm).xmlName);
+ cipher = XMLCipher.getInstance(EncryptionAlgorithms.getAlgorithm(algorithm));
cipher.init(XMLCipher.ENCRYPT_MODE, secretKey);
}
catch (XMLSecurityException e)
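Review bot: An unrecognised `algorithm` name is still silently replaced by `EncryptionAlgorithms.DEFAULT_ALGORITHM` (aes-128 in CBC mode), so a typo in the outbound configuration downgrades encryption with no trace; the old code did the same, but a commit about algorithm enforcement is the place to surface it. Either log it at warn level (the class's logger is not visible in this hunk) or reject it: `throw new WSSecurityException("Unknown encryption algorithm: " + algorithm);`. `process` continues past this hunk.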
Modified:
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/RequireEncryptionOperation.java
===================================================================
---
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/RequireEncryptionOperation.java 2013-06-04
09:53:35 UTC (rev 17648)
+++
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/RequireEncryptionOperation.java 2013-06-04
16:11:17 UTC (rev 17649)
@@ -21,13 +21,52 @@
*/
package org.jboss.ws.extensions.security;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.StringTokenizer;
+
+import org.jboss.logging.Logger;
import org.jboss.ws.extensions.security.element.SecurityHeader;
+import org.jboss.ws.extensions.security.SecurityDecoder;
+import org.jboss.ws.extensions.security.Target;
-
public class RequireEncryptionOperation extends RequireTargetableOperation
-{
- public RequireEncryptionOperation(SecurityHeader header, SecurityStore store) throws
WSSecurityException
- {
- super(header, store);
+ {
+ private List<String> allowedKeyWrapAlgorithms;
+
+ private List<String> allowedEncAlgorithms;
+
+ public RequireEncryptionOperation(List<Target> targets) {
+ super(targets);
}
-}
+
+ public RequireEncryptionOperation(List<Target> targets, String
keyWrapAlgorithms, String algorithms)
+ {
+ super(targets);
+ this.allowedEncAlgorithms = parseStringList(algorithms);
+ this.allowedKeyWrapAlgorithms = parseStringList(keyWrapAlgorithms);
+ }
+
+ public void setupDecoder(SecurityDecoder decoder) {
+ if (allowedEncAlgorithms == null) {
+ Logger.getLogger(RequireEncryptionOperation.class).warn("No
'algorithms' provided for 'encryption' configuration requirement!");
+ }
+ decoder.setAllowedEncAlgorithms(allowedEncAlgorithms);
+ if (allowedKeyWrapAlgorithms == null) {
+ Logger.getLogger(RequireEncryptionOperation.class).warn("No
'keyWrapAlgorithms' provided for 'encryption' configuration
requirement!");
+ }
+ decoder.setAllowedKeyWrapAlgorithms(allowedKeyWrapAlgorithms);
+ }
+
+ private List<String> parseStringList(String s) {
+ List<String> result = null;
+ if (s != null && s.trim().length() > 0) {
+ StringTokenizer st = new StringTokenizer(s, ", ", false);
+ result = new LinkedList<String>();
+ while (st.hasMoreTokens()) {
+ result.add(st.nextToken());
+ }
+ }
+ return result;
+ }
+ }
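Review bot: The constructor that actually populates `allowedEncAlgorithms` and `allowedKeyWrapAlgorithms` has no caller in this commit — `SecurityDecoder.init` and `verify` both use `RequireEncryptionOperation(List<Target>)` — so `setupDecoder` always installs null lists and the two `warn` lines fire on every inbound message that carries a security header. The configured strings need to travel from `RequireEncryption` (via `OperationDescription` or a direct call) into the three-argument constructor, and the warnings belong at configuration time, not per message. `parseStringList` returns null for a blank string and a `LinkedList` otherwise; a `// null == no restriction configured` comment on the return makes the contract the decoder relies on explicit. Minor: the class body's opening brace was re-indented to `   {`, which no longer matches the file's brace style.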
Modified:
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/RequireSignatureOperation.java
===================================================================
---
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/RequireSignatureOperation.java 2013-06-04
09:53:35 UTC (rev 17648)
+++
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/RequireSignatureOperation.java 2013-06-04
16:11:17 UTC (rev 17649)
@@ -22,12 +22,14 @@
package org.jboss.ws.extensions.security;
import org.jboss.ws.extensions.security.element.SecurityHeader;
+import org.jboss.ws.extensions.security.SecurityStore;
+import java.util.List;
public class RequireSignatureOperation extends RequireTargetableOperation
{
- public RequireSignatureOperation(SecurityHeader header, SecurityStore store) throws
WSSecurityException
+ public RequireSignatureOperation(List<Target> targets) throws
WSSecurityException
{
- super(header, store);
+ super(targets);
}
}
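Review bot: The constructor still declares `throws WSSecurityException`, but after this change it only calls `super(targets)`, whose constructor no longer throws, so the clause forces callers to handle an exception that cannot occur; `RequireEncryptionOperation` in this same commit drops it. The two added imports are noise as well: `SecurityStore` is in the same package, and `SecurityHeader` is no longer referenced once the old constructor is gone.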
Modified:
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/RequireTargetableOperation.java
===================================================================
---
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/RequireTargetableOperation.java 2013-06-04
09:53:35 UTC (rev 17648)
+++
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/RequireTargetableOperation.java 2013-06-04
16:11:17 UTC (rev 17649)
@@ -33,8 +33,11 @@
public class RequireTargetableOperation implements RequireOperation
{
- public RequireTargetableOperation(SecurityHeader header, SecurityStore store) throws
WSSecurityException
+ private List<Target> targets;
+
+ public RequireTargetableOperation(List<Target> targets)
{
+ this.targets = targets;
}
private Collection<String> resolveTarget(Document message, Target target) throws
WSSecurityException
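Review bot: `targets` is assigned only in the constructor, so declare it `private final List<Target> targets;` and give the constructor a Javadoc — `@param targets the message parts this requirement must find processed (as supplied by the caller; may be null)`. Nothing in this hunk shows the field being read, so whether a defensive copy is warranted cannot be judged from here; if the list is held beyond construction, consider one.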
Modified:
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java
===================================================================
---
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java 2013-06-04
09:53:35 UTC (rev 17648)
+++
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java 2013-06-04
16:11:17 UTC (rev 17649)
@@ -34,6 +34,7 @@
import org.jboss.ws.extensions.security.element.Timestamp;
import org.jboss.ws.extensions.security.element.Token;
import org.jboss.ws.extensions.security.element.UsernameToken;
+import org.jboss.ws.extensions.security.RequireEncryptionOperation;
import org.jboss.ws.extensions.security.nonce.NonceFactory;
import org.jboss.ws.metadata.wsse.Authenticate;
import org.jboss.ws.metadata.wsse.TimestampVerification;
@@ -67,6 +68,10 @@
private HashSet<String> signedIds = new HashSet<String>();
private HashSet<String> encryptedIds = new HashSet<String>();
+
+ private List<String> allowedKeyWrapAlgorithms;
+
+ private List<String> allowedEncAlgorithms;
public SecurityDecoder(SecurityStore store, NonceFactory nonceFactory,
TimestampVerification timestampVerification, Authenticate authenticate)
@@ -129,7 +134,7 @@
encryptedIds.clear();
SignatureVerificationOperation signatureVerifier = new
SignatureVerificationOperation(header, store);
- DecryptionOperation decrypter = new DecryptionOperation(header, store);
+ DecryptionOperation decrypter = new DecryptionOperation(header, store,
allowedEncAlgorithms);
for (SecurityProcess process : header.getSecurityProcesses())
{
@@ -153,6 +158,18 @@
}
+
+ public void init(List<OperationDescription<RequireOperation>>
requireOperations) {
+ if (requireOperations != null) {
+ for (OperationDescription<RequireOperation> operation : requireOperations)
{
+ if (operation.equals(RequireEncryptionOperation.class)) {
+ RequireEncryptionOperation op = new
RequireEncryptionOperation(operation.getTargets());
+ op.setupDecoder(this);
+ break;
+ }
+ }
+ }
+ }
public void verify(List<OperationDescription<RequireOperation>>
requireOperations) throws WSSecurityException
{
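Review bot: `operation.equals(RequireEncryptionOperation.class)` compares an `OperationDescription` instance with a `Class` object, so unless `OperationDescription` overrides `equals` to do that comparison (not shown here) the condition is never true, `setupDecoder` is never invoked, and the allow-lists stay null for every message. `verify()` just below tests a separate `operation` value apparently derived from the loop element `o`; do the same here, e.g. `if (RequireEncryptionOperation.class.equals(o.getOperation()))`, using whatever accessor `verify()` uses. Even once it matches, `RequireEncryptionOperation(List<Target>)` leaves both lists null, so the algorithm strings have to be carried on the `OperationDescription` and handed to the three-argument constructor for `init` to have any effect.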
@@ -167,12 +184,12 @@
if (operation.equals(RequireSignatureOperation.class))
{
- op = new RequireSignatureOperation(header, store);
+ op = new RequireSignatureOperation(o.getTargets());
processedIds = signedIds;
}
else if (operation.equals(RequireEncryptionOperation.class))
{
- op = new RequireEncryptionOperation(header, store);
+ op = new RequireEncryptionOperation(o.getTargets());
processedIds = encryptedIds;
}
else
@@ -200,7 +217,7 @@
public void decode(Document message, Element headerElement) throws
WSSecurityException
{
this.headerElement = headerElement;
- this.header = new SecurityHeader(this.headerElement, store);
+ this.header = new SecurityHeader(this.headerElement, store,
allowedKeyWrapAlgorithms, allowedEncAlgorithms);
this.message = message;
decode();
@@ -212,4 +229,15 @@
// message (required by the specification)
detachHeader();
}
+
+ public void setAllowedKeyWrapAlgorithms(List<String> allowedKeyWrapAlgorithms)
+ {
+ this.allowedKeyWrapAlgorithms = allowedKeyWrapAlgorithms;
+ }
+
+ public void setAllowedEncAlgorithms(List<String> allowedEncAlgorithms)
+ {
+ this.allowedEncAlgorithms = allowedEncAlgorithms;
+ }
+
}
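Review bot: The two setters do not say when they take effect: the lists are read only when `decode()` builds the `SecurityHeader`, so calling them after `decode()` does nothing, and null/empty means unrestricted. Javadoc each, e.g. `/** Restricts the key-wrap ids accepted in EncryptedKey; must be called before decode(); null or empty means any supported algorithm. */` and the equivalent for the encryption algorithms. Since `RequireEncryptionOperation.setupDecoder` in the same package is the only intended caller, package-private visibility would keep them off the public surface.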
Modified:
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java
===================================================================
---
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java 2013-06-04
09:53:35 UTC (rev 17648)
+++
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/WSSecurityDispatcher.java 2013-06-04
16:11:17 UTC (rev 17649)
@@ -31,6 +31,7 @@
import javax.xml.rpc.soap.SOAPFaultException;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPHeader;
+import javax.xml.soap.SOAPMessage;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.WebServiceException;
@@ -44,6 +45,7 @@
import org.jboss.ws.extensions.security.nonce.DefaultNonceFactory;
import org.jboss.ws.extensions.security.nonce.NonceFactory;
import org.jboss.ws.extensions.security.nonce.NonceGenerator;
+import org.jboss.ws.extensions.security.RequireEncryptionOperation;
import org.jboss.ws.metadata.umdm.EndpointMetaData;
import org.jboss.ws.metadata.umdm.OperationMetaData;
import org.jboss.ws.metadata.wsse.Authenticate;
@@ -123,6 +125,7 @@
QName secQName = new QName(Constants.WSSE_NS, "Security");
Element secHeaderElement = (soapHeader != null) ? Util.findElement(soapHeader,
secQName) : null;
+ boolean fault = soapMessage.getSOAPBody().getFault() != null;
if (secHeaderElement == null)
{
@@ -158,7 +161,7 @@
Config operationConfig = getConfig(ctx, config, soapMessage);
if (secHeaderElement != null)
{
- decodeHeader(ctx, config, operationConfig, soapMessage, secHeaderElement);
+ decodeHeader(config, actualConfig, soapMessage, secHeaderElement, fault);
}
authorize(operationConfig);
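Review bot: The new call passes `actualConfig`, a name declared neither in this hunk nor in the surrounding lines shown, while `operationConfig` is still computed on the line above and then used only for `authorize`. If `actualConfig` is not a variable defined earlier in the method this will not compile; if it is, a comment explaining why the decoder verifies against a different `Config` than the one used for authorization would help, since `buildRequireOperations` now derives the require-operations (including the fault exemption) from whatever is passed here.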
@@ -174,8 +177,7 @@
}
}
- private static void decodeHeader(CommonMessageContext ctx, WSSecurityConfiguration
configuration, Config operationConfig, SOAPMessageImpl message,
- Element secHeaderElement) throws WSSecurityException, SOAPException
+ private static void decodeHeader(WSSecurityConfiguration configuration, Config config,
SOAPMessage message, Element secHeaderElement, boolean fault) throws WSSecurityException,
SOAPException
{
SecurityStore securityStore = new SecurityStore(configuration.getKeyStoreURL(),
configuration.getKeyStoreType(), configuration.getKeyStorePassword(),
configuration.getKeyPasswords(), configuration.getTrustStoreURL(),
configuration.getTrustStoreType(), configuration.getTrustStorePassword());
@@ -183,25 +185,34 @@
Authenticate authenticate = null;
- if (operationConfig != null)
+ if (config != null)
{
- authenticate = operationConfig.getAuthenticate();
+ authenticate = config.getAuthenticate();
}
- SecurityDecoder decoder = new SecurityDecoder(securityStore, factory,
configuration.getTimestampVerification(), authenticate);
-
+ SecurityDecoder decoder = new SecurityDecoder(securityStore, factory,
configuration.getTimestampVerification(), authenticate);
+ List<OperationDescription<RequireOperation>> operations =
buildRequireOperations(config, fault);
+ decoder.init(operations);
decoder.decode(message.getSOAPPart(), secHeaderElement);
if (log.isTraceEnabled())
log.trace("Decoded Message:\n" +
DOMWriter.printNode(message.getSOAPPart(), true));
- OperationMetaData opMetaData = ctx.getOperationMetaData();
+ CommonMessageContext ctx = MessageContextAssociation.peekMessageContext();
+ OperationMetaData opMetaData = null;
+ if(ctx != null) {
+ opMetaData = ctx.getOperationMetaData();
+ }else if (log.isTraceEnabled()) {
+ log.warn("No CommonMessageContext Found");
+ }
+
if (opMetaData == null)
{
// Get the operation meta data from the soap message
// for the server side inbound message.
EndpointMetaData epMetaData = ctx.getEndpointMetaData();
- opMetaData = message.getOperationMetaData(epMetaData);
+ SOAPMessageImpl soapMessage = (SOAPMessageImpl)ctx.getSOAPMessage();
+ opMetaData = soapMessage.getOperationMetaData(epMetaData);
}
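Review bot: When `peekMessageContext()` returns null the code only logs — and only if trace is enabled, since `log.warn` sits under `isTraceEnabled()`, which looks inverted — and then falls into the `opMetaData == null` branch, where `ctx.getEndpointMetaData()` throws a NullPointerException anyway. Fail explicitly instead: `if (ctx == null) throw new WSSecurityException("No CommonMessageContext associated with the current thread");` and drop the `else if`. `MessageContextAssociation` is used here without an import appearing in the visible import hunks; presumably it is already imported further up.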
String operation = null;
@@ -212,8 +223,6 @@
port = opMetaData.getEndpointMetaData().getPortName().getLocalPart();
}
- List<OperationDescription<RequireOperation>> operations =
buildRequireOperations(configuration, operation, port);
-
decoder.verify(operations);
if (log.isDebugEnabled())
log.debug("Verification is successful");
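Review bot: With the `buildRequireOperations(configuration, operation, port)` call gone, `operation` and `port` (computed just above from `opMetaData`) appear to have no remaining reader in this method; if nothing outside the hunk uses them, the `opMetaData` lookup and the `peekMessageContext()` handling above are dead code and can go too. If they are still used (logging, say), a short comment at their declaration saying what for would protect them from the next cleanup.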
@@ -325,9 +334,9 @@
return (operationConfig != null && operationConfig.getRequires() != null);
}
- private static List<OperationDescription<RequireOperation>>
buildRequireOperations(WSSecurityConfiguration config, String operation, String port)
+ private static List<OperationDescription<RequireOperation>>
buildRequireOperations(Config operationConfig, boolean fault)
{
- Config operationConfig = getConfig(config, port, operation);
+
if (operationConfig == null)
return null;
@@ -348,7 +357,7 @@
}
RequireEncryption requireEncryption = requires.getRequireEncryption();
- if (requireEncryption != null)
+ if (requireEncryption != null && (!fault ||
requireEncryption.isIncludeFaults()))
{
List<Target> targets = convertTargets(requireEncryption.getTargets());
operations.add(new
OperationDescription<RequireOperation>(RequireEncryptionOperation.class, targets,
null, null, null));
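Review bot: The configured `algorithms` and `keyWrapAlgorithms` strings on `requireEncryption` are never read — the `OperationDescription` is still created with `null, null, null` — so none of the new allow-list machinery in `EncryptedKey` and `DecryptionOperation` is reachable from a deployment descriptor in this commit; pass `requireEncryption.getAlgorithms()` and the key-wrap list through, or construct the three-argument `RequireEncryptionOperation` here. The `!fault || requireEncryption.isIncludeFaults()` exemption also deserves a comment: `fault` is computed from the body before any decryption or signature verification, so with `includeFaults` at its default a message shaped as a SOAP Fault is exempt from the encryption requirement. Something like `// faults are exempt unless includeFaults="true"; decided on the still-unverified body` states the trade-off where the next reader will look for it.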
Modified:
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/element/EncryptedKey.java
===================================================================
---
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/element/EncryptedKey.java 2013-06-04
09:53:35 UTC (rev 17648)
+++
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/element/EncryptedKey.java 2013-06-04
16:11:17 UTC (rev 17649)
@@ -22,6 +22,9 @@
package org.jboss.ws.extensions.security.element;
import java.security.PrivateKey;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
import javax.crypto.SecretKey;
@@ -33,9 +36,11 @@
import org.jboss.ws.extensions.security.KeyResolver;
import org.jboss.ws.extensions.security.Util;
import org.jboss.ws.extensions.security.WSSecurityException;
+import org.jboss.ws.extensions.security.operation.EncryptionAlgorithms;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
+
/**
* <code>EncryptedKey</code> represents the am XMLSecurity encrypted key.
*
@@ -54,6 +59,15 @@
private Element cachedElement;
+ private static HashMap<String, String> keyWrapAlgorithms;
+ private static final String DEFAULT_ALGORITHM = "rsa_15";
+ static
+ {
+ keyWrapAlgorithms = new HashMap<String, String>(4);
+ keyWrapAlgorithms.put("rsa_15", XMLCipher.RSA_v1dot5);
+ keyWrapAlgorithms.put("rsa_oaep", XMLCipher.RSA_OAEP);
+ }
+
public EncryptedKey(Document document, SecretKey secretKey, X509Token token)
{
this(document, secretKey, token, new ReferenceList());
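Review bot: The key-wrap table keeps `rsa_15` (RSA PKCS#1 v1.5) as a supported value and names it `DEFAULT_ALGORITHM`, yet nothing in this hunk reads that constant, and a receiver that never sets `keyWrapAlgorithms` therefore keeps accepting RSA-1.5 key transport, which is generally regarded as exposed to Bleichenbacher-style attacks and is the kind of weak choice this backport is meant to let deployments exclude. If a default is needed prefer `rsa_oaep`, and record the trade-off next to the table: `// rsa_15 retained for interoperability; restrict via keyWrapAlgorithms in jboss-wsse-*.xml where possible`. Also make the table immutable and final to match `EncryptionAlgorithms`: `private static final Map<String, String> keyWrapAlgorithms;` initialised through `Collections.unmodifiableMap(...)` (this file would need `java.util.Map` and `java.util.Collections` imported).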
@@ -67,7 +81,7 @@
this.list = list;
}
- public EncryptedKey(Element element, KeyResolver resolver) throws WSSecurityException
+ public EncryptedKey(Element element, KeyResolver resolver, List<String>
allowedKeyWrapAlgorithms, List<String> allowedEncAlgorithms) throws
WSSecurityException
{
org.apache.xml.security.encryption.EncryptedKey key;
XMLCipher cipher;
@@ -84,6 +98,27 @@
}
KeyInfo info = key.getKeyInfo();
+ boolean supportedKeyWrapAlg = false;
+ final String kwa = key.getEncryptionMethod().getAlgorithm();
+ for (Iterator<String> it = keyWrapAlgorithms.values().iterator();
it.hasNext() && !supportedKeyWrapAlg; ) {
+ String s = it.next();
+ if (s.equals(kwa)) {
+ supportedKeyWrapAlg = true;
+ }
+ }
+ if (!supportedKeyWrapAlg) {
+ throw new WSSecurityException("Unsupported key wrap algorithm in received
message: " + kwa);
+ }
+ if (allowedKeyWrapAlgorithms != null &&
!allowedKeyWrapAlgorithms.isEmpty()) {
+ boolean found = false;
+ for (Iterator<String> it = allowedKeyWrapAlgorithms.iterator();
it.hasNext() && !found; ) {
+ found = kwa.equals(keyWrapAlgorithms.get(it.next()));
+ }
+ if (!found) {
+ throw new WSSecurityException("Unexpected key wrap algorithm in received
message: " + kwa);
+ }
+ }
+
if (info == null)
throw new WSSecurityException("EncryptedKey element did not contain
KeyInfo");
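Review bot: The "supported" loop over `keyWrapAlgorithms.values()` is a seven-line re-implementation of `if (!keyWrapAlgorithms.containsValue(kwa))`, and the allowed loop would read better as a small helper shared with the identical encryption-algorithm check further down this constructor. `key.getEncryptionMethod()` is dereferenced without a null check; if the XML-security library can return null for an EncryptedKey lacking an EncryptionMethod child, guard it with `if (key.getEncryptionMethod() == null) throw new WSSecurityException("EncryptedKey has no EncryptionMethod");` so the outcome is a WSSecurityException rather than a NullPointerException. Rejecting before the KeyInfo is resolved is the right order, since it keeps the private key from being applied under an untrusted algorithm; a one-line comment saying so would keep a future refactor from moving it.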
@@ -103,6 +138,15 @@
String alg = getKeyAlgorithm(element);
if (alg == null)
throw new WSSecurityException("Could not determine encrypted key
algorithm!");
+ if (allowedEncAlgorithms != null && !allowedEncAlgorithms.isEmpty()) {
+ boolean found = false;
+ for (Iterator<String> it = allowedEncAlgorithms.iterator(); it.hasNext()
&& !found; ) {
+ found = alg.equals(EncryptionAlgorithms.getAlgorithm(it.next()));
+ }
+ if (!found) {
+ throw new WSSecurityException("Unexpected encryption algorithm in
received message: " + alg);
+ }
+ }
try
{
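Review bot: This allow-list loop is a copy of the one added to `DecryptionOperation` in this commit, with the same quirk that an unknown configured id makes `EncryptionAlgorithms.getAlgorithm` return null and so rejects everything without explanation. Move it into `EncryptionAlgorithms` as `public static boolean isAllowed(String xmlName, List<String> allowedIds)` (null/empty list → true, otherwise compare `xmlName` against `getAlgorithm(id)` for each id) and call `if (!EncryptionAlgorithms.isAllowed(alg, allowedEncAlgorithms)) throw new WSSecurityException("Unexpected encryption algorithm in received message: " + alg);` from both places so the two checks cannot drift apart. The enclosing constructor starts before this hunk.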
@@ -190,4 +234,4 @@
{
return list;
}
-}
\ No newline at end of file
+}
Modified:
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/element/SecurityHeader.java
===================================================================
---
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/element/SecurityHeader.java 2013-06-04
09:53:35 UTC (rev 17648)
+++
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/element/SecurityHeader.java 2013-06-04
16:11:17 UTC (rev 17649)
@@ -23,6 +23,7 @@
import java.util.HashMap;
import java.util.LinkedList;
+import java.util.List;
import org.jboss.ws.extensions.security.BinarySecurityTokenValidator;
import org.jboss.ws.extensions.security.Constants;
@@ -56,13 +57,13 @@
// Looks like this is only for embedded tokens
private LinkedList<SecurityTokenReference> securityTokenReferences = new
LinkedList<SecurityTokenReference>();
-
+
public SecurityHeader(Document document)
{
this.document = document;
}
-
- public SecurityHeader(Element element, SecurityStore store) throws
WSSecurityException
+
+ public SecurityHeader(Element element, SecurityStore store, List<String>
allowedKeyWrapAlgorithms, List<String> allowedEncAlgorithms) throws
WSSecurityException
{
document = element.getOwnerDocument();
KeyResolver resolver = new KeyResolver(store);
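Review bot: The widened constructor adds two undocumented `List<String>` parameters whose only role is to be handed to each `EncryptedKey` parsed from the header, with null/empty meaning unrestricted; say so in a Javadoc: `@param allowedKeyWrapAlgorithms key-wrap ids (rsa_15, rsa_oaep) accepted in EncryptedKey; null or empty means any supported algorithm` and the same for `allowedEncAlgorithms`. The previous two-argument constructor was removed outright, so any caller of `new SecurityHeader(element, store)` outside this diff will no longer compile; worth confirming there are none.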
@@ -86,7 +87,7 @@
else if (tag.equals("Signature"))
securityProcesses.add(new Signature(child, resolver));
else if (tag.equals("EncryptedKey"))
- securityProcesses.add(new EncryptedKey(child, resolver));
+ securityProcesses.add(new EncryptedKey(child, resolver,
allowedKeyWrapAlgorithms, allowedEncAlgorithms));
else if (tag.equals("ReferenceList"))
throw new UnsupportedSecurityTokenException("ReferenceLists outside of
encrypted keys (shared secrets) are not supported.");
Added:
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/operation/EncryptionAlgorithms.java
===================================================================
---
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/operation/EncryptionAlgorithms.java
(rev 0)
+++
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/extensions/security/operation/EncryptionAlgorithms.java 2013-06-04
16:11:17 UTC (rev 17649)
@@ -0,0 +1,94 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2013, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.jboss.ws.extensions.security.operation;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.xml.security.encryption.XMLCipher;
+
+public final class EncryptionAlgorithms
+{
+ /** --- Keep private for security reasons --- **/
+ private static class Algorithm
+ {
+ Algorithm(String jceName, String xmlName, int size)
+ {
+ this.jceName = jceName;
+ this.xmlName = xmlName;
+ this.size = size;
+ }
+
+ public String jceName;
+ public String xmlName;
+ public int size;
+ }
+ private static Map<String, Algorithm> algorithms;
+ private static Map<String, String> algorithmsID;
+ /** ----------------------------------------- **/
+
+ public static final String DEFAULT_ALGORITHM = "aes-128";
+
+ static
+ {
+ algorithms = new HashMap<String, Algorithm>(4);
+ algorithms.put("aes-128", new Algorithm("AES",
XMLCipher.AES_128, 128));
+ algorithms.put("aes-192", new Algorithm("AES",
XMLCipher.AES_192, 192));
+ algorithms.put("aes-256", new Algorithm("AES",
XMLCipher.AES_256, 256));
+ algorithms.put("aes-128-gcm", new Algorithm("AES",
XMLCipher.AES_128_GCM, 128));
+ algorithms.put("aes-192-gcm", new Algorithm("AES",
XMLCipher.AES_192_GCM, 192));
+ algorithms.put("aes-256-gcm", new Algorithm("AES",
XMLCipher.AES_256_GCM, 256));
+ algorithms.put("tripledes", new Algorithm("TripleDes",
XMLCipher.TRIPLEDES, 168));
+ algorithms = Collections.unmodifiableMap(algorithms);
+
+ algorithmsID = new HashMap<String, String>(4);
+ algorithmsID.put(XMLCipher.AES_128, "aes-128");
+ algorithmsID.put(XMLCipher.AES_192, "aes-192");
+ algorithmsID.put(XMLCipher.AES_256, "aes-256");
+ algorithmsID.put(XMLCipher.TRIPLEDES, "tripledes");
+ algorithmsID = Collections.unmodifiableMap(algorithmsID);
+ }
+
+ public static boolean hasAlgorithm(String id) {
+ return algorithms.containsKey(id);
+ }
+
+ public static String getAlgorithm(String id) {
+ Algorithm alg = algorithms.get(id);
+ return alg == null ? null : alg.xmlName;
+ }
+
+ public static String getAlgorithmJceName(String id) {
+ Algorithm alg = algorithms.get(id);
+ return alg == null ? null : alg.jceName;
+ }
+
+ public static int getAlgorithmSize(String id) {
+ Algorithm alg = algorithms.get(id);
+ return alg == null ? null : alg.size;
+ }
+
+ public static String getAlgorithmID(String xmlName) {
+ return algorithmsID.get(xmlName);
+ }
+}
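Review bot: `algorithmsID` is hand-written and omits the three GCM URIs that `algorithms` defines, so `getAlgorithmID(XMLCipher.AES_128_GCM)` returns null even though `hasAlgorithm("aes-128-gcm")` is true, and `EncryptionOperation.generateSecretKey` passes that null straight on. `getAlgorithmSize` has a related trap: `return alg == null ? null : alg.size;` compiles through autoboxing and throws a NullPointerException on unboxing for any unknown id, which nobody reading the `int` signature expects. Build the reverse map from the forward one, make both tables `final` (the "keep private for security reasons" comment is only half honoured while the references are reassignable), add a private constructor so the utility class cannot be instantiated, and make the size lookup fail with an explicit exception, as sketched below. Exposing the set of known ids as a read-only view would additionally let a `RequireEncryption` configuration be validated once at parse time instead of failing per message.
```java
   // … unchanged: private static class Algorithm …
   private static final Map<String, Algorithm> algorithms;
   private static final Map<String, String> algorithmsID;

   public static final String DEFAULT_ALGORITHM = "aes-128";

   private EncryptionAlgorithms()
   {
      // static lookup table; no instances
   }

   static
   {
      Map<String, Algorithm> byId = new HashMap<String, Algorithm>();
      byId.put("aes-128", new Algorithm("AES", XMLCipher.AES_128, 128));
      // … unchanged: the other six put() calls …
      algorithms = Collections.unmodifiableMap(byId);

      // Derive the reverse map from the forward one so every supported id
      // (GCM variants included) resolves; the hand-written map omitted them.
      Map<String, String> byXmlName = new HashMap<String, String>();
      for (Map.Entry<String, Algorithm> e : byId.entrySet())
      {
         byXmlName.put(e.getValue().xmlName, e.getKey());
      }
      algorithmsID = Collections.unmodifiableMap(byXmlName);
   }

   // … unchanged: hasAlgorithm, getAlgorithm, getAlgorithmJceName …

   /**
    * Key size in bits for a configured id.
    * @throws IllegalArgumentException for an unknown id (previously a NullPointerException from unboxing null)
    */
   public static int getAlgorithmSize(String id)
   {
      Algorithm alg = algorithms.get(id);
      if (alg == null)
      {
         throw new IllegalArgumentException("Unknown encryption algorithm id: " + id);
      }
      return alg.size;
   }
```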
Modified:
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/metadata/wsse/RequireEncryption.java
===================================================================
---
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/metadata/wsse/RequireEncryption.java 2013-06-04
09:53:35 UTC (rev 17648)
+++
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/metadata/wsse/RequireEncryption.java 2013-06-04
16:11:17 UTC (rev 17649)
@@ -21,6 +21,7 @@
*/
package org.jboss.ws.metadata.wsse;
+
/**
* <code>Sign</code> represents the sign tag, which declares that a message
* should be signed.
@@ -30,5 +31,43 @@
*/
public class RequireEncryption extends Targetable
{
- private static final long serialVersionUID = 3765798680988205647L;
+ private static final long serialVersionUID = 3765798680988205648L;
+
+ private boolean includeFaults;
+
+ private String keyWrapAlgorithms;
+
+ private String algorithms;
+
+ public RequireEncryption(boolean includeFaults, String keyWrapAlgorithms, String
algorithms)
+ {
+ this.includeFaults = includeFaults;
+ this.algorithms = algorithms;
+ this.keyWrapAlgorithms = keyWrapAlgorithms;
+ }
+
+ public boolean isIncludeFaults()
+ {
+ return includeFaults;
+ }
+
+ public String getdKeyWrapAlgorithms()
+ {
+ return keyWrapAlgorithms;
+ }
+
+ public void setKeyWrapAlgorithms(String keyWrapAlgorithms)
+ {
+ this.keyWrapAlgorithms = keyWrapAlgorithms;
+ }
+
+ public String getAlgorithms()
+ {
+ return algorithms;
+ }
+
+ public void setAlgorithms(String algorithms)
+ {
+ this.algorithms = algorithms;
+ }
}
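Review bot: The new public accessor `getdKeyWrapAlgorithms()` has a typo in its name, and because this class is serializable metadata on a released branch the name will be hard to change once the operation classes in this commit bind to it; it should read `public String getKeyWrapAlgorithms()` before it ships. The three new fields and the constructor carry no Javadoc saying what the strings hold or what a null means; the factory passes the raw attribute value through, so null is what the field contains when the descriptor omits the attribute, and a field comment such as `/** Blank-space or comma separated list of algorithm ids accepted for the encrypted incoming message; null when the descriptor does not set it. */` (and the equivalent for keyWrapAlgorithms) would make that explicit. The class Javadoc above still describes `Sign` and the sign tag, which is not what this class is. The `Targetable` base and any other accessors are outside the hunk.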
Modified:
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityOMFactory.java
===================================================================
---
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityOMFactory.java 2013-06-04
09:53:35 UTC (rev 17648)
+++
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/java/org/jboss/ws/metadata/wsse/WSSecurityOMFactory.java 2013-06-04
16:11:17 UTC (rev 17649)
@@ -452,13 +452,19 @@
public Object newChild(Requires requires, UnmarshallingContext navigator, String
namespaceURI, String localName, Attributes attrs)
{
log.trace("newChild: " + localName);
+
if ("signature".equals(localName))
{
return new RequireSignature();
}
else if ("encryption".equals(localName))
{
- return new RequireEncryption();
+ boolean includeFaults = false;
+ String value = attrs.getValue("", "includeFaults");
+ if (value != null)
+ includeFaults = (Boolean)
SimpleTypeBindings.unmarshal(SimpleTypeBindings.XS_BOOLEAN_NAME, value, null);
+
+ return new RequireEncryption(includeFaults, attrs.getValue("",
"keyWrapAlgorithms"), attrs.getValue("", "algorithms"));
}
else if ("timestamp".equals(localName))
{
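Review bot: The attribute names read at `attrs.getValue("", "keyWrapAlgorithms")` and `attrs.getValue("", "algorithms")` are the plural forms, while the schema hunk in jboss-ws-security_1_0.xsd declares the new attributes as `algorithm` and `keyWrapAlgorithm`; a descriptor written to the schema would get null from both lookups and the `RequireEncryption` would be built with no algorithm restriction at all, with nothing logged. The server test descriptor in this commit uses the plural spelling, so the schema appears to be the one out of step, but one spelling should be chosen and applied in both places before this is relied on as a policy control. A comment on the null path would also help the next reader, e.g. `// a missing attribute yields null, which RequireEncryption stores unchanged`. The `if (value != null)` body should be braced like the surrounding code, and the end of `newChild` lies outside the hunk.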
Modified:
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/resources/schema/jboss-ws-security_1_0.xsd
===================================================================
---
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/resources/schema/jboss-ws-security_1_0.xsd 2013-06-04
09:53:35 UTC (rev 17648)
+++
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/main/resources/schema/jboss-ws-security_1_0.xsd 2013-06-04
16:11:17 UTC (rev 17649)
@@ -164,6 +164,16 @@
<xs:sequence>
<xs:element name="targets" type="targetsType"
minOccurs="0"/>
</xs:sequence>
+ <xs:attribute name="algorithm" type="xs:string">
+ <xs:annotation>
+ <xs:documentation>A blank space or comma separated list of algorithm ids that
are allowed for the encrypted incoming message</xs:documentation>
+ </xs:annotation>
+ </xs:attribute>
+ <xs:attribute name="keyWrapAlgorithm" type="xs:string">
+ <xs:annotation>
+ <xs:documentation>A blank space or comma separated list of algorithm ids that
are allowed for the key wrapping in incoming message</xs:documentation>
+ </xs:annotation>
+ </xs:attribute>
</xs:complexType>
<xs:complexType name="requiresType">
<xs:all>
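Review bot: The `xs:documentation` text for the two new attributes does not say what the decoder does when the attribute is omitted, which is the case that matters most for a policy attribute, so each annotation should state the omitted-attribute behaviour (whichever one the operation actually implements) alongside the list format. Declaring both as plain `xs:string` also means the schema cannot catch a misspelled algorithm id at validation time; if whitespace separation alone is acceptable, an `xs:list` whose itemType is the algorithm enumeration extended in the following hunk (assuming that enumeration is the encryption-algorithm type, which its name is not visible here to confirm) would reject typos before they silently widen or break the policy, though that would drop the comma-separated form the text currently promises. The naming mismatch between these attributes and the parser is raised on the WSSecurityOMFactory hunk.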
@@ -240,6 +250,9 @@
<xs:enumeration value="aes-128"/>
<xs:enumeration value="aes-192"/>
<xs:enumeration value="aes-256"/>
+ <xs:enumeration value="aes-128-gcm"/>
+ <xs:enumeration value="aes-192-gcm"/>
+ <xs:enumeration value="aes-256-gcm"/>
<xs:enumeration value="tripledes"/>
</xs:restriction>
</xs:simpleType>
Modified:
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/test/resources/jaxws/samples/wssecurity/simple-encrypt/META-INF/jboss-wsse-client.xml
===================================================================
---
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/test/resources/jaxws/samples/wssecurity/simple-encrypt/META-INF/jboss-wsse-client.xml 2013-06-04
09:53:35 UTC (rev 17648)
+++
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/test/resources/jaxws/samples/wssecurity/simple-encrypt/META-INF/jboss-wsse-client.xml 2013-06-04
16:11:17 UTC (rev 17649)
@@ -3,9 +3,9 @@
<jboss-ws-security
xmlns="http://www.jboss.com/ws-security/config"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.jboss.com/ws-security/config
http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
<config>
- <encrypt type="x509v3" algorithm="aes-128-gcm"
alias="wsse"/>
+ <encrypt type="x509v3" algorithm="aes-192-gcm"
keyWrapAlgorithm="rsa_oaep" alias="wsse"/>
<requires>
<encryption/>
</requires>
</config>
-</jboss-ws-security>
\ No newline at end of file
+</jboss-ws-security>
Modified:
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/test/resources/jaxws/samples/wssecurity/simple-encrypt/WEB-INF/jboss-wsse-server.xml
===================================================================
---
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/test/resources/jaxws/samples/wssecurity/simple-encrypt/WEB-INF/jboss-wsse-server.xml 2013-06-04
09:53:35 UTC (rev 17648)
+++
stack/native/branches/jbossws-native-2.0.1.SP2_CP11_JBPAPP-10768/src/test/resources/jaxws/samples/wssecurity/simple-encrypt/WEB-INF/jboss-wsse-server.xml 2013-06-04
16:11:17 UTC (rev 17649)
@@ -7,9 +7,9 @@
<trust-store-file>WEB-INF/wsse.truststore</trust-store-file>
<trust-store-password>jbossws</trust-store-password>
<config>
- <encrypt type="x509v3" algorithm="aes-128-gcm"
alias="wsse"/>
+ <encrypt type="x509v3" algorithm="aes-192-gcm"
keyWrapAlgorithm="rsa_oaep" alias="wsse"/>
<requires>
- <encryption/>
+ <encryption algorithms="aes-192-gcm aes-256-gcm"
keyWrapAlgorithms="rsa_oaep"/>
</requires>
</config>
-</jboss-ws-security>
\ No newline at end of file
+</jboss-ws-security>