Author: alessio.soldano(a)jboss.com
Date: 2013-04-18 09:12:16 -0400 (Thu, 18 Apr 2013)
New Revision: 17509
Modified:
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/EncryptedKey.java
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/SecurityHeader.java
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/EncryptionAlgorithms.java
Log:
[JBPAPP-10455] Adding further checks
Modified:
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java
===================================================================
---
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java 2013-04-18
08:26:16 UTC (rev 17508)
+++
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/SecurityDecoder.java 2013-04-18
13:12:16 UTC (rev 17509)
@@ -202,7 +202,7 @@
public void decode(Document message, Element headerElement) throws
WSSecurityException
{
this.headerElement = headerElement;
- this.header = new SecurityHeader(this.headerElement, store,
allowedKeyWrapAlgorithms);
+ this.header = new SecurityHeader(this.headerElement, store,
allowedKeyWrapAlgorithms, allowedEncAlgorithms);
this.message = message;
decode();
Modified:
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/EncryptedKey.java
===================================================================
---
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/EncryptedKey.java 2013-04-18
08:26:16 UTC (rev 17508)
+++
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/EncryptedKey.java 2013-04-18
13:12:16 UTC (rev 17509)
@@ -37,6 +37,7 @@
import org.jboss.ws.extensions.security.exception.FailedCheckException;
import org.jboss.ws.extensions.security.exception.InvalidSecurityHeaderException;
import org.jboss.ws.extensions.security.exception.WSSecurityException;
+import org.jboss.ws.extensions.security.operation.EncryptionAlgorithms;
import org.jboss.ws.extensions.security.operation.EncryptionOperation;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -88,7 +89,7 @@
this.tokenRefType = tokenRefType;
}
- public EncryptedKey(Element element, KeyResolver resolver, List<String>
allowedAlgorithms) throws WSSecurityException
+ public EncryptedKey(Element element, KeyResolver resolver, List<String>
allowedKeyWrapAlgorithms, List<String> allowedEncAlgorithms) throws
WSSecurityException
{
org.apache.xml.security.encryption.EncryptedKey key;
XMLCipher cipher;
@@ -116,9 +117,9 @@
if (!supportedKeyWrapAlg) {
throw new WSSecurityException("Unsupported key wrap algorithm in received
message: " + kwa);
}
- if (allowedAlgorithms != null && !allowedAlgorithms.isEmpty()) {
+ if (allowedKeyWrapAlgorithms != null &&
!allowedKeyWrapAlgorithms.isEmpty()) {
boolean found = false;
- for (Iterator<String> it = allowedAlgorithms.iterator(); it.hasNext()
&& !found; ) {
+ for (Iterator<String> it = allowedKeyWrapAlgorithms.iterator();
it.hasNext() && !found; ) {
found = kwa.equals(keyWrapAlgorithms.get(it.next()));
}
if (!found) {
@@ -145,6 +146,15 @@
String alg = getKeyAlgorithm(element);
if (alg == null)
throw new WSSecurityException("Could not determine encrypted key
algorithm!");
+ if (allowedEncAlgorithms != null && !allowedEncAlgorithms.isEmpty()) {
+ boolean found = false;
+ for (Iterator<String> it = allowedEncAlgorithms.iterator(); it.hasNext()
&& !found; ) {
+ found = alg.equals(EncryptionAlgorithms.getAlgorithm(it.next()));
+ }
+ if (!found) {
+ throw new WSSecurityException("Unexpected encryption algorithm in
received message: " + alg);
+ }
+ }
try
{
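Review bot: The new allow-list block after the `alg == null` check is skipped entirely when allowedEncAlgorithms is null or empty, so an unconfigured deployment still accepts whatever EncryptionMethod Algorithm URI the message names; unlike the key-wrap path earlier in this constructor, which throws "Unsupported key wrap algorithm" before consulting its allow-list, there is no unconditional "is this a known algorithm" check here. Since EncryptionAlgorithms.getAlgorithmID is made public in this same commit, reject unknown URIs regardless of configuration, before the loop: `if (EncryptionAlgorithms.getAlgorithmID(alg) == null) throw new WSSecurityException("Unsupported encryption algorithm in received message: " + alg);`. Whether the decryption in the following try block already fails on an unknown URI cannot be seen here, but an explicit rejection gives a clear error and does not depend on what XMLCipher happens to accept. The constructor body continues past the end of the hunk.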
Modified:
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/SecurityHeader.java
===================================================================
---
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/SecurityHeader.java 2013-04-18
08:26:16 UTC (rev 17508)
+++
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/element/SecurityHeader.java 2013-04-18
13:12:16 UTC (rev 17509)
@@ -61,7 +61,7 @@
this.document = document;
}
- public SecurityHeader(Element element, SecurityStore store, List<String>
allowedKeyWrapAlgorithms) throws WSSecurityException
+ public SecurityHeader(Element element, SecurityStore store, List<String>
allowedKeyWrapAlgorithms, List<String> allowedEncAlgorithms) throws
WSSecurityException
{
document = element.getOwnerDocument();
KeyResolver resolver = new KeyResolver(store);
@@ -85,7 +85,7 @@
else if (tag.equals("Signature"))
securityProcesses.add(new Signature(child, resolver));
else if (tag.equals("EncryptedKey"))
- securityProcesses.add(new EncryptedKey(child, resolver,
allowedKeyWrapAlgorithms));
+ securityProcesses.add(new EncryptedKey(child, resolver,
allowedKeyWrapAlgorithms, allowedEncAlgorithms));
else if (tag.equals("ReferenceList"))
throw new UnsupportedSecurityTokenException("ReferenceLists outside of
encrypted keys (shared secrets) are not supported.");
Modified:
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/EncryptionAlgorithms.java
===================================================================
---
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/EncryptionAlgorithms.java 2013-04-18
08:26:16 UTC (rev 17508)
+++
stack/native/branches/jbossws-native-3.1.2/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/EncryptionAlgorithms.java 2013-04-18
13:12:16 UTC (rev 17509)
@@ -27,7 +27,7 @@
import org.apache.xml.security.encryption.XMLCipher;
-final class EncryptionAlgorithms
+public final class EncryptionAlgorithms
{
/** --- Keep private for security reasons --- **/
private static class Algorithm
@@ -47,7 +47,7 @@
private static Map<String, String> algorithmsID;
/** ----------------------------------------- **/
- static final String DEFAULT_ALGORITHM = "aes-128";
+ public static final String DEFAULT_ALGORITHM = "aes-128";
static
{
@@ -69,26 +69,26 @@
algorithmsID = Collections.unmodifiableMap(algorithmsID);
}
- static boolean hasAlgorithm(String id) {
+ public static boolean hasAlgorithm(String id) {
return algorithms.containsKey(id);
}
- static String getAlgorithm(String id) {
+ public static String getAlgorithm(String id) {
Algorithm alg = algorithms.get(id);
return alg == null ? null : alg.xmlName;
}
- static String getAlgorithmJceName(String id) {
+ public static String getAlgorithmJceName(String id) {
Algorithm alg = algorithms.get(id);
return alg == null ? null : alg.jceName;
}
- static int getAlgorithmSize(String id) {
+ public static int getAlgorithmSize(String id) {
Algorithm alg = algorithms.get(id);
return alg == null ? null : alg.size;
}
- static String getAlgorithmID(String xmlName) {
+ public static String getAlgorithmID(String xmlName) {
return algorithmsID.get(xmlName);
}
}
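Review bot: `getAlgorithmSize` returns `null` through an `int` return type when the id is unknown, which auto-unboxes into a NullPointerException; that was latent while the method was package-private, but this hunk makes it public, so any caller passing an unvalidated id now gets an NPE rather than a meaningful error. Replace the ternary with `if (alg == null) throw new IllegalArgumentException("Unknown encryption algorithm id: " + id); return alg.size;`, or at minimum document that callers must check `hasAlgorithm` first. With the class now part of the public surface, a class Javadoc stating that the lookup tables are read-only (algorithmsID is wrapped in Collections.unmodifiableMap above) and that Algorithm itself stays private would make the "Keep private for security reasons" intent visible to external users.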