svn commit: r1421768 - in /webservices/wss4j/trunk:
cxf-integration/src/test/java/org/swssf/cxfIntegration/test/integration/
ws-security-common/src/main/resources/messages/
ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/
ws-se...
Author: giger
Date: Fri Dec 14 09:50:49 2012
New Revision: 1421768
URL: http://svn.apache.org/viewvc?rev=1421768&view=rev
Log:
WSS-415 - Reject RSA v1.5 Key Transport Algorithm by default
Modified:
webservices/wss4j/trunk/cxf-integration/src/test/java/org/swssf/cxfIntegration/test/integration/CXFIntegrationTest.java
webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties
webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/PolicyInputProcessor.java
webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/AsymmetricBindingIntegrationTest.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/InboundWSSecurityContextImpl.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/WSSSignatureInputHandler.java
webservices/wss4j/trunk/ws-security-stax/src/main/resources/wss/wss-config.xml
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/VulnerabliltyVectorsTest.java
Modified: webservices/wss4j/trunk/cxf-integration/src/test/java/org/swssf/cxfIntegration/test/integration/CXFIntegrationTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/cxf-integration/src/test/java/org/swssf/cxfIntegration/test/integration/CXFIntegrationTest.java?rev=1421768&r1=1421767&r2=1421768&view=diff
==============================================================================
--- webservices/wss4j/trunk/cxf-integration/src/test/java/org/swssf/cxfIntegration/test/integration/CXFIntegrationTest.java (original)
+++ webservices/wss4j/trunk/cxf-integration/src/test/java/org/swssf/cxfIntegration/test/integration/CXFIntegrationTest.java Fri Dec 14 09:50:49 2012
@@ -79,6 +79,7 @@ public class CXFIntegrationTest {
wss4JOutInterceptor.setProperty(WSHandlerConstants.SIG_PROP_FILE, "transmitter-crypto.properties");
wss4JOutInterceptor.setProperty(WSHandlerConstants.ENC_PROP_FILE, "transmitter-crypto.properties");
wss4JOutInterceptor.setProperty(WSHandlerConstants.ENC_SYM_ALGO, "http://www.w3.org/2001/04/xmlenc#aes256-cbc");
+ wss4JOutInterceptor.setProperty(WSHandlerConstants.ENC_KEY_TRANSPORT, "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
client.getOutInterceptors().add(wss4JOutInterceptor);
WSS4JInInterceptor wss4JInInterceptor = new WSS4JInInterceptor();
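Review bot: The added `ENC_KEY_TRANSPORT` line (here and in the identical hunk at the second test method) forces RSA-OAEP without saying why; presumably the DOM outbound side would otherwise emit `rsa-1_5`, which the StAX receiver now rejects by default, but that is inferred rather than visible here. A one-line comment above each added line, `// receiver rejects rsa-1_5 by default (WSS-415); use OAEP explicitly`, would spare the next reader from re-deriving the reason. The enclosing test methods start and end outside both hunks.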
@@ -103,6 +104,7 @@ public class CXFIntegrationTest {
wss4JOutInterceptor.setProperty(WSHandlerConstants.SIG_PROP_FILE, "transmitter-crypto.properties");
wss4JOutInterceptor.setProperty(WSHandlerConstants.ENC_PROP_FILE, "transmitter-crypto.properties");
wss4JOutInterceptor.setProperty(WSHandlerConstants.ENC_SYM_ALGO, "http://www.w3.org/2001/04/xmlenc#aes256-cbc");
+ wss4JOutInterceptor.setProperty(WSHandlerConstants.ENC_KEY_TRANSPORT, "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
client.getOutInterceptors().add(wss4JOutInterceptor);
WSS4JInInterceptor wss4JInInterceptor = new WSS4JInInterceptor();
Modified: webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties?rev=1421768&r1=1421767&r2=1421768&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/resources/messages/wss4j_errors.properties Fri Dec 14 09:50:49 2012
@@ -93,3 +93,4 @@ unsupportedKeyId = Unsupported key ident
unsupportedKeyInfo = Unsupported KeyInfo type
unsupportedKeyTransp = unsupported key transport encryption algorithm: {0}
unsupportedSecurityToken = Unsupported SecurityToken {0}
+secureProcessing.AllowRSA15KeyTransportAlgorithm = The use of RSAv1.5 key transport algorithm is discouraged. Nonetheless can it be enabled via the \"AllowRSA15KeyTransportAlgorithm\" property in the configuration.
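Review bot: The new message reads awkwardly ("Nonetheless can it be enabled") and does not say that the algorithm is rejected; consider `secureProcessing.AllowRSA15KeyTransportAlgorithm = The RSA v1.5 key transport algorithm is rejected by default because its use is discouraged. It can nonetheless be enabled via the "AllowRSA15KeyTransportAlgorithm" property in the configuration.` Note that VulnerabliltyVectorsTest.testDisallowRSA15Algorithm in this same commit asserts the exact text, so the two must change together. The `\"` escapes are unnecessary in a .properties value; a bare `"` is read verbatim.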
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/PolicyInputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/PolicyInputProcessor.java?rev=1421768&r1=1421767&r2=1421768&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/PolicyInputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/main/java/org/apache/ws/security/policy/stax/PolicyInputProcessor.java Fri Dec 14 09:50:49 2012
@@ -51,6 +51,8 @@ import java.util.List;
public class PolicyInputProcessor extends AbstractInputProcessor {
private final PolicyEnforcer policyEnforcer;
+ private boolean initDone = false;
+ private boolean transportSecurityActive = false;
public PolicyInputProcessor(PolicyEnforcer policyEnforcer, XMLSecurityProperties securityProperties) {
super(securityProperties);
@@ -63,7 +65,7 @@ public class PolicyInputProcessor extend
public XMLSecEvent processNextHeaderEvent(InputProcessorChain inputProcessorChain) throws XMLStreamException, XMLSecurityException {
XMLSecEvent xmlSecEvent = inputProcessorChain.processHeaderEvent();
//test if non encrypted element have to be encrypted per policy
- boolean transportSecurityActive = Boolean.TRUE == inputProcessorChain.getSecurityContext().get(WSSConstants.TRANSPORT_SECURITY_ACTIVE);
+ init(inputProcessorChain);
//if transport security is active, every element is encrypted/signed
//WSP1.3, 4.2.1 EncryptedParts Assertion
List<QName> elementPath = null;
@@ -130,7 +132,6 @@ public class PolicyInputProcessor extend
break;
}
- boolean transportSecurityActive = Boolean.TRUE == inputProcessorChain.getSecurityContext().get(WSSConstants.TRANSPORT_SECURITY_ACTIVE);
//if transport security is active, every element is encrypted/signed
//WSP1.3, 4.2.1 EncryptedParts Assertion
//test if non encrypted element have to be encrypted per policy
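Review bot: The local `transportSecurityActive` is removed in favour of the new field, but no `init(inputProcessorChain)` call is visible in this hunk, so this body-event path reads the field without initialising it and presumably relies on processNextHeaderEvent having run first for every message. If that ordering is guaranteed, say so on the field, e.g. `// set once by init(); header events always precede body events`; otherwise add `init(inputProcessorChain);` here as well. The enclosing method starts and ends outside the hunk.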
@@ -219,4 +220,12 @@ public class PolicyInputProcessor extend
break;
}
}
+
+ protected void init(InputProcessorChain inputProcessorChain) {
+ if (!this.initDone) {
+ this.initDone = true;
+ this.transportSecurityActive = Boolean.TRUE == inputProcessorChain.getSecurityContext().get(WSSConstants.TRANSPORT_SECURITY_ACTIVE);
+ inputProcessorChain.getSecurityContext().put(WSSConstants.PROP_ALLOW_RSA15_KEYTRANSPORT_ALGORITHM, Boolean.TRUE);
+ }
+ }
}
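Review bot: `init` stores `PROP_ALLOW_RSA15_KEYTRANSPORT_ALGORITHM` = TRUE in the security context unconditionally, so as soon as a PolicyInputProcessor is installed the global `AllowRSA15KeyTransportAlgorithm=false` default is overridden for every message and rejection of RSA 1.5 rests entirely on the policy's AlgorithmSuite assertion. That may be intended (a `Basic256Rsa15` suite must be honoured), but it is a security-relevant decision that needs a comment such as `// policy takes over: the AlgorithmSuite assertion decides whether RSA 1.5 key transport is acceptable for this message`. Preferably the flag would only be set when the enforced suite actually is an Rsa15 suite, so a misconfigured or absent AlgorithmSuite assertion does not silently re-enable the algorithm.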
Modified: webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/AsymmetricBindingIntegrationTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/AsymmetricBindingIntegrationTest.java?rev=1421768&r1=1421767&r2=1421768&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/AsymmetricBindingIntegrationTest.java (original)
+++ webservices/wss4j/trunk/ws-security-policy-stax/src/test/java/org/apache/ws/security/policy/stax/test/AsymmetricBindingIntegrationTest.java Fri Dec 14 09:50:49 2012
@@ -1351,6 +1351,111 @@ public class AsymmetricBindingIntegratio
}
@Test
+ public void testPolicyReenabledRSA15KeyTransportAlgorithm() throws Exception {
+
+ String policyString =
+ "<wsp:ExactlyOne xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" " +
+ "xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n" +
+ " <wsp:All>\n" +
+ " <sp:AsymmetricBinding>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:InitiatorToken>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:X509Token IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
+ " <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:WssX509V3Token11/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:X509Token>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:InitiatorToken>\n" +
+ " <sp:RecipientToken>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:X509Token IncludeToken=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient\">\n" +
+ " <sp:IssuerName>CN=receiver,OU=swssf,C=CH</sp:IssuerName>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:WssX509V3Token11/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:X509Token>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:RecipientToken>\n" +
+ " <sp:AlgorithmSuite>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:Basic256Rsa15/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:AlgorithmSuite>\n" +
+ " <sp:Layout>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:Lax/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:Layout>\n" +
+ " <sp:IncludeTimestamp/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:AsymmetricBinding>\n" +
+ " <sp:SignedParts>\n" +
+ " <sp:Body/>\n" +
+ " <sp:Header Name=\"Header1\" Namespace=\"...\"/>\n" +
+ " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
+ " </sp:SignedParts>\n" +
+ " <sp:SignedElements>\n" +
+ " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
+ " </sp:SignedElements>\n" +
+ " <sp:EncryptedParts>\n" +
+ " <sp:Body/>\n" +
+ " <sp:Header Name=\"Header2\" Namespace=\"...\"/>\n" +
+ " <sp:Header Namespace=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"/>\n" +
+ " </sp:EncryptedParts>\n" +
+ " <sp:EncryptedElements>\n" +
+ " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Created</sp:XPath>\n" +
+ " </sp:EncryptedElements>\n" +
+ " <sp:ContentEncryptedElements>\n" +
+ " <sp:XPath xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">wsu:Expires</sp:XPath>\n" +
+ " </sp:ContentEncryptedElements>\n" +
+ " </wsp:All>\n" +
+ " </wsp:ExactlyOne>";
+
+ WSSSecurityProperties outSecurityProperties = new WSSSecurityProperties();
+ outSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+ outSecurityProperties.setEncryptionUser("receiver");
+ outSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+ outSecurityProperties.setEncryptionKeyTransportAlgorithm("http://www.w3.org/2001/04/xmlenc#rsa-1_5");
+ outSecurityProperties.setSignatureUser("transmitter");
+ outSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+
+ outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_wsu_Timestamp, SecurePart.Modifier.Element));
+ outSecurityProperties.addSignaturePart(new SecurePart(WSSConstants.TAG_soap11_Body, SecurePart.Modifier.Element));
+ outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_wsu_Created, SecurePart.Modifier.Element));
+ outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_wsu_Expires, SecurePart.Modifier.Content));
+ outSecurityProperties.addEncryptionPart(new SecurePart(WSSConstants.TAG_soap11_Body, SecurePart.Modifier.Content));
+ WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.TIMESTAMP, WSSConstants.SIGNATURE, WSSConstants.ENCRYPT};
+ outSecurityProperties.setOutAction(actions);
+
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+ ByteArrayOutputStream baos = doOutboundSecurity(outSecurityProperties, sourceDocument);
+
+ WSSSecurityProperties inSecurityProperties = new WSSSecurityProperties();
+ inSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+ inSecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ inSecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+
+ PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
+ inSecurityProperties.addInputProcessor(new PolicyInputProcessor(policyEnforcer, inSecurityProperties));
+
+ Document document = doInboundSecurity(inSecurityProperties, new ByteArrayInputStream(baos.toByteArray()), policyEnforcer);
+
+ //read the whole stream:
+ Transformer transformer = TransformerFactory.newInstance().newTransformer();
+ transformer.transform(new DOMSource(document), new StreamResult(
+ new OutputStream() {
+ @Override
+ public void write(int b) throws IOException {
+ // > /dev/null
+ }
+ }
+ ));
+ }
+
+ @Test
public void testSignatureProtectionPolicy() throws Exception {
String policyString =
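Review bot: The new test covers only the positive case (a `Basic256Rsa15` suite re-enables RSA 1.5); because PolicyInputProcessor.init now sets the allow flag for every policy-enforced message, a negative counterpart with an OAEP-only suite (e.g. `<sp:Basic256/>`) that still expects the `rsa-1_5` message to be rejected would pin the behaviour this commit relies on. A Javadoc on the test would also help, e.g. `/** RSA 1.5 key transport, rejected by default, must be accepted when the policy's AlgorithmSuite explicitly requires it. */`. The following test method continues outside the hunk.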
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java?rev=1421768&r1=1421767&r2=1421768&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java Fri Dec 14 09:50:49 2012
@@ -117,6 +117,8 @@ public class WSSConstants extends XMLSec
public static final String TIMESTAMP_PROCESSED = "TimestampProcessed";
+ public static final String PROP_ALLOW_RSA15_KEYTRANSPORT_ALGORITHM = "secureProcessing.AllowRSA15KeyTransportAlgorithm";
+
public static final String NS_WSSE10 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
public static final String NS_WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";
public static final String NS_WSU10 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
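Review bot: The new constant is undocumented although it acts as a per-message override of a global security default; propose `/** Security-context key. When a processor stores Boolean.TRUE under this key, RSA v1.5 key transport is accepted for the current message even though the AllowRSA15KeyTransportAlgorithm configuration property is false. */`. Its string value is also used as the error-message key in wss4j_errors.properties (see the throw in InboundWSSecurityContextImpl), which the comment should mention so the two stay in sync.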
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/InboundWSSecurityContextImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/InboundWSSecurityContextImpl.java?rev=1421768&r1=1421767&r2=1421768&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/InboundWSSecurityContextImpl.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/InboundWSSecurityContextImpl.java Fri Dec 14 09:50:49 2012
@@ -27,12 +27,9 @@ import org.apache.ws.security.stax.ext.W
import org.apache.ws.security.stax.securityEvent.HttpsTokenSecurityEvent;
import org.apache.ws.security.stax.securityEvent.WSSecurityEventConstants;
import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.config.ConfigurationProperties;
import org.apache.xml.security.stax.ext.SecurityToken;
-import org.apache.xml.security.stax.securityEvent.ContentEncryptedElementSecurityEvent;
-import org.apache.xml.security.stax.securityEvent.EncryptedElementSecurityEvent;
-import org.apache.xml.security.stax.securityEvent.SecurityEvent;
-import org.apache.xml.security.stax.securityEvent.SignedElementSecurityEvent;
-import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
+import org.apache.xml.security.stax.securityEvent.*;
import javax.xml.namespace.QName;
import java.util.*;
@@ -46,6 +43,7 @@ import java.util.*;
public class InboundWSSecurityContextImpl extends WSSecurityContextImpl {
private static final transient Log logger = LogFactory.getLog(WSSecurityContextImpl.class);
+ private static final Boolean allowRSA15KeyTransportAlgorithm = Boolean.valueOf(ConfigurationProperties.getProperty("AllowRSA15KeyTransportAlgorithm"));
private final Deque<SecurityEvent> securityEventQueue = new ArrayDeque<SecurityEvent>();
private boolean operationSecurityEventOccured = false;
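Review bot: `allowRSA15KeyTransportAlgorithm` is a boxed `Boolean` that is only ever unboxed with `!` in forwardSecurityEvent; `private static final boolean allowRSA15KeyTransportAlgorithm = Boolean.parseBoolean(ConfigurationProperties.getProperty("AllowRSA15KeyTransportAlgorithm"));` expresses the same thing without boxing and with the same safe default (a missing property yields false). A short comment, `// WSS-415: global default, read once at class load`, would make the load-once semantics explicit for operators editing wss-config.xml.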
@@ -99,6 +97,15 @@ public class InboundWSSecurityContextImp
@Override
protected void forwardSecurityEvent(SecurityEvent securityEvent) throws XMLSecurityException {
+
+ if (!allowRSA15KeyTransportAlgorithm && SecurityEventConstants.AlgorithmSuite.equals(securityEvent.getSecurityEventType())) {
+ AlgorithmSuiteSecurityEvent algorithmSuiteSecurityEvent = (AlgorithmSuiteSecurityEvent)securityEvent;
+ Boolean allowRSA15 = get(WSSConstants.PROP_ALLOW_RSA15_KEYTRANSPORT_ALGORITHM);
+ if ((allowRSA15 == null || !allowRSA15) && WSSConstants.NS_XENC_RSA15.equals(algorithmSuiteSecurityEvent.getAlgorithmURI())) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, WSSConstants.PROP_ALLOW_RSA15_KEYTRANSPORT_ALGORITHM);
+ }
+ }
+
try {
super.forwardSecurityEvent(securityEvent);
} catch (WSSecurityException e) {
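Review bot: The rejection runs when the AlgorithmSuite event is forwarded, so whether it happens before or after the EncryptedKey has already been unwrapped with the RSA 1.5 private key depends on event ordering not visible here; if the unwrap precedes the event, the message is still failed but the operation this check exists to avoid has already been performed, so consider rejecting at the point the EncryptedKey's EncryptionMethod is parsed, before the key is used. The `allowRSA15 == null || !allowRSA15` pair reads more simply as `!Boolean.TRUE.equals(allowRSA15)`. A comment above the block, `// WSS-415: RSA v1.5 key transport is rejected unless enabled globally or per message by a policy`, would tie the check to the property added in wss-config.xml. forwardSecurityEvent continues outside the hunk.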
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/WSSSignatureInputHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/WSSSignatureInputHandler.java?rev=1421768&r1=1421767&r2=1421768&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/WSSSignatureInputHandler.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/input/WSSSignatureInputHandler.java Fri Dec 14 09:50:49 2012
@@ -78,6 +78,7 @@ public class WSSSignatureInputHandler ex
@Override
protected void handleSecurityToken(SecurityToken securityToken) throws XMLSecurityException {
+ //todo element path?
//we have to emit a TokenSecurityEvent here too since it could be an embedded token
securityToken.addTokenUsage(SecurityToken.TokenUsage.Signature);
TokenSecurityEvent tokenSecurityEvent = WSSUtils.createTokenSecurityEvent(securityToken, signatureType.getId());
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/resources/wss/wss-config.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/resources/wss/wss-config.xml?rev=1421768&r1=1421767&r2=1421768&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/resources/wss/wss-config.xml (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/resources/wss/wss-config.xml Fri Dec 14 09:50:49 2012
@@ -4,6 +4,7 @@
<Properties>
<Property NAME="securityTokenFactory" VAL="org.apache.ws.security.stax.impl.securityToken.SecurityTokenFactoryImpl"/>
<Property NAME="MaximumAllowedDecompressedBytes" VAL="104857600"/>
+ <Property NAME="AllowRSA15KeyTransportAlgorithm" VAL="false"/>
<xi:include href="security-config.xml" xpointer="xmlns(c=http://www.xmlsecurity.org/NS/configuration)xpointer(/c:Configuration/c:Properties/c:Property[@NAME!='securityTokenFactory'])"/>
</Properties>
<SecurityHeaderHandlers>
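Review bot: The new property has no comment saying what it gates or why the default is false, and this file is where an operator would flip it; propose `<!-- WSS-415: reject RSA v1.5 (xmlenc#rsa-1_5) key transport by default; set to true only if a legacy peer requires it -->` on the line above it. The value is read once into a static field in InboundWSSecurityContextImpl, so a change takes effect only when that class is (re)loaded, which the comment could also state.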
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/VulnerabliltyVectorsTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/VulnerabliltyVectorsTest.java?rev=1421768&r1=1421767&r2=1421768&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/VulnerabliltyVectorsTest.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/VulnerabliltyVectorsTest.java Fri Dec 14 09:50:49 2012
@@ -614,4 +614,43 @@ public class VulnerabliltyVectorsTest ex
Assert.assertFalse(e.getMessage().contains("data hash wrong"));
}
}
+
+ /**
+ * Test if the RSA 1.5 key transport algorithm will be rejected by default.
+ * Standard key transport algorithm is RSA-OAEP
+ */
+ @Test
+ public void testDisallowRSA15Algorithm() throws Exception {
+ WSSSecurityProperties outboundSecurityProperties = new WSSSecurityProperties();
+ outboundSecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+ outboundSecurityProperties.setEncryptionUser("receiver");
+ outboundSecurityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+ outboundSecurityProperties.setSignatureUser("transmitter");
+ outboundSecurityProperties.loadSignatureKeyStore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+ outboundSecurityProperties.setEncryptionKeyTransportAlgorithm("http://www.w3.org/2001/04/xmlenc#rsa-1_5");
+ WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.TIMESTAMP, WSSConstants.SIGNATURE, WSSConstants.ENCRYPT};
+ outboundSecurityProperties.setOutAction(actions);
+
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+ ByteArrayOutputStream baos = doOutboundSecurity(outboundSecurityProperties, sourceDocument);
+
+ WSSSecurityProperties inboundsecurityProperties = new WSSSecurityProperties();
+ inboundsecurityProperties.setCallbackHandler(new CallbackHandlerImpl());
+ inboundsecurityProperties.loadSignatureVerificationKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ inboundsecurityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ inboundsecurityProperties.addIgnoreBSPRule(BSPRule.R5421);
+
+ try {
+ Document document = doInboundSecurity(inboundsecurityProperties,
+ xmlInputFactory.createXMLStreamReader(
+ new ByteArrayInputStream(baos.toByteArray())));
+ Assert.fail("Expected XMLStreamException");
+ } catch (XMLStreamException e) {
+ Assert.assertTrue(e.getCause() instanceof WSSecurityException);
+ Assert.assertEquals(e.getCause().getMessage(),
+ "The use of RSAv1.5 key transport algorithm is discouraged. " +
+ "Nonetheless can it be enabled via the \"AllowRSA15KeyTransportAlgorithm\" property in the configuration.");
+ Assert.assertEquals(((WSSecurityException) e.getCause()).getFaultCode(), WSSecurityException.FAILED_CHECK);
+ }
+ }
}
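Review bot: `Document document` in the try block is assigned and never used; since the call is only expected to throw, drop the variable and invoke `doInboundSecurity(...)` as a plain statement. The test asserts the full error text, so any wording change in wss4j_errors.properties breaks it; asserting the fault code plus `contains("AllowRSA15KeyTransportAlgorithm")` would be less brittle. `addIgnoreBSPRule(BSPRule.R5421)` deserves a one-line comment explaining why that rule has to be suppressed for the `rsa-1_5` message.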