Posted to commits@ws.apache.org by gi...@apache.org on 2012/03/26 21:24:44 UTC
svn commit: r1305502 - in /webservices/wss4j/branches/swssf:
streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/
streaming-ws-policy/src/test/java/org/swssf/policy/test/
streaming-ws-security/src/main/java/org/swssf/wss/ext/ streaming-w...
Author: giger
Date: Mon Mar 26 19:24:43 2012
New Revision: 1305502
URL: http://svn.apache.org/viewvc?rev=1305502&view=rev
Log:
KeyValueToken policy verification WSS-381 WSS-378
Modified:
webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KeyValueTokenAssertionState.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AbstractPolicyTestBase.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/KeyValueTokenTest.java
webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SupportingTokensTest.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSUtils.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/securityEvent/KeyValueTokenSecurityEvent.java
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KeyValueTokenAssertionState.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KeyValueTokenAssertionState.java?rev=1305502&r1=1305501&r2=1305502&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KeyValueTokenAssertionState.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/main/java/org/swssf/policy/assertionStates/KeyValueTokenAssertionState.java Mon Mar 26 19:24:43 2012
@@ -54,8 +54,8 @@ public class KeyValueTokenAssertionState
KeyValueTokenSecurityEvent keyValueTokenSecurityEvent = (KeyValueTokenSecurityEvent) tokenSecurityEvent;
KeyValueToken keyValueToken = (KeyValueToken) abstractToken;
- if (keyValueToken.isRsaKeyValue() && !keyValueTokenSecurityEvent.isRsaKeyValue()) {
- setErrorMessage("Policy enforces that a RsaKeyValue must be present in the KeyValueToken");
+ if (keyValueToken.isRsaKeyValue() && keyValueTokenSecurityEvent.getKeyValueTokenType() != KeyValueTokenSecurityEvent.KeyValueTokenType.RSA) {
+ setErrorMessage("Policy enforces that a RsaKeyValue must be present in the KeyValueToken but we got a " + keyValueTokenSecurityEvent.getKeyValueTokenType() + "KeyValue");
return false;
}
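Review bot: When `getKeyValueTokenType()` yields `null` (an algorithm name the enum does not know, or a token whose public key cannot be read), the new condition still rejects the token, which is the right fail-closed outcome, but the message on the added `setErrorMessage` line then reads "but we got a nullKeyValue", which hides the real cause from whoever debugs the policy failure. I would branch on the null case first, e.g. `if (type == null) { setErrorMessage("Policy enforces that a RsaKeyValue must be present in the KeyValueToken but the key type of the token could not be determined"); return false; }` and keep the existing message for the known-but-wrong types. The enclosing method starts before this hunk, so the fallthrough for a non-RSA policy is not visible here; presumably any other key type is accepted in that case.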
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AbstractPolicyTestBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AbstractPolicyTestBase.java?rev=1305502&r1=1305501&r2=1305502&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AbstractPolicyTestBase.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/AbstractPolicyTestBase.java Mon Mar 26 19:24:43 2012
@@ -79,6 +79,10 @@ public class AbstractPolicyTestBase exte
}
public X509SecurityToken getX509Token(WSSConstants.TokenType tokenType) throws Exception {
+ return getX509Token(tokenType, "transmitter");
+ }
+
+ public X509SecurityToken getX509Token(WSSConstants.TokenType tokenType, final String keyAlias) throws Exception {
final KeyStore keyStore = KeyStore.getInstance("jks");
keyStore.load(this.getClass().getClassLoader().getResourceAsStream("transmitter.jks"), "default".toCharArray());
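Review bot: The new `keyAlias` overload does not check that the alias exists in `transmitter.jks`, so a typo in a test (`"transmitter-ecdsa"`, `"transmitter-dsa"` are passed as bare strings elsewhere in this commit) surfaces later as a `NullPointerException` from `getCertificate(keyAlias).getPublicKey()` wrapped in an `XMLSecurityException` with a null message. A guard right after the load would turn that into a readable failure: `if (!keyStore.containsAlias(keyAlias)) { throw new IllegalArgumentException("no key entry '" + keyAlias + "' in transmitter.jks"); }`. The method body continues past this hunk.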
@@ -86,13 +90,13 @@ public class AbstractPolicyTestBase exte
return new X509SecurityToken(tokenType, null, null, null, "", WSSConstants.KeyIdentifierType.THUMBPRINT_IDENTIFIER) {
@Override
protected String getAlias() throws XMLSecurityException {
- return "transmitter";
+ return keyAlias;
}
@Override
public Key getSecretKey(String algorithmURI, XMLSecurityConstants.KeyUsage keyUsage) throws XMLSecurityException {
try {
- return keyStore.getKey("transmitter", "default".toCharArray());
+ return keyStore.getKey(keyAlias, "default".toCharArray());
} catch (Exception e) {
throw new XMLSecurityException(e.getMessage(), e);
}
@@ -101,7 +105,7 @@ public class AbstractPolicyTestBase exte
@Override
public PublicKey getPublicKey(String algorithmURI, XMLSecurityConstants.KeyUsage keyUsage) throws XMLSecurityException {
try {
- return keyStore.getCertificate("transmitter").getPublicKey();
+ return keyStore.getCertificate(keyAlias).getPublicKey();
} catch (Exception e) {
throw new XMLSecurityException(e.getMessage(), e);
}
@@ -111,7 +115,7 @@ public class AbstractPolicyTestBase exte
public X509Certificate[] getX509Certificates() throws XMLSecurityException {
Certificate[] certificates;
try {
- certificates = keyStore.getCertificateChain("transmitter");
+ certificates = keyStore.getCertificateChain(keyAlias);
} catch (Exception e) {
throw new XMLSecurityException(e.getMessage(), e);
}
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/KeyValueTokenTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/KeyValueTokenTest.java?rev=1305502&r1=1305501&r2=1305502&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/KeyValueTokenTest.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/KeyValueTokenTest.java Mon Mar 26 19:24:43 2012
@@ -19,13 +19,16 @@
package org.swssf.policy.test;
import org.swssf.policy.PolicyEnforcer;
+import org.swssf.policy.PolicyViolationException;
import org.swssf.wss.ext.WSSConstants;
+import org.swssf.wss.ext.WSSecurityException;
import org.swssf.wss.securityEvent.ContentEncryptedElementSecurityEvent;
import org.swssf.wss.securityEvent.KeyValueTokenSecurityEvent;
import org.swssf.wss.securityEvent.OperationSecurityEvent;
import org.swssf.wss.securityEvent.SignedPartSecurityEvent;
import org.swssf.xmlsec.ext.SecurityToken;
import org.swssf.xmlsec.ext.XMLSecurityConstants;
+import org.testng.Assert;
import org.testng.annotations.Test;
import javax.xml.namespace.QName;
@@ -67,14 +70,12 @@ public class KeyValueTokenTest extends A
PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
KeyValueTokenSecurityEvent initiatorTokenSecurityEvent = new KeyValueTokenSecurityEvent();
- initiatorTokenSecurityEvent.setRsaKeyValue(true);
SecurityToken securityToken = getX509Token(WSSConstants.X509V3Token);
securityToken.addTokenUsage(SecurityToken.TokenUsage.MainSignature);
initiatorTokenSecurityEvent.setSecurityToken(securityToken);
policyEnforcer.registerSecurityEvent(initiatorTokenSecurityEvent);
KeyValueTokenSecurityEvent recipientTokenSecurityEvent = new KeyValueTokenSecurityEvent();
- recipientTokenSecurityEvent.setRsaKeyValue(true);
securityToken = getX509Token(WSSConstants.X509V3Token);
securityToken.addTokenUsage(SecurityToken.TokenUsage.MainEncryption);
recipientTokenSecurityEvent.setSecurityToken(securityToken);
@@ -98,5 +99,66 @@ public class KeyValueTokenTest extends A
policyEnforcer.doFinal();
}
- //todo more tests
+ @Test
+ public void testPolicyNegative() throws Exception {
+ String policyString =
+
+ "<sp:AsymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
+ "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
+ "<sp:InitiatorToken>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:KeyValueToken>\n" +
+ " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
+ " <sp:RsaKeyValue/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:KeyValueToken>\n" +
+ " </wsp:Policy>\n" +
+ "</sp:InitiatorToken>\n" +
+ "<sp:RecipientToken>\n" +
+ " <wsp:Policy>\n" +
+ " <sp:KeyValueToken>\n" +
+ " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
+ " <sp:RsaKeyValue/>\n" +
+ " </wsp:Policy>\n" +
+ " </sp:KeyValueToken>\n" +
+ " </wsp:Policy>\n" +
+ "</sp:RecipientToken>\n" +
+ "</wsp:Policy>\n" +
+ "</sp:AsymmetricBinding>";
+
+ PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
+ KeyValueTokenSecurityEvent initiatorTokenSecurityEvent = new KeyValueTokenSecurityEvent();
+ SecurityToken securityToken = getX509Token(WSSConstants.X509V3Token, "transmitter-ecdsa");
+ securityToken.addTokenUsage(SecurityToken.TokenUsage.MainSignature);
+ initiatorTokenSecurityEvent.setSecurityToken(securityToken);
+ policyEnforcer.registerSecurityEvent(initiatorTokenSecurityEvent);
+
+ KeyValueTokenSecurityEvent recipientTokenSecurityEvent = new KeyValueTokenSecurityEvent();
+ securityToken = getX509Token(WSSConstants.X509V3Token);
+ securityToken.addTokenUsage(SecurityToken.TokenUsage.MainEncryption);
+ recipientTokenSecurityEvent.setSecurityToken(securityToken);
+ policyEnforcer.registerSecurityEvent(recipientTokenSecurityEvent);
+
+ List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<XMLSecurityConstants.ContentType>();
+ protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
+ protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
+ SignedPartSecurityEvent signedPartSecurityEvent = new SignedPartSecurityEvent(recipientTokenSecurityEvent.getSecurityToken(), true, protectionOrder);
+ signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
+ policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
+
+ ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent = new ContentEncryptedElementSecurityEvent(recipientTokenSecurityEvent.getSecurityToken(), true, protectionOrder);
+ contentEncryptedElementSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
+ policyEnforcer.registerSecurityEvent(contentEncryptedElementSecurityEvent);
+
+ OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
+ operationSecurityEvent.setOperation(new QName("definitions"));
+ try {
+ policyEnforcer.registerSecurityEvent(operationSecurityEvent);
+ Assert.fail("Exception expected");
+ } catch (WSSecurityException e) {
+ Assert.assertTrue(e.getCause() instanceof PolicyViolationException);
+ Assert.assertEquals(e.getCause().getMessage(), "\n" +
+ "Policy enforces that a RsaKeyValue must be present in the KeyValueToken but we got a ECKeyValue");
+ }
+ }
}
Modified: webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SupportingTokensTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SupportingTokensTest.java?rev=1305502&r1=1305501&r2=1305502&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SupportingTokensTest.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-policy/src/test/java/org/swssf/policy/test/SupportingTokensTest.java Mon Mar 26 19:24:43 2012
@@ -1412,14 +1412,12 @@ public class SupportingTokensTest extend
PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
KeyValueTokenSecurityEvent tokenSecurityEvent = new KeyValueTokenSecurityEvent();
- tokenSecurityEvent.setRsaKeyValue(true);
SecurityToken securityToken = getX509Token(WSSConstants.X509V3Token);
securityToken.addTokenUsage(SecurityToken.TokenUsage.SupportingTokens);
tokenSecurityEvent.setSecurityToken(securityToken);
policyEnforcer.registerSecurityEvent(tokenSecurityEvent);
tokenSecurityEvent = new KeyValueTokenSecurityEvent();
- tokenSecurityEvent.setRsaKeyValue(true);
securityToken = getX509Token(WSSConstants.X509V3Token);
securityToken.addTokenUsage(SecurityToken.TokenUsage.SupportingTokens);
tokenSecurityEvent.setSecurityToken(securityToken);
@@ -1448,15 +1446,13 @@ public class SupportingTokensTest extend
PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
KeyValueTokenSecurityEvent tokenSecurityEvent = new KeyValueTokenSecurityEvent();
- tokenSecurityEvent.setRsaKeyValue(false);
- SecurityToken securityToken = getX509Token(WSSConstants.X509V3Token);
+ SecurityToken securityToken = getX509Token(WSSConstants.X509V3Token, "transmitter-dsa");
securityToken.addTokenUsage(SecurityToken.TokenUsage.SupportingTokens);
tokenSecurityEvent.setSecurityToken(securityToken);
policyEnforcer.registerSecurityEvent(tokenSecurityEvent);
tokenSecurityEvent = new KeyValueTokenSecurityEvent();
- tokenSecurityEvent.setRsaKeyValue(false);
- securityToken = getX509Token(WSSConstants.X509V3Token);
+ securityToken = getX509Token(WSSConstants.X509V3Token, "transmitter-dsa");
securityToken.addTokenUsage(SecurityToken.TokenUsage.SupportingTokens);
tokenSecurityEvent.setSecurityToken(securityToken);
policyEnforcer.registerSecurityEvent(tokenSecurityEvent);
@@ -1488,14 +1484,12 @@ public class SupportingTokensTest extend
PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
KeyValueTokenSecurityEvent tokenSecurityEvent = new KeyValueTokenSecurityEvent();
- tokenSecurityEvent.setRsaKeyValue(true);
SecurityToken securityToken = getX509Token(WSSConstants.X509V3Token);
securityToken.addTokenUsage(SecurityToken.TokenUsage.SupportingTokens);
tokenSecurityEvent.setSecurityToken(securityToken);
policyEnforcer.registerSecurityEvent(tokenSecurityEvent);
tokenSecurityEvent = new KeyValueTokenSecurityEvent();
- tokenSecurityEvent.setRsaKeyValue(false);
securityToken = getX509Token(WSSConstants.X509V3Token);
securityToken.addTokenUsage(SecurityToken.TokenUsage.SupportingTokens);
tokenSecurityEvent.setSecurityToken(securityToken);
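Review bot: This hunk silently changes what the test covers: before, the two supporting tokens were one RSA and one non-RSA (`setRsaKeyValue(true)` then `setRsaKeyValue(false)`), but after the removal both call `getX509Token(WSSConstants.X509V3Token)` with the default `"transmitter"` alias, so both tokens now carry the same key type. If the intent of this test (its name and policy are outside the hunk) was a mixed RSA/non-RSA pair, the second token should use the new alias overload as the earlier hunk does, e.g. `securityToken = getX509Token(WSSConstants.X509V3Token, "transmitter-dsa");`.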
@@ -1524,14 +1518,12 @@ public class SupportingTokensTest extend
PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
KeyValueTokenSecurityEvent tokenSecurityEvent = new KeyValueTokenSecurityEvent();
- tokenSecurityEvent.setRsaKeyValue(false);
SecurityToken securityToken = getX509Token(WSSConstants.X509V3Token);
securityToken.addTokenUsage(SecurityToken.TokenUsage.SupportingTokens);
tokenSecurityEvent.setSecurityToken(securityToken);
policyEnforcer.registerSecurityEvent(tokenSecurityEvent);
tokenSecurityEvent = new KeyValueTokenSecurityEvent();
- tokenSecurityEvent.setRsaKeyValue(true);
securityToken = getX509Token(WSSConstants.X509V3Token);
securityToken.addTokenUsage(SecurityToken.TokenUsage.SupportingTokens);
tokenSecurityEvent.setSecurityToken(securityToken);
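Review bot: Same loss of coverage as the previous hunk: the original had a non-RSA first token and an RSA second token (`setRsaKeyValue(false)` / `setRsaKeyValue(true)`), and now both come from the default `"transmitter"` alias. To keep the mixed-type scenario the first token would need `getX509Token(WSSConstants.X509V3Token, "transmitter-dsa")` like the hunk at the top of this file; otherwise this test and the one just above it exercise identical inputs.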
Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSUtils.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSUtils.java?rev=1305502&r1=1305501&r2=1305502&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSUtils.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/ext/WSSUtils.java Mon Mar 26 19:24:43 2012
@@ -428,7 +428,7 @@ public class WSSUtils extends XMLSecurit
} else if (tokenType == WSSConstants.HttpsToken) {
tokenSecurityEvent = new HttpsTokenSecurityEvent();
} else if (tokenType == WSSConstants.KeyValueToken) {
- tokenSecurityEvent = new DerivedKeyTokenSecurityEvent();
+ tokenSecurityEvent = new KeyValueTokenSecurityEvent();
} else if (tokenType == WSSConstants.DerivedKeyToken) {
tokenSecurityEvent = new DerivedKeyTokenSecurityEvent();
} else if (tokenType == WSSConstants.EncryptedKeyToken) {
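Review bot: The previous mapping of `KeyValueToken` to `DerivedKeyTokenSecurityEvent` would have failed at the `(KeyValueTokenSecurityEvent) tokenSecurityEvent` cast in the assertion state, yet nothing in this commit tests the `tokenType` → event-class mapping itself, so a regression here would only be caught indirectly through policy tests. A small test that calls this factory with each `WSSConstants` token type and asserts the concrete event class (`Assert.assertTrue(event instanceof KeyValueTokenSecurityEvent)`) would pin it. The surrounding `if`/`else if` chain starts and ends outside this hunk.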
Modified: webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/securityEvent/KeyValueTokenSecurityEvent.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/securityEvent/KeyValueTokenSecurityEvent.java?rev=1305502&r1=1305501&r2=1305502&view=diff
==============================================================================
--- webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/securityEvent/KeyValueTokenSecurityEvent.java (original)
+++ webservices/wss4j/branches/swssf/streaming-ws-security/src/main/java/org/swssf/wss/securityEvent/KeyValueTokenSecurityEvent.java Mon Mar 26 19:24:43 2012
@@ -18,23 +18,32 @@
*/
package org.swssf.wss.securityEvent;
+import org.swssf.xmlsec.ext.XMLSecurityException;
+
/**
* @author $Author$
* @version $Revision$ $Date$
*/
public class KeyValueTokenSecurityEvent extends TokenSecurityEvent {
- private boolean rsaKeyValue = false;
+ public enum KeyValueTokenType {
+ RSA,
+ DSA,
+ EC
+ }
public KeyValueTokenSecurityEvent() {
super(Event.KeyValueToken);
}
- public boolean isRsaKeyValue() {
- return rsaKeyValue;
- }
-
- public void setRsaKeyValue(boolean rsaKeyValue) {
- this.rsaKeyValue = rsaKeyValue;
+ public KeyValueTokenType getKeyValueTokenType() {
+ try {
+ String algo = getSecurityToken().getPublicKey(null, null).getAlgorithm();
+ return KeyValueTokenType.valueOf(algo);
+ } catch (IllegalArgumentException e) {
+ return null;
+ } catch (XMLSecurityException e) {
+ return null;
+ }
}
}
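Review bot: `KeyValueTokenType.valueOf(algo)` ties the result to JCA algorithm names matching the enum constants exactly; `"RSA"`, `"DSA"` and `"EC"` are the standard names, but some providers report `"ECDSA"` for EC keys, which would fall into the `IllegalArgumentException` branch and return `null`, so the assertion state would reject a valid EC token with a misleading message. A `PublicKey` of `null` from `getPublicKey(null, null)` is also not covered by either catch clause and escapes as a `NullPointerException`, and both catches drop the original cause without logging it. I would map the names explicitly, handle a null key, and keep the swallowed exceptions at least visible; passing `null` for `algorithmURI` and `keyUsage` presumably works for the token implementations in this branch, but that contract is not visible here.
```java
    public KeyValueTokenType getKeyValueTokenType() {
        try {
            PublicKey publicKey = getSecurityToken().getPublicKey(null, null);
            if (publicKey == null) {
                return null;
            }
            String algo = publicKey.getAlgorithm();
            if ("RSA".equals(algo)) {
                return KeyValueTokenType.RSA;
            } else if ("DSA".equals(algo)) {
                return KeyValueTokenType.DSA;
            } else if ("EC".equals(algo) || "ECDSA".equals(algo)) {
                return KeyValueTokenType.EC;
            }
            // unknown algorithm: caller treats null as "not the required type"
            return null;
        } catch (XMLSecurityException e) {
            // TODO(review): log e before returning, the cause is otherwise lost
            return null;
        }
    }
```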