You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ws.apache.org by co...@apache.org on 2015/06/24 15:52:54 UTC
svn commit: r1687275 - in
/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom:
processor/EncryptedKeyProcessor.java processor/ReferenceListProcessor.java
util/X509Util.java
Author: coheigea
Date: Wed Jun 24 13:52:54 2015
New Revision: 1687275
URL: http://svn.apache.org/r1687275
Log:
More refactoring
Modified:
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/X509Util.java
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java?rev=1687275&r1=1687274&r2=1687275&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java Wed Jun 24 13:52:54 2015
@@ -35,7 +35,6 @@ import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;
-import javax.security.auth.callback.Callback;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -45,7 +44,6 @@ import org.apache.wss4j.common.bsp.BSPRu
import org.apache.wss4j.common.crypto.AlgorithmSuite;
import org.apache.wss4j.common.crypto.AlgorithmSuiteValidator;
import org.apache.wss4j.common.crypto.CryptoType;
-import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.token.DOMX509IssuerSerial;
import org.apache.wss4j.common.token.SecurityTokenReference;
@@ -197,99 +195,13 @@ public class EncryptedKeyProcessor imple
encryptedEphemeralKey = EncryptionUtils.getDecodedBase64EncodedData(xencCipherValue);
}
- Cipher cipher = null;
if (symmetricKeyWrap) {
- // See if we have a KeyName
- String keyName = "";
- if (keyInfoChildElement != null) {
- Element keyNmElem =
- XMLUtils.getDirectChildElement(
- keyInfoChildElement, "KeyName", WSConstants.SIG_NS
- );
- if (keyNmElem != null) {
- keyName = XMLUtils.getElementText(keyNmElem);
- }
- }
-
- // Get secret key for decryption from a CallbackHandler
- WSPasswordCallback pwcb = new WSPasswordCallback(keyName, WSPasswordCallback.SECRET_KEY);
- pwcb.setEncryptedSecret(encryptedEphemeralKey);
-
- // Get the (first) encryption algorithm
- String uri = getFirstDataRefURI(refList);
- if (uri != null) {
- Element ee =
- EncryptionUtils.findEncryptedDataElement(refList.getOwnerDocument(),
- wsDocInfo, uri);
- String algorithmURI = X509Util.getEncAlgo(ee);
- pwcb.setAlgorithm(algorithmURI);
- }
- try {
- data.getCallbackHandler().handle(new Callback[] {pwcb});
- } catch (Exception e) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e,
- "empty", new Object[] {"WSHandler: password callback failed"});
- }
- decryptedBytes = pwcb.getKey();
+ decryptedBytes = getSymmetricDecryptedBytes(data, wsDocInfo, keyInfoChildElement,
+ refList, encryptedEphemeralKey);
} else {
- if (data.getDecCrypto() == null) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noDecCryptoFile");
- }
- cipher = KeyUtils.getCipherInstance(encryptedKeyTransportMethod);
- try {
- PrivateKey privateKey = data.getDecCrypto().getPrivateKey(certs[0], data.getCallbackHandler());
- OAEPParameterSpec oaepParameterSpec = null;
- if (WSConstants.KEYTRANSPORT_RSAOEP.equals(encryptedKeyTransportMethod)
- || WSConstants.KEYTRANSPORT_RSAOEP_XENC11.equals(encryptedKeyTransportMethod)) {
- // Get the DigestMethod if it exists
- String digestAlgorithm = EncryptionUtils.getDigestAlgorithm(elem);
- String jceDigestAlgorithm = "SHA-1";
- if (digestAlgorithm != null && !"".equals(digestAlgorithm)) {
- jceDigestAlgorithm = JCEMapper.translateURItoJCEID(digestAlgorithm);
- }
-
- String mgfAlgorithm = EncryptionUtils.getMGFAlgorithm(elem);
- MGF1ParameterSpec mgfParameterSpec = new MGF1ParameterSpec("SHA-1");
- if (mgfAlgorithm != null) {
- if (WSConstants.MGF_SHA224.equals(mgfAlgorithm)) {
- mgfParameterSpec = new MGF1ParameterSpec("SHA-224");
- } else if (WSConstants.MGF_SHA256.equals(mgfAlgorithm)) {
- mgfParameterSpec = new MGF1ParameterSpec("SHA-256");
- } else if (WSConstants.MGF_SHA384.equals(mgfAlgorithm)) {
- mgfParameterSpec = new MGF1ParameterSpec("SHA-384");
- } else if (WSConstants.MGF_SHA512.equals(mgfAlgorithm)) {
- mgfParameterSpec = new MGF1ParameterSpec("SHA-512");
- }
- }
-
- PSource.PSpecified pSource = PSource.PSpecified.DEFAULT;
- byte[] pSourceBytes = EncryptionUtils.getPSource(elem);
- if (pSourceBytes != null) {
- pSource = new PSource.PSpecified(pSourceBytes);
- }
-
- oaepParameterSpec =
- new OAEPParameterSpec(
- jceDigestAlgorithm, "MGF1", mgfParameterSpec, pSource
- );
- }
- if (oaepParameterSpec == null) {
- cipher.init(Cipher.UNWRAP_MODE, privateKey);
- } else {
- cipher.init(Cipher.UNWRAP_MODE, privateKey, oaepParameterSpec);
- }
- } catch (Exception ex) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, ex);
- }
-
- try {
- String keyAlgorithm = JCEMapper.translateURItoJCEID(encryptedKeyTransportMethod);
- decryptedBytes = cipher.unwrap(encryptedEphemeralKey, keyAlgorithm, Cipher.SECRET_KEY).getEncoded();
- } catch (IllegalStateException ex) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, ex);
- } catch (Exception ex) {
- decryptedBytes = getRandomKey(refList, wsDocInfo);
- }
+ decryptedBytes = getAsymmetricDecryptedBytes(data, wsDocInfo, encryptedKeyTransportMethod,
+ encryptedEphemeralKey, refList,
+ elem, certs[0]);
}
List<WSDataRef> dataRefs = decryptDataRefs(refList, wsDocInfo, decryptedBytes, data);
@@ -318,6 +230,95 @@ public class EncryptedKeyProcessor imple
return Collections.singletonList(result);
}
+ private static byte[] getSymmetricDecryptedBytes(
+ RequestData data,
+ WSDocInfo wsDocInfo,
+ Element keyInfoChildElement,
+ Element refList,
+ byte[] encryptedEphemeralKey
+ ) throws WSSecurityException {
+ // Get the (first) encryption algorithm
+ String uri = getFirstDataRefURI(refList);
+ String algorithmURI = null;
+ if (uri != null) {
+ Element ee =
+ EncryptionUtils.findEncryptedDataElement(refList.getOwnerDocument(),
+ wsDocInfo, uri);
+ algorithmURI = X509Util.getEncAlgo(ee);
+ }
+ return X509Util.getSecretKey(keyInfoChildElement, algorithmURI,
+ data.getCallbackHandler(), encryptedEphemeralKey);
+ }
+
+ private static byte[] getAsymmetricDecryptedBytes(
+ RequestData data,
+ WSDocInfo wsDocInfo,
+ String encryptedKeyTransportMethod,
+ byte[] encryptedEphemeralKey,
+ Element refList,
+ Element encryptedKeyElement,
+ X509Certificate cert
+ ) throws WSSecurityException {
+ if (data.getDecCrypto() == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noDecCryptoFile");
+ }
+ Cipher cipher = KeyUtils.getCipherInstance(encryptedKeyTransportMethod);
+ try {
+ PrivateKey privateKey = data.getDecCrypto().getPrivateKey(cert, data.getCallbackHandler());
+ OAEPParameterSpec oaepParameterSpec = null;
+ if (WSConstants.KEYTRANSPORT_RSAOEP.equals(encryptedKeyTransportMethod)
+ || WSConstants.KEYTRANSPORT_RSAOEP_XENC11.equals(encryptedKeyTransportMethod)) {
+ // Get the DigestMethod if it exists
+ String digestAlgorithm = EncryptionUtils.getDigestAlgorithm(encryptedKeyElement);
+ String jceDigestAlgorithm = "SHA-1";
+ if (digestAlgorithm != null && !"".equals(digestAlgorithm)) {
+ jceDigestAlgorithm = JCEMapper.translateURItoJCEID(digestAlgorithm);
+ }
+
+ String mgfAlgorithm = EncryptionUtils.getMGFAlgorithm(encryptedKeyElement);
+ MGF1ParameterSpec mgfParameterSpec = new MGF1ParameterSpec("SHA-1");
+ if (mgfAlgorithm != null) {
+ if (WSConstants.MGF_SHA224.equals(mgfAlgorithm)) {
+ mgfParameterSpec = new MGF1ParameterSpec("SHA-224");
+ } else if (WSConstants.MGF_SHA256.equals(mgfAlgorithm)) {
+ mgfParameterSpec = new MGF1ParameterSpec("SHA-256");
+ } else if (WSConstants.MGF_SHA384.equals(mgfAlgorithm)) {
+ mgfParameterSpec = new MGF1ParameterSpec("SHA-384");
+ } else if (WSConstants.MGF_SHA512.equals(mgfAlgorithm)) {
+ mgfParameterSpec = new MGF1ParameterSpec("SHA-512");
+ }
+ }
+
+ PSource.PSpecified pSource = PSource.PSpecified.DEFAULT;
+ byte[] pSourceBytes = EncryptionUtils.getPSource(encryptedKeyElement);
+ if (pSourceBytes != null) {
+ pSource = new PSource.PSpecified(pSourceBytes);
+ }
+
+ oaepParameterSpec =
+ new OAEPParameterSpec(
+ jceDigestAlgorithm, "MGF1", mgfParameterSpec, pSource
+ );
+ }
+ if (oaepParameterSpec == null) {
+ cipher.init(Cipher.UNWRAP_MODE, privateKey);
+ } else {
+ cipher.init(Cipher.UNWRAP_MODE, privateKey, oaepParameterSpec);
+ }
+ } catch (Exception ex) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, ex);
+ }
+
+ try {
+ String keyAlgorithm = JCEMapper.translateURItoJCEID(encryptedKeyTransportMethod);
+ return cipher.unwrap(encryptedEphemeralKey, keyAlgorithm, Cipher.SECRET_KEY).getEncoded();
+ } catch (IllegalStateException ex) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, ex);
+ } catch (Exception ex) {
+ return getRandomKey(refList, wsDocInfo);
+ }
+ }
+
private static boolean isSymmetricKeyWrap(String transportAlgorithm) {
return XMLCipher.AES_128_KeyWrap.equals(transportAlgorithm)
|| XMLCipher.AES_192_KeyWrap.equals(transportAlgorithm)
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java?rev=1687275&r1=1687274&r2=1687275&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java Wed Jun 24 13:52:54 2015
@@ -161,7 +161,9 @@ public class ReferenceListProcessor impl
SecretKey symmetricKey = null;
Principal principal = null;
if (secRefToken == null) {
- symmetricKey = X509Util.getSharedKey(keyInfoElement, symEncAlgo, data.getCallbackHandler());
+ byte[] decryptedData =
+ X509Util.getSecretKey(keyInfoElement, symEncAlgo, data.getCallbackHandler(), null);
+ symmetricKey = KeyUtils.prepareSecretKey(symEncAlgo, decryptedData);
} else {
STRParserParameters parameters = new STRParserParameters();
parameters.setData(data);
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/X509Util.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/X509Util.java?rev=1687275&r1=1687274&r2=1687275&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/X509Util.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/X509Util.java Wed Jun 24 13:52:54 2015
@@ -22,12 +22,10 @@ package org.apache.wss4j.dom.util;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
-import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.common.util.XMLUtils;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
-import javax.crypto.SecretKey;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
@@ -72,10 +70,11 @@ public final class X509Util {
return symEncAlgo;
}
- public static SecretKey getSharedKey(
+ public static byte[] getSecretKey(
Element keyInfoElem,
String algorithm,
- CallbackHandler cb
+ CallbackHandler cb,
+ byte[] encryptedKey
) throws WSSecurityException {
String keyName = null;
Element keyNmElem =
@@ -88,8 +87,9 @@ public final class X509Util {
if (keyName == null || keyName.length() <= 0) {
LOG.debug("No Key Name available");
}
- WSPasswordCallback pwCb =
- new WSPasswordCallback(keyName, WSPasswordCallback.SECRET_KEY);
+ WSPasswordCallback pwCb = new WSPasswordCallback(keyName, WSPasswordCallback.SECRET_KEY);
+ pwCb.setEncryptedSecret(encryptedKey);
+ pwCb.setAlgorithm(algorithm);
try {
cb.handle(new Callback[]{pwCb});
} catch (IOException | UnsupportedCallbackException e) {
@@ -105,7 +105,7 @@ public final class X509Util {
"noPassword",
new Object[] {keyName});
}
- return KeyUtils.prepareSecretKey(algorithm, decryptedData);
+ return decryptedData;
}
}