Posted to commits@ws.apache.org by co...@apache.org on 2019/01/25 12:11:54 UTC
svn commit: r1852118 - in /webservices/wss4j/trunk:
ws-security-common/src/main/java/org/apache/wss4j/common/ext/
ws-security-dom/src/main/java/org/apache/wss4j/dom/action/
ws-security-dom/src/main/java/org/apache/wss4j/dom/message/
ws-security-dom/src...
Author: coheigea
Date: Fri Jan 25 12:11:53 2019
New Revision: 1852118
URL: http://svn.apache.org/viewvc?rev=1852118&view=rev
Log:
Remove encryptedSecret from WSPasswordCallback. Also disallow access to encrypted ephemeral bytes in WSSecEncryptedKey
Modified:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ext/WSPasswordCallback.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncrypt.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncryptedKey.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/X509Util.java
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ext/WSPasswordCallback.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ext/WSPasswordCallback.java?rev=1852118&r1=1852117&r2=1852118&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ext/WSPasswordCallback.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/ext/WSPasswordCallback.java Fri Jan 25 12:11:53 2019
@@ -90,18 +90,6 @@ public class WSPasswordCallback implemen
public static final int SIGNATURE = 3;
/**
- * This identifier is deprecated and not used any more.
- */
- @Deprecated
- public static final int KEY_NAME = 4;
-
- /**
- * This identifier is deprecated and not used any more.
- */
- @Deprecated
- public static final int USERNAME_TOKEN_UNKNOWN = 5;
-
- /**
* SECURITY_CONTEXT_TOKEN usage is for the case of when we want the CallbackHandler to
* supply the key associated with a SecurityContextToken. The CallbackHandler must set
* the key via the setKey(byte[]) method.
@@ -117,12 +105,6 @@ public class WSPasswordCallback implemen
public static final int CUSTOM_TOKEN = 7;
/**
- * This identifier is deprecated and not used any more.
- */
- @Deprecated
- public static final int ENCRYPTED_KEY_TOKEN = 8;
-
- /**
* SECRET_KEY usage is used for the case that we want to obtain a secret key for encryption
* or signature on the outbound side, or for decryption or verification on the inbound side.
* The CallbackHandler must set the key via the setKey(byte[]) method.
@@ -138,7 +120,6 @@ public class WSPasswordCallback implemen
private String identifier;
private String password;
private byte[] secret;
- private byte[] encryptedSecret;
private Key key;
private int usage;
private String type;
@@ -269,27 +250,6 @@ public class WSPasswordCallback implemen
}
/**
- * Get the Encrypted Secret. The CallbackHandler may return an encrypted version of the secret key
- * to be used, instead of having WSS4J explicitly encrypt the key. Alternatively, the recipient can
- * call this with the cipher content of the EncryptedKey, if a symmetric key wrap algorithm is used.
- *
- */
- public byte[] getEncryptedSecret() {
- return encryptedSecret;
- }
-
- /**
- * Set the Encrypted Secret. The CallbackHandler may return an encrypted version of the secret key
- * to be used, instead of having WSS4J explicitly encrypt the key. Alternatively, the recipient can
- * call this with the cipher content of the EncryptedKey, if a symmetric key wrap algorithm is used.
- *
- * @param encryptedSecret
- */
- public void setEncryptedSecret(byte[] encryptedSecret) {
- this.encryptedSecret = encryptedSecret;
- }
-
- /**
* Get the algorithm to be used. For example, a different secret key might be returned depending
* on the algorithm.
*/
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java?rev=1852118&r1=1852117&r2=1852118&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/EncryptionAction.java Fri Jan 25 12:11:53 2019
@@ -106,8 +106,6 @@ public class EncryptionAction implements
}
ephemeralKey = pwcb.getKey();
- byte[] encryptedKey = pwcb.getEncryptedSecret();
- wsEncrypt.setEncryptedEphemeralKey(encryptedKey);
wsEncrypt.setCustomEKKeyInfoElement(pwcb.getKeyInfoReference());
}
wsEncrypt.setEphemeralKey(ephemeralKey);
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncrypt.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncrypt.java?rev=1852118&r1=1852117&r2=1852118&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncrypt.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncrypt.java Fri Jan 25 12:11:53 2019
@@ -152,7 +152,7 @@ public class WSSecEncrypt extends WSSecE
} else if (encryptedEphemeralKey != null) {
prepareInternal(symmetricKey);
} else {
- encryptedEphemeralKey = symmetricKey.getEncoded();
+ setEncryptedKeySHA1(symmetricKey.getEncoded());
}
}
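Review bot: The new `setEncryptedKeySHA1(symmetricKey.getEncoded())` in the else branch digests the raw key encoding rather than an EncryptedKey cipher value, and nothing on the new side says so; a reader of getEncryptedKeySHA1() will assume it always identifies wrapped key bytes. Add `// no EncryptedKey is emitted on this path: the identifier digests the raw symmetric key encoding` above the call. setEncryptedKeySHA1 is declared `throws WSSecurityException` in the WSSecEncryptedKey hunk, so the enclosing method has to declare or handle it; that signature lies outside this hunk.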
@@ -330,8 +330,7 @@ public class WSSecEncrypt extends WSSecE
if (customReferenceValue != null) {
secToken.setKeyIdentifierEncKeySHA1(customReferenceValue);
} else {
- byte[] encodedBytes = KeyUtils.generateDigest(encryptedEphemeralKey);
- secToken.setKeyIdentifierEncKeySHA1(org.apache.xml.security.utils.XMLUtils.encodeToString(encodedBytes));
+ secToken.setKeyIdentifierEncKeySHA1(getEncryptedKeySHA1());
}
secToken.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
keyInfo.addUnknownElement(secToken.getElement());
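Review bot: `getEncryptedKeySHA1()` returns null whenever setEncryptedKeySHA1 has not yet run (it is the only assignment of the field in this commit), and that null now flows straight into `setKeyIdentifierEncKeySHA1`, whereas the replaced `KeyUtils.generateDigest(encryptedEphemeralKey)` presumably failed on a missing key. Guard it before use: `String encKeySHA1 = getEncryptedKeySHA1();` / `if (encKeySHA1 == null) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "<message key for missing EncryptedKey digest>"); }` / `secToken.setKeyIdentifierEncKeySHA1(encKeySHA1);`. The same applies to the identical replacement in the `@@ -384,8` hunk below.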
@@ -384,8 +383,7 @@ public class WSSecEncrypt extends WSSecE
if (customReferenceValue != null) {
secToken.setKeyIdentifierEncKeySHA1(customReferenceValue);
} else {
- byte[] encodedBytes = KeyUtils.generateDigest(encryptedEphemeralKey);
- secToken.setKeyIdentifierEncKeySHA1(org.apache.xml.security.utils.XMLUtils.encodeToString(encodedBytes));
+ secToken.setKeyIdentifierEncKeySHA1(getEncryptedKeySHA1());
}
secToken.addTokenType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
keyInfo.addUnknownElement(secToken.getElement());
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncryptedKey.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncryptedKey.java?rev=1852118&r1=1852117&r2=1852118&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncryptedKey.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncryptedKey.java Fri Jan 25 12:11:53 2019
@@ -148,6 +148,8 @@ public class WSSecEncryptedKey extends W
private Element customEKKeyInfoElement;
private Provider provider;
+ private String encryptedKeySHA1;
+
public WSSecEncryptedKey(WSSecHeader securityHeader) {
super(securityHeader);
}
@@ -281,6 +283,8 @@ public class WSSecEncryptedKey extends W
WSSecurityUtil.createBase64EncodedTextNode(getDocument(), encryptedEphemeralKey);
xencCipherValue.appendChild(keyText);
}
+
+ setEncryptedKeySHA1(encryptedEphemeralKey);
}
protected void prepareInternal(Key key) throws WSSecurityException {
@@ -296,6 +300,8 @@ public class WSSecEncryptedKey extends W
WSSecurityUtil.createBase64EncodedTextNode(getDocument(), encryptedEphemeralKey);
xencCipherValue.appendChild(keyText);
}
+
+ setEncryptedKeySHA1(encryptedEphemeralKey);
}
/**
@@ -823,14 +829,6 @@ public class WSSecEncryptedKey extends W
return true;
}
- public byte[] getEncryptedEphemeralKey() {
- return encryptedEphemeralKey;
- }
-
- public void setEncryptedEphemeralKey(byte[] encryptedKey) {
- encryptedEphemeralKey = encryptedKey;
- }
-
public void setCustomEKTokenValueType(String customEKTokenValueType) {
this.customEKTokenValueType = customEKTokenValueType;
}
@@ -941,5 +939,12 @@ public class WSSecEncryptedKey extends W
this.customEKKeyInfoElement = customEKKeyInfoElement;
}
+ protected void setEncryptedKeySHA1(byte[] encryptedEphemeralKey) throws WSSecurityException {
+ byte[] encodedBytes = KeyUtils.generateDigest(encryptedEphemeralKey);
+ encryptedKeySHA1 = XMLUtils.encodeToString(encodedBytes);
+ }
+ public String getEncryptedKeySHA1() {
+ return encryptedKeySHA1;
+ }
}
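Review bot: `getEncryptedKeySHA1()` is now the only public view of the wrapped key and has no Javadoc, and the parameter of `setEncryptedKeySHA1` shadows the instance field `encryptedEphemeralKey` that both prepareInternal hunks read, which invites confusing a local with the field. Rename the parameter to `byte[] encryptedKeyBytes` and document the getter, e.g. `/** Returns the Base64 encoding of the digest of the EncryptedKey cipher value, used as the EncryptedKeySHA1 KeyIdentifier; null until prepare has run. */`. The digest algorithm is whatever KeyUtils.generateDigest applies, which this commit does not show, so the Javadoc should not promise more than the method name already does.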
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java?rev=1852118&r1=1852117&r2=1852118&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java Fri Jan 25 12:11:53 2019
@@ -220,8 +220,7 @@ public class EncryptedKeyProcessor imple
}
if (symmetricKeyWrap) {
- decryptedBytes = getSymmetricDecryptedBytes(data, data.getWsDocInfo(), keyInfoChildElement,
- refList, encryptedEphemeralKey);
+ decryptedBytes = getSymmetricDecryptedBytes(data, data.getWsDocInfo(), keyInfoChildElement, refList);
} else {
PrivateKey privateKey = getPrivateKey(data, certs, publicKey);
decryptedBytes = getAsymmetricDecryptedBytes(data, data.getWsDocInfo(), encryptedKeyTransportMethod,
@@ -282,8 +281,7 @@ public class EncryptedKeyProcessor imple
RequestData data,
WSDocInfo wsDocInfo,
Element keyInfoChildElement,
- Element refList,
- byte[] encryptedEphemeralKey
+ Element refList
) throws WSSecurityException {
// Get the (first) encryption algorithm
String uri = getFirstDataRefURI(refList);
@@ -294,8 +292,7 @@ public class EncryptedKeyProcessor imple
wsDocInfo, uri);
algorithmURI = X509Util.getEncAlgo(ee);
}
- return X509Util.getSecretKey(keyInfoChildElement, algorithmURI,
- data.getCallbackHandler(), encryptedEphemeralKey);
+ return X509Util.getSecretKey(keyInfoChildElement, algorithmURI, data.getCallbackHandler());
}
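Review bot: After this change `getSymmetricDecryptedBytes` never touches the EncryptedKey's cipher value: it returns whatever the CallbackHandler supplies for the KeyName through `X509Util.getSecretKey`, which raises a SECRET_KEY callback (see the X509Util hunk), so the method name and the `decryptedBytes` variable it feeds in the `@@ -220,8` hunk overstate what happens. Add a Javadoc line such as `Resolves the session key of a symmetric key-wrap EncryptedKey by KeyName via the CallbackHandler; the CipherValue is not unwrapped here.` If the caller's local `encryptedEphemeralKey` was only needed on this path it is now dead on the symmetricKeyWrap branch; its declaration is outside the hunk.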
private static byte[] getAsymmetricDecryptedBytes(
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java?rev=1852118&r1=1852117&r2=1852118&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java Fri Jan 25 12:11:53 2019
@@ -153,7 +153,7 @@ public class ReferenceListProcessor impl
Principal principal = null;
if (secRefToken == null) {
byte[] decryptedData =
- X509Util.getSecretKey(keyInfoElement, symEncAlgo, data.getCallbackHandler(), null);
+ X509Util.getSecretKey(keyInfoElement, symEncAlgo, data.getCallbackHandler());
symmetricKey = KeyUtils.prepareSecretKey(symEncAlgo, decryptedData);
} else {
STRParserParameters parameters = new STRParserParameters();
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/X509Util.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/X509Util.java?rev=1852118&r1=1852117&r2=1852118&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/X509Util.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/X509Util.java Fri Jan 25 12:11:53 2019
@@ -80,8 +80,7 @@ public final class X509Util {
public static byte[] getSecretKey(
Element keyInfoElem,
String algorithm,
- CallbackHandler cb,
- byte[] encryptedKey
+ CallbackHandler cb
) throws WSSecurityException {
String keyName = null;
Element keyNmElem =
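Review bot: Dropping the `byte[] encryptedKey` parameter from a public static method of a public utility class breaks source and binary compatibility for external callers of the four-argument form, and the commit offers no migration path. If that matters on this release line, keep a `@Deprecated` overload `public static byte[] getSecretKey(Element keyInfoElem, String algorithm, CallbackHandler cb, byte[] encryptedKey) throws WSSecurityException { return getSecretKey(keyInfoElem, algorithm, cb); }` that ignores the removed argument. The method's Javadoc above the signature is outside the hunk; if it still carries an `@param encryptedKey`, it should be removed with it.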
@@ -95,7 +94,6 @@ public final class X509Util {
LOG.debug("No Key Name available");
}
WSPasswordCallback pwCb = new WSPasswordCallback(keyName, WSPasswordCallback.SECRET_KEY);
- pwCb.setEncryptedSecret(encryptedKey);
pwCb.setAlgorithm(algorithm);
try {
cb.handle(new Callback[]{pwCb});