Posted to wss4j-dev@ws.apache.org by co...@apache.org on 2009/05/13 15:39:47 UTC
svn commit: r774360 - in /webservices/wss4j/trunk:
src/org/apache/ws/security/ src/org/apache/ws/security/message/
src/org/apache/ws/security/processor/ src/org/apache/ws/security/util/
test/wssec/
Author: coheigea
Date: Wed May 13 13:39:46 2009
New Revision: 774360
URL: http://svn.apache.org/viewvc?rev=774360&view=rev
Log:
[WSS-192] - Shared decryption functionality between EncryptedKeyProcessor and ReferenceListProcessor
- Some misc code improvements as well in this area
- In particular, WSDataRef now holds a reference to the decrypted DOM element
- The "URI" of WSDataRef is now the *referencing* URI. I removed the practice of appending the wsu:Id to the decrypted element as this is bad practice IMO.
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/WSDataRef.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncrypt.java
webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java
webservices/wss4j/trunk/src/org/apache/ws/security/processor/ReferenceListProcessor.java
webservices/wss4j/trunk/src/org/apache/ws/security/processor/X509Util.java
webservices/wss4j/trunk/src/org/apache/ws/security/util/WSSecurityUtil.java
webservices/wss4j/trunk/test/wssec/TestWSSecurityNew2.java
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/WSDataRef.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/WSDataRef.java?rev=774360&r1=774359&r2=774360&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/WSDataRef.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/WSDataRef.java Wed May 13 13:39:46 2009
@@ -24,10 +24,11 @@
*
* When a processor decrypts/verifies an element it stores information
* about that element in a WSDataRef so this information can
- * be used for validation
- *
+ * be used for validation.
*/
+
import javax.xml.namespace.QName;
+import org.w3c.dom.Element;
public class WSDataRef {
@@ -42,15 +43,9 @@
private QName name;
/**
- * @deprecated
- * This method is left in the class for backwards compatibility.
- * It returns the wsu:Id of the protected element, and not the data reference.
- * This was never implemented properly in WSS4J code anyway
- * @return the wsu:Id
+ * The protected DOM element
*/
- public String getDataref() {
- return wsuId;
- }
+ private Element protectedElement;
/**
* @return Id of the protected element
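Review bot: The `@return Id of the protected element` Javadoc on the wsuId getter no longer matches what is stored: the log message says the URI is now the referencing URI, and ReferenceListProcessor.decryptEncryptedData in this commit calls `dataRef.setWsuId(dataRefURI)` with the DataReference URI, which is not necessarily a wsu:Id present on the decrypted element. I would reword it to `@return the URI used to reference the protected element (the DataReference URI with any leading '#' removed)` so consumers do not try to resolve it as an element Id. Dropping the public `getDataref()` method, deprecated or not, also breaks binary compatibility for code built against the previous release, which deserves a release-note entry.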
@@ -79,5 +74,32 @@
public void setName(QName name) {
this.name = name;
}
+
+ /**
+ * @param element The protected DOM element to set
+ */
+ public void setProtectedElement(Element element) {
+ protectedElement = element;
+ String prefix = element.getPrefix();
+ if (prefix == null) {
+ name =
+ new QName(
+ element.getNamespaceURI(), element.getLocalName()
+ );
+ } else {
+ name =
+ new QName(
+ element.getNamespaceURI(), element.getLocalName(), prefix
+ );
+ }
+ }
+
+ /**
+ * @return the protected DOM element
+ */
+ public Element getProtectedElement() {
+ return protectedElement;
+ }
+
}
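Review bot: setProtectedElement dereferences `element` without a null check, and the `new QName(...)` calls throw IllegalArgumentException when `element.getLocalName()` is null, which is the case for elements created through the non-namespace-aware DOM level 1 API. I would add `if (element == null) { throw new IllegalArgumentException("element"); }` at the top and document both conditions with `@throws IllegalArgumentException if element is null or has no local name`. The getter hands out the live DOM node rather than a copy, so a caller that modifies it modifies the processed message; the Javadoc on getProtectedElement should say so.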
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncrypt.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncrypt.java?rev=774360&r1=774359&r2=774360&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncrypt.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncrypt.java Wed May 13 13:39:46 2009
@@ -61,8 +61,6 @@
protected String symEncAlgo = WSConstants.AES_128;
- protected String encCanonAlgo = null;
-
protected byte[] embeddedKey = null;
protected String embeddedKeyName = null;
@@ -148,19 +146,6 @@
symEncAlgo = algo;
}
- /**
- * Set the name of an optional canonicalization algorithm to use before
- * encryption.
- *
- * This c14n algorithm is used to serialize the data before encryption. If
- * the algorithm is not set then a standard serialization is used (provided
- * by XMLCipher, usually a XMLSerializer according to DOM 3 specification).
- *
- * @param algo Is the name of the canonicalization algorithm
- */
- public void setEncCanonicalization(String algo) {
- encCanonAlgo = algo;
- }
/**
* Get the name of symmetric encryption algorithm to use.
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java?rev=774360&r1=774359&r2=774360&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/EncryptedKeyProcessor.java Wed May 13 13:39:46 2009
@@ -34,9 +34,6 @@
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.WSSecurityUtil;
-import org.apache.xml.security.encryption.XMLCipher;
-import org.apache.xml.security.encryption.XMLEncryptionException;
-import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -88,7 +85,7 @@
if (cb == null) {
throw new WSSecurityException(WSSecurityException.FAILURE, "noCallback");
}
- List dataRefUris = handleEncryptedKey(elem, cb, decCrypto, null);
+ List dataRefs = handleEncryptedKey(elem, cb, decCrypto, null);
encryptedKeyId = elem.getAttribute("Id");
returnResults.add(
0,
@@ -97,7 +94,7 @@
decryptedBytes,
encryptedEphemeralKey,
encryptedKeyId,
- dataRefUris,
+ dataRefs,
certs
)
);
@@ -159,19 +156,19 @@
try {
cipher.init(Cipher.DECRYPT_MODE, privateKey);
- } catch (Exception e1) {
- throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, e1);
+ } catch (Exception ex) {
+ throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, ex);
}
try {
encryptedEphemeralKey = getDecodedBase64EncodedData(xencCipherValue);
decryptedBytes = cipher.doFinal(encryptedEphemeralKey);
- } catch (IllegalStateException e2) {
- throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, e2);
- } catch (IllegalBlockSizeException e2) {
- throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, e2);
- } catch (BadPaddingException e2) {
- throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, e2);
+ } catch (IllegalStateException ex) {
+ throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, ex);
+ } catch (IllegalBlockSizeException ex) {
+ throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, ex);
+ } catch (BadPaddingException ex) {
+ throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, ex);
}
if (tlog.isDebugEnabled()) {
@@ -193,24 +190,14 @@
node != null;
node = node.getNextSibling()
) {
- if (Node.ELEMENT_NODE != node.getNodeType()) {
- continue;
- }
- if (!node.getNamespaceURI().equals(WSConstants.ENC_NS)) {
- continue;
- }
- if (node.getLocalName().equals("DataReference")) {
+ if (Node.ELEMENT_NODE == node.getNodeType()
+ && WSConstants.ENC_NS.equals(node.getNamespaceURI())
+ && "DataReference".equals(node.getLocalName())) {
String dataRefURI = ((Element) node).getAttribute("URI");
if (dataRefURI.charAt(0) == '#') {
dataRefURI = dataRefURI.substring(1);
}
- WSDataRef dataRef = new WSDataRef();
- Element elt = decryptDataRef(doc, dataRefURI, dataRef, decryptedBytes);
- dataRef.setName(
- new javax.xml.namespace.QName(
- elt.getNamespaceURI(), elt.getLocalName()
- )
- );
+ WSDataRef dataRef = decryptDataRef(doc, dataRefURI, decryptedBytes);
dataRefs.add(dataRef);
}
}
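Review bot: `dataRefURI.charAt(0)` on the line after the new condition throws StringIndexOutOfBoundsException when the DataReference element carries no URI attribute, because `getAttribute` returns an empty string rather than null, so a malformed message fails with a runtime exception instead of a WSSecurityException. I would reject it before the `'#'` check: `if (dataRefURI.length() == 0) { throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "dataRef", new Object[]{dataRefURI}); }`. The same unchanged pattern appears in ReferenceListProcessor.handleReferenceList in this commit. The enclosing handleEncryptedKey method starts outside the hunk.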
@@ -452,109 +439,32 @@
return alias;
}
- private Element decryptDataRef(
+ /**
+ * Decrypt an EncryptedData element referenced by dataRefURI
+ */
+ private WSDataRef decryptDataRef(
Document doc,
String dataRefURI,
- WSDataRef wsDataRef,
byte[] decryptedData
) throws WSSecurityException {
if (log.isDebugEnabled()) {
log.debug("found data reference: " + dataRefURI);
}
//
- // Look up the encrypted data. First try wsu:Id="someURI". If no such Id then
- // try the generic lookup to find Id="someURI"
+ // Find the encrypted data element referenced by dataRefURI
//
- Element encBodyData = WSSecurityUtil.getElementByWsuId(doc, dataRefURI);
- if (encBodyData == null) {
- encBodyData = WSSecurityUtil.getElementByGenId(doc, dataRefURI);
- }
- if (encBodyData == null) {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY, "dataRef", new Object[]{dataRefURI}
- );
- }
-
- boolean content = X509Util.isContent(encBodyData);
-
- // get the encryption method
- String symEncAlgo = X509Util.getEncAlgo(encBodyData);
-
+ Element encryptedDataElement =
+ ReferenceListProcessor.findEncryptedDataElement(doc, dataRefURI);
+ //
+ // Prepare the SecretKey object to decrypt EncryptedData
+ //
+ String symEncAlgo = X509Util.getEncAlgo(encryptedDataElement);
SecretKey symmetricKey =
WSSecurityUtil.prepareSecretKey(symEncAlgo, decryptedData);
- // initialize Cipher ....
- XMLCipher xmlCipher = null;
- try {
- xmlCipher = XMLCipher.getInstance(symEncAlgo);
- xmlCipher.init(XMLCipher.DECRYPT_MODE, symmetricKey);
- } catch (XMLEncryptionException e) {
- throw new WSSecurityException(
- WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, e
- );
- }
-
- if (content) {
- encBodyData = (Element) encBodyData.getParentNode();
- }
- final Node parent = encBodyData.getParentNode();
- final List before_peers = WSSecurityUtil.listChildren(parent);
- try {
- xmlCipher.doFinal(doc, encBodyData, content);
- } catch (Exception e1) {
- throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, e1);
- }
-
- if (parent.getLocalName().equals(WSConstants.ENCRYPTED_HEADER)
- && parent.getNamespaceURI().equals(WSConstants.WSSE11_NS)) {
-
- Node decryptedHeader = parent.getFirstChild();
- Element decryptedHeaderClone = (Element)decryptedHeader.cloneNode(true);
- String sigId = decryptedHeaderClone.getAttributeNS(WSConstants.WSU_NS, "Id");
-
- if (sigId == null || sigId.equals("")) {
- String id = ((Element)parent).getAttributeNS(WSConstants.WSU_NS, "Id");
- if (id.charAt(0) == '#') {
- id = id.substring(1);
- }
-
- String wsuPrefix =
- WSSecurityUtil.setNamespace(
- decryptedHeaderClone, WSConstants.WSU_NS, WSConstants.WSU_PREFIX
- );
- decryptedHeaderClone.setAttributeNS(WSConstants.WSU_NS, wsuPrefix + ":Id", id);
- wsDataRef.setWsuId(id);
- } else {
- wsDataRef.setWsuId(sigId);
- }
-
- parent.getParentNode().appendChild(decryptedHeaderClone);
- parent.getParentNode().removeChild(parent);
- }
-
- final List after_peers = WSSecurityUtil.listChildren(parent);
- final List new_nodes = WSSecurityUtil.newNodes(before_peers, after_peers);
- for (
- final java.util.Iterator pos = new_nodes.iterator();
- pos.hasNext();
- ) {
- Node node = (Node) pos.next();
- if (node != null && Node.ELEMENT_NODE == node.getNodeType()) {
- if (!Constants.SignatureSpecNS.equals(node.getNamespaceURI()) &&
- node.getAttributes().getNamedItemNS(WSConstants.WSU_NS, "Id") == null) {
- String wsuPrefix =
- WSSecurityUtil.setNamespace(
- (Element)node, WSConstants.WSU_NS, WSConstants.WSU_PREFIX
- );
- ((Element)node).setAttributeNS(WSConstants.WSU_NS, wsuPrefix + ":Id", dataRefURI);
- wsDataRef.setWsuId(dataRefURI);
- }
- wsDataRef.setName(new QName(node.getNamespaceURI(),node.getLocalName()));
-
- return (Element) node;
- }
- }
- return encBodyData;
+ return ReferenceListProcessor.decryptEncryptedData(
+ doc, dataRefURI, encryptedDataElement, symmetricKey, symEncAlgo
+ );
}
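Review bot: The symmetric algorithm handed to prepareSecretKey and decryptEncryptedData is read from the EncryptedData element itself (`X509Util.getEncAlgo(encryptedDataElement)`), i.e. it is chosen by the sender, while the key bytes come from the decrypted EncryptedKey; nothing in the hunk checks that the algorithm is one the receiver accepts or that the decrypted key length fits it, so unless prepareSecretKey enforces both, validating the algorithm against an allowed set before use would belong here. The new Javadoc on decryptDataRef is a summary only; I would add `@param dataRefURI the DataReference URI with the leading '#' removed`, `@param decryptedData the decrypted ephemeral key bytes`, `@return a WSDataRef holding the decrypted element` and `@throws WSSecurityException if the reference cannot be resolved or decryption fails`. The method is now a thin wrapper, so the Javadoc is the only place a reader learns what the returned WSDataRef contains.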
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/ReferenceListProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/ReferenceListProcessor.java?rev=774360&r1=774359&r2=774360&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/ReferenceListProcessor.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/ReferenceListProcessor.java Wed May 13 13:39:46 2009
@@ -26,7 +26,6 @@
import javax.crypto.SecretKey;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
-import javax.xml.namespace.QName;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -45,16 +44,15 @@
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.encryption.XMLEncryptionException;
-import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
+
public class ReferenceListProcessor implements Processor {
private static Log log =
LogFactory.getLog(ReferenceListProcessor.class.getName());
private boolean debug = false;
- WSDocInfo wsDocInfo = null;
public void handleToken(
Element elem,
@@ -65,7 +63,6 @@
Vector returnResults,
WSSConfig wsc
) throws WSSecurityException {
-
debug = log.isDebugEnabled();
if (debug) {
log.debug("Found reference list element");
@@ -73,11 +70,10 @@
if (cb == null) {
throw new WSSecurityException(WSSecurityException.FAILURE, "noCallback");
}
- wsDocInfo = wdi;
- List uris = handleReferenceList(elem, cb, crypto);
+ List dataRefs = handleReferenceList(elem, cb, crypto, wdi);
returnResults.add(
0,
- new WSSecurityEngineResult(WSConstants.ENCR, uris)
+ new WSSecurityEngineResult(WSConstants.ENCR, dataRefs)
);
}
@@ -92,159 +88,177 @@
private List handleReferenceList(
Element elem,
CallbackHandler cb,
- Crypto crypto
+ Crypto crypto,
+ WSDocInfo wdi
) throws WSSecurityException {
- List dataRefUris = new ArrayList();
- for (Node tmpE = elem.getFirstChild();
- tmpE != null;
- tmpE = tmpE.getNextSibling()
+ List dataRefs = new ArrayList();
+ for (Node node = elem.getFirstChild();
+ node != null;
+ node = node.getNextSibling()
) {
- if (Node.ELEMENT_NODE == tmpE.getNodeType()
- && WSConstants.ENC_NS.equals(tmpE.getNamespaceURI())
- && "DataReference".equals(tmpE.getLocalName())) {
- String dataRefURI = ((Element) tmpE).getAttribute("URI");
+ if (Node.ELEMENT_NODE == node.getNodeType()
+ && WSConstants.ENC_NS.equals(node.getNamespaceURI())
+ && "DataReference".equals(node.getLocalName())) {
+ String dataRefURI = ((Element) node).getAttribute("URI");
if (dataRefURI.charAt(0) == '#') {
dataRefURI = dataRefURI.substring(1);
}
- WSDataRef dataRef = new WSDataRef();
- decryptDataRefEmbedded(elem.getOwnerDocument(), dataRefURI, dataRef, cb, crypto);
- dataRefUris.add(dataRef);
+ WSDataRef dataRef =
+ decryptDataRefEmbedded(elem.getOwnerDocument(), dataRefURI, cb, crypto, wdi);
+ dataRefs.add(dataRef);
}
}
- return dataRefUris;
+ return dataRefs;
}
- public void decryptDataRefEmbedded(
+
+ /**
+ * Decrypt an (embedded) EncryptedData element referenced by dataRefURI.
+ */
+ private WSDataRef decryptDataRefEmbedded(
Document doc,
String dataRefURI,
- WSDataRef dataRef,
CallbackHandler cb,
- Crypto crypto
+ Crypto crypto,
+ WSDocInfo wdi
) throws WSSecurityException {
-
if (log.isDebugEnabled()) {
log.debug("Found data reference: " + dataRefURI);
}
//
- // Look up the encrypted data. First try wsu:Id="someURI". If no such Id
- // then try the generic lookup to find Id="someURI"
+ // Find the encrypted data element referenced by dataRefURI
//
- Element encBodyData = WSSecurityUtil.getElementByWsuId(doc, dataRefURI);
- if (encBodyData == null) {
- encBodyData = WSSecurityUtil.getElementByGenId(doc, dataRefURI);
- }
- if (encBodyData == null) {
- throw new WSSecurityException(
- WSSecurityException.INVALID_SECURITY, "dataRef", new Object[] {dataRefURI}
- );
- }
- boolean content = X509Util.isContent(encBodyData);
-
- // Now figure out the encryption algorithm
- String symEncAlgo = X509Util.getEncAlgo(encBodyData);
-
- Element tmpE =
- (Element)WSSecurityUtil.findElement(
- encBodyData, "KeyInfo", WSConstants.SIG_NS
+ Element encryptedDataElement = findEncryptedDataElement(doc, dataRefURI);
+ //
+ // Prepare the SecretKey object to decrypt EncryptedData
+ //
+ String symEncAlgo = X509Util.getEncAlgo(encryptedDataElement);
+ Element keyInfoElement =
+ (Element)WSSecurityUtil.getDirectChildElement(
+ encryptedDataElement, "KeyInfo", WSConstants.SIG_NS
);
- if (tmpE == null) {
+ if (keyInfoElement == null) {
throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "noKeyinfo");
}
-
//
// Try to get a security reference token, if none found try to get a
// shared key using a KeyName.
//
Element secRefToken =
WSSecurityUtil.getDirectChildElement(
- tmpE, "SecurityTokenReference", WSConstants.WSSE_NS
+ keyInfoElement, "SecurityTokenReference", WSConstants.WSSE_NS
);
-
SecretKey symmetricKey = null;
if (secRefToken == null) {
- symmetricKey = X509Util.getSharedKey(tmpE, symEncAlgo, cb);
+ symmetricKey = X509Util.getSharedKey(keyInfoElement, symEncAlgo, cb);
} else {
- symmetricKey = getKeyFromSecurityTokenReference(secRefToken, symEncAlgo, crypto, cb);
+ symmetricKey =
+ getKeyFromSecurityTokenReference(secRefToken, symEncAlgo, crypto, cb, wdi);
+ }
+
+ return
+ decryptEncryptedData(
+ doc, dataRefURI, encryptedDataElement, symmetricKey, symEncAlgo
+ );
+ }
+
+
+ /**
+ * Look up the encrypted data. First try wsu:Id="someURI". If no such Id then try the
+ * generic lookup to find Id="someURI"
+ *
+ * @param doc The document in which to find EncryptedData
+ * @param dataRefURI The URI of EncryptedData
+ * @return The EncryptedData element
+ * @throws WSSecurityException if the EncryptedData element referenced by dataRefURI is
+ * not found
+ */
+ public static Element
+ findEncryptedDataElement(
+ Document doc,
+ String dataRefURI
+ ) throws WSSecurityException {
+ Element encryptedDataElement = WSSecurityUtil.getElementByWsuId(doc, dataRefURI);
+ if (encryptedDataElement == null) {
+ encryptedDataElement = WSSecurityUtil.getElementByGenId(doc, dataRefURI);
}
+ if (encryptedDataElement == null) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY, "dataRef", new Object[] {dataRefURI}
+ );
+ }
+ return encryptedDataElement;
+ }
- // initialize Cipher ....
+
+ /**
+ * Decrypt the EncryptedData argument using a SecretKey.
+ * @param doc The (document) owner of EncryptedData
+ * @param dataRefURI The URI of EncryptedData
+ * @param encData The EncryptedData element
+ * @param symmetricKey The SecretKey with which to decrypt EncryptedData
+ * @param symEncAlgo The symmetric encryption algorithm to use
+ * @throws WSSecurityException
+ */
+ public static WSDataRef
+ decryptEncryptedData(
+ Document doc,
+ String dataRefURI,
+ Element encData,
+ SecretKey symmetricKey,
+ String symEncAlgo
+ ) throws WSSecurityException {
XMLCipher xmlCipher = null;
try {
xmlCipher = XMLCipher.getInstance(symEncAlgo);
xmlCipher.init(XMLCipher.DECRYPT_MODE, symmetricKey);
- } catch (XMLEncryptionException e1) {
+ } catch (XMLEncryptionException ex) {
throw new WSSecurityException(
- WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, e1
+ WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, ex
);
}
+ WSDataRef dataRef = new WSDataRef();
+ dataRef.setWsuId(dataRefURI);
+ boolean content = X509Util.isContent(encData);
+ List beforePeers = null;
+ Node parent = encData.getParentNode();
if (content) {
- encBodyData = (Element) encBodyData.getParentNode();
- dataRef.setName(new QName(encBodyData.getNamespaceURI(), encBodyData.getLocalName()));
+ encData = (Element) encData.getParentNode();
+ parent = encData.getParentNode();
+ } else {
+ beforePeers = WSSecurityUtil.listChildren(parent);
}
-
+
try {
- Node parentEncBody = encBodyData.getParentNode();
- final java.util.List before_peers = WSSecurityUtil.listChildren(parentEncBody);
-
- xmlCipher.doFinal(doc, encBodyData, content);
-
- if (parentEncBody.getLocalName().equals(WSConstants.ENCRYPTED_HEADER)
- && parentEncBody.getNamespaceURI().equals(WSConstants.WSSE11_NS)) {
- Node decryptedHeader = parentEncBody.getFirstChild();
- Element decryptedHeaderClone = (Element)decryptedHeader.cloneNode(true);
- String sigId = decryptedHeaderClone.getAttributeNS(WSConstants.WSU_NS, "Id");
+ xmlCipher.doFinal(doc, encData, content);
+ } catch (Exception ex) {
+ throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, ex);
+ }
+
+ if (parent.getLocalName().equals(WSConstants.ENCRYPTED_HEADER)
+ && parent.getNamespaceURI().equals(WSConstants.WSSE11_NS)) {
- if (sigId == null || sigId.equals("")) {
- String id = ((Element)parentEncBody).getAttributeNS(WSConstants.WSU_NS, "Id");
- if (id.charAt(0) == '#') {
- id = id.substring(1);
- }
- String wsuPrefix =
- WSSecurityUtil.setNamespace(
- decryptedHeaderClone, WSConstants.WSU_NS, WSConstants.WSU_PREFIX
- );
- decryptedHeaderClone.setAttributeNS(WSConstants.WSU_NS, wsuPrefix + ":Id", id);
- dataRef.setWsuId(id);
- } else {
- dataRef.setWsuId(sigId);
- }
-
- parentEncBody.getParentNode().appendChild(decryptedHeaderClone);
- parentEncBody.getParentNode().removeChild(parentEncBody);
- }
-
- final List after_peers = WSSecurityUtil.listChildren(parentEncBody);
- final List new_nodes = WSSecurityUtil.newNodes(before_peers, after_peers);
- for (
- final java.util.Iterator pos = new_nodes.iterator();
- pos.hasNext();
- ) {
- Node node = (Node) pos.next();
- if (node != null && Node.ELEMENT_NODE == node.getNodeType()) {
- if(!Constants.SignatureSpecNS.equals(node.getNamespaceURI())
- && node.getAttributes().getNamedItemNS(WSConstants.WSU_NS, "Id") == null) {
- String wsuPrefix =
- WSSecurityUtil.setNamespace(
- (Element)node, WSConstants.WSU_NS, WSConstants.WSU_PREFIX
- );
- ((Element)node).setAttributeNS(
- WSConstants.WSU_NS, wsuPrefix + ":Id", dataRefURI
- );
- dataRef.setWsuId(dataRefURI);
- }
- dataRef.setName(new QName(node.getNamespaceURI(),node.getLocalName()));
- }
+ Node decryptedHeader = parent.getFirstChild();
+ Element decryptedHeaderClone = (Element)decryptedHeader.cloneNode(true);
+ parent.getParentNode().appendChild(decryptedHeaderClone);
+ parent.getParentNode().removeChild(parent);
+ dataRef.setProtectedElement(decryptedHeaderClone);
+ } else if (content) {
+ dataRef.setProtectedElement(encData);
+ } else {
+ final List afterPeers = WSSecurityUtil.listChildren(parent);
+ Node decryptedNode = WSSecurityUtil.newNode(beforePeers, afterPeers);
+ if (decryptedNode != null && Node.ELEMENT_NODE == decryptedNode.getNodeType()) {
+ dataRef.setProtectedElement((Element)decryptedNode);
}
-
- } catch (Exception e) {
- throw new WSSecurityException(
- WSSecurityException.FAILED_CHECK, null, null, e
- );
}
+
+ return dataRef;
}
-
+
+
public String getId() {
return null;
}
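Review bot: In decryptEncryptedData, `parent.getLocalName().equals(WSConstants.ENCRYPTED_HEADER)` dereferences the result of getLocalName, which is null for a Document node and for DOM level 1 elements; in the content case `parent` is the grandparent of the EncryptedData element, so an encrypted element directly under the document or an unusual DOM reaches this line and fails with a NullPointerException instead of a WSSecurityException. Writing it constant-first, `if (WSConstants.ENCRYPTED_HEADER.equals(parent.getLocalName()) && WSConstants.WSSE11_NS.equals(parent.getNamespaceURI())) {`, matches the style already used in handleReferenceList above and removes the crash. In the final else branch, when newNode returns null or a non-element node the method returns a WSDataRef with neither protected element nor name set, and a caller comparing `getName()` gets null; I would throw a WSSecurityException there rather than return a half-populated result. In the EncryptedHeader branch `parent.getFirstChild()` is cast to Element without checking its node type, so a whitespace text node preceding the decrypted header would raise a ClassCastException; worth a node-type check if that layout can occur.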
@@ -259,7 +273,7 @@
* EncrypteKey element to get the decrypted session key bytes. Using the
* algorithm parameter these bytes are converted into a secret key.
*
- * This method requires that the EncyrptedKey element is already available,
+ * This method requires that the EncryptedKey element is already available,
* thus requires a strict layout of the security header. This method
* supports EncryptedKey elements within the same message.
*
@@ -274,7 +288,8 @@
Element secRefToken,
String algorithm,
Crypto crypto,
- CallbackHandler cb
+ CallbackHandler cb,
+ WSDocInfo wsDocInfo
) throws WSSecurityException {
SecurityTokenReference secRef = new SecurityTokenReference(secRefToken);
@@ -288,10 +303,21 @@
id = id.substring(1);
}
Processor p = wsDocInfo.getProcessor(id);
- if (!(p instanceof EncryptedKeyProcessor
- || p instanceof DerivedKeyTokenProcessor
- || p instanceof SAMLTokenProcessor)
- ) {
+
+ if (p instanceof EncryptedKeyProcessor) {
+ EncryptedKeyProcessor ekp = (EncryptedKeyProcessor) p;
+ decryptedData = ekp.getDecryptedBytes();
+ } else if (p instanceof DerivedKeyTokenProcessor) {
+ DerivedKeyTokenProcessor dkp = (DerivedKeyTokenProcessor) p;
+ decryptedData = dkp.getKeyBytes(WSSecurityUtil.getKeyLength(algorithm));
+ } else if (p instanceof SAMLTokenProcessor) {
+ SAMLTokenProcessor samlp = (SAMLTokenProcessor) p;
+ SAMLKeyInfo keyInfo =
+ SAMLUtil.getSAMLKeyInfo(samlp.getSamlTokenElement(), crypto, cb);
+ // TODO Handle malformed SAML tokens where they don't have the
+ // secret in them
+ decryptedData = keyInfo.getSecret();
+ } else {
// Try custom token
WSPasswordCallback pwcb =
new WSPasswordCallback(id, WSPasswordCallback.CUSTOM_TOKEN);
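Review bot: In the SAMLTokenProcessor branch `decryptedData = keyInfo.getSecret();` can leave `decryptedData` null — the moved TODO comment acknowledges SAML tokens without a secret — and the method then continues as if a key had been obtained, so the failure surfaces later and further from its cause. I would fail here with a WSSecurityException carrying FAILED_CHECK when `getSecret()` returns null, which also resolves the TODO. The enclosing getKeyFromSecurityTokenReference method starts and ends outside this hunk.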
@@ -314,25 +340,11 @@
);
}
}
- if (p instanceof EncryptedKeyProcessor) {
- EncryptedKeyProcessor ekp = (EncryptedKeyProcessor) p;
- decryptedData = ekp.getDecryptedBytes();
- } else if (p instanceof DerivedKeyTokenProcessor) {
- DerivedKeyTokenProcessor dkp = (DerivedKeyTokenProcessor) p;
- decryptedData = dkp.getKeyBytes(WSSecurityUtil.getKeyLength(algorithm));
- } else if (p instanceof SAMLTokenProcessor) {
- SAMLTokenProcessor samlp = (SAMLTokenProcessor) p;
- SAMLKeyInfo keyInfo =
- SAMLUtil.getSAMLKeyInfo(samlp.getSamlTokenElement(), crypto, cb);
- // TODO Handle malformed SAML tokens where they don't have the
- // secret in them
- decryptedData = keyInfo.getSecret();
- }
} else if (secRef.containsKeyIdentifier()){
- String sha = secRef.getKeyIdentifierValue();
+ String keyIdentifierValue = secRef.getKeyIdentifierValue();
WSPasswordCallback pwcb =
new WSPasswordCallback(
- secRef.getKeyIdentifierValue(),
+ keyIdentifierValue,
null,
secRef.getKeyIdentifierValueType(),
WSPasswordCallback.ENCRYPTED_KEY_TOKEN
@@ -345,7 +357,7 @@
throw new WSSecurityException(
WSSecurityException.FAILURE,
"noPassword",
- new Object[] {sha},
+ new Object[] {keyIdentifierValue},
e
);
}
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/X509Util.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/X509Util.java?rev=774360&r1=774359&r2=774360&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/X509Util.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/X509Util.java Wed May 13 13:39:46 2009
@@ -88,10 +88,8 @@
throw new WSSecurityException(WSSecurityException.INVALID_SECURITY, "noKeyname");
}
WSPasswordCallback pwCb = new WSPasswordCallback(keyName, WSPasswordCallback.KEY_NAME);
- Callback[] callbacks = new Callback[1];
- callbacks[0] = pwCb;
try {
- cb.handle(callbacks);
+ cb.handle(new Callback[]{pwCb});
} catch (IOException e) {
throw new WSSecurityException(
WSSecurityException.FAILURE,
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/util/WSSecurityUtil.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/util/WSSecurityUtil.java?rev=774360&r1=774359&r2=774360&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/util/WSSecurityUtil.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/util/WSSecurityUtil.java Wed May 13 13:39:46 2009
@@ -1091,4 +1091,53 @@
return ret;
}
+
+ /**
+ * @return the first node in b that is not in a
+ */
+ public static Node
+ newNode(
+ final java.util.List a,
+ final java.util.List b
+ ) {
+ if (a.size() == 0 && b.size() > 0) {
+ return (Node)b.get(0);
+ }
+ if (b.size() == 0) {
+ return null;
+ }
+ for (
+ final java.util.Iterator bpos = b.iterator();
+ bpos.hasNext();
+ ) {
+ final Node bnode = (Node) bpos.next();
+ final java.lang.String bns = bnode.getNamespaceURI();
+ final java.lang.String bln = bnode.getLocalName();
+ boolean found = false;
+ for (
+ final java.util.Iterator apos = a.iterator();
+ apos.hasNext() && !found;
+ ) {
+ final Node anode = (Node) apos.next();
+ final java.lang.String ans = anode.getNamespaceURI();
+ final java.lang.String aln = anode.getLocalName();
+ final boolean nsmatch =
+ ans == null
+ ? ((bns == null) ? true : false)
+ : ((bns == null) ? false : ans.equals(bns));
+ final boolean lnmatch =
+ aln == null
+ ? ((bln == null) ? true : false)
+ : ((bln == null) ? false : aln.equals(bln));
+ if (nsmatch && lnmatch) {
+ found = true;
+ }
+ }
+ if (!found) {
+ return bnode;
+ }
+ }
+ return null;
+ }
+
}
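Review bot: newNode identifies the decrypted node by comparing namespace URI and local name against the sibling list taken before decryption, so a decrypted element whose QName already occurs among its unencrypted siblings is treated as not new and the method returns null; ReferenceListProcessor.decryptEncryptedData then returns a WSDataRef without a protected element. If listChildren returns the live child nodes rather than copies, the nodes that survived decryption are the same objects in both lists, and identity comparison is both exact and much shorter; the rewrite below does that and drops the special cases for empty lists, which the loop already covers. The Javadoc should also state the contract: `@param a the children before decryption`, `@param b the children after decryption`, and that null is returned when every node in b has a counterpart in a.
```java
public static Node
newNode(
    final java.util.List a,
    final java.util.List b
) {
    for (
        final java.util.Iterator bpos = b.iterator();
        bpos.hasNext();
    ) {
        final Node bnode = (Node) bpos.next();
        boolean found = false;
        for (
            final java.util.Iterator apos = a.iterator();
            apos.hasNext() && !found;
        ) {
            // Identity, not (namespace, localName) equality: nodes that
            // survived decryption are the same objects in both lists.
            found = apos.next() == bnode;
        }
        if (!found) {
            return bnode;
        }
    }
    return null;
}
```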
Modified: webservices/wss4j/trunk/test/wssec/TestWSSecurityNew2.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityNew2.java?rev=774360&r1=774359&r2=774360&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityNew2.java (original)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityNew2.java Wed May 13 13:39:46 2009
@@ -238,6 +238,9 @@
final java.util.List results = secEngine.processSecurityHeader(doc, null, this, crypto);
String outputString =
org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug(outputString);
+ }
assertTrue(outputString.indexOf("LogTestService2") > 0 ? true : false);
//
// walk through the results, and make sure there is an encryption
@@ -262,6 +265,15 @@
expectedEncryptedElement,
ref.getName()
);
+ assertNotNull(ref.getProtectedElement());
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("WSDataRef element: ");
+ LOG.debug(
+ org.apache.ws.security.util.DOM2Writer.nodeToString(
+ ref.getProtectedElement()
+ )
+ );
+ }
}
}
}
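Review bot: The new assertion only checks that getProtectedElement() is non-null, while the point of the commit is that the WSDataRef now refers to the decrypted element, so the test should pin which element that is. Assuming expectedEncryptedElement is the QName compared just above, `assertEquals(expectedEncryptedElement.getLocalPart(), ref.getProtectedElement().getLocalName());` and `assertSame(doc, ref.getProtectedElement().getOwnerDocument());` would catch a reference to the wrong sibling or to a node outside the processed document. The loop enclosing this assertion starts outside the hunk.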