Posted to commits@ws.apache.org by co...@apache.org on 2015/03/04 12:49:49 UTC
svn commit: r1663945 - in
/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor:
EncryptedKeyProcessor.java ReferenceListProcessor.java
SignatureProcessor.java
Author: coheigea
Date: Wed Mar 4 11:49:48 2015
New Revision: 1663945
URL: http://svn.apache.org/r1663945
Log:
Processor refactor
Modified:
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java?rev=1663945&r1=1663944&r2=1663945&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java Wed Mar 4 11:49:48 2015
@@ -28,7 +28,6 @@ import java.security.cert.X509Certificat
import java.security.spec.MGF1ParameterSpec;
import java.util.ArrayList;
import java.util.Collections;
-import java.util.LinkedList;
import java.util.List;
import javax.crypto.Cipher;
@@ -226,7 +225,8 @@ public class EncryptedKeyProcessor imple
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, ex);
}
- List<String> dataRefURIs = getDataRefURIs(elem);
+ Element refList =
+ WSSecurityUtil.getDirectChildElement(elem, "ReferenceList", WSConstants.ENC_NS);
byte[] encryptedEphemeralKey = null;
byte[] decryptedBytes = null;
@@ -237,11 +237,10 @@ public class EncryptedKeyProcessor imple
} catch (IllegalStateException ex) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, ex);
} catch (Exception ex) {
- decryptedBytes = getRandomKey(dataRefURIs, elem.getOwnerDocument(), wsDocInfo);
+ decryptedBytes = getRandomKey(refList, wsDocInfo);
}
- List<WSDataRef> dataRefs = decryptDataRefs(dataRefURIs, elem.getOwnerDocument(), wsDocInfo,
- decryptedBytes, data);
+ List<WSDataRef> dataRefs = decryptDataRefs(refList, wsDocInfo, decryptedBytes, data);
WSSecurityEngineResult result = new WSSecurityEngineResult(
WSConstants.ENCR,
@@ -267,19 +266,17 @@ public class EncryptedKeyProcessor imple
/**
* Generates a random secret key using the algorithm specified in the
* first DataReference URI
- *
- * @param dataRefURIs
- * @param doc
- * @param wsDocInfo
- * @throws WSSecurityException
*/
- private static byte[] getRandomKey(List<String> dataRefURIs, Document doc, WSDocInfo wsDocInfo) throws WSSecurityException {
+ private static byte[] getRandomKey(Element refList, WSDocInfo wsDocInfo) throws WSSecurityException {
try {
String alg = "AES";
int size = 16;
- if (!dataRefURIs.isEmpty()) {
- String uri = dataRefURIs.iterator().next();
- Element ee = ReferenceListProcessor.findEncryptedDataElement(doc, wsDocInfo, uri);
+ String uri = getFirstDataRefURI(refList);
+
+ if (uri != null) {
+ Element ee =
+ ReferenceListProcessor.findEncryptedDataElement(refList.getOwnerDocument(),
+ wsDocInfo, uri);
String algorithmURI = X509Util.getEncAlgo(ee);
alg = JCEMapper.getJCEKeyAlgorithmFromURI(algorithmURI);
size = KeyUtils.getKeyLength(algorithmURI);
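Review bot: The Javadoc on getRandomKey lost its `@param` and `@throws` tags instead of having them updated for the new signature, so the contract of the null-able `refList` argument is now undocumented. Suggest `@param refList the xenc:ReferenceList child of the EncryptedKey, or null if the key references no data`, `@param wsDocInfo the document info used to resolve the first DataReference`, and `@throws WSSecurityException if the key cannot be generated`. The body of getRandomKey, including its catch clause, continues past the end of this hunk.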
@@ -301,6 +298,24 @@ public class EncryptedKeyProcessor imple
}
}
+ private static String getFirstDataRefURI(Element refList) {
+ // Lookup the references that are encrypted with this key
+ if (refList != null) {
+ for (Node node = refList.getFirstChild(); node != null; node = node.getNextSibling()) {
+ if (Node.ELEMENT_NODE == node.getNodeType()
+ && WSConstants.ENC_NS.equals(node.getNamespaceURI())
+ && "DataReference".equals(node.getLocalName())) {
+ String dataRefURI = ((Element) node).getAttributeNS(null, "URI");
+ if (dataRefURI.charAt(0) == '#') {
+ dataRefURI = dataRefURI.substring(1);
+ }
+ return dataRefURI;
+ }
+ }
+ }
+ return null;
+ }
+
/**
* Method getDecodedBase64EncodedData
*
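Review bot: `dataRefURI.charAt(0)` in the new getFirstDataRefURI throws StringIndexOutOfBoundsException when a DataReference has an empty or absent `URI` attribute, because `getAttributeNS` returns the empty string for a missing attribute; a malformed ReferenceList would then surface as an unchecked runtime exception rather than the WSSecurityException the rest of the processor reports. Replace the test with `if (dataRefURI.startsWith("#")) {`, which is safe on the empty string. The same `charAt(0)` pattern is repeated in the rewritten decryptDataRefs loop later in this diff, and since both loops also duplicate the DataReference iteration, a single private helper that finds the DataReference children and normalises their URIs would remove the duplication and fix both places at once.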
@@ -477,50 +492,35 @@ public class EncryptedKeyProcessor imple
}
/**
- * Find the list of all URIs that this encrypted Key references
- */
- private List<String> getDataRefURIs(Element xencEncryptedKey) {
- // Lookup the references that are encrypted with this key
- Element refList =
- WSSecurityUtil.getDirectChildElement(
- xencEncryptedKey, "ReferenceList", WSConstants.ENC_NS
- );
- List<String> dataRefURIs = new LinkedList<>();
- if (refList != null) {
- for (Node node = refList.getFirstChild(); node != null; node = node.getNextSibling()) {
- if (Node.ELEMENT_NODE == node.getNodeType()
- && WSConstants.ENC_NS.equals(node.getNamespaceURI())
- && "DataReference".equals(node.getLocalName())) {
- String dataRefURI = ((Element) node).getAttributeNS(null, "URI");
- if (dataRefURI.charAt(0) == '#') {
- dataRefURI = dataRefURI.substring(1);
- }
- dataRefURIs.add(dataRefURI);
- }
- }
- }
- return dataRefURIs;
- }
-
- /**
* Decrypt all data references
*/
- private List<WSDataRef> decryptDataRefs(List<String> dataRefURIs, Document doc,
- WSDocInfo docInfo, byte[] decryptedBytes, RequestData data
+ private List<WSDataRef> decryptDataRefs(Element refList, WSDocInfo docInfo,
+ byte[] decryptedBytes, RequestData data
) throws WSSecurityException {
//
// At this point we have the decrypted session (symmetric) key. According
// to W3C XML-Enc this key is used to decrypt _any_ references contained in
// the reference list
- if (dataRefURIs == null || dataRefURIs.isEmpty()) {
+ if (refList == null) {
return null;
}
- List<WSDataRef> dataRefs = new ArrayList<>(dataRefURIs.size());
- for (String dataRefURI : dataRefURIs) {
- WSDataRef dataRef =
- decryptDataRef(doc, dataRefURI, docInfo, decryptedBytes, data);
- dataRefs.add(dataRef);
+
+ List<WSDataRef> dataRefs = new ArrayList<>();
+ for (Node node = refList.getFirstChild(); node != null; node = node.getNextSibling()) {
+ if (Node.ELEMENT_NODE == node.getNodeType()
+ && WSConstants.ENC_NS.equals(node.getNamespaceURI())
+ && "DataReference".equals(node.getLocalName())) {
+ String dataRefURI = ((Element) node).getAttributeNS(null, "URI");
+ if (dataRefURI.charAt(0) == '#') {
+ dataRefURI = dataRefURI.substring(1);
+ }
+
+ WSDataRef dataRef =
+ decryptDataRef(refList.getOwnerDocument(), dataRefURI, docInfo, decryptedBytes, data);
+ dataRefs.add(dataRef);
+ }
}
+
return dataRefs;
}
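Review bot: decryptDataRefs now returns null only when the ReferenceList element is absent and an empty list when the list contains no DataReference children, whereas the removed version returned null in both cases; the one-line Javadoc `Decrypt all data references` does not record this. Suggest adding `@return the decrypted references, or null if the EncryptedKey has no ReferenceList` and `@throws WSSecurityException if a referenced EncryptedData cannot be decrypted`. Any caller that distinguished null from an empty list (the WSSecurityEngineResult constructed earlier in this diff receives the value) may be affected, which is worth confirming since the commit is labelled a refactor.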
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java?rev=1663945&r1=1663944&r2=1663945&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/ReferenceListProcessor.java Wed Mar 4 11:49:48 2015
@@ -101,10 +101,6 @@ public class ReferenceListProcessor impl
WSDocInfo wsDocInfo
) throws WSSecurityException {
List<WSDataRef> dataRefs = new ArrayList<>();
- //find out if there's an EncryptedKey in the doc (AsymmetricBinding)
- Element wsseHeaderElement = wsDocInfo.getSecurityHeader();
- boolean asymBinding = WSSecurityUtil.getDirectChildElement(
- wsseHeaderElement, WSConstants.ENC_KEY_LN, WSConstants.ENC_NS) != null;
for (Node node = elem.getFirstChild();
node != null;
node = node.getNextSibling()
@@ -121,7 +117,7 @@ public class ReferenceListProcessor impl
if (!wsDocInfo.hasResult(WSConstants.ENCR, dataRefURI)) {
WSDataRef dataRef =
decryptDataRefEmbedded(
- elem.getOwnerDocument(), dataRefURI, data, wsDocInfo, asymBinding);
+ elem.getOwnerDocument(), dataRefURI, data, wsDocInfo);
dataRefs.add(dataRef);
}
}
@@ -138,8 +134,7 @@ public class ReferenceListProcessor impl
Document doc,
String dataRefURI,
RequestData data,
- WSDocInfo wsDocInfo,
- boolean asymBinding
+ WSDocInfo wsDocInfo
) throws WSSecurityException {
if (LOG.isDebugEnabled()) {
LOG.debug("Found data reference: " + dataRefURI);
@@ -149,7 +144,7 @@ public class ReferenceListProcessor impl
//
Element encryptedDataElement = findEncryptedDataElement(doc, wsDocInfo, dataRefURI);
- if (encryptedDataElement != null && asymBinding && data.isRequireSignedEncryptedDataElements()) {
+ if (encryptedDataElement != null && data.isRequireSignedEncryptedDataElements()) {
List<WSSecurityEngineResult> signedResults =
wsDocInfo.getResultsByTag(WSConstants.SIGN);
WSSecurityUtil.verifySignedElement(encryptedDataElement, signedResults);
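Review bot: Dropping `asymBinding` from the condition is a behaviour change rather than a pure refactor: `verifySignedElement` now runs for every decrypted EncryptedData whenever `isRequireSignedEncryptedDataElements()` is set, including messages whose security header carries no EncryptedKey, which the removed code skipped. That reads as a tightening of the check, but the log message says only "Processor refactor", so a comment on the condition such as `// Enforced for every binding: a decrypted EncryptedData must be covered by a signature when required` would record the intent for the next reader. The same removal spans the two earlier hunks of this file (the deleted `asymBinding` lookup and the dropped parameter of decryptDataRefEmbedded).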
@@ -326,86 +321,13 @@ public class ReferenceListProcessor impl
dataRef.setWsuId(dataRefURI);
dataRef.setAlgorithm(symEncAlgo);
+ // See if it is an attachment, and handle that differently
String typeStr = encData.getAttributeNS(null, "Type");
if (typeStr != null &&
(WSConstants.SWA_ATTACHMENT_ENCRYPTED_DATA_TYPE_CONTENT_ONLY.equals(typeStr) ||
WSConstants.SWA_ATTACHMENT_ENCRYPTED_DATA_TYPE_COMPLETE.equals(typeStr))) {
- try {
- Element cipherData = WSSecurityUtil.getDirectChildElement(encData, "CipherData", WSConstants.ENC_NS);
- if (cipherData == null) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
- }
- Element cipherReference = WSSecurityUtil.getDirectChildElement(cipherData, "CipherReference", WSConstants.ENC_NS);
- if (cipherReference == null) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
- }
- String uri = cipherReference.getAttributeNS(null, "URI");
- if (uri == null || uri.length() < 5) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
- }
- if (!uri.startsWith("cid:")) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
- }
- dataRef.setWsuId(uri);
- dataRef.setAttachment(true);
-
- CallbackHandler attachmentCallbackHandler = requestData.getAttachmentCallbackHandler();
- if (attachmentCallbackHandler == null) {
- throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
- }
-
- final String attachmentId = uri.substring(4);
-
- AttachmentRequestCallback attachmentRequestCallback = new AttachmentRequestCallback();
- attachmentRequestCallback.setAttachmentId(attachmentId);
-
- attachmentCallbackHandler.handle(new Callback[]{attachmentRequestCallback});
- List<Attachment> attachments = attachmentRequestCallback.getAttachments();
- if (attachments == null || attachments.isEmpty() || !attachmentId.equals(attachments.get(0).getId())) {
- throw new WSSecurityException(
- WSSecurityException.ErrorCode.INVALID_SECURITY,
- "empty", "Attachment not found"
- );
- }
- Attachment attachment = attachments.get(0);
-
- final String encAlgo = X509Util.getEncAlgo(encData);
- final String jceAlgorithm =
- JCEMapper.translateURItoJCEID(encAlgo);
- final Cipher cipher = Cipher.getInstance(jceAlgorithm);
-
- InputStream attachmentInputStream =
- AttachmentUtils.setupAttachmentDecryptionStream(
- encAlgo, cipher, symmetricKey, attachment.getSourceStream());
-
- Attachment resultAttachment = new Attachment();
- resultAttachment.setId(attachment.getId());
- resultAttachment.setMimeType(encData.getAttributeNS(null, "MimeType"));
- resultAttachment.setSourceStream(attachmentInputStream);
- resultAttachment.addHeaders(attachment.getHeaders());
-
- if (WSConstants.SWA_ATTACHMENT_ENCRYPTED_DATA_TYPE_COMPLETE.equals(typeStr)) {
- AttachmentUtils.readAndReplaceEncryptedAttachmentHeaders(
- resultAttachment.getHeaders(), attachmentInputStream);
- }
-
- AttachmentResultCallback attachmentResultCallback = new AttachmentResultCallback();
- attachmentResultCallback.setAttachment(resultAttachment);
- attachmentResultCallback.setAttachmentId(resultAttachment.getId());
- attachmentCallbackHandler.handle(new Callback[]{attachmentResultCallback});
-
- } catch (UnsupportedCallbackException | IOException
- | NoSuchAlgorithmException | NoSuchPaddingException e) {
- throw new WSSecurityException(
- WSSecurityException.ErrorCode.FAILED_CHECK, e);
- }
-
- dataRef.setContent(true);
- // Remove this EncryptedData from the security header to avoid processing it again
- encData.getParentNode().removeChild(encData);
-
- return dataRef;
+ return decryptAttachment(dataRefURI, encData, symmetricKey, symEncAlgo, requestData);
}
boolean content = X509Util.isContent(encData);
@@ -465,11 +387,95 @@ public class ReferenceListProcessor impl
return dataRef;
}
-
- public String getId() {
- return null;
- }
+ private static WSDataRef
+ decryptAttachment(
+ String dataRefURI,
+ Element encData,
+ SecretKey symmetricKey,
+ String symEncAlgo,
+ RequestData requestData
+ ) throws WSSecurityException {
+ WSDataRef dataRef = new WSDataRef();
+ dataRef.setWsuId(dataRefURI);
+ dataRef.setAlgorithm(symEncAlgo);
+
+ try {
+ Element cipherData = WSSecurityUtil.getDirectChildElement(encData, "CipherData", WSConstants.ENC_NS);
+ if (cipherData == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
+ }
+ Element cipherReference = WSSecurityUtil.getDirectChildElement(cipherData, "CipherReference", WSConstants.ENC_NS);
+ if (cipherReference == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
+ }
+ String uri = cipherReference.getAttributeNS(null, "URI");
+ if (uri == null || uri.length() < 5) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
+ }
+ if (!uri.startsWith("cid:")) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
+ }
+ dataRef.setWsuId(uri);
+ dataRef.setAttachment(true);
+
+ CallbackHandler attachmentCallbackHandler = requestData.getAttachmentCallbackHandler();
+ if (attachmentCallbackHandler == null) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
+ }
+
+ final String attachmentId = uri.substring(4);
+
+ AttachmentRequestCallback attachmentRequestCallback = new AttachmentRequestCallback();
+ attachmentRequestCallback.setAttachmentId(attachmentId);
+ attachmentCallbackHandler.handle(new Callback[]{attachmentRequestCallback});
+ List<Attachment> attachments = attachmentRequestCallback.getAttachments();
+ if (attachments == null || attachments.isEmpty() || !attachmentId.equals(attachments.get(0).getId())) {
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.INVALID_SECURITY,
+ "empty", "Attachment not found"
+ );
+ }
+ Attachment attachment = attachments.get(0);
+
+ final String encAlgo = X509Util.getEncAlgo(encData);
+ final String jceAlgorithm =
+ JCEMapper.translateURItoJCEID(encAlgo);
+ final Cipher cipher = Cipher.getInstance(jceAlgorithm);
+
+ InputStream attachmentInputStream =
+ AttachmentUtils.setupAttachmentDecryptionStream(
+ encAlgo, cipher, symmetricKey, attachment.getSourceStream());
+
+ Attachment resultAttachment = new Attachment();
+ resultAttachment.setId(attachment.getId());
+ resultAttachment.setMimeType(encData.getAttributeNS(null, "MimeType"));
+ resultAttachment.setSourceStream(attachmentInputStream);
+ resultAttachment.addHeaders(attachment.getHeaders());
+
+ String typeStr = encData.getAttributeNS(null, "Type");
+ if (WSConstants.SWA_ATTACHMENT_ENCRYPTED_DATA_TYPE_COMPLETE.equals(typeStr)) {
+ AttachmentUtils.readAndReplaceEncryptedAttachmentHeaders(
+ resultAttachment.getHeaders(), attachmentInputStream);
+ }
+
+ AttachmentResultCallback attachmentResultCallback = new AttachmentResultCallback();
+ attachmentResultCallback.setAttachment(resultAttachment);
+ attachmentResultCallback.setAttachmentId(resultAttachment.getId());
+ attachmentCallbackHandler.handle(new Callback[]{attachmentResultCallback});
+
+ } catch (UnsupportedCallbackException | IOException
+ | NoSuchAlgorithmException | NoSuchPaddingException e) {
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.FAILED_CHECK, e);
+ }
+
+ dataRef.setContent(true);
+ // Remove this EncryptedData from the security header to avoid processing it again
+ encData.getParentNode().removeChild(encData);
+
+ return dataRef;
+ }
/**
* @param decryptedNode the decrypted node
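Review bot: The new decryptAttachment method has no Javadoc, and its side effects are not obvious from the name: it overwrites the returned WSDataRef's wsu:Id with the `cid:` URI, marks it as attachment content, hands the decrypted stream back through the attachment callback handler, and removes the EncryptedData element from the document. A short Javadoc stating those effects, with `@throws WSSecurityException` for a missing CipherData/CipherReference, a URI that does not start with `cid:`, a missing attachment callback handler, or an attachment whose id does not match, would make the contract reviewable. The `uri == null` test in the length check is dead, since `getAttributeNS` returns the empty string for an absent attribute; `uri.length() < 5` alone covers that case. The public `getId()` method is also removed in this hunk; presumably nothing still calls it, but that is a visible API change hidden under a refactor commit.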
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java?rev=1663945&r1=1663944&r2=1663945&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java Wed Mar 4 11:49:48 2015
@@ -230,7 +230,7 @@ public class SignatureProcessor implemen
buildProtectedRefs(
elem.getOwnerDocument(), xmlSignature.getSignedInfo(), data, wsDocInfo
);
- if (dataRefs.size() == 0) {
+ if (dataRefs.isEmpty()) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK);
}
@@ -520,7 +520,7 @@ public class SignatureProcessor implemen
RequestData requestData,
WSDocInfo wsDocInfo
) throws WSSecurityException {
- List<WSDataRef> protectedRefs = new ArrayList<>();
+ List<WSDataRef> protectedRefs = new ArrayList<>(signedInfo.getReferences().size());
for (Object reference : signedInfo.getReferences()) {
Reference siRef = (Reference)reference;
String uri = siRef.getURI();