Posted to wss4j-dev@ws.apache.org by co...@apache.org on 2009/04/28 12:23:10 UTC
svn commit: r769324 - in /webservices/wss4j/trunk:
src/org/apache/ws/security/action/ src/org/apache/ws/security/message/
src/org/apache/ws/security/message/token/ test/wssec/
Author: coheigea
Date: Tue Apr 28 10:23:08 2009
New Revision: 769324
URL: http://svn.apache.org/viewvc?rev=769324&view=rev
Log:
[WSS-179] - Added (better) support for signature using a symmetric key
- Also removed wsu namespace from the STR by default
- Removed wsse and ds namespace definitions from the TransformationParameters
- Removed UT_SIGNING configuration from WSSecSignature...the same functionality can be achieved using CUSTOM_SYMM_SIGNING
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/action/UsernameTokenSignedAction.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java
webservices/wss4j/trunk/test/wssec/TestWSSecurityNew13.java
webservices/wss4j/trunk/test/wssec/TestWSSecurityNew17.java
webservices/wss4j/trunk/test/wssec/TestWSSecurityNew18.java
webservices/wss4j/trunk/test/wssec/TestWSSecurityUTSignature.java
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/action/UsernameTokenSignedAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/action/UsernameTokenSignedAction.java?rev=769324&r1=769323&r2=769324&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/action/UsernameTokenSignedAction.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/action/UsernameTokenSignedAction.java Tue Apr 28 10:23:08 2009
@@ -78,9 +78,10 @@
WSSecSignature sign = new WSSecSignature();
sign.setWsConfig(reqData.getWssConfig());
-
- sign.setUsernameToken(builder);
- sign.setKeyIdentifierType(WSConstants.UT_SIGNING);
+ sign.setCustomTokenValueType(WSConstants.USERNAMETOKEN_NS + "#UsernameToken");
+ sign.setCustomTokenId(builder.getId());
+ sign.setSecretKey(builder.getSecretKey());
+ sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
sign.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
sign.prepare(doc, null, reqData.getSecHeader());
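Review bot: The four setter calls now carry the UsernameToken signing recipe that WSSecSignature used to encapsulate behind setUsernameToken/UT_SIGNING, and nothing in the action says why a value type and token id are paired with CUSTOM_SYMM_SIGNING. A short comment above `sign.setCustomTokenValueType(...)` would help the next reader: `// Sign with the key the UsernameToken builder derived; the STR references the UT element by its wsu:Id.` Whether `builder.getSecretKey()` is non-null here depends on the builder having been prepared earlier in the method, which is outside the hunk. The enclosing method starts and ends outside the hunk.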
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java?rev=769324&r1=769323&r2=769324&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java Tue Apr 28 10:23:08 2009
@@ -34,6 +34,7 @@
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.saml.SAMLUtil;
import org.apache.ws.security.transform.STRTransform;
+import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.algorithms.SignatureAlgorithm;
import org.apache.xml.security.c14n.Canonicalizer;
@@ -55,6 +56,8 @@
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.List;
@@ -82,9 +85,7 @@
protected String sigAlgo = null;
- protected String canonAlgo = Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS;
-
- protected WSSecUsernameToken usernameToken = null;
+ protected String canonAlgo = WSConstants.C14N_EXCL_OMIT_COMMENTS;
protected byte[] signatureValue = null;
@@ -143,7 +144,7 @@
* @return A boolean if single certificate is set.
*/
public boolean isUseSingleCertificate() {
- return this.useSingleCert;
+ return useSingleCert;
}
/**
@@ -221,13 +222,6 @@
/**
- * @param usernameToken The usernameToken to set.
- */
- public void setUsernameToken(WSSecUsernameToken usernameToken) {
- this.usernameToken = usernameToken;
- }
-
- /**
* Returns the computed Signature value.
*
* Call this method after <code>computeSignature()</code> or <code>build()</code>
@@ -261,10 +255,10 @@
* BinaruSecurityToken element.
*/
public String getBSTTokenId() {
- if (this.bstToken == null) {
+ if (bstToken == null) {
return null;
}
- return this.bstToken.getID();
+ return bstToken.getID();
}
/**
@@ -299,11 +293,10 @@
// parameters.
//
X509Certificate[] certs = null;
- if (keyIdentifierType != WSConstants.UT_SIGNING
- && keyIdentifierType != WSConstants.CUSTOM_SYMM_SIGNING
- && keyIdentifierType != WSConstants.CUSTOM_SYMM_SIGNING_DIRECT
- && keyIdentifierType != WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER
- && keyIdentifierType != WSConstants.CUSTOM_KEY_IDENTIFIER) {
+ if (!(keyIdentifierType == WSConstants.CUSTOM_SYMM_SIGNING
+ || keyIdentifierType == WSConstants.CUSTOM_SYMM_SIGNING_DIRECT
+ || keyIdentifierType == WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER
+ || keyIdentifierType == WSConstants.CUSTOM_KEY_IDENTIFIER)) {
if (useThisCert == null) {
certs = crypto.getCertificates(user);
} else {
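Review bot: The identifier-type predicate starting at `if (!(keyIdentifierType == WSConstants.CUSTOM_SYMM_SIGNING` is written out twice in this class — here and again in computeSignature (the hunk at @@ -694) — and this very commit had to delete UT_SIGNING from both lists, which is exactly how the two copies drift apart. Extract the predicate once and call `if (!isSymmetricKeyIdentifier())` here and `if (isSymmetricKeyIdentifier())` in computeSignature. The enclosing prepare method starts and ends outside the hunk.
```java
/** True when the signature key is a symmetric key referenced by the STR rather than an X.509 certificate. */
private boolean isSymmetricKeyIdentifier() {
    return keyIdentifierType == WSConstants.CUSTOM_SYMM_SIGNING
        || keyIdentifierType == WSConstants.CUSTOM_SYMM_SIGNING_DIRECT
        || keyIdentifierType == WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER
        || keyIdentifierType == WSConstants.CUSTOM_KEY_IDENTIFIER;
}
// … unchanged: certificate lookup …
if (!isSymmetricKeyIdentifier()) {
```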
@@ -418,38 +411,36 @@
secRef.setKeyIdentifierSKI(certs[0], crypto);
break;
- case WSConstants.UT_SIGNING:
- Reference refUt = new Reference(document);
- refUt.setValueType(WSConstants.USERNAMETOKEN_NS + "#UsernameToken");
- String utId = usernameToken.getId();
- refUt.setURI("#" + utId);
- secRef.setReference(refUt);
- secretKey = usernameToken.getSecretKey();
- break;
-
case WSConstants.THUMBPRINT_IDENTIFIER:
secRef.setKeyIdentifierThumb(certs[0]);
break;
case WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER:
- secRef.setKeyIdentifierEncKeySHA1(this.encrKeySha1value);
+ if (encrKeySha1value != null) {
+ secRef.setKeyIdentifierEncKeySHA1(encrKeySha1value);
+ } else {
+ secRef.setKeyIdentifierEncKeySHA1(getSHA1(secretKey));
+ }
break;
case WSConstants.CUSTOM_SYMM_SIGNING :
Reference refCust = new Reference(document);
- refCust.setValueType(this.customTokenValueType);
- refCust.setURI("#" + this.customTokenId);
+ refCust.setValueType(customTokenValueType);
+ refCust.setURI("#" + customTokenId);
secRef.setReference(refCust);
break;
+
case WSConstants.CUSTOM_SYMM_SIGNING_DIRECT :
Reference refCustd = new Reference(document);
- refCustd.setValueType(this.customTokenValueType);
- refCustd.setURI(this.customTokenId);
+ refCustd.setValueType(customTokenValueType);
+ refCustd.setURI(customTokenId);
secRef.setReference(refCustd);
break;
+
case WSConstants.CUSTOM_KEY_IDENTIFIER:
secRef.setKeyIdentifier(customTokenValueType, customTokenId);
break;
+
case WSConstants.KEY_VALUE:
java.security.PublicKey publicKey = certs[0].getPublicKey();
String pubKeyAlgo = publicKey.getAlgorithm();
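Review bot: In the new `ENCRYPTED_KEY_SHA1_IDENTIFIER` branch, `getSHA1(secretKey)` is reached whenever `encrKeySha1value` is null, including when `secretKey` was never set, and `MessageDigest.update(null)` then fails with a NullPointerException instead of the WSSecurityException that callers of prepare() handle. Guard it before the call (or at the top of `getSHA1` in the last hunk of this file): `if (secretKey == null) { throw new WSSecurityException(WSSecurityException.FAILURE); }`. Note also that the fallback digests the plaintext key bytes; if I read WS-Security 1.1 correctly, EncryptedKeySHA1 is defined over the EncryptedKey's CipherValue, so this identifier only resolves when the receiver obtains the key through a callback, as the new TestWSSecurityNew17 test does — a comment on the else branch saying so would prevent surprise. The enclosing prepare method starts and ends outside the hunk.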
@@ -659,7 +650,7 @@
* @return The DOM Element of the signature.
*/
public Element getSignatureElement() {
- return this.sig.getElement();
+ return sig.getElement();
}
/**
@@ -668,8 +659,8 @@
* @return the BST Token element
*/
public Element getBinarySecurityTokenElement() {
- if (this.bstToken != null) {
- return this.bstToken.getElement();
+ if (bstToken != null) {
+ return bstToken.getElement();
}
return null;
}
@@ -694,11 +685,10 @@
public void computeSignature() throws WSSecurityException {
boolean remove = WSDocInfoStore.store(wsDocInfo);
try {
- if (keyIdentifierType == WSConstants.UT_SIGNING ||
- keyIdentifierType == WSConstants.CUSTOM_SYMM_SIGNING ||
- keyIdentifierType == WSConstants.CUSTOM_SYMM_SIGNING_DIRECT ||
- keyIdentifierType == WSConstants.CUSTOM_KEY_IDENTIFIER ||
- keyIdentifierType == WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER) {
+ if (keyIdentifierType == WSConstants.CUSTOM_SYMM_SIGNING
+ || keyIdentifierType == WSConstants.CUSTOM_SYMM_SIGNING_DIRECT
+ || keyIdentifierType == WSConstants.CUSTOM_KEY_IDENTIFIER
+ || keyIdentifierType == WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER) {
if (secretKey == null) {
sig.sign(crypto.getPrivateKey(user, password));
} else {
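Review bot: When one of the four symmetric identifier types is selected but `secretKey` is null, the new condition still falls through to `sig.sign(crypto.getPrivateKey(user, password))`, so the message carries an STR that points at a symmetric token while the SignatureValue was produced with the user's private key; the receiver rejects it and the sender gets no hint why. Unless a null secretKey is deliberately meant to select the private key for CUSTOM_KEY_IDENTIFIER (not visible here), failing fast is clearer: replace `if (secretKey == null) {` with `if (secretKey == null) { throw new WSSecurityException(WSSecurityException.FAILURE); }` and sign with the secret key unconditionally. If the fallback is intended, document it on computeSignature's Javadoc instead. The method continues past the hunk.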
@@ -748,9 +738,9 @@
}
prepare(doc, cr, secHeader);
- String soapNamespace = WSSecurityUtil.getSOAPNamespace(doc.getDocumentElement());
if (parts == null) {
parts = new Vector();
+ String soapNamespace = WSSecurityUtil.getSOAPNamespace(doc.getDocumentElement());
WSEncryptionPart encP =
new WSEncryptionPart(
WSConstants.ELEM_BODY,
@@ -783,20 +773,12 @@
WSConstants.WSSE_PREFIX + ":TransformationParameters"
);
- WSSecurityUtil.setNamespace(
- transformParam, WSConstants.WSSE_NS, WSConstants.WSSE_PREFIX
- );
-
Element canonElem =
doc.createElementNS(
WSConstants.SIG_NS,
WSConstants.SIG_PREFIX + ":CanonicalizationMethod"
);
- WSSecurityUtil.setNamespace(
- canonElem, WSConstants.SIG_NS, WSConstants.SIG_PREFIX
- );
-
canonElem.setAttributeNS(null, "Algorithm", Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
transformParam.appendChild(canonElem);
return transformParam;
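Review bot: The Algorithm attribute at `canonElem.setAttributeNS(null, "Algorithm", Canonicalizer.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);` still takes the constant from Canonicalizer, while the `canonAlgo` field earlier in this commit was switched to `WSConstants.C14N_EXCL_OMIT_COMMENTS`; using the same constant in both places keeps one source of truth. With the two setNamespace calls removed, the wsse and ds declarations on these elements now depend on the serializer emitting them from the createElementNS namespaces; the commit log says this is intentional, so a one-line comment such as `// Namespace declarations are left to the serializer (see WSS-179); do not re-add setNamespace here.` would stop the next reader from reverting it. The enclosing method starts before the hunk and its closing brace is outside it.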
@@ -877,4 +859,19 @@
this.useThisCert = cer;
}
+ private String getSHA1(byte[] input) throws WSSecurityException {
+ try {
+ MessageDigest sha = WSSecurityUtil.resolveMessageDigest();
+ sha.reset();
+ sha.update(input);
+ byte[] data = sha.digest();
+
+ return Base64.encode(data);
+ } catch (NoSuchAlgorithmException e) {
+ throw new WSSecurityException(
+ WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, e
+ );
+ }
+ }
+
}
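Review bot: `getSHA1` has no Javadoc and its contract is not obvious from the name: it returns the Base64 encoding of the SHA-1 digest of the raw bytes and is used as the EncryptedKeySHA1 key identifier. Add `/** Returns the Base64-encoded SHA-1 digest of {@code input}, used as the EncryptedKeySHA1 identifier when no precomputed value was supplied. @throws WSSecurityException if no SHA-1 MessageDigest is available */`. The `sha.reset()` call is redundant if `WSSecurityUtil.resolveMessageDigest()` hands back a fresh instance, which is not visible here; if it can return a shared instance, say so in a comment, otherwise drop the line.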
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java?rev=769324&r1=769323&r2=769324&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java Tue Apr 28 10:23:08 2009
@@ -103,6 +103,14 @@
public void addWSSENamespace() {
WSSecurityUtil.setNamespace(this.element, WSConstants.WSSE_NS, WSConstants.WSSE_PREFIX);
}
+
+ /**
+ * Add the WSU Namespace to this STR. The namespace is not added by default for
+ * efficiency purposes.
+ */
+ public void addWSUNamespace() {
+ WSSecurityUtil.setNamespace(element, WSConstants.WSU_NS, WSConstants.WSU_PREFIX);
+ }
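Review bot: `addWSUNamespace` references `element` while the adjacent `addWSSENamespace` directly above uses `this.element`; the two sibling methods should use one form, and since the rest of this commit drops the `this.` qualifier, `element` is the consistent choice. The Javadoc's "for efficiency purposes" would be more useful if it told callers when the method is required, e.g. `Call this when the STR is not placed under an element that already declares the wsu prefix; setID no longer declares it.`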
/**
* set the reference.
@@ -761,7 +769,6 @@
* @param id
*/
public void setID(String id) {
- WSSecurityUtil.setNamespace(element, WSConstants.WSU_NS, WSConstants.WSU_PREFIX);
this.element.setAttributeNS(WSConstants.WSU_NS, WSConstants.WSU_PREFIX + ":Id", id);
}
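Review bot: `setID` now writes a `wsu:Id` attribute without declaring the wsu prefix, so an STR whose ancestors do not already bind `wsu` serializes with an undeclared prefix unless the caller remembers the new `addWSUNamespace()`. That contract belongs on the method; add to its Javadoc `* The wsu namespace is no longer declared here; call {@link #addWSUNamespace()} if no ancestor element declares it.`. Whether the DOM serializer in use performs namespace fixup for the prefixed attribute is not visible from the hunk.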
Modified: webservices/wss4j/trunk/test/wssec/TestWSSecurityNew13.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityNew13.java?rev=769324&r1=769323&r2=769324&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityNew13.java (original)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityNew13.java Tue Apr 28 10:23:08 2009
@@ -121,7 +121,7 @@
/**
- * Test the specific signing mehtod that use UsernameToken values
+ * Test the specific signing method that use UsernameToken values
* <p/>
*
* @throws java.lang.Exception Thrown when there is any problem in signing or verification
@@ -140,9 +140,12 @@
builder.prepare(doc);
WSSecSignature sign = new WSSecSignature();
- sign.setUsernameToken(builder);
- sign.setKeyIdentifierType(WSConstants.UT_SIGNING);
+ sign.setCustomTokenValueType(WSConstants.USERNAMETOKEN_NS + "#UsernameToken");
+ sign.setCustomTokenId(builder.getId());
+ sign.setSecretKey(builder.getSecretKey());
+ sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
sign.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
+
LOG.info("Before signing with UT text....");
sign.build(doc, null, secHeader);
LOG.info("Before adding UsernameToken PW Text....");
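Review bot: The four-call sequence `setCustomTokenValueType(...)`, `setCustomTokenId(builder.getId())`, `setSecretKey(builder.getSecretKey())`, `setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING)` is repeated verbatim in this hunk, in the next one (@@ -178), and twice in TestWSSecurityUTSignature (@@ -141 and @@ -181); a private helper in each test class keeps the recipe in one place so a future change to the value type is made once. While touching the Javadoc, `that use UsernameToken values` reads better as `that uses UsernameToken values`. The enclosing test methods start and end outside the hunk.
```java
/** Configures sign to use the key derived by the prepared UsernameToken builder. */
private static void useUsernameTokenKey(WSSecSignature sign, WSSecUsernameToken builder) {
    sign.setCustomTokenValueType(WSConstants.USERNAMETOKEN_NS + "#UsernameToken");
    sign.setCustomTokenId(builder.getId());
    sign.setSecretKey(builder.getSecretKey());
    sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
}
// … unchanged: test body …
useUsernameTokenKey(sign, builder);
sign.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
```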
@@ -159,7 +162,7 @@
}
/**
- * Test the specific signing mehtod that use UsernameToken values
+ * Test the specific signing method that use UsernameToken values
* <p/>
*
* @throws java.lang.Exception Thrown when there is any problem in signing or verification
@@ -178,9 +181,12 @@
builder.prepare(doc);
WSSecSignature sign = new WSSecSignature();
- sign.setUsernameToken(builder);
- sign.setKeyIdentifierType(WSConstants.UT_SIGNING);
+ sign.setCustomTokenValueType(WSConstants.USERNAMETOKEN_NS + "#UsernameToken");
+ sign.setCustomTokenId(builder.getId());
+ sign.setSecretKey(builder.getSecretKey());
+ sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
sign.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
+
LOG.info("Before signing with UT digest....");
sign.build(doc, null, secHeader);
LOG.info("Before adding UsernameToken PW Digest....");
Modified: webservices/wss4j/trunk/test/wssec/TestWSSecurityNew17.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityNew17.java?rev=769324&r1=769323&r2=769324&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityNew17.java (original)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityNew17.java Tue Apr 28 10:23:08 2009
@@ -23,6 +23,8 @@
import java.io.IOException;
import java.io.InputStream;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
@@ -75,6 +77,7 @@
private Crypto crypto = CryptoFactory.getInstance();
private MessageContext msgContext;
private Message message;
+ private byte[] keyData;
/**
* TestWSSecurity constructor
@@ -106,6 +109,11 @@
AxisClient tmpEngine = new AxisClient(new NullProvider());
msgContext = new MessageContext(tmpEngine);
message = getSOAPMessage();
+
+ KeyGenerator keyGen = KeyGenerator.getInstance("AES");
+ keyGen.init(128);
+ SecretKey key = keyGen.generateKey();
+ keyData = key.getEncoded();
}
/**
@@ -121,6 +129,70 @@
msg.setMessageContext(msgContext);
return msg;
}
+
+ /**
+ * Test signing a message body using a symmetric key with EncryptedKeySHA1
+ */
+ public void testSymmetricSignatureSHA1() throws Exception {
+ SOAPEnvelope unsignedEnvelope = message.getSOAPEnvelope();
+ Document doc = unsignedEnvelope.getAsDocument();
+
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ WSSecSignature sign = new WSSecSignature();
+ sign.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
+ sign.setSecretKey(keyData);
+ sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
+
+ Document signedDoc = sign.build(doc, crypto, secHeader);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Signed symmetric message SHA1:");
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc);
+ LOG.debug(outputString);
+ }
+
+ verify(signedDoc);
+ }
+
+
+ /**
+ * Test signing a message body using a symmetric key with Direct Reference to an
+ * EncryptedKey
+ */
+ public void testSymmetricSignatureDR() throws Exception {
+ SOAPEnvelope unsignedEnvelope = message.getSOAPEnvelope();
+ Document doc = unsignedEnvelope.getAsDocument();
+
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
+ encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
+ encrKey.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
+ encrKey.setKeySize(192);
+ encrKey.prepare(doc, crypto);
+
+ WSSecSignature sign = new WSSecSignature();
+ sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
+ sign.setCustomTokenId(encrKey.getId());
+ sign.setSecretKey(encrKey.getEphemeralKey());
+ sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
+ sign.setCustomTokenValueType(
+ WSConstants.SOAPMESSAGE_NS11 + "#" + WSConstants.ENC_KEY_VALUE_TYPE
+ );
+
+ Document signedDoc = sign.build(doc, crypto, secHeader);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Signed symmetric message DR:");
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc);
+ LOG.debug(outputString);
+ }
+ }
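Review bot: `testSymmetricSignatureDR` builds the signed document and logs it but never calls `verify(signedDoc)` the way `testSymmetricSignatureSHA1` does, so it only proves that signing does not throw. Nothing visible in the method adds the EncryptedKey element that `encrKey.prepare(doc, crypto)` built to the security header, so the STR's `#` reference would dangle for a receiver; if that is why verification is skipped, say so in a comment, otherwise prepend the EncryptedKey element to `secHeader` (as the UsernameToken tests do with their builder) and finish with `verify(signedDoc);`. The `verify` helper and the rest of the class are outside this hunk.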
/**
* Test that first signs, then encrypts a WS-Security envelope.
@@ -200,6 +272,7 @@
* for Testing we supply a fixed name here.
*/
pc.setPassword("security");
+ pc.setKey(keyData);
} else {
throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
}
Modified: webservices/wss4j/trunk/test/wssec/TestWSSecurityNew18.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityNew18.java?rev=769324&r1=769323&r2=769324&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityNew18.java (original)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityNew18.java Tue Apr 28 10:23:08 2009
@@ -118,7 +118,7 @@
}
/**
- * The test uses the ThumbprintSHA1 key identifier type.
+ * Sign using a different digest algorithm (SHA-256).
* <p/>
*
* @throws java.lang.Exception Thrown when there is any problem in signing or verification
Modified: webservices/wss4j/trunk/test/wssec/TestWSSecurityUTSignature.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityUTSignature.java?rev=769324&r1=769323&r2=769324&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityUTSignature.java (original)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityUTSignature.java Tue Apr 28 10:23:08 2009
@@ -141,9 +141,12 @@
builder.prepare(doc);
WSSecSignature sign = new WSSecSignature();
- sign.setUsernameToken(builder);
- sign.setKeyIdentifierType(WSConstants.UT_SIGNING);
+ sign.setCustomTokenValueType(WSConstants.USERNAMETOKEN_NS + "#UsernameToken");
+ sign.setCustomTokenId(builder.getId());
+ sign.setSecretKey(builder.getSecretKey());
+ sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
sign.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
+
Document signedDoc = sign.build(doc, null, secHeader);
builder.prependToHeader(secHeader);
@@ -181,9 +184,12 @@
builder.prepare(doc);
WSSecSignature sign = new WSSecSignature();
- sign.setUsernameToken(builder);
- sign.setKeyIdentifierType(WSConstants.UT_SIGNING);
+ sign.setCustomTokenValueType(WSConstants.USERNAMETOKEN_NS + "#UsernameToken");
+ sign.setCustomTokenId(builder.getId());
+ sign.setSecretKey(builder.getSecretKey());
+ sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
sign.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
+
Document signedDoc = sign.build(doc, null, secHeader);
builder.prependToHeader(secHeader);