Posted to wss4j-dev@ws.apache.org by co...@apache.org on 2009/10/20 13:18:33 UTC
svn commit: r827034 - in /webservices/wss4j/branches/1_5_x-fixes:
src/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java
src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java
test/wssec/TestWSSecurityNewDK.java
Author: coheigea
Date: Tue Oct 20 11:18:33 2009
New Revision: 827034
URL: http://svn.apache.org/viewvc?rev=827034&view=rev
Log:
[WSS-211] - WSS4J does not support ThumbprintSHA1 in DerivedKeyTokens
Modified:
webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java
webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java
webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecurityNewDK.java
Modified: webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java?rev=827034&r1=827033&r2=827034&view=diff
==============================================================================
--- webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java (original)
+++ webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/BinarySecurityTokenProcessor.java Tue Oct 20 11:18:33 2009
@@ -86,6 +86,7 @@
0,
new WSSecurityEngineResult(WSConstants.BST, this.token, this.certificates)
);
+ id = elem.getAttributeNS(WSConstants.WSU_NS, "Id");
}
/**
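Review bot: `elem.getAttributeNS(WSConstants.WSU_NS, "Id")` returns the empty string, not null, when the token carries no `wsu:Id`, so after this assignment `getId()` would report `""` for an unidentified token; if callers compare the id against null (I cannot see them from here), normalise it, e.g. `String wsuId = elem.getAttributeNS(WSConstants.WSU_NS, "Id"); id = wsuId.length() == 0 ? null : wsuId;`. The WSS-211 log entry does not mention this file, so a short why-comment would help the next reader, e.g. `// expose the wsu:Id via getId(), presumably so references to this token can be resolved`. The enclosing method starts outside the hunk.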
Modified: webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java?rev=827034&r1=827033&r2=827034&view=diff
==============================================================================
--- webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java (original)
+++ webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java Tue Oct 20 11:18:33 2009
@@ -40,6 +40,7 @@
import javax.security.auth.callback.UnsupportedCallbackException;
import java.io.IOException;
+import java.security.cert.X509Certificate;
import java.util.Vector;
/**
@@ -157,8 +158,13 @@
// Now use the callback and get it
this.secret = this.getSecret(cb, uri);
} else if (processor == null && keyIdentifierValue != null
- && keyIdentifierValueType != null) {
- this.secret = this.getSecret(cb, keyIdentifierValue, keyIdentifierValueType);
+ && keyIdentifierValueType != null) {
+ X509Certificate[] certs = str.getKeyIdentifier(crypto);
+ if (certs == null || certs.length < 1 || certs[0] == null) {
+ this.secret = this.getSecret(cb, keyIdentifierValue, keyIdentifierValueType);
+ } else {
+ this.secret = this.getSecret(cb, crypto, certs);
+ }
} else if (processor instanceof UsernameTokenProcessor) {
this.secret = ((UsernameTokenProcessor) processor).getDerivedKey(cb);
} else if (processor instanceof EncryptedKeyProcessor) {
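Review bot: The new branch dereferences `crypto` through `str.getKeyIdentifier(crypto)` before reaching the fallback, whereas the code it replaces (`this.getSecret(cb, keyIdentifierValue, keyIdentifierValueType)`) needed no Crypto instance, so a deployment that resolves derived-key secrets purely through the callback handler may now fail on this line instead of taking the callback path. If `crypto` can be null in this processor (where it is set is outside the hunk), guard the lookup: `X509Certificate[] certs = crypto == null ? null : str.getKeyIdentifier(crypto);`, which keeps the callback-only path working and still prefers the keystore when one is configured. The enclosing method starts and ends outside the hunk.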
@@ -246,6 +252,56 @@
return pwcb.getKey();
}
+
+ private byte[] getSecret(
+ CallbackHandler cb,
+ Crypto crypto,
+ X509Certificate certs[]
+ ) throws WSSecurityException {
+ if (cb == null) {
+ throw new WSSecurityException(WSSecurityException.FAILURE, "noCallback");
+ }
+
+ String alias = crypto.getAliasForX509Cert(certs[0]);
+
+ WSPasswordCallback pwCb =
+ new WSPasswordCallback(alias, WSPasswordCallback.DECRYPT);
+ try {
+ Callback[] callbacks = new Callback[]{pwCb};
+ cb.handle(callbacks);
+ } catch (IOException e) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE,
+ "noPassword",
+ new Object[]{alias},
+ e
+ );
+ } catch (UnsupportedCallbackException e) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE,
+ "noPassword",
+ new Object[]{alias},
+ e
+ );
+ }
+
+ String password = pwCb.getPassword();
+ if (password == null) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILURE, "noPassword", new Object[]{alias}
+ );
+ }
+
+ java.security.Key privateKey;
+ try {
+ privateKey = crypto.getPrivateKey(alias, password);
+ return privateKey.getEncoded();
+ } catch (Exception e) {
+ throw new WSSecurityException(WSSecurityException.FAILED_CHECK, null, null, e);
+ }
+ }
+
+
/**
* Returns the wsu:Id of the DerivedKeyToken
* @see org.apache.ws.security.processor.Processor#getId()
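Review bot: `alias` is used unchecked after `String alias = crypto.getAliasForX509Cert(certs[0]);`: if the referenced certificate is not in the keystore the alias is presumably null, so the handler is asked for the password of a null alias and `crypto.getPrivateKey(null, password)` eventually fails as FAILED_CHECK with no hint that the certificate was simply unknown; a check immediately after the lookup, `if (alias == null) { throw new WSSecurityException(WSSecurityException.FAILURE, ...); }` with a message naming the certificate, fails earlier and more clearly. Likewise `privateKey.getEncoded()` is specified to return null for keys that do not support encoding (non-extractable keys), which would silently make the derived-key secret null, so a null check there that raises FAILED_CHECK would be explicit. The method also lacks a Javadoc; something like "Resolves the derived-key secret for a KeyIdentifier that maps to a keystore certificate: looks up the alias for certs[0], obtains its private-key password from the callback handler, and returns the encoded private key as the secret" would state the contract, including that the secret is the private key material itself. Minor style: `X509Certificate certs[]` is C-style array syntax, `X509Certificate[] certs` is conventional, and the two identical catch bodies could share a small private helper.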
@@ -269,6 +325,6 @@
this.length = len;
this.deriveKey();
return keyBytes;
- }
-
+ }
+
}
Modified: webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecurityNewDK.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecurityNewDK.java?rev=827034&r1=827033&r2=827034&view=diff
==============================================================================
--- webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecurityNewDK.java (original)
+++ webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecurityNewDK.java Tue Oct 20 11:18:33 2009
@@ -34,6 +34,7 @@
import org.apache.ws.security.message.WSSecDKSign;
import org.apache.ws.security.message.WSSecEncryptedKey;
import org.apache.ws.security.message.WSSecHeader;
+import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.xml.security.signature.XMLSignature;
import org.w3c.dom.Document;
@@ -44,6 +45,7 @@
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
+import java.security.cert.X509Certificate;
import junit.framework.Test;
import junit.framework.TestCase;
@@ -224,6 +226,76 @@
verify(doc);
}
+
+ /**
+ * A test for WSS-211 - "WSS4J does not support ThumbprintSHA1 in DerivedKeyTokens".
+ * Here we're signing the SOAP body, where the signature refers to a DerivedKeyToken
+ * which uses a Thumbprint-SHA1 reference to the encoded certificate (which is in the
+ * keystore)
+ */
+ public void testSignatureThumbprintSHA1() throws Exception {
+ SOAPEnvelope unsignedEnvelope = message.getSOAPEnvelope();
+ Document doc = unsignedEnvelope.getAsDocument();
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ SecurityTokenReference secToken = new SecurityTokenReference(doc);
+ X509Certificate[] certs = crypto.getCertificates("wss4jcert");
+ secToken.setKeyIdentifierThumb(certs[0]);
+ secToken.getElement();
+
+ WSSecDKSign sigBuilder = new WSSecDKSign();
+ java.security.Key key = crypto.getPrivateKey("wss4jcert", "security");
+ sigBuilder.setExternalKey(key.getEncoded(), secToken.getElement());
+ sigBuilder.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
+ sigBuilder.build(doc, secHeader);
+
+ sigBuilder.appendSigToHeader(secHeader);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Encrypted message: ThumbprintSHA1 + DerivedKeys");
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+ LOG.debug(outputString);
+ }
+ verify(doc);
+ }
+
+
+ /**
+ * Here we're signing the SOAP body, where the signature refers to a DerivedKeyToken
+ * which uses an SKI reference to the encoded certificate (which is in the
+ * keystore)
+ */
+ public void testSignatureSKI() throws Exception {
+ SOAPEnvelope unsignedEnvelope = message.getSOAPEnvelope();
+ Document doc = unsignedEnvelope.getAsDocument();
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ SecurityTokenReference secToken = new SecurityTokenReference(doc);
+ X509Certificate[] certs = crypto.getCertificates("wss4jcert");
+ secToken.setKeyIdentifierSKI(certs[0], crypto);
+ secToken.getElement();
+
+ WSSecDKSign sigBuilder = new WSSecDKSign();
+ java.security.Key key = crypto.getPrivateKey("wss4jcert", "security");
+ sigBuilder.setExternalKey(key.getEncoded(), secToken.getElement());
+ sigBuilder.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
+ sigBuilder.build(doc, secHeader);
+
+ sigBuilder.appendSigToHeader(secHeader);
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Encrypted message: SKI + DerivedKeys");
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+ LOG.debug(outputString);
+ }
+ verify(doc);
+ }
+
+
public void testSignatureEncrypt() throws Exception {
SOAPEnvelope unsignedEnvelope = message.getSOAPEnvelope();
Document doc = unsignedEnvelope.getAsDocument();
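Review bot: Both new tests log "Encrypted message" (`LOG.debug("Encrypted message: ThumbprintSHA1 + DerivedKeys")` and `LOG.debug("Encrypted message: SKI + DerivedKeys")`) although they only sign; `LOG.debug("Signed message: ThumbprintSHA1 + DerivedKeys");` and `LOG.debug("Signed message: SKI + DerivedKeys");` describe what is actually dumped. The bare `secToken.getElement();` statements discard their result and look like leftovers, since the element is fetched again in `sigBuilder.setExternalKey(key.getEncoded(), secToken.getElement())`; unless `getElement()` has a side effect the later call depends on, they can be dropped. The two methods are otherwise identical apart from how the KeyIdentifier is set, so a private helper taking the prepared SecurityTokenReference and a debug label would remove the duplication. testSignatureEncrypt continues outside the hunk.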
@@ -320,7 +392,7 @@
org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
assertTrue(outputString.indexOf("LogTestService2") > 0 ? true : false);
}
-
+
public void handle(Callback[] callbacks)
throws IOException, UnsupportedCallbackException {
for (int i = 0; i < callbacks.length; i++) {