Posted to commits@ws.apache.org by co...@apache.org on 2020/12/01 11:47:01 UTC
[ws-wss4j] branch 2_3_x-fixes updated: WSS-679 - Fix regression in
signing KeyInfos
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 2_3_x-fixes
in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git
The following commit(s) were added to refs/heads/2_3_x-fixes by this push:
new 49ce08a WSS-679 - Fix regression in signing KeyInfos
49ce08a is described below
commit 49ce08a67fc8a908bca245490420cc61a76c1df2
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Tue Dec 1 11:38:40 2020 +0000
WSS-679 - Fix regression in signing KeyInfos
---
.../apache/wss4j/dom/action/SignatureAction.java | 6 +-
.../apache/wss4j/dom/message/WSSecSignature.java | 32 ++---------
.../wss4j/dom/message/WSSecSignatureBase.java | 2 +-
.../wss4j/dom/message/SignaturePartsTest.java | 65 ++++++++++++----------
4 files changed, 44 insertions(+), 61 deletions(-)
diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureAction.java b/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureAction.java
index eee1185..7c1b6ab 100644
--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureAction.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/action/SignatureAction.java
@@ -139,10 +139,8 @@ public class SignatureAction implements Action {
signBST = true;
} else if ("KeyInfo".equals(part.getName()) && WSConstants.SIG_NS.equals(part.getNamespace())
&& part.getElement() == null) {
- // Special code to sign the KeyInfo - we have to marshal the KeyInfo to a DOM Element
- // before the signing process
- Element keyInfoElement = wsSign.getKeyInfoElement();
- part.setElement(keyInfoElement);
+ // Special code to sign the KeyInfo
+ part.setId(wsSign.getKeyInfoUri());
break;
}
}
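Review bot: The replacement comment `// Special code to sign the KeyInfo` no longer says what the special case is, and the new line depends on `wsSign.getKeyInfoUri()` already holding the Id assigned in `prepare()`; if that is null here, the part is left with neither an element nor an Id and the problem only surfaces later when the reference cannot be resolved. I would make the mechanism explicit, e.g. `// The KeyInfo is not yet in the DOM; reference it by the Id assigned in prepare() so it is resolved when the signature is computed` (the "not yet in the DOM" part is my reading of the `element != null` guard added in WSSecSignatureBase, please confirm). The same applies to the identical branch in WSSecSignature.java (`part.setId(keyInfoUri)`), where a null check with a clear error would also be cheaper than a failure deep in the signing provider. The enclosing loop and method begin outside this hunk.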
diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
index 34917f9..2b8cd7a 100644
--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignature.java
@@ -27,9 +27,7 @@ import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
-import javax.xml.crypto.MarshalException;
import javax.xml.crypto.XMLStructure;
-import javax.xml.crypto.dom.DOMCryptoContext;
import javax.xml.crypto.dom.DOMStructure;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.SignatureMethod;
@@ -390,10 +388,8 @@ public class WSSecSignature extends WSSecSignatureBase {
part.setId(strUri);
} else if ("KeyInfo".equals(part.getName()) && WSConstants.SIG_NS.equals(part.getNamespace())
&& part.getElement() == null) {
- // Special code to sign the KeyInfo - we have to marshal the KeyInfo to a DOM Element
- // before the signing process
- Element keyInfoElement = getKeyInfoElement();
- part.setElement(keyInfoElement);
+ // Special code to sign the KeyInfo
+ part.setId(keyInfoUri);
}
}
}
@@ -735,26 +731,6 @@ public class WSSecSignature extends WSSecSignatureBase {
}
/**
- * Return the computed KeyInfo value as a DOM Element
- * Call this method after <code>prepare()</code>
- */
- public Element getKeyInfoElement() throws WSSecurityException {
- Element parent = getDocument().createElement("temp");
- DOMCryptoContext cryptoContext = new DOMCryptoContext() { };
- cryptoContext.putNamespacePrefix(WSConstants.SIG_NS, WSConstants.SIG_PREFIX);
- try {
- keyInfo.marshal(new DOMStructure(parent), cryptoContext);
- } catch (MarshalException ex) {
- LOG.error(ex.getMessage(), ex);
- throw new WSSecurityException(
- WSSecurityException.ErrorCode.FAILED_SIGNATURE, ex
- );
- }
-
- return (Element)parent.getFirstChild();
- }
-
- /**
* Get the id generated during <code>prepare()</code>.
*
* Returns the the value of wsu:Id attribute of the Signature element.
@@ -940,4 +916,8 @@ public class WSSecSignature extends WSSecSignatureBase {
public void setSignatureProvider(Provider signatureProvider) {
this.signatureProvider = signatureProvider;
}
+
+ public String getKeyInfoUri() {
+ return keyInfoUri;
+ }
}
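Review bot: The new public accessor `getKeyInfoUri()` has no Javadoc, while the method it effectively replaces (`getKeyInfoElement()`, removed earlier in this file) documented when it may be called. Suggest `/** Returns the Id (URI) of the KeyInfo element as assigned during {@code prepare()}; may be null before {@code prepare()} has run. */`, adjusting the nullability statement to what `prepare()` actually guarantees. Since this lands on the 2_3_x-fixes branch, removing the public `getKeyInfoElement()` is a source- and binary-incompatible change for any external caller; if such callers exist, keeping it as `@Deprecated` delegating to the new behaviour would be safer on a maintenance line.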
diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignatureBase.java b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignatureBase.java
index ad078cc..c34f19f 100644
--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignatureBase.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecSignatureBase.java
@@ -138,7 +138,7 @@ public class WSSecSignatureBase extends WSSecBase {
}
element = callbackLookup.getElement(idToSign, null, false);
}
- if (addInclusivePrefixes) {
+ if (addInclusivePrefixes && element != null) {
List<String> prefixes = getInclusivePrefixes(element);
if (!prefixes.isEmpty()) {
transformSpec = new ExcC14NParameterSpec(prefixes);
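Review bot: The added `element != null` guard silently drops the InclusivePrefixes computation, and nothing at this point distinguishes the intended case (a part that is not yet in the DOM, which I take to be the KeyInfo) from an Id that simply does not exist in the document; both now pass through here and fail, if at all, only when the URI is dereferenced at signing time. A comment stating the intended case, e.g. `// element is null for parts that are only added to the DOM at signing time (e.g. the KeyInfo); no InclusiveNamespaces are computed for them`, plus a debug-level log naming `idToSign` in the null branch, would keep that visible when a signature later fails to verify. Also worth confirming that verifiers interoperate when the KeyInfo reference carries an exclusive-c14n transform without an InclusiveNamespaces list. The enclosing method starts and ends outside this hunk.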
diff --git a/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/SignaturePartsTest.java b/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/SignaturePartsTest.java
index 2621035..eb86675 100644
--- a/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/SignaturePartsTest.java
+++ b/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/SignaturePartsTest.java
@@ -558,7 +558,6 @@ public class SignaturePartsTest {
}
@Test
- @org.junit.jupiter.api.Disabled
public void testSignedKeyInfo() throws Exception {
Document doc = SOAPUtil.toSOAPPart(SOAPMSG);
WSSecHeader secHeader = new WSSecHeader(doc);
@@ -585,38 +584,10 @@ public class SignaturePartsTest {
WSHandlerResult results = verify(signedDoc);
- WSSecurityEngineResult actionResult =
- results.getActionResults().get(WSConstants.SIGN).get(0);
- assertNotNull(actionResult);
- assertFalse(actionResult.isEmpty());
- final List<WSDataRef> refs =
- (List<WSDataRef>) actionResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
-
- WSDataRef wsDataRef = refs.get(0);
- String xpath = wsDataRef.getXpath();
- assertEquals("/soapenv:Envelope/soapenv:Header/wsse:Security/ds:Signature/ds:KeyInfo", xpath);
- assertEquals(WSConstants.RSA_SHA1, wsDataRef.getAlgorithm());
- assertNotNull(wsDataRef.getDigestValue());
- assertTrue(wsDataRef.getDigestValue().length > 0);
- QName expectedQName = new QName(WSConstants.SIG_NS, "KeyInfo");
- assertEquals(expectedQName, wsDataRef.getName());
-
- assertEquals(WSConstants.SHA1, wsDataRef.getDigestAlgorithm());
-
- String sigMethod = (String)actionResult.get(WSSecurityEngineResult.TAG_SIGNATURE_METHOD);
- assertEquals(WSConstants.RSA_SHA1, sigMethod);
-
- String c14nMethod =
- (String)actionResult.get(WSSecurityEngineResult.TAG_CANONICALIZATION_METHOD);
- assertEquals(WSConstants.C14N_EXCL_OMIT_COMMENTS, c14nMethod);
-
- List<String> transformAlgorithms = wsDataRef.getTransformAlgorithms();
- assertTrue(transformAlgorithms.size() == 1);
- assertTrue(WSConstants.C14N_EXCL_OMIT_COMMENTS.equals(transformAlgorithms.get(0)));
+ verifySignedKeyInfoResults(results);
}
@Test
- @org.junit.jupiter.api.Disabled
public void testSignedKeyInfoAction() throws Exception {
final WSSConfig cfg = WSSConfig.getNewInstance();
final RequestData reqData = new RequestData();
@@ -653,6 +624,40 @@ public class SignaturePartsTest {
List<Integer> receivedActions = new ArrayList<>();
receivedActions.add(WSConstants.SIGN);
assertTrue(handler.checkResults(results.getResults(), receivedActions));
+
+ verifySignedKeyInfoResults(results);
+ }
+
+ private void verifySignedKeyInfoResults(WSHandlerResult results) {
+
+ WSSecurityEngineResult actionResult =
+ results.getActionResults().get(WSConstants.SIGN).get(0);
+ assertNotNull(actionResult);
+ assertFalse(actionResult.isEmpty());
+ final List<WSDataRef> refs =
+ (List<WSDataRef>) actionResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
+
+ WSDataRef wsDataRef = refs.get(0);
+ String xpath = wsDataRef.getXpath();
+ assertTrue(xpath.matches("/(soapenv|SOAP-ENV):Envelope/(soapenv|SOAP-ENV):Header/wsse:Security/ds:Signature/ds:KeyInfo"));
+ assertEquals(WSConstants.RSA_SHA1, wsDataRef.getAlgorithm());
+ assertNotNull(wsDataRef.getDigestValue());
+ assertTrue(wsDataRef.getDigestValue().length > 0);
+ QName expectedQName = new QName(WSConstants.SIG_NS, "KeyInfo");
+ assertEquals(expectedQName, wsDataRef.getName());
+
+ assertEquals(WSConstants.SHA1, wsDataRef.getDigestAlgorithm());
+
+ String sigMethod = (String)actionResult.get(WSSecurityEngineResult.TAG_SIGNATURE_METHOD);
+ assertEquals(WSConstants.RSA_SHA1, sigMethod);
+
+ String c14nMethod =
+ (String)actionResult.get(WSSecurityEngineResult.TAG_CANONICALIZATION_METHOD);
+ assertEquals(WSConstants.C14N_EXCL_OMIT_COMMENTS, c14nMethod);
+
+ List<String> transformAlgorithms = wsDataRef.getTransformAlgorithms();
+ assertTrue(transformAlgorithms.size() == 1);
+ assertTrue(WSConstants.C14N_EXCL_OMIT_COMMENTS.equals(transformAlgorithms.get(0)));
}
/**
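Review bot: In `verifySignedKeyInfoResults`, `assertTrue(transformAlgorithms.size() == 1)` and `assertTrue(WSConstants.C14N_EXCL_OMIT_COMMENTS.equals(transformAlgorithms.get(0)))` report nothing useful on failure; `assertEquals(1, transformAlgorithms.size());` and `assertEquals(WSConstants.C14N_EXCL_OMIT_COMMENTS, transformAlgorithms.get(0));` show the actual values. The cast `(List<WSDataRef>) actionResult.get(...)` is unchecked and now lives in a helper, so `@SuppressWarnings("unchecked")` on the helper would silence the warning at the narrowest scope. The helper is private and shared by both re-enabled tests, so a one-line comment saying what it asserts (a single signed ds:KeyInfo reference with the expected algorithms) would help the next reader.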