Posted to commits@cxf.apache.org by se...@apache.org on 2011/07/26 17:22:04 UTC
svn commit: r1151134 - in
/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security:
saml/SamlHeaderOutInterceptor.java xml/EncryptionUtils.java
xml/XmlEncInHandler.java xml/XmlEncOutInterceptor.java
Author: sergeyb
Date: Tue Jul 26 15:22:00 2011
New Revision: 1151134
URL: http://svn.apache.org/viewvc?rev=1151134&view=rev
Log:
[CXF-3677] Some refactoring of encryption tests
Added:
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/EncryptionUtils.java (with props)
Modified:
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlHeaderOutInterceptor.java
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/XmlEncInHandler.java
cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/XmlEncOutInterceptor.java
Modified: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlHeaderOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlHeaderOutInterceptor.java?rev=1151134&r1=1151133&r2=1151134&view=diff
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlHeaderOutInterceptor.java (original)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/saml/SamlHeaderOutInterceptor.java Tue Jul 26 15:22:00 2011
@@ -55,6 +55,7 @@ public class SamlHeaderOutInterceptor ex
useDeflateEncoding = deflate;
}
+ @SuppressWarnings("unchecked")
public void handleMessage(Message message) throws Fault {
AssertionWrapper assertionWrapper = createAssertion(message);
try {
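Review bot: The added `@SuppressWarnings("unchecked")` covers the whole of handleMessage, so any unchecked cast introduced later in the method is silenced as well; the annotation is better placed on the smallest scope that needs it, typically the local declaration holding the cast, e.g. `@SuppressWarnings("unchecked") List<Object> headers = (List<Object>) ...;`. The body of handleMessage continues outside the hunk, so I cannot tell which statement triggers the warning; a short comment on the narrowed annotation naming that cast would help the next reader.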
Added: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/EncryptionUtils.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/EncryptionUtils.java?rev=1151134&view=auto
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/EncryptionUtils.java (added)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/EncryptionUtils.java Tue Jul 26 15:22:00 2011
@@ -0,0 +1,77 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.systest.jaxrs.security.xml;
+
+import java.security.InvalidKeyException;
+import java.security.Key;
+import java.security.cert.X509Certificate;
+
+import javax.crypto.Cipher;
+
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.xml.security.encryption.XMLCipher;
+import org.apache.xml.security.encryption.XMLEncryptionException;
+
+public final class EncryptionUtils {
+ private EncryptionUtils() {
+
+ }
+
+ public static Cipher initCipherWithCert(String keyEncAlgo, int mode, X509Certificate cert)
+ throws WSSecurityException {
+ Cipher cipher = WSSecurityUtil.getCipherInstance(keyEncAlgo);
+ try {
+ cipher.init(mode, cert);
+ } catch (InvalidKeyException e) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILED_ENCRYPTION, null, null, e
+ );
+ }
+ return cipher;
+ }
+
+ public static Cipher initCipherWithKey(String keyEncAlgo, int mode, Key key)
+ throws WSSecurityException {
+ Cipher cipher = WSSecurityUtil.getCipherInstance(keyEncAlgo);
+ try {
+ cipher.init(mode, key);
+ } catch (InvalidKeyException e) {
+ throw new WSSecurityException(
+ WSSecurityException.FAILED_ENCRYPTION, null, null, e
+ );
+ }
+ return cipher;
+ }
+
+ public static XMLCipher initXMLCipher(String symEncAlgo, int mode, Key key)
+ throws WSSecurityException {
+ try {
+ XMLCipher cipher = XMLCipher.getInstance(symEncAlgo);
+ cipher.init(mode, key);
+ return cipher;
+ } catch (XMLEncryptionException ex) {
+ throw new WSSecurityException(
+ WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, ex
+ );
+ }
+ }
+
+}
+
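Review bot: In initXMLCipher the single catch maps a failure of `cipher.init(mode, key)` to UNSUPPORTED_ALGORITHM, so a bad key or mode is reported as an unknown algorithm; only the `XMLCipher.getInstance` call belongs under that code, and the previous inline code in XmlEncOutInterceptor kept init outside the try. The same conflation appears in XmlEncInHandler.decryptPayload of this commit, where a failed `decryptToByteArray` now yields UNSUPPORTED_ALGORITHM instead of the FAILED_ENCRYPTION the removed code used, which makes a wrong key or tampered ciphertext indistinguishable from a configuration problem in logs. Splitting the try as below keeps the codes meaningful. The new public class also has no Javadoc; a class comment such as `/** Helpers that create and initialise JCE and XML-Security ciphers, mapping their checked exceptions to WSSecurityException. */` would be enough.
```java
public static XMLCipher initXMLCipher(String symEncAlgo, int mode, Key key)
    throws WSSecurityException {
    XMLCipher cipher;
    try {
        cipher = XMLCipher.getInstance(symEncAlgo);
    } catch (XMLEncryptionException ex) {
        throw new WSSecurityException(
            WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, ex
        );
    }
    try {
        cipher.init(mode, key);
    } catch (XMLEncryptionException ex) {
        // the algorithm is known; this is a key or mode problem
        throw new WSSecurityException(
            WSSecurityException.FAILED_ENCRYPTION, null, null, ex
        );
    }
    return cipher;
}
```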
Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/EncryptionUtils.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/EncryptionUtils.java
------------------------------------------------------------------------------
svn:keywords = Rev Date
Modified: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/XmlEncInHandler.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/XmlEncInHandler.java?rev=1151134&r1=1151133&r2=1151134&view=diff
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/XmlEncInHandler.java (original)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/XmlEncInHandler.java Tue Jul 26 15:22:00 2011
@@ -24,16 +24,13 @@ import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
-import java.security.InvalidKeyException;
import java.security.PrivateKey;
-import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Properties;
import java.util.logging.Logger;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
-import javax.crypto.spec.IvParameterSpec;
import javax.security.auth.callback.CallbackHandler;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
@@ -43,6 +40,7 @@ import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
+
import org.apache.cxf.common.classloader.ClassLoaderUtils;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.Base64Exception;
@@ -63,6 +61,8 @@ import org.apache.ws.security.handler.Re
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.SignatureTrustValidator;
+import org.apache.xml.security.encryption.XMLCipher;
+import org.apache.xml.security.encryption.XMLEncryptionException;
import org.apache.xml.security.utils.Constants;
public class XmlEncInHandler implements RequestHandler {
@@ -90,22 +90,13 @@ public class XmlEncInHandler implements
Element root = doc.getDocumentElement();
- Element encKeyElement = getNode(root, WSConstants.ENC_NS, "EncryptedKey", 0);
- if (encKeyElement == null) {
- throwFault("EncryptedKey element is not available", null);
- }
- byte[] symmetricKeyBytes = getSymmetricKey(message, encKeyElement);
+
+ byte[] symmetricKeyBytes = getSymmetricKeyBytes(message, root);
String algorithm = getEncodingMethodAlgorithm(root);
- Element cipherValue = getNode(root, WSConstants.ENC_NS, "CipherValue", 1);
- if (cipherValue == null) {
- throwFault("CipherValue element is not available", null);
- }
-
byte[] decryptedPayload = null;
try {
- decryptedPayload = decryptPayload(symmetricKeyBytes, cipherValue.getTextContent().trim(),
- algorithm);
+ decryptedPayload = decryptPayload(root, symmetricKeyBytes, algorithm);
} catch (Exception ex) {
throwFault("Payload can not be decrypted", ex);
}
@@ -123,7 +114,14 @@ public class XmlEncInHandler implements
return null;
}
- private byte[] getSymmetricKey(Message message, Element encKeyElement) {
+ protected byte[] getSymmetricKeyBytes(Message message, Element encDataElement) {
+ // Subclasses can overwrite it and return the bytes, assuming they know the actual key
+ Element encKeyElement = getNode(encDataElement, WSConstants.ENC_NS, "EncryptedKey", 0);
+ if (encKeyElement == null) {
+ //TODO: support EncryptedData/ds:KeyInfo - the encrypted key is passed out of band
+ throwFault("EncryptedKey element is not available", null);
+ }
+
Element certNode = getNode(encKeyElement,
Constants.SignatureSpecNS, "X509Certificate", 0);
if (certNode == null) {
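Review bot: The comment on the newly protected getSymmetricKeyBytes says "overwrite" where "override" is meant, and it does not say what the contract is; I would replace it with `// Subclasses may override this to return the symmetric key bytes directly when the key is known out of band (e.g. shared ahead of time) instead of unwrapping an EncryptedKey.`. Since getNode uses getElementsByTagNameNS and takes index 0, the first EncryptedKey anywhere under encDataElement is used; a one-line comment stating that assumption would help, as the method continues outside the hunk and it is not visible whether a second EncryptedKey is rejected.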
@@ -136,22 +134,20 @@ public class XmlEncInHandler implements
throwFault("Base64 decoding has failed", ex);
}
- X509Certificate cert = null;
+ Crypto crypto = null;
try {
- CertificateFactory cf = CertificateFactory.getInstance("X.509");
- cert = (X509Certificate)cf.generateCertificate(new ByteArrayInputStream(certBytes));
+ crypto = getCrypto(message, SecurityConstants.ENCRYPT_PROPERTIES);
} catch (Exception ex) {
- throwFault("X509Certificate can not be created", ex);
+ throwFault("Crypto can not be loaded", ex);
}
- Crypto crypto = null;
+ X509Certificate cert = null;
try {
- crypto = getCrypto(message, SecurityConstants.ENCRYPT_PROPERTIES);
+ cert = crypto.loadCertificate(new ByteArrayInputStream(certBytes));
} catch (Exception ex) {
- throwFault("Crypto can not be loaded", ex);
+ throwFault("X509Certificate can not be created", ex);
}
-
Credential trustCredential = new Credential();
trustCredential.setPublicKey(null);
trustCredential.setCertificates(new X509Certificate[]{cert});
@@ -187,7 +183,8 @@ public class XmlEncInHandler implements
}
return encMethod.getAttribute("Algorithm");
}
-
+
+ //TODO: Support symmetric keys if requested
protected byte[] decryptSymmetricKey(String base64EncodedKey,
X509Certificate cert,
Crypto crypto,
@@ -200,18 +197,11 @@ public class XmlEncInHandler implements
} catch (Exception ex) {
throwFault("Encrypted key can not be decrypted", ex);
}
- Cipher cipher = WSSecurityUtil.getCipherInstance(keyEncAlgo);
- try {
- // see more: WSS4J EncryptedDataProcessor
- cipher.init(Cipher.DECRYPT_MODE, key);
- } catch (InvalidKeyException e) {
- throw new WSSecurityException(
- WSSecurityException.FAILED_ENCRYPTION, null, null, e
- );
- }
+ Cipher cipher =
+ EncryptionUtils.initCipherWithKey(keyEncAlgo, Cipher.DECRYPT_MODE, key);
try {
byte[] encryptedBytes = Base64Utility.decode(base64EncodedKey);
- return doDecrypt(cipher, encryptedBytes);
+ return cipher.doFinal(encryptedBytes);
} catch (Base64Exception ex) {
throwFault("Base64 decoding has failed", ex);
} catch (Exception ex) {
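Review bot: keyEncAlgo is passed straight into initCipherWithKey, so whatever key transport algorithm the incoming message names is what the private key is used with; getEncodingMethodAlgorithm above reads the algorithm from the message's EncryptionMethod element for the data cipher, and if keyEncAlgo is obtained the same way the handler should check it against the algorithm it is configured to expect before initialising the cipher, e.g. `if (!expectedKeyEncAlgo.equals(keyEncAlgo)) { throwFault("Unexpected key transport algorithm", null); }` (expectedKeyEncAlgo being a constructed name for the configured value). The same check applies to symEncAlgo in decryptPayload. decryptSymmetricKey's signature and the remainder of its catch handling are outside this hunk, so where the value originates is inferred rather than seen.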
@@ -221,45 +211,22 @@ public class XmlEncInHandler implements
}
- protected byte[] decryptPayload(byte[] secretKeyBytes,
- String base64EncodedPayload,
+ protected byte[] decryptPayload(Element root,
+ byte[] secretKeyBytes,
String symEncAlgo) throws WSSecurityException {
- byte[] encryptedBytes = null;
+ SecretKey key = WSSecurityUtil.prepareSecretKey(symEncAlgo, secretKeyBytes);
try {
- encryptedBytes = Base64Utility.decode(base64EncodedPayload);
- } catch (Base64Exception ex) {
- throwFault("Base64 decoding has failed", ex);
- }
-
- Cipher cipher = WSSecurityUtil.getCipherInstance(symEncAlgo);
- try {
- // see more: WSS4J EncryptedDataProcessor
- SecretKey key = WSSecurityUtil.prepareSecretKey(symEncAlgo, secretKeyBytes);
- // IV spec
- int ivLen = cipher.getBlockSize();
- byte[] ivBytes = new byte[ivLen];
- System.arraycopy(encryptedBytes, 0, ivBytes, 0, ivLen);
- IvParameterSpec iv = new IvParameterSpec(ivBytes);
-
- cipher.init(Cipher.DECRYPT_MODE, key, iv);
-
- return cipher.doFinal(encryptedBytes,
- ivLen,
- encryptedBytes.length - ivLen);
-
- } catch (InvalidKeyException e) {
+ XMLCipher xmlCipher =
+ EncryptionUtils.initXMLCipher(symEncAlgo, XMLCipher.DECRYPT_MODE, key);
+ return xmlCipher.decryptToByteArray(root);
+ } catch (XMLEncryptionException ex) {
throw new WSSecurityException(
- WSSecurityException.FAILED_ENCRYPTION, null, null, e
+ WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, ex
);
- } catch (Exception e) {
- throw new WSSecurityException(
- WSSecurityException.FAILED_ENCRYPTION, null, null, e);
}
+
}
- private byte[] doDecrypt(Cipher cipher, byte[] encryptedBytes) throws Exception {
- return cipher.doFinal(encryptedBytes);
- }
private Element getNode(Element parent, String ns, String name, int index) {
NodeList list = parent.getElementsByTagNameNS(ns, name);
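Review bot: decryptPayload hands `root` to `decryptToByteArray` without verifying it is an xenc:EncryptedData element; the removed code located the CipherValue explicitly, and the caller passes `doc.getDocumentElement()`, so an unexpected root is now left for XMLCipher to reject with whatever message it produces. A guard before the try, `if (!WSConstants.ENC_NS.equals(root.getNamespaceURI()) || !"EncryptedData".equals(root.getLocalName())) { throwFault("EncryptedData element is not available", null); }`, keeps the fault message consistent with the other checks in this handler. The added empty line before the closing brace of decryptPayload is stray whitespace and can be dropped.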
Modified: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/XmlEncOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/XmlEncOutInterceptor.java?rev=1151134&r1=1151133&r2=1151134&view=diff
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/XmlEncOutInterceptor.java (original)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/XmlEncOutInterceptor.java Tue Jul 26 15:22:00 2011
@@ -24,7 +24,6 @@ import java.io.PrintWriter;
import java.io.StringWriter;
import java.lang.annotation.Annotation;
import java.net.URL;
-import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
@@ -82,7 +81,6 @@ import org.apache.ws.security.util.UUIDG
import org.apache.ws.security.util.WSSecurityUtil;
import org.apache.xml.security.algorithms.JCEMapper;
import org.apache.xml.security.encryption.XMLCipher;
-import org.apache.xml.security.encryption.XMLEncryptionException;
public class XmlEncOutInterceptor extends AbstractPhaseInterceptor<Message> {
private static final Logger LOG =
@@ -157,15 +155,9 @@ public class XmlEncOutInterceptor extend
}
// encrypt payloadDoc
- XMLCipher xmlCipher = null;
- try {
- xmlCipher = XMLCipher.getInstance(symEncAlgo);
- } catch (XMLEncryptionException ex) {
- throw new WSSecurityException(
- WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, ex
- );
- }
- xmlCipher.init(XMLCipher.ENCRYPT_MODE, symmetricKey);
+ XMLCipher xmlCipher =
+ EncryptionUtils.initXMLCipher(symEncAlgo, XMLCipher.ENCRYPT_MODE, symmetricKey);
+
Document result = xmlCipher.doFinal(payloadDoc, payloadDoc.getDocumentElement(), false);
NodeList list = result.getElementsByTagNameNS(WSConstants.ENC_NS, "CipherValue");
if (list.getLength() != 1) {
@@ -231,14 +223,8 @@ public class XmlEncOutInterceptor extend
protected byte[] encryptSymmetricKey(byte[] keyBytes,
X509Certificate remoteCert,
Crypto crypto) throws WSSecurityException {
- Cipher cipher = WSSecurityUtil.getCipherInstance(keyEncAlgo);
- try {
- cipher.init(Cipher.ENCRYPT_MODE, remoteCert);
- } catch (InvalidKeyException e) {
- throw new WSSecurityException(
- WSSecurityException.FAILED_ENCRYPTION, null, null, e
- );
- }
+ Cipher cipher =
+ EncryptionUtils.initCipherWithCert(keyEncAlgo, Cipher.ENCRYPT_MODE, remoteCert);
int blockSize = cipher.getBlockSize();
if (blockSize > 0 && blockSize < keyBytes.length) {
throw new WSSecurityException(