You are viewing a plain text version of this content. The canonical link for it is here.
Posted to wss4j-dev@ws.apache.org by co...@apache.org on 2008/12/18 13:29:53 UTC
svn commit: r727705 - in /webservices/wss4j/trunk:
src/org/apache/ws/security/ src/org/apache/ws/security/message/
src/org/apache/ws/security/message/token/
src/org/apache/ws/security/processor/ test/wssec/
Author: coheigea
Date: Thu Dec 18 04:29:53 2008
New Revision: 727705
URL: http://svn.apache.org/viewvc?rev=727705&view=rev
Log:
[WSS-127] - Added a way of signing messages directly using a derived key from a UsernameToken
- There are now 3 ways of using a derived key from a UsernameToken to sign a message!
- TestWSSecurityNew13 shows the old way, which uses a non-standard key derivation algorithm used by WSE. This corresponds to the action "UT_SIGNING".
- TestWSSecurityUTDK uses the standard key derivation algorithm, but with the wsc:DerivedKeyToken for signature/encryption.
- The new test TestWSSecurityUTSignature uses the standard key derivation algorithm for direct signature.
- I had to make some modifications to the underlying logic, but the changes should be totally backwards compatible. In particular, WSSecUsernameToken.getSecretKey returns a derived key instead if "useDerivedKey" is set.
Added:
webservices/wss4j/trunk/test/wssec/TestWSSecurityUTSignature.java (with props)
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/WSConstants.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecUsernameToken.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java
webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java
webservices/wss4j/trunk/test/wssec/PackageTests.java
webservices/wss4j/trunk/test/wssec/TestWSSecurityUTDK.java
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/WSConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/WSConstants.java?rev=727705&r1=727704&r2=727705&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/WSConstants.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/WSConstants.java Thu Dec 18 04:29:53 2008
@@ -92,7 +92,7 @@
public static final String REF_LIST_LN = "ReferenceList";
/*
- * The standard namesace definitions
+ * The standard namespace definitions
*/
public static final String XMLNS_NS = "http://www.w3.org/2000/xmlns/";
public static final String XML_NS = "http://www.w3.org/XML/1998/namespace";
@@ -189,7 +189,7 @@
/**
* Sets the {@link org.apache.ws.security.message.WSEncryptBody#build(Document, Crypto) encryption}
- * method to encrypt the symmetric data encryption key with the RSA algoritm.
+ * method to encrypt the symmetric data encryption key with the RSA algorithm.
* <p/>
* This is a required method as defined by XML encryption.
*/
@@ -197,7 +197,7 @@
/**
* Sets the {@link org.apache.ws.security.message.WSEncryptBody#build(Document, Crypto) encryption}
- * method to encrypt the symmetric data encryption key with the RSA algoritm.
+ * method to encrypt the symmetric data encryption key with the RSA algorithm.
* <p/>
* This is a required method as defined by XML encryption.
* <p/>
@@ -286,7 +286,7 @@
* Please refer to WS Security specification X509 profile, chapter 3.3.2
* and to WS Security specification, chapter 7.2
* <p/>
- * Note: only local refernces to BinarySecurityToken are supported
+ * Note: only local references to BinarySecurityToken are supported
*/
public static final int BST_DIRECT_REFERENCE = 1;
@@ -297,7 +297,7 @@
* certificate to the receiver.
* <p/>
* In contrast to {@link #BST_DIRECT_REFERENCE} only the issuer name
- * and the serial number of the signiung certificate are sent to the
+ * and the serial number of the signing certificate are sent to the
* receiver. This reduces the amount of data being sent. The encryption
* method uses the public key associated with this certificate to encrypt
* the symmetric key used to encrypt data.
@@ -406,7 +406,7 @@
public static final int ST_SIGNED = 0x10; // perform SAMLToken signed
public static final int TS = 0x20; // insert Timestamp
- public static final int UT_SIGN = 0x40; // perform sinagture with UT secrect key
+ public static final int UT_SIGN = 0x40; // perform signature with UT secret key
public static final int SC = 0x80; // this is a SignatureConfirmation
public static final int NO_SERIALIZE = 0x100;
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecUsernameToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecUsernameToken.java?rev=727705&r1=727704&r2=727705&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecUsernameToken.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecUsernameToken.java Thu Dec 18 04:29:53 2008
@@ -111,17 +111,22 @@
* Get the derived secret key.
*
* After the <code>prepare()</code> method was called use this method
- * to compute a derived secret key. The generation of this secret key is according
- * to WS-Trust specification.
+ * to compute a derived secret key. If "useDerivedKey" is set, then the returned secret
+ * key is derived as per the UsernameToken 1.1 specification. Otherwise, the generation
+ * of this secret key is according to the WS-Trust specifications.
*
* @return Return the derived secret key of this token or null if <code>prepare()</code>
* was not called before.
*/
- public byte[] getSecretKey() {
+ public byte[] getSecretKey() throws WSSecurityException {
if (ut == null) {
return null;
}
- return ut.getSecretKey();
+ if (useDerivedKey) {
+ return UsernameToken.generateDerivedKey(password, saltValue, iteration);
+ } else {
+ return ut.getSecretKey();
+ }
}
/**
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java?rev=727705&r1=727704&r2=727705&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java Thu Dec 18 04:29:53 2008
@@ -678,6 +678,35 @@
}
return K;
}
+
+
+ /**
+ * This method gets a derived key as defined in WSS Username Token Profile.
+ *
+ * @return Returns the derived key as a byte array
+ * @throws WSSecurityException
+ */
+ public byte[] getDerivedKey() throws WSSecurityException {
+ int iteration = getIteration();
+ byte[] salt = getSalt();
+ return generateDerivedKey(raw_password, salt, iteration);
+ }
+
+ /**
+ * Return whether the UsernameToken represented by this class is to be used
+ * for key derivation as per the UsernameToken Profile 1.1. It does this by
+ * checking that the username token has salt and iteration values.
+ *
+ * @throws WSSecurityException
+ */
+ public boolean isDerivedKey() throws WSSecurityException {
+ if (elementSalt != null && elementIteration != null) {
+ return true;
+ }
+ return false;
+ }
+
+
/**
* This static method generates a 128 bit salt value as defined in WSS
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java?rev=727705&r1=727704&r2=727705&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/processor/SignatureProcessor.java Thu Dec 18 04:29:53 2008
@@ -130,7 +130,7 @@
* @param crypto the object that implements the access to the keystore and the
* handling of certificates.
* @param returnCert verifyXMLSignature stores the certificate in the first
- * entry of this array. Ther caller may then further validate
+ * entry of this array. The caller may then further validate
* the certificate
* @param returnElements verifyXMLSignature adds the wsu:ID attribute values for
* the signed elements to this Set
@@ -208,7 +208,11 @@
UsernameTokenProcessor utProcessor =
(UsernameTokenProcessor) wsDocInfo.getProcessor(id);
ut = utProcessor.getUt();
- secretKey = ut.getSecretKey();
+ if (ut.isDerivedKey()) {
+ secretKey = ut.getDerivedKey();
+ } else {
+ secretKey = ut.getSecretKey();
+ }
} else if(el.equals(WSSecurityEngine.DERIVED_KEY_TOKEN_05_02) ||
el.equals(WSSecurityEngine.DERIVED_KEY_TOKEN_05_12)) {
dkt = new DerivedKeyToken(token);
@@ -390,7 +394,7 @@
if (certs != null) {
returnCert[0] = certs[0];
return certs[0].getSubjectDN();
- } else if(ut != null){
+ } else if (ut != null){
WSUsernameTokenPrincipal principal = new WSUsernameTokenPrincipal(
ut.getName(), ut.isHashed());
principal.setNonce(ut.getNonce());
@@ -416,12 +420,12 @@
}
principal.setBasetokenId(basetokenId);
return principal;
- } else if(samlKi != null) {
+ } else if (samlKi != null) {
final SAMLAssertion assertion = samlKi.getAssertion();
CustomTokenPrincipal principal = new CustomTokenPrincipal(assertion.getId());
principal.setTokenObject(assertion);
return principal;
- } else if(secretKey != null) {
+ } else if (secretKey != null) {
//This is the custom key scenario
CustomTokenPrincipal principal = new CustomTokenPrincipal(customTokenId);
return principal;
Modified: webservices/wss4j/trunk/test/wssec/PackageTests.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/PackageTests.java?rev=727705&r1=727704&r2=727705&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/PackageTests.java (original)
+++ webservices/wss4j/trunk/test/wssec/PackageTests.java Thu Dec 18 04:29:53 2008
@@ -80,6 +80,8 @@
suite.addTestSuite(TestWSSecurityDataRef1.class);
suite.addTestSuite(TestWSSecurityCertError.class);
suite.addTestSuite(TestWSSecuritySignatureParts.class);
+ suite.addTestSuite(TestWSSecurityUTSignature.class);
+
return suite;
}
Modified: webservices/wss4j/trunk/test/wssec/TestWSSecurityUTDK.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityUTDK.java?rev=727705&r1=727704&r2=727705&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityUTDK.java (original)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityUTDK.java Thu Dec 18 04:29:53 2008
@@ -336,7 +336,7 @@
String tokenIdentifier = builder.getId();
//
- // Derived key encryption
+ // Derived key signature
//
WSSecDKSign sigBuilder = new WSSecDKSign();
sigBuilder.setExternalKey(derivedKey, tokenIdentifier);
@@ -386,7 +386,7 @@
String tokenIdentifier = builder.getId();
//
- // Derived key encryption
+ // Derived key signature
//
WSSecDKSign sigBuilder = new WSSecDKSign();
sigBuilder.setExternalKey(derivedKey, tokenIdentifier);
@@ -430,7 +430,7 @@
String tokenIdentifier = builder.getId();
//
- // Derived key encryption
+ // Derived key signature
//
WSSecDKSign sigBuilder = new WSSecDKSign();
sigBuilder.setExternalKey(derivedKey, tokenIdentifier);
Added: webservices/wss4j/trunk/test/wssec/TestWSSecurityUTSignature.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityUTSignature.java?rev=727705&view=auto
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityUTSignature.java (added)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityUTSignature.java Thu Dec 18 04:29:53 2008
@@ -0,0 +1,246 @@
+/*
+ * Copyright 2003-2004 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package wssec;
+
+import junit.framework.Test;
+import junit.framework.TestCase;
+import junit.framework.TestSuite;
+import org.apache.axis.Message;
+import org.apache.axis.MessageContext;
+import org.apache.axis.client.AxisClient;
+import org.apache.axis.configuration.NullProvider;
+import org.apache.axis.message.SOAPEnvelope;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.WSPasswordCallback;
+import org.apache.ws.security.WSSecurityEngine;
+import org.apache.ws.security.WSEncryptionPart;
+import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.message.WSSecDKEncrypt;
+import org.apache.ws.security.message.WSSecDKSign;
+import org.apache.ws.security.message.WSSecEncrypt;
+import org.apache.ws.security.message.WSSecHeader;
+import org.apache.ws.security.message.WSSecSignature;
+import org.apache.ws.security.message.WSSecUsernameToken;
+import org.apache.ws.security.message.token.UsernameToken;
+import org.apache.ws.security.processor.Processor;
+import org.apache.ws.security.processor.UsernameTokenProcessor;
+import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.xml.security.signature.XMLSignature;
+import org.w3c.dom.Document;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.PrintWriter;
+
+import java.util.Vector;
+
+/**
+ * WS-Security Test Case for UsernameToken Key Derivation, as defined in the
+ * UsernameTokenProfile 1.1 specification. The derived keys are used for signature.
+ * Note that this functionality is different to the TestWSSecurityUTDK test case,
+ * which uses the derived key in conjunction with wsc:DerivedKeyToken. It's also
+ * different to TestWSSecurityNew13, which derives a key for signature using a
+ * non-standard implementation.
+ */
+public class TestWSSecurityUTSignature extends TestCase implements CallbackHandler {
+ private static Log log = LogFactory.getLog(TestWSSecurityUTDK.class);
+ static final String soapMsg = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
+ "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">" +
+ " <soapenv:Body>" +
+ " <ns1:testMethod xmlns:ns1=\"uri:LogTestService2\"></ns1:testMethod>" +
+ " </soapenv:Body>" +
+ "</soapenv:Envelope>";
+
+ static final WSSecurityEngine secEngine = new WSSecurityEngine();
+ static final Crypto crypto = CryptoFactory.getInstance();
+ MessageContext msgContext;
+ SOAPEnvelope unsignedEnvelope;
+
+ /**
+ * TestWSSecurity constructor
+ * <p/>
+ *
+ * @param name name of the test
+ */
+ public TestWSSecurityUTSignature(String name) {
+ super(name);
+ }
+
+ /**
+ * JUnit suite
+ * <p/>
+ *
+ * @return a junit test suite
+ */
+ public static Test suite() {
+ return new TestSuite(TestWSSecurityUTDK.class);
+ }
+
+ /**
+ * Main method
+ * <p/>
+ *
+ * @param args command line args
+ */
+ public static void main(String[] args) {
+ junit.textui.TestRunner.run(suite());
+ }
+
+ /**
+ * Setup method
+ * <p/>
+ *
+ * @throws Exception Thrown when there is a problem in setup
+ */
+ protected void setUp() throws Exception {
+ AxisClient tmpEngine = new AxisClient(new NullProvider());
+ msgContext = new MessageContext(tmpEngine);
+ unsignedEnvelope = getSOAPEnvelope();
+ }
+
+ /**
+ * Constructs a soap envelope
+ * <p/>
+ *
+ * @return soap envelope
+ * @throws java.lang.Exception if there is any problem constructing the soap envelope
+ */
+ protected SOAPEnvelope getSOAPEnvelope() throws Exception {
+ InputStream in = new ByteArrayInputStream(soapMsg.getBytes());
+ Message msg = new Message(in);
+ msg.setMessageContext(msgContext);
+ return msg.getSOAPEnvelope();
+ }
+
+
+ /**
+ * Test using a UsernameToken derived key for signing a SOAP body
+ */
+ public void testSignature() throws Exception {
+ Document doc = unsignedEnvelope.getAsDocument();
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ WSSecUsernameToken builder = new WSSecUsernameToken();
+ builder.setUserInfo("bob", "security");
+ builder.addDerivedKey(true, null, 1000);
+ builder.prepare(doc);
+
+ WSSecSignature sign = new WSSecSignature();
+ sign.setUsernameToken(builder);
+ sign.setKeyIdentifierType(WSConstants.UT_SIGNING);
+ sign.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
+ Document signedDoc = sign.build(doc, null, secHeader);
+ builder.prependToHeader(secHeader);
+
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc);
+ assertTrue(outputString.indexOf("wsse:Username") != -1);
+ assertTrue(outputString.indexOf("wsse:Password") == -1);
+ assertTrue(outputString.indexOf("wsse11:Salt") != -1);
+ assertTrue(outputString.indexOf("wsse11:Iteration") != -1);
+ if (log.isDebugEnabled()) {
+ log.debug(outputString);
+ }
+
+ Vector results = verify(signedDoc);
+ WSSecurityEngineResult actionResult =
+ WSSecurityUtil.fetchActionResult(results, WSConstants.UT_SIGN);
+ java.security.Principal principal =
+ (java.security.Principal) actionResult.get(WSSecurityEngineResult.TAG_PRINCIPAL);
+ assertTrue(principal.getName().indexOf("bob") != -1);
+ }
+
+
+ /**
+ * Test using a UsernameToken derived key for signing a SOAP body. In this test the
+ * user is "alice" rather than "bob", and so signature verification should fail.
+ */
+ public void testBadUserSignature() throws Exception {
+ Document doc = unsignedEnvelope.getAsDocument();
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ WSSecUsernameToken builder = new WSSecUsernameToken();
+ builder.setUserInfo("alice", "security");
+ builder.addDerivedKey(true, null, 1000);
+ builder.prepare(doc);
+
+ WSSecSignature sign = new WSSecSignature();
+ sign.setUsernameToken(builder);
+ sign.setKeyIdentifierType(WSConstants.UT_SIGNING);
+ sign.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
+ Document signedDoc = sign.build(doc, null, secHeader);
+ builder.prependToHeader(secHeader);
+
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc);
+ if (log.isDebugEnabled()) {
+ log.debug(outputString);
+ }
+
+ try {
+ verify(signedDoc);
+ throw new Exception("Failure expected on a bad derived signature");
+ } catch (WSSecurityException ex) {
+ assertTrue(ex.getErrorCode() == WSSecurityException.FAILED_AUTHENTICATION);
+ // expected
+ }
+ }
+
+ /**
+ * Verifies the soap envelope.
+ *
+ * @param env soap envelope
+ * @throws java.lang.Exception Thrown when there is a problem in verification
+ */
+ private Vector verify(Document doc) throws Exception {
+ return secEngine.processSecurityHeader(doc, null, this, crypto);
+ }
+
+
+ public void handle(Callback[] callbacks)
+ throws IOException, UnsupportedCallbackException {
+ for (int i = 0; i < callbacks.length; i++) {
+ if (callbacks[i] instanceof WSPasswordCallback) {
+ WSPasswordCallback pc = (WSPasswordCallback) callbacks[i];
+ if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN
+ && "bob".equals(pc.getIdentifier())) {
+ pc.setPassword("security");
+ } else {
+ throw new IOException("Authentication failed");
+ }
+ } else {
+ throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
+ }
+ }
+ }
+
+}
Propchange: webservices/wss4j/trunk/test/wssec/TestWSSecurityUTSignature.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: webservices/wss4j/trunk/test/wssec/TestWSSecurityUTSignature.java
------------------------------------------------------------------------------
svn:keywords = Rev Date
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org