Posted to commits@cxf.apache.org by co...@apache.org on 2019/08/19 15:14:51 UTC
[cxf] 01/01: Update to Apache WSS4J 2.3.0-SNAPSHOT
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch wss4j_2.3.0
in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 3bf2dcafccb3d8243dea1afdedc333e307dddde0
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Jan 25 11:27:40 2019 +0000
Update to Apache WSS4J 2.3.0-SNAPSHOT
---
parent/pom.xml | 9 +-
.../saml/sso/AbstractSAMLCallbackHandler.java | 11 +-
.../ws/security/trust/STSStaxTokenValidator.java | 3 +-
.../wss4j/AbstractWSS4JStaxInterceptor.java | 2 +
.../security/wss4j/AlgorithmSuiteTranslater.java | 4 +-
.../wss4j/PolicyBasedWSS4JInInterceptor.java | 4 +-
.../wss4j/PolicyBasedWSS4JOutInterceptor.java | 4 +-
.../wss4j/PolicyBasedWSS4JStaxInInterceptor.java | 9 +-
.../policyhandlers/AbstractBindingBuilder.java | 58 ++--
.../policyhandlers/AbstractStaxBindingHandler.java | 4 +-
.../policyhandlers/AsymmetricBindingHandler.java | 274 +++++++++--------
.../StaxAsymmetricBindingHandler.java | 6 +-
.../StaxSymmetricBindingHandler.java | 6 +-
.../StaxTransportBindingHandler.java | 18 +-
.../policyhandlers/SymmetricBindingHandler.java | 335 ++++++++++++---------
.../policyhandlers/TransportBindingHandler.java | 38 ++-
.../AlgorithmSuitePolicyValidator.java | 4 +-
.../security/wss4j/CustomPolicyAlgorithmsTest.java | 4 +-
.../wss4j/saml/AbstractSAMLCallbackHandler.java | 14 +-
.../cxf/sts/operation/AbstractOperation.java | 14 +-
.../sts/token/provider/DefaultSubjectProvider.java | 16 +-
.../cxf/sts/token/provider/TokenProviderUtils.java | 10 +-
.../cxf/sts/operation/IssueSamlUnitTest.java | 10 +-
.../server/CustomUsernameTokenInterceptor.java | 14 +-
.../cxf/systest/ws/x509/SHA512PolicyLoader.java | 2 +-
25 files changed, 516 insertions(+), 357 deletions(-)
diff --git a/parent/pom.xml b/parent/pom.xml
index 8938529..7f93d18 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -217,7 +217,7 @@
<cxf.woodstox.core.version>5.0.3</cxf.woodstox.core.version>
<cxf.woodstox.stax2-api.version>3.1.4</cxf.woodstox.stax2-api.version>
<cxf.wsdl4j.version>1.6.3</cxf.wsdl4j.version>
- <cxf.wss4j.version>2.2.4</cxf.wss4j.version>
+ <cxf.wss4j.version>2.3.0-SNAPSHOT</cxf.wss4j.version>
<cxf.xalan.version>2.7.2</cxf.xalan.version>
<cxf.xbean.version>4.14</cxf.xbean.version>
<cxf.xerces.version>2.12.0</cxf.xerces.version>
@@ -263,7 +263,7 @@
<cxf.xalan.bundle.version>2.7.2_3</cxf.xalan.bundle.version>
<cxf.xerces.bundle.version>2.12.0_1</cxf.xerces.bundle.version>
<cxf.xmlresolver.bundle.version>1.2_5</cxf.xmlresolver.bundle.version>
- <cxf.xmlsec.bundle.version>2.1.4</cxf.xmlsec.bundle.version>
+ <cxf.xmlsec.bundle.version>2.2.0-SNAPSHOT</cxf.xmlsec.bundle.version>
<cxf.xpp3.bundle.version>1.1.4c_6</cxf.xpp3.bundle.version>
</properties>
<build>
@@ -1344,11 +1344,6 @@
</exclusions>
</dependency>
<dependency>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- <version>${cxf.guava.version}</version>
- </dependency>
- <dependency>
<groupId>org.apache.hbase</groupId>
<artifactId>hbase-client</artifactId>
<version>2.1.4</version>
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
index f5f051c..e473bdf 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
@@ -23,6 +23,8 @@ import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
@@ -43,6 +45,7 @@ import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER;
import org.apache.wss4j.common.saml.bean.SubjectBean;
import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean;
import org.apache.wss4j.common.saml.bean.SubjectLocalityBean;
+import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.message.WSSecEncryptedKey;
import org.joda.time.DateTime;
@@ -212,8 +215,12 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc);
encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
encrKey.setUseThisCert(certs[0]);
- encrKey.prepare(null);
- ephemeralKey = encrKey.getEphemeralKey();
+
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_128);
+ SecretKey symmetricKey = keyGen.generateKey();
+
+ encrKey.prepare(null, symmetricKey);
+ ephemeralKey = symmetricKey.getEncoded();
Element encryptedKeyElement = encrKey.getEncryptedKeyElement();
// Append the EncryptedKey to a KeyInfo element
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
index ffb99e4..57429e2 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
@@ -42,6 +42,7 @@ import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.common.token.PKIPathSecurity;
import org.apache.wss4j.common.token.X509Security;
import org.apache.wss4j.common.util.AttachmentUtils;
+import org.apache.wss4j.common.util.UsernameTokenUtil;
import org.apache.wss4j.dom.message.token.KerberosSecurity;
import org.apache.wss4j.dom.message.token.UsernameToken;
import org.apache.wss4j.stax.ext.WSSConstants;
@@ -329,7 +330,7 @@ public class STSStaxTokenValidator
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
}
- String passDigest = WSSUtils.doPasswordDigest(nonceVal, created, pwCb.getPassword());
+ String passDigest = UsernameTokenUtil.doPasswordDigest(nonceVal, created, pwCb.getPassword());
if (!passwordType.getValue().equals(passDigest)) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
}
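Review bot: The digest produced by the new `UsernameTokenUtil.doPasswordDigest` call on L122 is still compared with `String.equals` on the following line, which short-circuits at the first differing character; since the nonce and created values in that digest come from the client, a constant-time compare is the safer choice, e.g. `if (!MessageDigest.isEqual(passwordType.getValue().getBytes(StandardCharsets.UTF_8), passDigest.getBytes(StandardCharsets.UTF_8)))`. That needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imported if they are not already. If `WSSUtils` has no remaining use in this file after this change, its import can be dropped as well. The enclosing method starts and ends outside the hunk.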
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java
index d5cd6b6..585e908 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java
@@ -179,6 +179,8 @@ public abstract class AbstractWSS4JStaxInterceptor implements SoapInterceptor,
boolean validateSchemas =
MessageUtils.getContextualBoolean(msg, "schema-validation-enabled", false);
securityProperties.setDisableSchemaValidation(!validateSchemas);
+
+ securityProperties.setSoap12(WSSConstants.NS_SOAP12.equals(msg.getVersion().getNamespace()));
}
private Collection<Pattern> convertCertConstraints(String certConstraints, String separator) {
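Review bot: The SOAP 1.2 test on L135, `WSSConstants.NS_SOAP12.equals(msg.getVersion().getNamespace())`, is repeated verbatim at L225 in PolicyBasedWSS4JStaxInInterceptor; a single `protected static boolean isSoap12(SoapMessage msg)` on this abstract class, which PolicyBasedWSS4JStaxInInterceptor presumably reaches through WSS4JStaxInInterceptor, would keep the two in step if the namespace check ever changes. If `msg.getVersion()` can be null at this point the expression throws; I could not confirm from the hunk whether SoapMessage guarantees a version here. A short comment such as `// tell WSS4J which SOAP envelope namespace to expect` would also make the purpose of the new setter call visible. The enclosing method starts before the hunk.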
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
index 595d419..ef73d10 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
@@ -126,8 +126,8 @@ public final class AlgorithmSuiteTranslater {
algorithmSuite.addDigestAlgorithm(algorithmSuiteType.getDigest());
}
- algorithmSuite.addSignatureMethod(cxfAlgorithmSuite.getAsymmetricSignature());
- algorithmSuite.addSignatureMethod(cxfAlgorithmSuite.getSymmetricSignature());
+ algorithmSuite.addSignatureMethod(algorithmSuiteType.getAsymmetricSignature());
+ algorithmSuite.addSignatureMethod(algorithmSuiteType.getSymmetricSignature());
algorithmSuite.addC14nAlgorithm(cxfAlgorithmSuite.getC14n().getValue());
algorithmSuite.addTransformAlgorithm(cxfAlgorithmSuite.getC14n().getValue());
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index 767be4c..640165e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -486,10 +486,10 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
for (AssertionInfo algorithmSuite : algorithmSuites) {
AlgorithmSuite algSuite = (AlgorithmSuite)algorithmSuite.getAssertion();
if (asymSignatureAlgorithm != null) {
- algSuite.setAsymmetricSignature(asymSignatureAlgorithm);
+ algSuite.getAlgorithmSuiteType().setAsymmetricSignature(asymSignatureAlgorithm);
}
if (symSignatureAlgorithm != null) {
- algSuite.setSymmetricSignature(symSignatureAlgorithm);
+ algSuite.getAlgorithmSuiteType().setSymmetricSignature(symSignatureAlgorithm);
}
}
}
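Review bot: `algSuite.getAlgorithmSuiteType().setAsymmetricSignature(...)` on L160 (and the symmetric setter on L164) now mutates the AlgorithmSuiteType object rather than the AlgorithmSuite assertion; whether that object is a per-policy copy or the shared static instance WSS4J keeps per suite name is not visible here, and if it is the shared instance the override leaks into every other policy in the JVM that uses the same suite. Worth confirming against the WSS4J 2.3.0 AlgorithmSuite parsing code and, if it does copy, recording that with a comment such as `// AlgorithmSuiteType is a per-policy copy in WSS4J 2.3, so this override stays local to this AlgorithmSuite`. The same pattern appears in PolicyBasedWSS4JOutInterceptor (L177, L183) and PolicyBasedWSS4JStaxInInterceptor (L203, L207). The enclosing method begins outside the hunk.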
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
index 1a68fe0..9cb373e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
@@ -164,13 +164,13 @@ public class PolicyBasedWSS4JOutInterceptor extends AbstractPhaseInterceptor<Soa
String asymSignatureAlgorithm =
(String)message.getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
if (asymSignatureAlgorithm != null && binding.getAlgorithmSuite() != null) {
- binding.getAlgorithmSuite().setAsymmetricSignature(asymSignatureAlgorithm);
+ binding.getAlgorithmSuite().getAlgorithmSuiteType().setAsymmetricSignature(asymSignatureAlgorithm);
}
String symSignatureAlgorithm =
(String)message.getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM);
if (symSignatureAlgorithm != null && binding.getAlgorithmSuite() != null) {
- binding.getAlgorithmSuite().setSymmetricSignature(symSignatureAlgorithm);
+ binding.getAlgorithmSuite().getAlgorithmSuiteType().setSymmetricSignature(symSignatureAlgorithm);
}
try {
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
index a455cf8..b321e5b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
@@ -55,6 +55,7 @@ import org.apache.wss4j.policy.model.AlgorithmSuite;
import org.apache.wss4j.policy.stax.OperationPolicy;
import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
import org.apache.wss4j.policy.stax.enforcer.PolicyInputProcessor;
+import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSSecurityProperties;
import org.apache.wss4j.stax.impl.securityToken.HttpsSecurityTokenImpl;
import org.apache.wss4j.stax.securityEvent.HttpsTokenSecurityEvent;
@@ -271,10 +272,10 @@ public class PolicyBasedWSS4JStaxInInterceptor extends WSS4JStaxInInterceptor {
for (AssertionInfo algorithmSuite : algorithmSuites) {
AlgorithmSuite algSuite = (AlgorithmSuite)algorithmSuite.getAssertion();
if (asymSignatureAlgorithm != null) {
- algSuite.setAsymmetricSignature(asymSignatureAlgorithm);
+ algSuite.getAlgorithmSuiteType().setAsymmetricSignature(asymSignatureAlgorithm);
}
if (symSignatureAlgorithm != null) {
- algSuite.setSymmetricSignature(symSignatureAlgorithm);
+ algSuite.getAlgorithmSuiteType().setSymmetricSignature(symSignatureAlgorithm);
}
}
}
@@ -426,7 +427,6 @@ public class PolicyBasedWSS4JStaxInInterceptor extends WSS4JStaxInInterceptor {
if (soapAction == null) {
soapAction = "";
}
-
String actor = (String)msg.getContextualProperty(SecurityConstants.ACTOR);
final Collection<org.apache.cxf.message.Attachment> attachments = msg.getAttachments();
int attachmentCount = 0;
@@ -435,7 +435,8 @@ public class PolicyBasedWSS4JStaxInInterceptor extends WSS4JStaxInInterceptor {
}
return new PolicyEnforcer(operationPolicies, soapAction, isRequestor(msg),
actor, attachmentCount,
- new WSS4JPolicyAsserter(msg.get(AssertionInfoMap.class)));
+ new WSS4JPolicyAsserter(msg.get(AssertionInfoMap.class)),
+ WSSConstants.NS_SOAP12.equals(msg.getVersion().getNamespace()));
}
}
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index 619d4b5..8cd7c24 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -35,6 +35,7 @@ import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Level;
import java.util.logging.Logger;
+import javax.crypto.SecretKey;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.Reference;
@@ -102,6 +103,7 @@ import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.common.token.SecurityTokenReference;
import org.apache.wss4j.common.token.X509Security;
import org.apache.wss4j.common.util.Loader;
+import org.apache.wss4j.common.util.UsernameTokenUtil;
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDocInfo;
@@ -579,7 +581,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
} else {
sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
}
- sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
+ sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature());
sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
Crypto crypto = secToken.getCrypto();
@@ -610,19 +612,20 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
protected void handleUsernameTokenSupportingToken(
UsernameToken token, boolean endorse, boolean encryptedToken, List<SupportingToken> ret
) throws WSSecurityException {
- if (endorse) {
- WSSecUsernameToken utBuilder = addDKUsernameToken(token, true);
+ if (endorse && isTokenRequired(token.getIncludeTokenType())) {
+ byte[] salt = UsernameTokenUtil.generateSalt(true);
+ WSSecUsernameToken utBuilder = addDKUsernameToken(token, salt, true);
if (utBuilder != null) {
- utBuilder.prepare();
+ utBuilder.prepare(salt);
addSupportingElement(utBuilder.getUsernameTokenElement());
- ret.add(new SupportingToken(token, utBuilder, null));
+ ret.add(new SupportingToken(token, utBuilder, null, salt));
if (encryptedToken) {
WSEncryptionPart part = new WSEncryptionPart(utBuilder.getId(), "Element");
part.setElement(utBuilder.getUsernameTokenElement());
encryptedTokensList.add(part);
}
}
- } else {
+ } else if (!endorse) {
WSSecUsernameToken utBuilder = addUsernameToken(token);
if (utBuilder != null) {
utBuilder.prepare();
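Review bot: Adding `isTokenRequired(token.getIncludeTokenType())` to the endorse branch on L261 changes what happens when an endorsing UsernameToken is not required: previously `addDKUsernameToken` was still called and ran `assertToken(token)` (visible at L286) before returning null, whereas now neither branch runs for that token and the policy assertion may be left unasserted. If that assertion is not made elsewhere for this case, an `else if (endorse) { assertToken(token); }` arm, or asserting before the `isTokenRequired` check, restores it. The same early check inside addDKUsernameToken (L287-L288) is then redundant with the caller's, though harmless. The method's remainder continues past the hunk.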
@@ -862,7 +865,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
return null;
}
- protected WSSecUsernameToken addDKUsernameToken(UsernameToken token, boolean useMac) {
+ protected WSSecUsernameToken addDKUsernameToken(UsernameToken token, byte[] salt, boolean useMac) {
assertToken(token);
if (!isTokenRequired(token.getIncludeTokenType())) {
return null;
@@ -883,8 +886,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
if (!StringUtils.isEmpty(password)) {
// If the password is available then build the token
utBuilder.setUserInfo(userName, password);
- utBuilder.addDerivedKey(useMac, null, 1000);
- utBuilder.prepare();
+ utBuilder.addDerivedKey(useMac, 1000);
+ utBuilder.prepare(salt);
} else {
unassertPolicy(token, "No password available");
return null;
@@ -1502,7 +1505,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
return null;
}
- protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractToken token) throws WSSecurityException {
+ protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractToken token,
+ SecretKey symmetricKey) throws WSSecurityException {
WSSecEncryptedKey encrKey = new WSSecEncryptedKey(secHeader);
encrKey.setIdAllocator(wssConfig.getIdAllocator());
encrKey.setCallbackLookup(callbackLookup);
@@ -1523,11 +1527,10 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
String encrUser = setEncryptionUser(encrKey, token, false, crypto);
AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
- encrKey.setSymmetricEncAlgorithm(algType.getEncryption());
encrKey.setKeyEncAlgo(algType.getAsymmetricKeyWrap());
encrKey.setMGFAlgorithm(algType.getMGFAlgo());
- encrKey.prepare(crypto);
+ encrKey.prepare(crypto, symmetricKey);
if (alsoIncludeToken) {
X509Certificate encCert = getEncryptCert(crypto, encrUser);
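Review bot: With `encrKey.setSymmetricEncAlgorithm(algType.getEncryption())` removed, nothing in getEncryptedKeyBuilder checks that the caller-supplied `symmetricKey` (new parameter at L304-L305) matches the suite's encryption algorithm, and a null key is presumably only detected inside `encrKey.prepare(crypto, symmetricKey)` on L316. A guard at the top of the method, `Objects.requireNonNull(symmetricKey, "symmetricKey");` (needs `java.util.Objects` if not imported), plus a Javadoc `@param symmetricKey the session key to wrap; its algorithm and size must match {@code algType.getEncryption()}` would make the new contract explicit. The method body is cut by the hunk boundaries.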
@@ -1898,7 +1901,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
password = getPassword(user, token, WSPasswordCallback.SIGNATURE);
}
sig.setUserInfo(user, password);
- sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
+ sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature());
AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
sig.setDigestAlgo(algType.getDigest());
sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
@@ -1990,8 +1993,9 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
}
try {
- byte[] secret = utBuilder.getDerivedKey();
+ byte[] secret = utBuilder.getDerivedKey(supportingToken.getSalt());
secToken.setSecret(secret);
+ Arrays.fill(supportingToken.getSalt(), (byte)0);
if (supportingToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
doSymmSignatureDerived(supportingToken.getToken(), secToken, sigParts,
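Review bot: `Arrays.fill(supportingToken.getSalt(), (byte)0)` on L334 runs only when `getDerivedKey` on L332 returns normally, so on an exception the salt stays in memory, and it dereferences `getSalt()` without a null check while the three-argument SupportingToken constructor (L391) stores null. If this path can be reached for a token built without a salt, `getDerivedKey(null)` and the fill both fail with an NPE inside a try whose handler is outside the hunk. Zeroing in a `finally` and guarding the null keeps any failure at the `getDerivedKey` call where it is meaningful.
```java
byte[] salt = supportingToken.getSalt();
try {
    byte[] secret = utBuilder.getDerivedKey(salt);
    secToken.setSecret(secret);
} finally {
    // zero the salt whether or not key derivation succeeded
    if (salt != null) {
        Arrays.fill(salt, (byte)0);
    }
}
// … unchanged: RequireDerivedKeys branch and the rest of the outer try …
```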
@@ -2040,7 +2044,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
if (ref != null) {
ref = cloneElement(ref);
- dkSign.setExternalKey(tok.getSecret(), ref);
+ dkSign.setStrElem(ref);
} else if (!isRequestor() && policyToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
// If the Encrypted key used to create the derived key is not
// attached use key identifier as defined in WSS1.1 section
@@ -2051,14 +2055,14 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
tokenRef.setKeyIdentifierEncKeySHA1(tok.getSHA1());
tokenRef.addTokenType(WSS4JConstants.WSS_ENC_KEY_VALUE_TYPE);
}
- dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement());
+ dkSign.setStrElem(tokenRef.getElement());
} else {
- dkSign.setExternalKey(tok.getSecret(), tok.getId());
+ dkSign.setTokenIdentifier(tok.getId());
}
//Set the algo info
- dkSign.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
+ dkSign.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
dkSign.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
@@ -2070,7 +2074,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
dkSign.setCustomValueType(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
}
- dkSign.prepare();
+ dkSign.prepare(tok.getSecret());
if (isTokenProtection) {
String sigTokId = XMLUtils.getIDFromReference(tok.getId());
@@ -2093,6 +2097,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
}
addSig(dkSign.getSignatureValue());
+ dkSign.clean();
}
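Review bot: `dkSign.clean()` on L371 sits on the success path only; any exception between `dkSign.prepare(tok.getSecret())` (L365) and here, including the `addSig` call, skips it and leaves the derived key material held by dkSign. Wrapping the stretch from prepare onward in `try { … } finally { dkSign.clean(); }` makes the cleanup unconditional; the same applies to `encr.clean()` at L466 and `encrBase.clean()` at L502 in AsymmetricBindingHandler. The enclosing method starts well before the hunk, so the try boundaries have to be set there.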
private void doSymmSignature(AbstractToken policyToken, SecurityToken tok,
@@ -2149,7 +2154,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
sigTokId = XMLUtils.getIDFromReference(sigTokId);
sig.setCustomTokenId(sigTokId);
sig.setSecretKey(tok.getSecret());
- sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
+ sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
sig.setDigestAlgo(algType.getDigest());
sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
@@ -2355,12 +2360,19 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
private final AbstractToken token;
private final Object tokenImplementation;
private final List<WSEncryptionPart> signedParts;
+ private final byte[] salt;
SupportingToken(AbstractToken token, Object tokenImplementation,
- List<WSEncryptionPart> signedParts) {
+ List<WSEncryptionPart> signedParts) {
+ this(token, tokenImplementation, signedParts, null);
+ }
+
+ SupportingToken(AbstractToken token, Object tokenImplementation,
+ List<WSEncryptionPart> signedParts, byte[] salt) {
this.token = token;
this.tokenImplementation = tokenImplementation;
this.signedParts = signedParts;
+ this.salt = salt;
}
public AbstractToken getToken() {
@@ -2375,6 +2387,10 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
return signedParts;
}
+ public byte[] getSalt() {
+ return salt;
+ }
+
}
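Review bot: `getSalt()` (L405-L407) hands out the live `salt` array rather than a copy, and that is the intent — the caller at L334 zeroes it after deriving the key — but nothing says so, and the three-argument constructor at L388-L392 stores null, so the accessor can return null. A Javadoc on the accessor, `/** Returns the live salt array used for the derived-key UsernameToken, or null if none; callers zero it once the key has been derived. */`, documents both the aliasing and the nullability. A `@param salt` line on the four-argument constructor would round that out.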
protected void addSig(byte[] val) {
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
index c674c99..b5a2d6b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
@@ -540,10 +540,10 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
if (binding instanceof SymmetricBinding) {
userNameKey = SecurityConstants.ENCRYPT_USERNAME;
properties.setSignatureAlgorithm(
- binding.getAlgorithmSuite().getSymmetricSignature());
+ binding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
} else {
properties.setSignatureAlgorithm(
- binding.getAlgorithmSuite().getAsymmetricSignature());
+ binding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature());
}
properties.setSignatureCanonicalizationAlgorithm(
binding.getAlgorithmSuite().getC14n().getValue());
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
index df31bc7..ff716f1 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
@@ -28,6 +28,8 @@ import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.xml.crypto.dsig.Reference;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
@@ -54,6 +56,7 @@ import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.derivedKey.ConversationConstants;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
@@ -224,12 +227,24 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
encToken = abinding.getInitiatorToken();
}
}
- doEncryption(encToken, enc, false);
+
if (encToken != null) {
+ WSSecBase encr = null;
+ if (encToken.getToken() != null && !enc.isEmpty()) {
+ if (encToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+ encr = doEncryptionDerived(encToken, enc);
+ } else {
+ String symEncAlgorithm = abinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);
+ SecretKey symmetricKey = keyGen.generateKey();
+ encr = doEncryption(encToken, enc, false, symmetricKey);
+ }
+
+ encr.clean();
+ }
assertTokenWrapper(encToken);
assertToken(encToken.getToken());
}
-
} catch (Exception e) {
String reason = e.getMessage();
LOG.log(Level.WARNING, "Sign before encryption failed due to : " + reason);
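Review bot: `encr.clean()` on L466 assumes `doEncryptionDerived` and `doEncryption` never return null; if either does, the resulting NullPointerException is caught by the `catch (Exception e)` on L472 and logged as a sign-before-encrypt failure, hiding the real cause. An `if (encr != null) { encr.clean(); }` guard, or making a non-null return part of the helpers' contract, avoids that. The lines that look up the suite's encryption algorithm and generate a key (L460-L462) are duplicated at L485-L488 in this file; a small helper such as `SecretKey generateSymmetricKey(String encAlgorithm) throws WSSecurityException` in AbstractBindingBuilder (the catch at L490 suggests that is the exception type) would remove the duplication. The enclosing method starts before the hunk.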
@@ -333,9 +348,21 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
}
WSSecBase encrBase = null;
+ SecretKey symmetricKey = null;
if (encryptionToken != null && !encrParts.isEmpty()) {
- encrBase = doEncryption(wrapper, encrParts, true);
- handleEncryptedSignedHeaders(encrParts, sigParts);
+ if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+ encrBase = doEncryptionDerived(wrapper, encrParts);
+ } else {
+ String symEncAlgorithm = abinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
+ try {
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);
+ symmetricKey = keyGen.generateKey();
+ encrBase = doEncryption(wrapper, encrParts, true, symmetricKey);
+ } catch (WSSecurityException ex) {
+ LOG.log(Level.FINE, ex.getMessage(), ex);
+ throw new Fault(ex);
+ }
+ }
}
if (!isRequestor()) {
@@ -369,12 +396,15 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
}
if (encrBase != null) {
- encryptTokensInSecurityHeader(encryptionToken, encrBase);
+ encryptTokensInSecurityHeader(encryptionToken, encrBase, symmetricKey);
+ encrBase.clean();
}
}
- private void encryptTokensInSecurityHeader(AbstractToken encryptionToken, WSSecBase encrBase) {
+ private void encryptTokensInSecurityHeader(AbstractToken encryptionToken,
+ WSSecBase encrBase,
+ SecretKey symmetricKey) {
List<WSEncryptionPart> secondEncrParts = new ArrayList<>();
// Check for signature protection
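Review bot: The new `symmetricKey` parameter of encryptTokensInSecurityHeader (L508) is null whenever the derived-keys branch was taken at L482-L483, since only the other branch assigns it (L488), and it is passed straight through to `encryptForRef` at L516 after the cast to WSSecEncrypt. Whether that call is reachable in the derived-key case depends on a guard around the cast that lies outside the hunk; either way the parameter deserves a Javadoc line, `@param symmetricKey the session key used by {@code encrBase}, or null when encrBase is a derived-key encryptor`. The method continues past the hunk.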
@@ -428,7 +458,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
} else {
this.insertBeforeBottomUp(secondRefList);
}
- ((WSSecEncrypt)encrBase).encryptForRef(secondRefList, secondEncrParts);
+ ((WSSecEncrypt)encrBase).encryptForRef(secondRefList, secondEncrParts, symmetricKey);
} catch (WSSecurityException ex) {
LOG.log(Level.FINE, ex.getMessage(), ex);
@@ -439,125 +469,121 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
private WSSecBase doEncryption(AbstractTokenWrapper recToken,
List<WSEncryptionPart> encrParts,
- boolean externalRef) {
- //Do encryption
- if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) {
- AbstractToken encrToken = recToken.getToken();
- assertPolicy(recToken);
- assertPolicy(encrToken);
- AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
- if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
- return doEncryptionDerived(recToken, encrToken, encrParts, algorithmSuite);
- }
- try {
- WSSecEncrypt encr = new WSSecEncrypt(secHeader);
- encr.setEncryptionSerializer(new StaxSerializer());
- encr.setIdAllocator(wssConfig.getIdAllocator());
- encr.setCallbackLookup(callbackLookup);
- encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
- encr.setStoreBytesInAttachment(storeBytesInAttachment);
- encr.setExpandXopInclude(isExpandXopInclude());
- encr.setWsDocInfo(wsDocInfo);
-
- Crypto crypto = getEncryptionCrypto();
-
- SecurityToken securityToken = getSecurityToken();
- if (!isRequestor() && securityToken != null
- && recToken.getToken() instanceof SamlToken) {
- String tokenType = securityToken.getTokenType();
- if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
- || WSS4JConstants.SAML_NS.equals(tokenType)) {
- encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
- encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
- encr.setCustomEKTokenId(securityToken.getId());
- } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
- || WSS4JConstants.SAML2_NS.equals(tokenType)) {
- encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
- encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
- encr.setCustomEKTokenId(securityToken.getId());
- } else {
- setKeyIdentifierType(encr, encrToken);
- }
+ boolean externalRef,
+ SecretKey symmetricKey) {
+ AbstractToken encrToken = recToken.getToken();
+ assertPolicy(recToken);
+ assertPolicy(encrToken);
+ try {
+ WSSecEncrypt encr = new WSSecEncrypt(secHeader);
+ encr.setEncryptionSerializer(new StaxSerializer());
+ encr.setIdAllocator(wssConfig.getIdAllocator());
+ encr.setCallbackLookup(callbackLookup);
+ encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
+ encr.setStoreBytesInAttachment(storeBytesInAttachment);
+ encr.setExpandXopInclude(isExpandXopInclude());
+ encr.setWsDocInfo(wsDocInfo);
+
+ Crypto crypto = getEncryptionCrypto();
+
+ SecurityToken securityToken = getSecurityToken();
+ if (!isRequestor() && securityToken != null
+ && recToken.getToken() instanceof SamlToken) {
+ String tokenType = securityToken.getTokenType();
+ if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
+ || WSS4JConstants.SAML_NS.equals(tokenType)) {
+ encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
+ encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+ encr.setCustomEKTokenId(securityToken.getId());
+ } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
+ || WSS4JConstants.SAML2_NS.equals(tokenType)) {
+ encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
+ encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+ encr.setCustomEKTokenId(securityToken.getId());
} else {
setKeyIdentifierType(encr, encrToken);
}
- //
- // Using a stored cert is only suitable for the Issued Token case, where
- // we're extracting the cert from a SAML Assertion on the provider side
- //
- if (!isRequestor() && securityToken != null
- && securityToken.getX509Certificate() != null) {
- encr.setUseThisCert(securityToken.getX509Certificate());
- } else if (!isRequestor() && securityToken != null
- && securityToken.getKey() instanceof PublicKey) {
- encr.setUseThisPublicKey((PublicKey)securityToken.getKey());
- encr.setKeyIdentifierType(WSConstants.KEY_VALUE);
- } else {
- setEncryptionUser(encr, encrToken, false, crypto);
- }
- if (!encr.isCertSet() && encr.getUseThisPublicKey() == null && crypto == null) {
- unassertPolicy(recToken, "Missing security configuration. "
- + "Make sure jaxws:client element is configured "
- + "with a " + SecurityConstants.ENCRYPT_PROPERTIES + " value.");
- }
- AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
- encr.setSymmetricEncAlgorithm(algType.getEncryption());
- encr.setKeyEncAlgo(algType.getAsymmetricKeyWrap());
- encr.setMGFAlgorithm(algType.getMGFAlgo());
- encr.setDigestAlgorithm(algType.getEncryptionDigest());
- encr.prepare(crypto);
-
- Element encryptedKeyElement = encr.getEncryptedKeyElement();
- List<Element> attachments = encr.getAttachmentEncryptedDataElements();
- //Encrypt, get hold of the ref list and add it
- if (externalRef) {
- Element refList = encr.encryptForRef(null, encrParts);
- if (refList != null) {
- insertBeforeBottomUp(refList);
- }
- if (attachments != null) {
- for (Element attachment : attachments) {
- this.insertBeforeBottomUp(attachment);
- }
- }
- if (refList != null || (attachments != null && !attachments.isEmpty())) {
- this.addEncryptedKeyElement(encryptedKeyElement);
- }
- } else {
- Element refList = encr.encryptForRef(null, encrParts);
- if (refList != null || (attachments != null && !attachments.isEmpty())) {
- this.addEncryptedKeyElement(encryptedKeyElement);
- }
-
- // Add internal refs
- if (refList != null) {
- encryptedKeyElement.appendChild(refList);
- }
- if (attachments != null) {
- for (Element attachment : attachments) {
- this.addEncryptedKeyElement(attachment);
- }
+ } else {
+ setKeyIdentifierType(encr, encrToken);
+ }
+ //
+ // Using a stored cert is only suitable for the Issued Token case, where
+ // we're extracting the cert from a SAML Assertion on the provider side
+ //
+ if (!isRequestor() && securityToken != null
+ && securityToken.getX509Certificate() != null) {
+ encr.setUseThisCert(securityToken.getX509Certificate());
+ } else if (!isRequestor() && securityToken != null
+ && securityToken.getKey() instanceof PublicKey) {
+ encr.setUseThisPublicKey((PublicKey)securityToken.getKey());
+ encr.setKeyIdentifierType(WSConstants.KEY_VALUE);
+ } else {
+ setEncryptionUser(encr, encrToken, false, crypto);
+ }
+ if (!encr.isCertSet() && encr.getUseThisPublicKey() == null && crypto == null) {
+ unassertPolicy(recToken, "Missing security configuration. "
+ + "Make sure jaxws:client element is configured "
+ + "with a " + SecurityConstants.ENCRYPT_PROPERTIES + " value.");
+ }
+ AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
+ AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
+ encr.setSymmetricEncAlgorithm(algType.getEncryption());
+ encr.setKeyEncAlgo(algType.getAsymmetricKeyWrap());
+ encr.setMGFAlgorithm(algType.getMGFAlgo());
+ encr.setDigestAlgorithm(algType.getEncryptionDigest());
+ encr.prepare(crypto, symmetricKey);
+
+ Element encryptedKeyElement = encr.getEncryptedKeyElement();
+ List<Element> attachments = encr.getAttachmentEncryptedDataElements();
+ //Encrypt, get hold of the ref list and add it
+ if (externalRef) {
+ Element refList = encr.encryptForRef(null, encrParts, symmetricKey);
+ if (refList != null) {
+ insertBeforeBottomUp(refList);
+ }
+ if (attachments != null) {
+ for (Element attachment : attachments) {
+ this.insertBeforeBottomUp(attachment);
}
}
+ if (refList != null || (attachments != null && !attachments.isEmpty())) {
+ this.addEncryptedKeyElement(encryptedKeyElement);
+ }
+ } else {
+ Element refList = encr.encryptForRef(null, encrParts, symmetricKey);
+ if (refList != null || (attachments != null && !attachments.isEmpty())) {
+ this.addEncryptedKeyElement(encryptedKeyElement);
+ }
- // Put BST before EncryptedKey element
- if (encr.getBSTTokenId() != null) {
- encr.prependBSTElementToHeader();
+ // Add internal refs
+ if (refList != null) {
+ encryptedKeyElement.appendChild(refList);
+ }
+ if (attachments != null) {
+ for (Element attachment : attachments) {
+ this.addEncryptedKeyElement(attachment);
+ }
}
+ }
- return encr;
- } catch (WSSecurityException e) {
- LOG.log(Level.FINE, e.getMessage(), e);
- unassertPolicy(recToken, e);
+ // Put BST before EncryptedKey element
+ if (encr.getBSTTokenId() != null) {
+ encr.prependBSTElementToHeader();
}
+
+ return encr;
+ } catch (WSSecurityException e) {
+ LOG.log(Level.FINE, e.getMessage(), e);
+ unassertPolicy(recToken, e);
}
return null;
}
private WSSecBase doEncryptionDerived(AbstractTokenWrapper recToken,
- AbstractToken encrToken,
- List<WSEncryptionPart> encrParts,
- AlgorithmSuite algorithmSuite) {
+ List<WSEncryptionPart> encrParts) {
+ AbstractToken encrToken = recToken.getToken();
+ assertPolicy(recToken);
+ assertPolicy(encrToken);
try {
WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(secHeader);
dkEncr.setEncryptionSerializer(new StaxSerializer());
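Review bot: The rewritten doEncryption dereferences `recToken.getToken()` on its first line without the guard the removed version carried (`if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty())`), and the new `symmetricKey` parameter has no documentation; the only visible caller (hunk `@@ -333,9 +348,21 @@`) performs those checks before calling, so this is a documentation point rather than a defect. A Javadoc on the method should state that callers guarantee a token and a non-empty part list, that `symmetricKey` is the caller-generated content-encryption key passed to `prepare()` and `encryptForRef()` (presumably wrapped into the EncryptedKey by `prepare`, worth confirming), and that `null` is returned after `unassertPolicy` on a WSSecurityException so callers must null-check, as the `if (encrBase != null)` site does. The same precondition shift applies to doEncryptionDerived just below, which now calls `assertPolicy` itself, and to the rewritten doEncryption in SymmetricBindingHandler (hunk `@@ -506,114 +545,107 @@`).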
@@ -575,14 +601,16 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
setupEncryptedKey(encrToken);
}
- dkEncr.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
+ dkEncr.setTokenIdentifier(this.encryptedKeyId);
dkEncr.getParts().addAll(encrParts);
dkEncr.setCustomValueType(WSS4JConstants.SOAPMESSAGE_NS11 + "#"
+ WSS4JConstants.ENC_KEY_VALUE_TYPE);
+
+ AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
dkEncr.setSymmetricEncAlgorithm(algType.getEncryption());
dkEncr.setDerivedKeyLength(algType.getEncryptionDerivedKeyLength() / 8);
- dkEncr.prepare();
+ dkEncr.prepare(this.encryptedKeyValue);
addDerivedKeyElement(dkEncr.getdktElement());
Element refList = dkEncr.encryptForExternalRef(null, encrParts);
@@ -639,6 +667,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
if (!attached && isTokenRequired(sigToken.getIncludeTokenType())) {
WSSecSignature sig = getSignatureBuilder(sigToken, attached, false);
sig.appendBSTElementToHeader();
+ sig.clean();
}
return;
}
@@ -657,10 +686,10 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
dkSign.setWscVersion(ConversationConstants.VERSION_05_02);
}
- dkSign.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
+ dkSign.setTokenIdentifier(this.encryptedKeyId);
// Set the algo info
- dkSign.setSignatureAlgorithm(abinding.getAlgorithmSuite().getSymmetricSignature());
+ dkSign.setSignatureAlgorithm(abinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
dkSign.setSigCanonicalization(abinding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = abinding.getAlgorithmSuite().getAlgorithmSuiteType();
dkSign.setDigestAlgorithm(algType.getDigest());
@@ -675,7 +704,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
dkSign.setAddInclusivePrefixes(includePrefixes);
try {
- dkSign.prepare();
+ dkSign.prepare(this.encryptedKeyValue);
if (abinding.isProtectTokens()) {
assertPolicy(
@@ -711,6 +740,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
mainSigId = dkSign.getSignatureId();
}
+ dkSign.clean();
} catch (Exception ex) {
LOG.log(Level.FINE, ex.getMessage(), ex);
throw new Fault(ex);
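Review bot: `dkSign.clean()` is the last statement inside the try that opens in the preceding hunk (`try {` before `dkSign.prepare(this.encryptedKeyValue)`), so on the exception path whatever clean() releases (presumably the derived-key state the builder holds) is left to the garbage collector. Since dkSign is constructed before the try, a `finally` covers both paths with the existing catch kept as is: `} finally { dkSign.clean(); }`. The `sig.clean()` added in the next hunk (`@@ -757,6 +787,8 @@`) looks like the same pattern, though its enclosing try is not visible here.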
@@ -757,6 +787,8 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
mainSigId = sig.getId();
}
+
+ sig.clean();
}
}
@@ -797,7 +829,11 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
private void createEncryptedKey(AbstractToken token)
throws WSSecurityException {
//Set up the encrypted key to use
- encrKey = this.getEncryptedKeyBuilder(token);
+ AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(algType.getEncryption());
+ SecretKey symmetricKey = keyGen.generateKey();
+
+ encrKey = this.getEncryptedKeyBuilder(token, symmetricKey);
Element bstElem = encrKey.getBinarySecurityTokenElement();
if (bstElem != null) {
// If a BST is available then use it
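Review bot: `binding.getAlgorithmSuite()` in createEncryptedKey reads the suite through a different field than every other site in this class, which uses `abinding` (e.g. `abinding.getAlgorithmSuite().getAlgorithmSuiteType()` in the signature hunks). If `binding` is the untyped superclass reference to the same object this is only a consistency nit, but `AlgorithmSuiteType algType = abinding.getAlgorithmSuite().getAlgorithmSuiteType();` keeps the class uniform. The method's existing `throws WSSecurityException` already covers the new `KeyUtils.getKeyGenerator` call.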
@@ -806,7 +842,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
// Add the EncryptedKey
this.addEncryptedKeyElement(encrKey.getEncryptedKeyElement());
- encryptedKeyValue = encrKey.getEphemeralKey();
+ encryptedKeyValue = symmetricKey.getEncoded();
encryptedKeyId = encrKey.getId();
}
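Review bot: `encryptedKeyValue = symmetricKey.getEncoded();` keeps a copy of the raw content-encryption key in a handler field, and none of the `clean()` calls added in this commit touch that field; they act on the WSS4J builders. If nothing later overwrites it, the key bytes live as long as the handler instance, which is the lifetime the new clean() calls are otherwise trying to shorten. Consider `Arrays.fill(encryptedKeyValue, (byte) 0);` once the last consumer (`dkEncr.prepare(this.encryptedKeyValue)` and `dkSign.prepare(this.encryptedKeyValue)` in the earlier hunks) has run; `java.util.Arrays` would need importing in this file if it is not already.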
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
index bc96d32..19d8af1 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
@@ -89,12 +89,12 @@ public class StaxAsymmetricBindingHandler extends AbstractStaxBindingHandler {
String asymSignatureAlgorithm =
(String)getMessage().getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
if (asymSignatureAlgorithm != null && abinding.getAlgorithmSuite() != null) {
- abinding.getAlgorithmSuite().setAsymmetricSignature(asymSignatureAlgorithm);
+ abinding.getAlgorithmSuite().getAlgorithmSuiteType().setAsymmetricSignature(asymSignatureAlgorithm);
}
String symSignatureAlgorithm =
(String)getMessage().getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM);
if (symSignatureAlgorithm != null && abinding.getAlgorithmSuite() != null) {
- abinding.getAlgorithmSuite().setSymmetricSignature(symSignatureAlgorithm);
+ abinding.getAlgorithmSuite().getAlgorithmSuiteType().setSymmetricSignature(symSignatureAlgorithm);
}
if (abinding.getProtectionOrder()
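Review bot: The per-message `ASYMMETRIC_SIGNATURE_ALGORITHM` and `SYMMETRIC_SIGNATURE_ALGORITHM` contextual properties are now written into the `AlgorithmSuiteType` returned by `getAlgorithmSuiteType()` rather than into the `AlgorithmSuite` assertion; whether that getter hands back a per-policy copy or an instance shared across policies is not visible here and is worth confirming. If it is shared, a property set on one message would change the signature algorithm selected for every later message using the same suite, which is a cross-message policy mutation. The same change appears in the StaxSymmetricBindingHandler and StaxTransportBindingHandler hunks; a one-line comment at this first site, e.g. `// AlgorithmSuiteType is per-policy here, so per-message overrides do not leak across policies`, would record the assumption once it is checked.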
@@ -451,7 +451,7 @@ public class StaxAsymmetricBindingHandler extends AbstractStaxBindingHandler {
if (sigToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
properties.setSignatureAlgorithm(
- abinding.getAlgorithmSuite().getSymmetricSignature());
+ abinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
}
}
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
index 3d0866a..ab85195 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
@@ -112,12 +112,12 @@ public class StaxSymmetricBindingHandler extends AbstractStaxBindingHandler {
String asymSignatureAlgorithm =
(String)getMessage().getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
if (asymSignatureAlgorithm != null && sbinding.getAlgorithmSuite() != null) {
- sbinding.getAlgorithmSuite().setAsymmetricSignature(asymSignatureAlgorithm);
+ sbinding.getAlgorithmSuite().getAlgorithmSuiteType().setAsymmetricSignature(asymSignatureAlgorithm);
}
String symSignatureAlgorithm =
(String)getMessage().getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM);
if (symSignatureAlgorithm != null && sbinding.getAlgorithmSuite() != null) {
- sbinding.getAlgorithmSuite().setSymmetricSignature(symSignatureAlgorithm);
+ sbinding.getAlgorithmSuite().getAlgorithmSuiteType().setSymmetricSignature(symSignatureAlgorithm);
}
// Set up CallbackHandler which wraps the configured Handler
@@ -593,7 +593,7 @@ public class StaxSymmetricBindingHandler extends AbstractStaxBindingHandler {
if (sigToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
properties.setSignatureAlgorithm(
- sbinding.getAlgorithmSuite().getSymmetricSignature());
+ sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
}
}
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
index 3f9dcf5..b64e186 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
@@ -94,12 +94,12 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
String asymSignatureAlgorithm =
(String)getMessage().getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
if (asymSignatureAlgorithm != null && tbinding.getAlgorithmSuite() != null) {
- tbinding.getAlgorithmSuite().setAsymmetricSignature(asymSignatureAlgorithm);
+ tbinding.getAlgorithmSuite().getAlgorithmSuiteType().setAsymmetricSignature(asymSignatureAlgorithm);
}
String symSignatureAlgorithm =
(String)getMessage().getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM);
if (symSignatureAlgorithm != null && tbinding.getAlgorithmSuite() != null) {
- tbinding.getAlgorithmSuite().setSymmetricSignature(symSignatureAlgorithm);
+ tbinding.getAlgorithmSuite().getAlgorithmSuiteType().setSymmetricSignature(symSignatureAlgorithm);
}
TransportToken token = tbinding.getTransportToken();
@@ -315,9 +315,11 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
WSSSecurityProperties properties = getProperties();
if (securityToken != null && securityToken.getSecret() != null) {
- properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature());
+ properties.setSignatureAlgorithm(
+ tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
} else {
- properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getAsymmetricSignature());
+ properties.setSignatureAlgorithm(
+ tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature());
}
properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
@@ -344,7 +346,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
properties.setIncludeSignatureToken(true);
properties.setSignatureAlgorithm(
- tbinding.getAlgorithmSuite().getSymmetricSignature());
+ tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
properties.setSignatureCanonicalizationAlgorithm(
tbinding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
@@ -357,7 +359,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
WSSSecurityProperties properties = getProperties();
properties.setSignatureAlgorithm(
- tbinding.getAlgorithmSuite().getAsymmetricSignature());
+ tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature());
properties.setSignatureCanonicalizationAlgorithm(
tbinding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
@@ -373,7 +375,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
properties.setSignatureAlgorithm(
- tbinding.getAlgorithmSuite().getSymmetricSignature());
+ tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
properties.setSignatureCanonicalizationAlgorithm(
tbinding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
@@ -397,7 +399,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
configureSignature(token, false);
if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
properties.setSignatureAlgorithm(
- tbinding.getAlgorithmSuite().getSymmetricSignature());
+ tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
}
}
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
index 87a6a30..263982d 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -21,9 +21,12 @@ package org.apache.cxf.ws.security.wss4j.policyhandlers;
import java.time.Instant;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.List;
import java.util.logging.Level;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.xml.crypto.dsig.Reference;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
@@ -53,6 +56,7 @@ import org.apache.wss4j.common.derivedKey.ConversationConstants;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.token.SecurityTokenReference;
import org.apache.wss4j.common.util.KeyUtils;
+import org.apache.wss4j.common.util.UsernameTokenUtil;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
@@ -206,7 +210,24 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
sigParts.addAll(this.getSignedParts(null));
List<WSEncryptionPart> encrParts = getEncryptedParts();
- WSSecBase encr = doEncryption(encryptionWrapper, tok, attached, encrParts, true);
+
+ WSSecBase encr = null;
+ SecretKey symmetricKey = null;
+ if (encryptionWrapper.getToken() != null && !encrParts.isEmpty()) {
+ if (encryptionWrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+ encr = doEncryptionDerived(encryptionWrapper, tok, attached, encrParts, true);
+ } else {
+ byte[] ephemeralKey = tok.getSecret();
+ String symEncAlgorithm = sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
+ if (ephemeralKey != null) {
+ symmetricKey = KeyUtils.prepareSecretKey(symEncAlgorithm, ephemeralKey);
+ } else {
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);
+ symmetricKey = keyGen.generateKey();
+ }
+ encr = doEncryption(encryptionWrapper, tok, attached, encrParts, true, symmetricKey);
+ }
+ }
handleEncryptedSignedHeaders(encrParts, sigParts);
if (!isRequestor()) {
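Review bot: The `ephemeralKey == null` fallback at `KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);` generates a fresh random key, yet the doEncryption it feeds (hunk `@@ -506,114 +545,107 @@`) calls `encr.setEncryptSymmKey(false)`, so that key is not transported in the message; unless the recipient can obtain it from the referenced token, which is not visible here, a comment explaining when the fallback is reachable and who holds the key would help. The same block is repeated verbatim in the hunk at `@@ -385,23 +410,41 @@`; extracting it into one helper keeps the two paths from drifting and gives the fallback a single place to be documented.
```java
// … unchanged: signed-parts and encrypted-parts setup …
WSSecBase encr = null;
SecretKey symmetricKey = null;
if (encryptionWrapper.getToken() != null && !encrParts.isEmpty()) {
    if (encryptionWrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
        encr = doEncryptionDerived(encryptionWrapper, tok, attached, encrParts, true);
    } else {
        symmetricKey = resolveSymmetricKey(tok);
        encr = doEncryption(encryptionWrapper, tok, attached, encrParts, true, symmetricKey);
    }
}
// … unchanged: handleEncryptedSignedHeaders and the rest of the method …

// Content-encryption key for the non-derived-key path: the token secret when the
// token carries one, otherwise a freshly generated key for the suite's algorithm.
// NOTE(review): with setEncryptSymmKey(false) a generated key is not transported;
// confirm the recipient can obtain it before relying on this fallback.
private SecretKey resolveSymmetricKey(SecurityToken tok) throws WSSecurityException {
    String symEncAlgorithm = sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
    byte[] ephemeralKey = tok.getSecret();
    if (ephemeralKey != null) {
        return KeyUtils.prepareSecretKey(symEncAlgorithm, ephemeralKey);
    }
    return KeyUtils.getKeyGenerator(symEncAlgorithm).generateKey();
}
```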
@@ -248,20 +269,24 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
secondEncrParts.addAll(encryptedTokensList);
}
- Element secondRefList = null;
+ if (!secondEncrParts.isEmpty()) {
+ Element secondRefList = null;
- if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys
- && !secondEncrParts.isEmpty()) {
- secondRefList = ((WSSecDKEncrypt)encr).encryptForExternalRef(null,
- secondEncrParts);
- } else if (!secondEncrParts.isEmpty()) {
- //Encrypt, get hold of the ref list and add it
- secondRefList = ((WSSecEncrypt)encr).encryptForRef(null, secondEncrParts);
- }
- if (secondRefList != null) {
- this.addDerivedKeyElement(secondRefList);
+ if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+ secondRefList = ((WSSecDKEncrypt)encr).encryptForExternalRef(null, secondEncrParts);
+ } else {
+ //Encrypt, get hold of the ref list and add it
+ secondRefList = ((WSSecEncrypt)encr).encryptForRef(null, secondEncrParts, symmetricKey);
+ }
+ if (secondRefList != null) {
+ this.addDerivedKeyElement(secondRefList);
+ }
}
}
+
+ if (encr != null) {
+ encr.clean();
+ }
}
} catch (RuntimeException ex) {
LOG.log(Level.FINE, ex.getMessage(), ex);
@@ -385,23 +410,41 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
if (isRequestor()) {
enc.addAll(encryptedTokensList);
}
- doEncryption(encrAbstractTokenWrapper,
- encrTok,
- tokIncluded,
- enc,
- false);
+
+ if (encrAbstractTokenWrapper.getToken() != null && !enc.isEmpty()) {
+ WSSecBase encr = null;
+ if (encrAbstractTokenWrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+ encr = doEncryptionDerived(encrAbstractTokenWrapper, encrTok, tokIncluded, enc, false);
+ } else {
+ byte[] ephemeralKey = encrTok.getSecret();
+ SecretKey symmetricKey = null;
+ String symEncAlgorithm = sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
+ if (ephemeralKey != null) {
+ symmetricKey = KeyUtils.prepareSecretKey(symEncAlgorithm, ephemeralKey);
+ } else {
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);
+ symmetricKey = keyGen.generateKey();
+ }
+ encr = doEncryption(encrAbstractTokenWrapper, encrTok, tokIncluded, enc, false, symmetricKey);
+ }
+
+ encr.clean();
+ }
} catch (Exception e) {
LOG.log(Level.FINE, e.getMessage(), e);
throw new Fault(e);
}
}
- private WSSecBase doEncryptionDerived(AbstractTokenWrapper recToken,
+ private WSSecDKEncrypt doEncryptionDerived(AbstractTokenWrapper recToken,
SecurityToken encrTok,
- AbstractToken encrToken,
boolean attached,
List<WSEncryptionPart> encrParts,
boolean atEnd) {
+
+ AbstractToken encrToken = recToken.getToken();
+ assertPolicy(recToken);
+ assertPolicy(encrToken);
try {
WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(secHeader);
dkEncr.setEncryptionSerializer(new StaxSerializer());
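Review bot: `encr.clean();` at the end of the new block is unguarded, but both `doEncryption` and `doEncryptionDerived` return `null` after logging and unasserting the policy on a WSSecurityException (the `return null;` lines are visible in both rewritten methods further down), so an encryption failure here becomes a NullPointerException that the following `catch (Exception e)` wraps into the Fault, and the reported cause is the NPE rather than the policy failure. The earlier hunk (`@@ -248,20 +269,24 @@`) guards the same call; use the same form here: `if (encr != null) { encr.clean(); }`.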
@@ -416,13 +459,9 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
}
if (attached && encrTok.getAttachedReference() != null) {
- dkEncr.setExternalKey(
- encrTok.getSecret(), cloneElement(encrTok.getAttachedReference())
- );
+ dkEncr.setStrElem(cloneElement(encrTok.getAttachedReference()));
} else if (encrTok.getUnattachedReference() != null) {
- dkEncr.setExternalKey(
- encrTok.getSecret(), cloneElement(encrTok.getUnattachedReference())
- );
+ dkEncr.setStrElem(cloneElement(encrTok.getUnattachedReference()));
} else if (!isRequestor() && encrTok.getSHA1() != null) {
// If the Encrypted key used to create the derived key is not
// attached use key identifier as defined in WSS1.1 section
@@ -441,7 +480,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
}
}
tokenRef.addTokenType(tokenType);
- dkEncr.setExternalKey(encrTok.getSecret(), tokenRef.getElement());
+ dkEncr.setStrElem(tokenRef.getElement());
} else {
if (attached) {
String id = encrTok.getWsuId();
@@ -456,10 +495,10 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
if (id.startsWith("#")) {
id = id.substring(1);
}
- dkEncr.setExternalKey(encrTok.getSecret(), id);
+ dkEncr.setTokenIdentifier(id);
} else {
dkEncr.setTokenIdDirectId(true);
- dkEncr.setExternalKey(encrTok.getSecret(), encrTok.getId());
+ dkEncr.setTokenIdentifier(encrTok.getId());
}
}
@@ -489,7 +528,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
AlgorithmSuiteType algType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
dkEncr.setSymmetricEncAlgorithm(algType.getEncryption());
dkEncr.setDerivedKeyLength(algType.getEncryptionDerivedKeyLength() / 8);
- dkEncr.prepare();
+ dkEncr.prepare(encrTok.getSecret());
Element encrDKTokenElem = null;
encrDKTokenElem = dkEncr.getdktElement();
addDerivedKeyElement(encrDKTokenElem);
@@ -506,114 +545,107 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
return null;
}
- private WSSecBase doEncryption(AbstractTokenWrapper recToken,
+ private WSSecEncrypt doEncryption(AbstractTokenWrapper recToken,
SecurityToken encrTok,
boolean attached,
List<WSEncryptionPart> encrParts,
- boolean atEnd) {
- //Do encryption
- if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) {
- AbstractToken encrToken = recToken.getToken();
- assertPolicy(recToken);
- assertPolicy(encrToken);
- AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();
- if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
- return doEncryptionDerived(recToken, encrTok, encrToken,
- attached, encrParts, atEnd);
- }
- try {
- WSSecEncrypt encr = new WSSecEncrypt(secHeader);
- encr.setEncryptionSerializer(new StaxSerializer());
- encr.setIdAllocator(wssConfig.getIdAllocator());
- encr.setCallbackLookup(callbackLookup);
- encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
- encr.setStoreBytesInAttachment(storeBytesInAttachment);
- encr.setExpandXopInclude(isExpandXopInclude());
- encr.setWsDocInfo(wsDocInfo);
- String encrTokId = encrTok.getId();
- if (attached) {
- encrTokId = encrTok.getWsuId();
- if (encrTokId == null
- && (encrToken instanceof SecureConversationToken
- || encrToken instanceof SecurityContextToken)) {
- encr.setEncKeyIdDirectId(true);
- encrTokId = encrTok.getId();
- } else if (encrTokId == null) {
- encrTokId = encrTok.getId();
- }
- if (encrTokId.startsWith("#")) {
- encrTokId = encrTokId.substring(1);
- }
- } else {
+ boolean atEnd,
+ SecretKey symmetricKey) {
+ AbstractToken encrToken = recToken.getToken();
+ assertPolicy(recToken);
+ assertPolicy(encrToken);
+ try {
+ WSSecEncrypt encr = new WSSecEncrypt(secHeader);
+ encr.setEncryptionSerializer(new StaxSerializer());
+ encr.setIdAllocator(wssConfig.getIdAllocator());
+ encr.setCallbackLookup(callbackLookup);
+ encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
+ encr.setStoreBytesInAttachment(storeBytesInAttachment);
+ encr.setExpandXopInclude(isExpandXopInclude());
+ encr.setWsDocInfo(wsDocInfo);
+ String encrTokId = encrTok.getId();
+ if (attached) {
+ encrTokId = encrTok.getWsuId();
+ if (encrTokId == null
+ && (encrToken instanceof SecureConversationToken
+ || encrToken instanceof SecurityContextToken)) {
encr.setEncKeyIdDirectId(true);
+ encrTokId = encrTok.getId();
+ } else if (encrTokId == null) {
+ encrTokId = encrTok.getId();
}
- if (encrTok.getTokenType() != null) {
- encr.setCustomReferenceValue(encrTok.getTokenType());
- }
- encr.setEncKeyId(encrTokId);
- encr.setEphemeralKey(encrTok.getSecret());
- Crypto crypto = getEncryptionCrypto();
- if (crypto != null) {
- setEncryptionUser(encr, encrToken, false, crypto);
+ if (encrTokId.startsWith("#")) {
+ encrTokId = encrTokId.substring(1);
}
+ } else {
+ encr.setEncKeyIdDirectId(true);
+ }
+ if (encrTok.getTokenType() != null) {
+ encr.setCustomReferenceValue(encrTok.getTokenType());
+ }
+ encr.setEncKeyId(encrTokId);
+ AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();
+ encr.setSymmetricEncAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
+ Crypto crypto = getEncryptionCrypto();
+ if (crypto != null) {
+ setEncryptionUser(encr, encrToken, false, crypto);
+ }
- encr.setEncryptSymmKey(false);
- encr.setSymmetricEncAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
- encr.setMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo());
- encr.setDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest());
-
- if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken
- || encrToken instanceof SecureConversationToken) {
- //Setting the AttachedReference or the UnattachedReference according to the flag
- Element ref;
- if (attached) {
- ref = encrTok.getAttachedReference();
- } else {
- ref = encrTok.getUnattachedReference();
- }
+ encr.setEncryptSymmKey(false);
+ encr.setMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo());
+ encr.setDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest());
- String tokenType = encrTok.getTokenType();
- if (ref != null) {
- SecurityTokenReference secRef =
- new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
- encr.setSecurityTokenReference(secRef);
- } else if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
- || WSS4JConstants.SAML_NS.equals(tokenType)) {
- encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
- encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
- } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
- || WSS4JConstants.SAML2_NS.equals(tokenType)) {
- encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
- encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
- } else {
- encr.setCustomReferenceValue(tokenType);
- encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
- }
- } else if (encrToken instanceof UsernameToken) {
- encr.setCustomReferenceValue(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
- } else if (encrToken instanceof KerberosToken && !isRequestor()) {
- encr.setCustomReferenceValue(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE);
- encr.setEncKeyId(encrTok.getSHA1());
- } else if (!isRequestor() && encrTok.getSHA1() != null) {
- encr.setCustomReferenceValue(encrTok.getSHA1());
- encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
+ if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken
+ || encrToken instanceof SecureConversationToken) {
+ //Setting the AttachedReference or the UnattachedReference according to the flag
+ Element ref;
+ if (attached) {
+ ref = encrTok.getAttachedReference();
+ } else {
+ ref = encrTok.getUnattachedReference();
}
- encr.prepare(crypto);
-
- if (encr.getBSTTokenId() != null) {
- encr.prependBSTElementToHeader();
+ String tokenType = encrTok.getTokenType();
+ if (ref != null) {
+ SecurityTokenReference secRef =
+ new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
+ encr.setSecurityTokenReference(secRef);
+ } else if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
+ || WSS4JConstants.SAML_NS.equals(tokenType)) {
+ encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
+ encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+ } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
+ || WSS4JConstants.SAML2_NS.equals(tokenType)) {
+ encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
+ encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+ } else {
+ encr.setCustomReferenceValue(tokenType);
+ encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
}
+ } else if (encrToken instanceof UsernameToken) {
+ encr.setCustomReferenceValue(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
+ } else if (encrToken instanceof KerberosToken && !isRequestor()) {
+ encr.setCustomReferenceValue(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE);
+ encr.setEncKeyId(encrTok.getSHA1());
+ } else if (!isRequestor() && encrTok.getSHA1() != null) {
+ encr.setCustomReferenceValue(encrTok.getSHA1());
+ encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
+ }
- Element refList = encr.encryptForRef(null, encrParts);
- List<Element> attachments = encr.getAttachmentEncryptedDataElements();
- addAttachmentsForEncryption(atEnd, refList, attachments);
+ encr.prepare(crypto, symmetricKey);
- return encr;
- } catch (WSSecurityException e) {
- LOG.log(Level.FINE, e.getMessage(), e);
- unassertPolicy(recToken, e);
+ if (encr.getBSTTokenId() != null) {
+ encr.prependBSTElementToHeader();
}
+
+ Element refList = encr.encryptForRef(null, encrParts, symmetricKey);
+ List<Element> attachments = encr.getAttachmentEncryptedDataElements();
+ addAttachmentsForEncryption(atEnd, refList, attachments);
+
+ return encr;
+ } catch (WSSecurityException e) {
+ LOG.log(Level.FINE, e.getMessage(), e);
+ unassertPolicy(recToken, e);
}
return null;
}
@@ -672,7 +704,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
}
if (ref != null) {
- dkSign.setExternalKey(tok.getSecret(), cloneElement(ref));
+ dkSign.setStrElem(cloneElement(ref));
} else if (!isRequestor() && policyToken.getDerivedKeys()
== DerivedKeys.RequireDerivedKeys && tok.getSHA1() != null) {
// If the Encrypted key used to create the derived key is not
@@ -694,17 +726,17 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
}
tokenRef.addTokenType(tokenType);
}
- dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement());
+ dkSign.setStrElem(tokenRef.getElement());
} else {
if ((!attached && !isRequestor()) || policyToken instanceof SecureConversationToken
|| policyToken instanceof SecurityContextToken) {
dkSign.setTokenIdDirectId(true);
}
- dkSign.setExternalKey(tok.getSecret(), tok.getId());
+ dkSign.setTokenIdentifier(tok.getId());
}
//Set the algo info
- dkSign.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
+ dkSign.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
dkSign.setSigCanonicalization(sbinding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
dkSign.setDigestAlgorithm(algType.getDigest());
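Review bot: The new `dkSign.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());` repeats the accessor chain that the `algType` local declared two lines below already captures, and it runs well past the usual line limit. Moving `AlgorithmSuiteType algType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();` above the call and writing `dkSign.setSignatureAlgorithm(algType.getSymmetricSignature());` keeps signature, digest and derived-key settings sourced from one suite object. The same shape recurs in TransportBindingHandler: the `dkSig.setSignatureAlgorithm` hunk now declares `algType` before the call yet still spells out the chain, and the `dkSign.setSignatureAlgorithm(algorithmSuite...)` and `sig.setSignatureAlgorithm` hunks do likewise. The enclosing method starts and ends outside this hunk.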
@@ -740,7 +772,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
}
}
- dkSign.prepare();
+ dkSign.prepare(tok.getSecret());
if (sbinding.isProtectTokens()) {
String sigTokId = tok.getId();
@@ -775,8 +807,11 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
this.mainSigId = dkSign.getSignatureId();
+ dkSign.clean();
return dkSign.getSignatureValue();
}
+
+ dkSign.clean();
return null;
}
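Review bot: The added `dkSign.clean()` calls run only on the two normal return paths; if anything between `dkSign.prepare(tok.getSecret())` and the return throws, the builder is never cleaned. Wrapping the steps after `prepare` in `try { ... } finally { dkSign.clean(); }` gives the same clean-up on the exception path, assuming `clean()` is what discards the builder's derived-key state — I can't confirm that from the hunk. The same pattern applies to `sig.clean()` in the next hunk and to the `dkSig.clean()`/`dkSign.clean()` additions in TransportBindingHandler. The enclosing method starts outside this hunk, so the right place for the `try` is not visible here.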
@@ -877,7 +912,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
sig.setCustomTokenId(sigTokId);
sig.setSecretKey(tok.getSecret());
- sig.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
+ sig.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
boolean includePrefixes =
MessageUtils.getContextualBoolean(
@@ -908,16 +943,24 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
bottomUpElement = sig.getSignatureElement();
this.mainSigId = sig.getId();
+
+ sig.clean();
return sig.getSignatureValue();
}
+
+ sig.clean();
return null;
}
private String setupEncryptedKey(AbstractTokenWrapper wrapper, AbstractToken sigToken) throws WSSecurityException {
- WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(sigToken);
+ AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(algType.getEncryption());
+ SecretKey symmetricKey = keyGen.generateKey();
+
+ WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(sigToken, symmetricKey);
assertTokenWrapper(wrapper);
String id = encrKey.getId();
- byte[] secret = encrKey.getEphemeralKey();
+ byte[] secret = symmetricKey.getEncoded();
Instant created = Instant.now();
Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
@@ -932,7 +975,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
// Set the SHA1 value of the encrypted key, this is used when the encrypted
// key is referenced via a key identifier of type EncryptedKeySHA1
- tempTok.setSHA1(getSHA1(encrKey.getEncryptedEphemeralKey()));
+ tempTok.setSHA1(encrKey.getEncryptedKeySHA1());
tokenStore.add(tempTok);
// Create another cache entry with the SHA1 Identifier as the key for easy retrieval
@@ -958,20 +1001,26 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
}
private String setupUTDerivedKey(UsernameToken sigToken) throws WSSecurityException {
- boolean useMac = hasSignedPartsOrElements();
- WSSecUsernameToken usernameToken = addDKUsernameToken(sigToken, useMac);
- String id = usernameToken.getId();
- byte[] secret = usernameToken.getDerivedKey();
+ assertToken(sigToken);
+ if (isTokenRequired(sigToken.getIncludeTokenType())) {
+ boolean useMac = hasSignedPartsOrElements();
+ byte[] salt = UsernameTokenUtil.generateSalt(useMac);
+ WSSecUsernameToken usernameToken = addDKUsernameToken(sigToken, salt, useMac);
+ String id = usernameToken.getId();
+ byte[] secret = usernameToken.getDerivedKey(salt);
+ Arrays.fill(salt, (byte)0);
- Instant created = Instant.now();
- Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
- SecurityToken tempTok =
- new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires);
- tempTok.setSecret(secret);
+ Instant created = Instant.now();
+ Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
+ SecurityToken tempTok =
+ new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires);
+ tempTok.setSecret(secret);
- tokenStore.add(tempTok);
+ tokenStore.add(tempTok);
- return id;
+ return id;
+ }
+ return null;
}
private SecurityToken getEncryptedKey() {
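Review bot: `setupUTDerivedKey` now returns `null` when `isTokenRequired(sigToken.getIncludeTokenType())` is false, whereas the removed code always returned the token id; its callers are outside the hunk and, unless they already handle a null id, a derived-key signature path would now fail with a NullPointerException instead of a WSSecurityException. Either document the new contract with `@return the id of the stored derived-key token, or {@code null} when the policy does not require the token to be included` or throw a WSSecurityException in that branch. Separately, `Arrays.fill(salt, (byte)0)` is skipped if `addDKUsernameToken` or `getDerivedKey(salt)` throws; a `finally` makes the clearing unconditional, and the matching lines in the TransportBindingHandler hunk have the same shape.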
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
index 3a1b7c4..f0fc873 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
@@ -21,10 +21,13 @@ package org.apache.cxf.ws.security.wss4j.policyhandlers;
import java.time.Instant;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.logging.Level;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.xml.crypto.dsig.Reference;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
@@ -51,6 +54,8 @@ import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.token.SecurityTokenReference;
+import org.apache.wss4j.common.util.KeyUtils;
+import org.apache.wss4j.common.util.UsernameTokenUtil;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.message.WSSecDKSign;
@@ -331,9 +336,11 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
addSig(doIssuedTokenSignature(token, wrapper));
} else if (token instanceof UsernameToken) {
// Create a UsernameToken object for derived keys and store the security token
- WSSecUsernameToken usernameToken = addDKUsernameToken((UsernameToken)token, true);
+ byte[] salt = UsernameTokenUtil.generateSalt(true);
+ WSSecUsernameToken usernameToken = addDKUsernameToken((UsernameToken)token, salt, true);
String id = usernameToken.getId();
- byte[] secret = usernameToken.getDerivedKey();
+ byte[] secret = usernameToken.getDerivedKey(salt);
+ Arrays.fill(salt, (byte)0);
Instant created = Instant.now();
Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
@@ -357,7 +364,11 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
- WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(token);
+ AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(algType.getEncryption());
+ SecretKey symmetricKey = keyGen.generateKey();
+
+ WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(token, symmetricKey);
assertPolicy(wrapper);
Element bstElem = encrKey.getBinarySecurityTokenElement();
@@ -374,18 +385,17 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
}
dkSig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
- dkSig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
+ dkSig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
dkSig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
dkSig.setStoreBytesInAttachment(storeBytesInAttachment);
dkSig.setExpandXopInclude(isExpandXopInclude());
dkSig.setWsDocInfo(wsDocInfo);
- AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
dkSig.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
- dkSig.setExternalKey(encrKey.getEphemeralKey(), encrKey.getId());
+ dkSig.setTokenIdentifier(encrKey.getId());
- dkSig.prepare();
+ dkSig.prepare(symmetricKey.getEncoded());
dkSig.getParts().addAll(sigParts);
List<Reference> referenceList = dkSig.addReferencesToSign(sigParts);
@@ -394,6 +404,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
dkSig.appendDKElementToHeader();
dkSig.computeSignature(referenceList, false, null);
+ dkSig.clean();
return dkSig.getSignatureValue();
}
WSSecSignature sig = getSignatureBuilder(token, false, false);
@@ -478,9 +489,9 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
}
if (ref != null) {
- dkSign.setExternalKey(secTok.getSecret(), cloneElement(ref));
+ dkSign.setStrElem(cloneElement(ref));
} else {
- dkSign.setExternalKey(secTok.getSecret(), secTok.getId());
+ dkSign.setTokenIdentifier(secTok.getId());
}
if (token instanceof UsernameToken) {
@@ -488,13 +499,13 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
}
// Set the algo info
- dkSign.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature());
+ dkSign.setSignatureAlgorithm(algorithmSuite.getAlgorithmSuiteType().getSymmetricSignature());
AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
if (token.getVersion() == SPConstants.SPVersion.SP11) {
dkSign.setWscVersion(ConversationConstants.VERSION_05_02);
}
- dkSign.prepare();
+ dkSign.prepare(secTok.getSecret());
addDerivedKeyElement(dkSign.getdktElement());
@@ -504,6 +515,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
//Do signature
dkSign.computeSignature(referenceList, false, null);
+ dkSign.clean();
return dkSign.getSignatureValue();
}
@@ -594,11 +606,11 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
}
sig.setUserInfo(uname, password);
- sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
+ sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature());
} else {
crypto = getSignatureCrypto();
sig.setSecretKey(secTok.getSecret());
- sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
+ sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
}
sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
index 0042681..b66bf1e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
@@ -117,8 +117,8 @@ public class AlgorithmSuitePolicyValidator extends AbstractSecurityPolicyValidat
) {
String signatureMethod =
(String)result.get(WSSecurityEngineResult.TAG_SIGNATURE_METHOD);
- if (!algorithmPolicy.getAsymmetricSignature().equals(signatureMethod)
- && !algorithmPolicy.getSymmetricSignature().equals(signatureMethod)) {
+ if (!algorithmPolicy.getAlgorithmSuiteType().getAsymmetricSignature().equals(signatureMethod)
+ && !algorithmPolicy.getAlgorithmSuiteType().getSymmetricSignature().equals(signatureMethod)) {
ai.setNotAsserted(
"The signature method does not match the requirement"
);
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomPolicyAlgorithmsTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomPolicyAlgorithmsTest.java
index 4f4f0bb..989b3d2 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomPolicyAlgorithmsTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomPolicyAlgorithmsTest.java
@@ -44,9 +44,9 @@ public class CustomPolicyAlgorithmsTest extends AbstractPolicySecurityTest {
AsymmetricBinding binding = (AsymmetricBinding) assertInfo.getAssertion();
// set Signature Algorithm to RSA SHA-256
- binding.getAlgorithmSuite().setAsymmetricSignature(rsaSha2SigMethod);
+ binding.getAlgorithmSuite().getAlgorithmSuiteType().setAsymmetricSignature(rsaSha2SigMethod);
- String sigMethod = binding.getAlgorithmSuite().getAsymmetricSignature();
+ String sigMethod = binding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature();
assertNotNull(sigMethod);
assertEquals(rsaSha2SigMethod, sigMethod);
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java
index 750aa90..158e5f8 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java
@@ -23,6 +23,8 @@ import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
@@ -40,6 +42,7 @@ import org.apache.wss4j.common.saml.bean.AuthenticationStatementBean;
import org.apache.wss4j.common.saml.bean.KeyInfoBean;
import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER;
import org.apache.wss4j.common.saml.bean.SubjectBean;
+import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.message.WSSecEncryptedKey;
@@ -59,7 +62,6 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
protected X509Certificate[] certs;
protected Statement statement = Statement.AUTHN;
protected CERT_IDENTIFIER certIdentifier = CERT_IDENTIFIER.X509_CERT;
- protected byte[] ephemeralKey;
protected boolean multiValue = true;
public void setConfirmationMethod(String confMethod) {
@@ -78,10 +80,6 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
this.certs = certs;
}
- public byte[] getEphemeralKey() {
- return ephemeralKey;
- }
-
/**
* Note that the SubjectBean parameter should be null for SAML2.0
*/
@@ -175,8 +173,10 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc);
encrKey.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER);
encrKey.setUseThisCert(certs[0]);
- encrKey.prepare(null);
- ephemeralKey = encrKey.getEphemeralKey();
+
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_128);
+ SecretKey symmetricKey = keyGen.generateKey();
+ encrKey.prepare(null, symmetricKey);
Element encryptedKeyElement = encrKey.getEncryptedKeyElement();
// Append the EncryptedKey to a KeyInfo element
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
index ba5bb13..0b4b80c 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
@@ -29,6 +29,8 @@ import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.xml.bind.JAXBElement;
import javax.xml.namespace.QName;
@@ -77,6 +79,7 @@ import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.wss4j.common.WSS4JConstants;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.util.DateUtil;
+import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.message.WSSecEncryptedKey;
@@ -375,10 +378,17 @@ public abstract class AbstractOperation {
WSSecEncryptedKey builder = new WSSecEncryptedKey(doc);
builder.setUserInfo(name);
builder.setKeyIdentifierType(encryptionProperties.getKeyIdentifierType());
- builder.setEphemeralKey(secret);
builder.setKeyEncAlgo(keyWrapAlgorithm);
- builder.prepare(stsProperties.getEncryptionCrypto());
+ SecretKey symmetricKey = null;
+ if (secret != null) {
+ symmetricKey = KeyUtils.prepareSecretKey(encryptionProperties.getEncryptionAlgorithm(), secret);
+ } else {
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(encryptionProperties.getEncryptionAlgorithm());
+ symmetricKey = keyGen.generateKey();
+ }
+
+ builder.prepare(stsProperties.getEncryptionCrypto(), symmetricKey);
return builder.getEncryptedKeyElement();
}
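Review bot: `SecretKey symmetricKey = null;` followed by an if/else that assigns in both branches defeats definite-assignment checking; declare `SecretKey symmetricKey;` without the initializer, or collapse it to `SecretKey symmetricKey = secret != null ? KeyUtils.prepareSecretKey(encryptionProperties.getEncryptionAlgorithm(), secret) : KeyUtils.getKeyGenerator(encryptionProperties.getEncryptionAlgorithm()).generateKey();`. The `secret != null` branch also deserves a comment that `prepareSecretKey` is handed caller-supplied key bytes whose length must match `encryptionProperties.getEncryptionAlgorithm()`; whether that is validated upstream is not visible here. The identical block appears in the DefaultSubjectProvider hunk. The enclosing method starts outside this hunk.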
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
index d5f2284..c080d4b 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
@@ -27,6 +27,8 @@ import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.kerberos.KerberosPrincipal;
@@ -55,6 +57,7 @@ import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER;
import org.apache.wss4j.common.saml.bean.SubjectBean;
import org.apache.wss4j.common.saml.builder.SAML1Constants;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
+import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.message.WSSecEncryptedKey;
/**
@@ -331,11 +334,18 @@ public class DefaultSubjectProvider implements SubjectProvider {
// Create an EncryptedKey
WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc);
encrKey.setKeyIdentifierType(encryptionProperties.getKeyIdentifierType());
- encrKey.setEphemeralKey(secret);
- encrKey.setSymmetricEncAlgorithm(encryptionProperties.getEncryptionAlgorithm());
encrKey.setUseThisCert(certificate);
encrKey.setKeyEncAlgo(encryptionProperties.getKeyWrapAlgorithm());
- encrKey.prepare(encryptionCrypto);
+
+ SecretKey symmetricKey = null;
+ if (secret != null) {
+ symmetricKey = KeyUtils.prepareSecretKey(encryptionProperties.getEncryptionAlgorithm(), secret);
+ } else {
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(encryptionProperties.getEncryptionAlgorithm());
+ symmetricKey = keyGen.generateKey();
+ }
+
+ encrKey.prepare(encryptionCrypto, symmetricKey);
Element encryptedKeyElement = encrKey.getEncryptedKeyElement();
// Append the EncryptedKey to a KeyInfo element
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java
index b4cb1a7..e907da1 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java
@@ -25,6 +25,8 @@ import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.xml.bind.JAXBElement;
import javax.xml.namespace.QName;
@@ -43,6 +45,7 @@ import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
import org.apache.wss4j.common.ConfigurationConstants;
import org.apache.wss4j.common.WSEncryptionPart;
import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.message.WSSecEncrypt;
@@ -171,8 +174,11 @@ public final class TokenProviderUtils {
WSEncryptionPart encryptionPart = new WSEncryptionPart(id, "Element");
encryptionPart.setElement(element);
- builder.prepare(stsProperties.getEncryptionCrypto());
- builder.encryptForRef(null, Collections.singletonList(encryptionPart));
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(encryptionAlgorithm);
+ SecretKey symmetricKey = keyGen.generateKey();
+
+ builder.prepare(stsProperties.getEncryptionCrypto(), symmetricKey);
+ builder.encryptForRef(null, Collections.singletonList(encryptionPart), symmetricKey);
return (Element)frag.getFirstChild();
}
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java
index 0a31958..ca8f151 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java
@@ -26,6 +26,8 @@ import java.util.Collections;
import java.util.List;
import java.util.Properties;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.xml.bind.JAXBElement;
import javax.xml.namespace.QName;
@@ -70,6 +72,7 @@ import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.saml.builder.SAML1Constants;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
import org.apache.wss4j.common.util.DOM2Writer;
+import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.engine.WSSConfig;
@@ -839,9 +842,12 @@ public class IssueSamlUnitTest {
builder.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
builder.setKeyEncAlgo(WSS4JConstants.KEYTRANSPORT_RSAOAEP);
- builder.prepare(stsProperties.getSignatureCrypto());
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_128);
+ SecretKey symmetricKey = keyGen.generateKey();
+
+ builder.prepare(stsProperties.getSignatureCrypto(), symmetricKey);
Element encryptedKeyElement = builder.getEncryptedKeyElement();
- byte[] secret = builder.getEphemeralKey();
+ byte[] secret = symmetricKey.getEncoded();
EntropyType entropyType = new EntropyType();
entropyType.getAny().add(encryptedKeyElement);
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java
index e04d7b5..50ea95b 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java
@@ -26,7 +26,8 @@ import org.apache.cxf.common.security.SimplePrincipal;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor;
-import org.apache.wss4j.dom.message.token.UsernameToken;
+import org.apache.wss4j.common.util.UsernameTokenUtil;
+import org.apache.xml.security.utils.XMLUtils;
public class CustomUsernameTokenInterceptor extends UsernameTokenInterceptor {
@@ -44,11 +45,16 @@ public class CustomUsernameTokenInterceptor extends UsernameTokenInterceptor {
// add roles this user is in
String roleName = "Alice".equals(name) ? "developers" : "pms";
- String expectedPassword = "Alice".equals(name) ? "ecilA"
- : UsernameToken.doPasswordDigest(nonce, created, "invalid-password");
- if (!password.equals(expectedPassword)) {
+ try {
+ String expectedPassword = "Alice".equals(name) ? "ecilA"
+ : UsernameTokenUtil.doPasswordDigest(XMLUtils.decode(nonce), created, "invalid-password");
+ if (!password.equals(expectedPassword)) {
+ throw new SecurityException("Wrong Password");
+ }
+ } catch (org.apache.wss4j.common.ext.WSSecurityException ex) {
throw new SecurityException("Wrong Password");
}
+
subject.getPrincipals().add(new SimpleGroup(roleName, name));
subject.setReadOnly();
return subject;
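Review bot: The `catch (org.apache.wss4j.common.ext.WSSecurityException ex)` branch rethrows `SecurityException("Wrong Password")` without chaining `ex`, so a nonce-decode or digest failure becomes indistinguishable from a wrong password when this systest misbehaves; use `throw new SecurityException("Wrong Password", ex);`. As a nit, `password.equals(expectedPassword)` is an early-exit comparison of the client-supplied digest; `MessageDigest.isEqual(password.getBytes(StandardCharsets.UTF_8), expectedPassword.getBytes(StandardCharsets.UTF_8))` is the constant-time form, although for test code this is optional. The enclosing method starts outside this hunk.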
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/SHA512PolicyLoader.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/SHA512PolicyLoader.java
index 3c1910b..c99c9f8 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/SHA512PolicyLoader.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/SHA512PolicyLoader.java
@@ -91,7 +91,7 @@ public class SHA512PolicyLoader implements AlgorithmSuiteLoader {
SHA512AlgorithmSuite(SPConstants.SPVersion version, Policy nestedPolicy) {
super(version, nestedPolicy);
- setAsymmetricSignature("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512");
+ getAlgorithmSuiteType().setAsymmetricSignature("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512");
}
@Override