You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2019/01/29 17:11:33 UTC
[cxf] branch wss4j_2.3.0 updated: Picking up changes to
symmetricKey in WSSEcEncryptedKey
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch wss4j_2.3.0
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/wss4j_2.3.0 by this push:
new ac7d439 Picking up changes to symmetricKey in WSSEcEncryptedKey
ac7d439 is described below
commit ac7d4392ae003e789ef6f4b0da56ac61e803ef9c
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Tue Jan 29 17:11:03 2019 +0000
Picking up changes to symmetricKey in WSSEcEncryptedKey
---
.../saml/sso/AbstractSAMLCallbackHandler.java | 11 +-
.../policyhandlers/AbstractBindingBuilder.java | 7 +-
.../policyhandlers/AsymmetricBindingHandler.java | 256 +++++++++++---------
.../policyhandlers/SymmetricBindingHandler.java | 261 ++++++++++++---------
.../policyhandlers/TransportBindingHandler.java | 12 +-
.../wss4j/saml/AbstractSAMLCallbackHandler.java | 8 +-
.../cxf/sts/operation/AbstractOperation.java | 14 +-
.../sts/token/provider/DefaultSubjectProvider.java | 16 +-
.../cxf/sts/token/provider/TokenProviderUtils.java | 10 +-
.../cxf/sts/operation/IssueSamlUnitTest.java | 10 +-
10 files changed, 358 insertions(+), 247 deletions(-)
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
index 35d3deb..e473bdf 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
@@ -23,6 +23,8 @@ import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
@@ -43,6 +45,7 @@ import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER;
import org.apache.wss4j.common.saml.bean.SubjectBean;
import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean;
import org.apache.wss4j.common.saml.bean.SubjectLocalityBean;
+import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.message.WSSecEncryptedKey;
import org.joda.time.DateTime;
@@ -212,8 +215,12 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc);
encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
encrKey.setUseThisCert(certs[0]);
- encrKey.prepare(null);
- ephemeralKey = encrKey.getSymmetricKey().getEncoded();
+
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_128);
+ SecretKey symmetricKey = keyGen.generateKey();
+
+ encrKey.prepare(null, symmetricKey);
+ ephemeralKey = symmetricKey.getEncoded();
Element encryptedKeyElement = encrKey.getEncryptedKeyElement();
// Append the EncryptedKey to a KeyInfo element
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index f754061..7e5162c 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -35,6 +35,7 @@ import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Level;
import java.util.logging.Logger;
+import javax.crypto.SecretKey;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.Reference;
@@ -1493,7 +1494,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
return null;
}
- protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractToken token) throws WSSecurityException {
+ protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractToken token,
+ SecretKey symmetricKey) throws WSSecurityException {
WSSecEncryptedKey encrKey = new WSSecEncryptedKey(secHeader);
encrKey.setIdAllocator(wssConfig.getIdAllocator());
encrKey.setCallbackLookup(callbackLookup);
@@ -1514,11 +1516,10 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
String encrUser = setEncryptionUser(encrKey, token, false, crypto);
AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
- encrKey.setSymmetricEncAlgorithm(algType.getEncryption());
encrKey.setKeyEncAlgo(algType.getAsymmetricKeyWrap());
encrKey.setMGFAlgorithm(algType.getMGFAlgo());
- encrKey.prepare(crypto);
+ encrKey.prepare(crypto, symmetricKey);
if (alsoIncludeToken) {
X509Certificate encCert = getEncryptCert(crypto, encrUser);
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
index 39ad0ce..a20c52b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
@@ -28,6 +28,8 @@ import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.xml.crypto.dsig.Reference;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
@@ -54,6 +56,7 @@ import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.derivedKey.ConversationConstants;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
@@ -224,12 +227,21 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
encToken = abinding.getInitiatorToken();
}
}
- doEncryption(encToken, enc, false);
+
if (encToken != null) {
+ if (encToken.getToken() != null && !enc.isEmpty()) {
+ if (encToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+ doEncryptionDerived(encToken, enc);
+ } else {
+ String symEncAlgorithm = abinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);
+ SecretKey symmetricKey = keyGen.generateKey();
+ doEncryption(encToken, enc, false, symmetricKey);
+ }
+ }
assertTokenWrapper(encToken);
assertToken(encToken.getToken());
}
-
} catch (Exception e) {
String reason = e.getMessage();
LOG.log(Level.WARNING, "Sign before encryption failed due to : " + reason);
@@ -333,9 +345,21 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
}
WSSecBase encrBase = null;
+ SecretKey symmetricKey = null;
if (encryptionToken != null && !encrParts.isEmpty()) {
- encrBase = doEncryption(wrapper, encrParts, true);
- handleEncryptedSignedHeaders(encrParts, sigParts);
+ if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+ encrBase = doEncryptionDerived(wrapper, encrParts);
+ } else {
+ String symEncAlgorithm = abinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
+ try {
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);
+ symmetricKey = keyGen.generateKey();
+ encrBase = doEncryption(wrapper, encrParts, true, symmetricKey);
+ } catch (WSSecurityException ex) {
+ LOG.log(Level.FINE, ex.getMessage(), ex);
+ throw new Fault(ex);
+ }
+ }
}
if (!isRequestor()) {
@@ -369,12 +393,14 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
}
if (encrBase != null) {
- encryptTokensInSecurityHeader(encryptionToken, encrBase);
+ encryptTokensInSecurityHeader(encryptionToken, encrBase, symmetricKey);
}
}
- private void encryptTokensInSecurityHeader(AbstractToken encryptionToken, WSSecBase encrBase) {
+ private void encryptTokensInSecurityHeader(AbstractToken encryptionToken,
+ WSSecBase encrBase,
+ SecretKey symmetricKey) {
List<WSEncryptionPart> secondEncrParts = new ArrayList<>();
// Check for signature protection
@@ -428,7 +454,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
} else {
this.insertBeforeBottomUp(secondRefList);
}
- ((WSSecEncrypt)encrBase).encryptForRef(secondRefList, secondEncrParts);
+ ((WSSecEncrypt)encrBase).encryptForRef(secondRefList, secondEncrParts, symmetricKey);
} catch (WSSecurityException ex) {
LOG.log(Level.FINE, ex.getMessage(), ex);
@@ -439,125 +465,121 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
private WSSecBase doEncryption(AbstractTokenWrapper recToken,
List<WSEncryptionPart> encrParts,
- boolean externalRef) {
- //Do encryption
- if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) {
- AbstractToken encrToken = recToken.getToken();
- assertPolicy(recToken);
- assertPolicy(encrToken);
- AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
- if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
- return doEncryptionDerived(recToken, encrToken, encrParts, algorithmSuite);
- }
- try {
- WSSecEncrypt encr = new WSSecEncrypt(secHeader);
- encr.setEncryptionSerializer(new StaxSerializer());
- encr.setIdAllocator(wssConfig.getIdAllocator());
- encr.setCallbackLookup(callbackLookup);
- encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
- encr.setStoreBytesInAttachment(storeBytesInAttachment);
- encr.setExpandXopInclude(isExpandXopInclude());
- encr.setWsDocInfo(wsDocInfo);
-
- Crypto crypto = getEncryptionCrypto();
-
- SecurityToken securityToken = getSecurityToken();
- if (!isRequestor() && securityToken != null
- && recToken.getToken() instanceof SamlToken) {
- String tokenType = securityToken.getTokenType();
- if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
- || WSS4JConstants.SAML_NS.equals(tokenType)) {
- encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
- encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
- encr.setCustomEKTokenId(securityToken.getId());
- } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
- || WSS4JConstants.SAML2_NS.equals(tokenType)) {
- encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
- encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
- encr.setCustomEKTokenId(securityToken.getId());
- } else {
- setKeyIdentifierType(encr, encrToken);
- }
+ boolean externalRef,
+ SecretKey symmetricKey) {
+ AbstractToken encrToken = recToken.getToken();
+ assertPolicy(recToken);
+ assertPolicy(encrToken);
+ try {
+ WSSecEncrypt encr = new WSSecEncrypt(secHeader);
+ encr.setEncryptionSerializer(new StaxSerializer());
+ encr.setIdAllocator(wssConfig.getIdAllocator());
+ encr.setCallbackLookup(callbackLookup);
+ encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
+ encr.setStoreBytesInAttachment(storeBytesInAttachment);
+ encr.setExpandXopInclude(isExpandXopInclude());
+ encr.setWsDocInfo(wsDocInfo);
+
+ Crypto crypto = getEncryptionCrypto();
+
+ SecurityToken securityToken = getSecurityToken();
+ if (!isRequestor() && securityToken != null
+ && recToken.getToken() instanceof SamlToken) {
+ String tokenType = securityToken.getTokenType();
+ if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
+ || WSS4JConstants.SAML_NS.equals(tokenType)) {
+ encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
+ encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+ encr.setCustomEKTokenId(securityToken.getId());
+ } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
+ || WSS4JConstants.SAML2_NS.equals(tokenType)) {
+ encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
+ encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+ encr.setCustomEKTokenId(securityToken.getId());
} else {
setKeyIdentifierType(encr, encrToken);
}
- //
- // Using a stored cert is only suitable for the Issued Token case, where
- // we're extracting the cert from a SAML Assertion on the provider side
- //
- if (!isRequestor() && securityToken != null
- && securityToken.getX509Certificate() != null) {
- encr.setUseThisCert(securityToken.getX509Certificate());
- } else if (!isRequestor() && securityToken != null
- && securityToken.getKey() instanceof PublicKey) {
- encr.setUseThisPublicKey((PublicKey)securityToken.getKey());
- encr.setKeyIdentifierType(WSConstants.KEY_VALUE);
- } else {
- setEncryptionUser(encr, encrToken, false, crypto);
- }
- if (!encr.isCertSet() && encr.getUseThisPublicKey() == null && crypto == null) {
- unassertPolicy(recToken, "Missing security configuration. "
- + "Make sure jaxws:client element is configured "
- + "with a " + SecurityConstants.ENCRYPT_PROPERTIES + " value.");
- }
- AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
- encr.setSymmetricEncAlgorithm(algType.getEncryption());
- encr.setKeyEncAlgo(algType.getAsymmetricKeyWrap());
- encr.setMGFAlgorithm(algType.getMGFAlgo());
- encr.setDigestAlgorithm(algType.getEncryptionDigest());
- encr.prepare(crypto);
-
- Element encryptedKeyElement = encr.getEncryptedKeyElement();
- List<Element> attachments = encr.getAttachmentEncryptedDataElements();
- //Encrypt, get hold of the ref list and add it
- if (externalRef) {
- Element refList = encr.encryptForRef(null, encrParts);
- if (refList != null) {
- insertBeforeBottomUp(refList);
- }
- if (attachments != null) {
- for (Element attachment : attachments) {
- this.insertBeforeBottomUp(attachment);
- }
- }
- if (refList != null || (attachments != null && !attachments.isEmpty())) {
- this.addEncryptedKeyElement(encryptedKeyElement);
- }
- } else {
- Element refList = encr.encryptForRef(null, encrParts);
- if (refList != null || (attachments != null && !attachments.isEmpty())) {
- this.addEncryptedKeyElement(encryptedKeyElement);
- }
-
- // Add internal refs
- if (refList != null) {
- encryptedKeyElement.appendChild(refList);
- }
- if (attachments != null) {
- for (Element attachment : attachments) {
- this.addEncryptedKeyElement(attachment);
- }
+ } else {
+ setKeyIdentifierType(encr, encrToken);
+ }
+ //
+ // Using a stored cert is only suitable for the Issued Token case, where
+ // we're extracting the cert from a SAML Assertion on the provider side
+ //
+ if (!isRequestor() && securityToken != null
+ && securityToken.getX509Certificate() != null) {
+ encr.setUseThisCert(securityToken.getX509Certificate());
+ } else if (!isRequestor() && securityToken != null
+ && securityToken.getKey() instanceof PublicKey) {
+ encr.setUseThisPublicKey((PublicKey)securityToken.getKey());
+ encr.setKeyIdentifierType(WSConstants.KEY_VALUE);
+ } else {
+ setEncryptionUser(encr, encrToken, false, crypto);
+ }
+ if (!encr.isCertSet() && encr.getUseThisPublicKey() == null && crypto == null) {
+ unassertPolicy(recToken, "Missing security configuration. "
+ + "Make sure jaxws:client element is configured "
+ + "with a " + SecurityConstants.ENCRYPT_PROPERTIES + " value.");
+ }
+ AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
+ AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
+ encr.setSymmetricEncAlgorithm(algType.getEncryption());
+ encr.setKeyEncAlgo(algType.getAsymmetricKeyWrap());
+ encr.setMGFAlgorithm(algType.getMGFAlgo());
+ encr.setDigestAlgorithm(algType.getEncryptionDigest());
+ encr.prepare(crypto, symmetricKey);
+
+ Element encryptedKeyElement = encr.getEncryptedKeyElement();
+ List<Element> attachments = encr.getAttachmentEncryptedDataElements();
+ //Encrypt, get hold of the ref list and add it
+ if (externalRef) {
+ Element refList = encr.encryptForRef(null, encrParts, symmetricKey);
+ if (refList != null) {
+ insertBeforeBottomUp(refList);
+ }
+ if (attachments != null) {
+ for (Element attachment : attachments) {
+ this.insertBeforeBottomUp(attachment);
}
}
+ if (refList != null || (attachments != null && !attachments.isEmpty())) {
+ this.addEncryptedKeyElement(encryptedKeyElement);
+ }
+ } else {
+ Element refList = encr.encryptForRef(null, encrParts, symmetricKey);
+ if (refList != null || (attachments != null && !attachments.isEmpty())) {
+ this.addEncryptedKeyElement(encryptedKeyElement);
+ }
- // Put BST before EncryptedKey element
- if (encr.getBSTTokenId() != null) {
- encr.prependBSTElementToHeader();
+ // Add internal refs
+ if (refList != null) {
+ encryptedKeyElement.appendChild(refList);
+ }
+ if (attachments != null) {
+ for (Element attachment : attachments) {
+ this.addEncryptedKeyElement(attachment);
+ }
}
+ }
- return encr;
- } catch (WSSecurityException e) {
- LOG.log(Level.FINE, e.getMessage(), e);
- unassertPolicy(recToken, e);
+ // Put BST before EncryptedKey element
+ if (encr.getBSTTokenId() != null) {
+ encr.prependBSTElementToHeader();
}
+
+ return encr;
+ } catch (WSSecurityException e) {
+ LOG.log(Level.FINE, e.getMessage(), e);
+ unassertPolicy(recToken, e);
}
return null;
}
private WSSecBase doEncryptionDerived(AbstractTokenWrapper recToken,
- AbstractToken encrToken,
- List<WSEncryptionPart> encrParts,
- AlgorithmSuite algorithmSuite) {
+ List<WSEncryptionPart> encrParts) {
+ AbstractToken encrToken = recToken.getToken();
+ assertPolicy(recToken);
+ assertPolicy(encrToken);
try {
WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(secHeader);
dkEncr.setEncryptionSerializer(new StaxSerializer());
@@ -579,6 +601,8 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
dkEncr.getParts().addAll(encrParts);
dkEncr.setCustomValueType(WSS4JConstants.SOAPMESSAGE_NS11 + "#"
+ WSS4JConstants.ENC_KEY_VALUE_TYPE);
+
+ AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
dkEncr.setSymmetricEncAlgorithm(algType.getEncryption());
dkEncr.setDerivedKeyLength(algType.getEncryptionDerivedKeyLength() / 8);
@@ -797,7 +821,11 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
private void createEncryptedKey(AbstractTokenWrapper wrapper, AbstractToken token)
throws WSSecurityException {
//Set up the encrypted key to use
- encrKey = this.getEncryptedKeyBuilder(token);
+ AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(algType.getEncryption());
+ SecretKey symmetricKey = keyGen.generateKey();
+
+ encrKey = this.getEncryptedKeyBuilder(token, symmetricKey);
Element bstElem = encrKey.getBinarySecurityTokenElement();
if (bstElem != null) {
// If a BST is available then use it
@@ -806,7 +834,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
// Add the EncryptedKey
this.addEncryptedKeyElement(encrKey.getEncryptedKeyElement());
- encryptedKeyValue = encrKey.getSymmetricKey().getEncoded();
+ encryptedKeyValue = symmetricKey.getEncoded();
encryptedKeyId = encrKey.getId();
}
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
index e56fc39..e96cbfe 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -24,6 +24,8 @@ import java.util.ArrayList;
import java.util.List;
import java.util.logging.Level;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.xml.crypto.dsig.Reference;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPException;
@@ -206,7 +208,24 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
sigParts.addAll(this.getSignedParts(null));
List<WSEncryptionPart> encrParts = getEncryptedParts();
- WSSecBase encr = doEncryption(encryptionWrapper, tok, attached, encrParts, true);
+
+ WSSecBase encr = null;
+ SecretKey symmetricKey = null;
+ if (encryptionWrapper.getToken() != null && !encrParts.isEmpty()) {
+ if (encryptionWrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+ encr = doEncryptionDerived(encryptionWrapper, tok, attached, encrParts, true);
+ } else {
+ byte[] ephemeralKey = tok.getSecret();
+ String symEncAlgorithm = sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
+ if (ephemeralKey != null) {
+ symmetricKey = KeyUtils.prepareSecretKey(symEncAlgorithm, ephemeralKey);
+ } else {
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);
+ symmetricKey = keyGen.generateKey();
+ }
+ encr = doEncryption(encryptionWrapper, tok, attached, encrParts, true, symmetricKey);
+ }
+ }
handleEncryptedSignedHeaders(encrParts, sigParts);
if (!isRequestor()) {
@@ -248,18 +267,18 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
secondEncrParts.addAll(encryptedTokensList);
}
- Element secondRefList = null;
+ if (!secondEncrParts.isEmpty()) {
+ Element secondRefList = null;
- if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys
- && !secondEncrParts.isEmpty()) {
- secondRefList = ((WSSecDKEncrypt)encr).encryptForExternalRef(null,
- secondEncrParts);
- } else if (!secondEncrParts.isEmpty()) {
- //Encrypt, get hold of the ref list and add it
- secondRefList = ((WSSecEncrypt)encr).encryptForRef(null, secondEncrParts);
- }
- if (secondRefList != null) {
- this.addDerivedKeyElement(secondRefList);
+ if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+ secondRefList = ((WSSecDKEncrypt)encr).encryptForExternalRef(null, secondEncrParts);
+ } else {
+ //Encrypt, get hold of the ref list and add it
+ secondRefList = ((WSSecEncrypt)encr).encryptForRef(null, secondEncrParts, symmetricKey);
+ }
+ if (secondRefList != null) {
+ this.addDerivedKeyElement(secondRefList);
+ }
}
}
}
@@ -385,23 +404,38 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
if (isRequestor()) {
enc.addAll(encryptedTokensList);
}
- doEncryption(encrAbstractTokenWrapper,
- encrTok,
- tokIncluded,
- enc,
- false);
+
+ if (encrAbstractTokenWrapper.getToken() != null && !enc.isEmpty()) {
+ if (encrAbstractTokenWrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+ doEncryptionDerived(encrAbstractTokenWrapper, encrTok, tokIncluded, enc, false);
+ } else {
+ byte[] ephemeralKey = encrTok.getSecret();
+ SecretKey symmetricKey = null;
+ String symEncAlgorithm = sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
+ if (ephemeralKey != null) {
+ symmetricKey = KeyUtils.prepareSecretKey(symEncAlgorithm, ephemeralKey);
+ } else {
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);
+ symmetricKey = keyGen.generateKey();
+ }
+ doEncryption(encrAbstractTokenWrapper, encrTok, tokIncluded, enc, false, symmetricKey);
+ }
+ }
} catch (Exception e) {
LOG.log(Level.FINE, e.getMessage(), e);
throw new Fault(e);
}
}
- private WSSecBase doEncryptionDerived(AbstractTokenWrapper recToken,
+ private WSSecDKEncrypt doEncryptionDerived(AbstractTokenWrapper recToken,
SecurityToken encrTok,
- AbstractToken encrToken,
boolean attached,
List<WSEncryptionPart> encrParts,
boolean atEnd) {
+
+ AbstractToken encrToken = recToken.getToken();
+ assertPolicy(recToken);
+ assertPolicy(encrToken);
try {
WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(secHeader);
dkEncr.setEncryptionSerializer(new StaxSerializer());
@@ -506,114 +540,107 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
return null;
}
- private WSSecBase doEncryption(AbstractTokenWrapper recToken,
+ private WSSecEncrypt doEncryption(AbstractTokenWrapper recToken,
SecurityToken encrTok,
boolean attached,
List<WSEncryptionPart> encrParts,
- boolean atEnd) {
- //Do encryption
- if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) {
- AbstractToken encrToken = recToken.getToken();
- assertPolicy(recToken);
- assertPolicy(encrToken);
- AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();
- if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
- return doEncryptionDerived(recToken, encrTok, encrToken,
- attached, encrParts, atEnd);
- }
- try {
- WSSecEncrypt encr = new WSSecEncrypt(secHeader);
- encr.setEncryptionSerializer(new StaxSerializer());
- encr.setIdAllocator(wssConfig.getIdAllocator());
- encr.setCallbackLookup(callbackLookup);
- encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
- encr.setStoreBytesInAttachment(storeBytesInAttachment);
- encr.setExpandXopInclude(isExpandXopInclude());
- encr.setWsDocInfo(wsDocInfo);
- String encrTokId = encrTok.getId();
- if (attached) {
- encrTokId = encrTok.getWsuId();
- if (encrTokId == null
- && (encrToken instanceof SecureConversationToken
- || encrToken instanceof SecurityContextToken)) {
- encr.setEncKeyIdDirectId(true);
- encrTokId = encrTok.getId();
- } else if (encrTokId == null) {
- encrTokId = encrTok.getId();
- }
- if (encrTokId.startsWith("#")) {
- encrTokId = encrTokId.substring(1);
- }
- } else {
+ boolean atEnd,
+ SecretKey symmetricKey) {
+ AbstractToken encrToken = recToken.getToken();
+ assertPolicy(recToken);
+ assertPolicy(encrToken);
+ try {
+ WSSecEncrypt encr = new WSSecEncrypt(secHeader);
+ encr.setEncryptionSerializer(new StaxSerializer());
+ encr.setIdAllocator(wssConfig.getIdAllocator());
+ encr.setCallbackLookup(callbackLookup);
+ encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
+ encr.setStoreBytesInAttachment(storeBytesInAttachment);
+ encr.setExpandXopInclude(isExpandXopInclude());
+ encr.setWsDocInfo(wsDocInfo);
+ String encrTokId = encrTok.getId();
+ if (attached) {
+ encrTokId = encrTok.getWsuId();
+ if (encrTokId == null
+ && (encrToken instanceof SecureConversationToken
+ || encrToken instanceof SecurityContextToken)) {
encr.setEncKeyIdDirectId(true);
+ encrTokId = encrTok.getId();
+ } else if (encrTokId == null) {
+ encrTokId = encrTok.getId();
}
- if (encrTok.getTokenType() != null) {
- encr.setCustomReferenceValue(encrTok.getTokenType());
+ if (encrTokId.startsWith("#")) {
+ encrTokId = encrTokId.substring(1);
}
- encr.setEncKeyId(encrTokId);
- encr.setSymmetricEncAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
- encr.setEphemeralKey(encrTok.getSecret());
- Crypto crypto = getEncryptionCrypto();
- if (crypto != null) {
- setEncryptionUser(encr, encrToken, false, crypto);
- }
-
- encr.setEncryptSymmKey(false);
- encr.setMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo());
- encr.setDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest());
+ } else {
+ encr.setEncKeyIdDirectId(true);
+ }
+ if (encrTok.getTokenType() != null) {
+ encr.setCustomReferenceValue(encrTok.getTokenType());
+ }
+ encr.setEncKeyId(encrTokId);
+ AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();
+ encr.setSymmetricEncAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
+ Crypto crypto = getEncryptionCrypto();
+ if (crypto != null) {
+ setEncryptionUser(encr, encrToken, false, crypto);
+ }
- if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken
- || encrToken instanceof SecureConversationToken) {
- //Setting the AttachedReference or the UnattachedReference according to the flag
- Element ref;
- if (attached) {
- ref = encrTok.getAttachedReference();
- } else {
- ref = encrTok.getUnattachedReference();
- }
+ encr.setEncryptSymmKey(false);
+ encr.setMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo());
+ encr.setDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest());
- String tokenType = encrTok.getTokenType();
- if (ref != null) {
- SecurityTokenReference secRef =
- new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
- encr.setSecurityTokenReference(secRef);
- } else if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
- || WSS4JConstants.SAML_NS.equals(tokenType)) {
- encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
- encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
- } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
- || WSS4JConstants.SAML2_NS.equals(tokenType)) {
- encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
- encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
- } else {
- encr.setCustomReferenceValue(tokenType);
- encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
- }
- } else if (encrToken instanceof UsernameToken) {
- encr.setCustomReferenceValue(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
- } else if (encrToken instanceof KerberosToken && !isRequestor()) {
- encr.setCustomReferenceValue(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE);
- encr.setEncKeyId(encrTok.getSHA1());
- } else if (!isRequestor() && encrTok.getSHA1() != null) {
- encr.setCustomReferenceValue(encrTok.getSHA1());
- encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
+ if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken
+ || encrToken instanceof SecureConversationToken) {
+ //Setting the AttachedReference or the UnattachedReference according to the flag
+ Element ref;
+ if (attached) {
+ ref = encrTok.getAttachedReference();
+ } else {
+ ref = encrTok.getUnattachedReference();
}
- encr.prepare(crypto);
-
- if (encr.getBSTTokenId() != null) {
- encr.prependBSTElementToHeader();
+ String tokenType = encrTok.getTokenType();
+ if (ref != null) {
+ SecurityTokenReference secRef =
+ new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
+ encr.setSecurityTokenReference(secRef);
+ } else if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
+ || WSS4JConstants.SAML_NS.equals(tokenType)) {
+ encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
+ encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+ } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
+ || WSS4JConstants.SAML2_NS.equals(tokenType)) {
+ encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
+ encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+ } else {
+ encr.setCustomReferenceValue(tokenType);
+ encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
}
+ } else if (encrToken instanceof UsernameToken) {
+ encr.setCustomReferenceValue(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
+ } else if (encrToken instanceof KerberosToken && !isRequestor()) {
+ encr.setCustomReferenceValue(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE);
+ encr.setEncKeyId(encrTok.getSHA1());
+ } else if (!isRequestor() && encrTok.getSHA1() != null) {
+ encr.setCustomReferenceValue(encrTok.getSHA1());
+ encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
+ }
- Element refList = encr.encryptForRef(null, encrParts);
- List<Element> attachments = encr.getAttachmentEncryptedDataElements();
- addAttachmentsForEncryption(atEnd, refList, attachments);
+ encr.prepare(crypto, symmetricKey);
- return encr;
- } catch (WSSecurityException e) {
- LOG.log(Level.FINE, e.getMessage(), e);
- unassertPolicy(recToken, e);
+ if (encr.getBSTTokenId() != null) {
+ encr.prependBSTElementToHeader();
}
+
+ Element refList = encr.encryptForRef(null, encrParts, symmetricKey);
+ List<Element> attachments = encr.getAttachmentEncryptedDataElements();
+ addAttachmentsForEncryption(atEnd, refList, attachments);
+
+ return encr;
+ } catch (WSSecurityException e) {
+ LOG.log(Level.FINE, e.getMessage(), e);
+ unassertPolicy(recToken, e);
}
return null;
}
@@ -914,10 +941,14 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
}
private String setupEncryptedKey(AbstractTokenWrapper wrapper, AbstractToken sigToken) throws WSSecurityException {
- WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(sigToken);
+ AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(algType.getEncryption());
+ SecretKey symmetricKey = keyGen.generateKey();
+
+ WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(sigToken, symmetricKey);
assertTokenWrapper(wrapper);
String id = encrKey.getId();
- byte[] secret = encrKey.getSymmetricKey().getEncoded();
+ byte[] secret = symmetricKey.getEncoded();
Instant created = Instant.now();
Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
index 2723478..d25b1fd 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
@@ -25,6 +25,8 @@ import java.util.Collection;
import java.util.List;
import java.util.logging.Level;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.xml.crypto.dsig.Reference;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPMessage;
@@ -50,6 +52,7 @@ import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.token.SecurityTokenReference;
+import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.message.WSSecDKSign;
@@ -356,7 +359,11 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
- WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(token);
+ AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(algType.getEncryption());
+ SecretKey symmetricKey = keyGen.generateKey();
+
+ WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(token, symmetricKey);
assertPolicy(wrapper);
Element bstElem = encrKey.getBinarySecurityTokenElement();
@@ -379,10 +386,9 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
dkSig.setExpandXopInclude(isExpandXopInclude());
dkSig.setWsDocInfo(wsDocInfo);
- AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
dkSig.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
- dkSig.setExternalKey(encrKey.getSymmetricKey().getEncoded(), encrKey.getId());
+ dkSig.setExternalKey(symmetricKey.getEncoded(), encrKey.getId());
dkSig.prepare();
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java
index 0e54cf2..158e5f8 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java
@@ -23,6 +23,8 @@ import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
@@ -40,6 +42,7 @@ import org.apache.wss4j.common.saml.bean.AuthenticationStatementBean;
import org.apache.wss4j.common.saml.bean.KeyInfoBean;
import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER;
import org.apache.wss4j.common.saml.bean.SubjectBean;
+import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.message.WSSecEncryptedKey;
@@ -170,7 +173,10 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc);
encrKey.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER);
encrKey.setUseThisCert(certs[0]);
- encrKey.prepare(null);
+
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_128);
+ SecretKey symmetricKey = keyGen.generateKey();
+ encrKey.prepare(null, symmetricKey);
Element encryptedKeyElement = encrKey.getEncryptedKeyElement();
// Append the EncryptedKey to a KeyInfo element
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
index ba5bb13..0b4b80c 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
@@ -29,6 +29,8 @@ import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.xml.bind.JAXBElement;
import javax.xml.namespace.QName;
@@ -77,6 +79,7 @@ import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.wss4j.common.WSS4JConstants;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.util.DateUtil;
+import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.message.WSSecEncryptedKey;
@@ -375,10 +378,17 @@ public abstract class AbstractOperation {
WSSecEncryptedKey builder = new WSSecEncryptedKey(doc);
builder.setUserInfo(name);
builder.setKeyIdentifierType(encryptionProperties.getKeyIdentifierType());
- builder.setEphemeralKey(secret);
builder.setKeyEncAlgo(keyWrapAlgorithm);
- builder.prepare(stsProperties.getEncryptionCrypto());
+ SecretKey symmetricKey = null;
+ if (secret != null) {
+ symmetricKey = KeyUtils.prepareSecretKey(encryptionProperties.getEncryptionAlgorithm(), secret);
+ } else {
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(encryptionProperties.getEncryptionAlgorithm());
+ symmetricKey = keyGen.generateKey();
+ }
+
+ builder.prepare(stsProperties.getEncryptionCrypto(), symmetricKey);
return builder.getEncryptedKeyElement();
}
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
index d5f2284..c080d4b 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
@@ -27,6 +27,8 @@ import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.kerberos.KerberosPrincipal;
@@ -55,6 +57,7 @@ import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER;
import org.apache.wss4j.common.saml.bean.SubjectBean;
import org.apache.wss4j.common.saml.builder.SAML1Constants;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
+import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.message.WSSecEncryptedKey;
/**
@@ -331,11 +334,18 @@ public class DefaultSubjectProvider implements SubjectProvider {
// Create an EncryptedKey
WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc);
encrKey.setKeyIdentifierType(encryptionProperties.getKeyIdentifierType());
- encrKey.setEphemeralKey(secret);
- encrKey.setSymmetricEncAlgorithm(encryptionProperties.getEncryptionAlgorithm());
encrKey.setUseThisCert(certificate);
encrKey.setKeyEncAlgo(encryptionProperties.getKeyWrapAlgorithm());
- encrKey.prepare(encryptionCrypto);
+
+ SecretKey symmetricKey = null;
+ if (secret != null) {
+ symmetricKey = KeyUtils.prepareSecretKey(encryptionProperties.getEncryptionAlgorithm(), secret);
+ } else {
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(encryptionProperties.getEncryptionAlgorithm());
+ symmetricKey = keyGen.generateKey();
+ }
+
+ encrKey.prepare(encryptionCrypto, symmetricKey);
Element encryptedKeyElement = encrKey.getEncryptedKeyElement();
// Append the EncryptedKey to a KeyInfo element
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java
index b4cb1a7..e907da1 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java
@@ -25,6 +25,8 @@ import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.xml.bind.JAXBElement;
import javax.xml.namespace.QName;
@@ -43,6 +45,7 @@ import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
import org.apache.wss4j.common.ConfigurationConstants;
import org.apache.wss4j.common.WSEncryptionPart;
import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.dom.message.WSSecEncrypt;
@@ -171,8 +174,11 @@ public final class TokenProviderUtils {
WSEncryptionPart encryptionPart = new WSEncryptionPart(id, "Element");
encryptionPart.setElement(element);
- builder.prepare(stsProperties.getEncryptionCrypto());
- builder.encryptForRef(null, Collections.singletonList(encryptionPart));
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(encryptionAlgorithm);
+ SecretKey symmetricKey = keyGen.generateKey();
+
+ builder.prepare(stsProperties.getEncryptionCrypto(), symmetricKey);
+ builder.encryptForRef(null, Collections.singletonList(encryptionPart), symmetricKey);
return (Element)frag.getFirstChild();
}
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java
index 6c555ba..e6756a7 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java
@@ -27,6 +27,8 @@ import java.util.Collections;
import java.util.List;
import java.util.Properties;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import javax.xml.bind.JAXBElement;
import javax.xml.namespace.QName;
@@ -71,6 +73,7 @@ import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.saml.builder.SAML1Constants;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
import org.apache.wss4j.common.util.DOM2Writer;
+import org.apache.wss4j.common.util.KeyUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDocInfo;
import org.apache.wss4j.dom.engine.WSSConfig;
@@ -839,9 +842,12 @@ public class IssueSamlUnitTest {
builder.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
builder.setKeyEncAlgo(WSS4JConstants.KEYTRANSPORT_RSAOAEP);
- builder.prepare(stsProperties.getSignatureCrypto());
+ KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_128);
+ SecretKey symmetricKey = keyGen.generateKey();
+
+ builder.prepare(stsProperties.getSignatureCrypto(), symmetricKey);
Element encryptedKeyElement = builder.getEncryptedKeyElement();
- byte[] secret = builder.getSymmetricKey().getEncoded();
+ byte[] secret = symmetricKey.getEncoded();
EntropyType entropyType = new EntropyType();
entropyType.getAny().add(encryptedKeyElement);