Posted to commits@ws.apache.org by co...@apache.org on 2020/04/20 14:43:10 UTC

[ws-wss4j] branch 2_2_x-fixes updated (44431e3 -> 28d9993)

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a change to branch 2_2_x-fixes
in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git.


    from 44431e3  Fixing potential NPEs when searching for elements, if the Ids are null
     new 3c97792  Expected signature algorithm is overwriten with default in case of DSA (#11)
     new 28d9993  Adding Saml ECDSA SHA1 test

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../wss4j/common/saml/SamlAssertionWrapper.java    | 16 +++----
 .../wss4j/dom/saml/SamlAlgorithmSuiteTest.java     | 50 +++++++++++++++++++++-
 2 files changed, 56 insertions(+), 10 deletions(-)


[ws-wss4j] 01/02: Expected signature algorithm is overwriten with default in case of DSA (#11)

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 2_2_x-fixes
in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git

commit 3c97792850bf14f79419fc5e9fc8d9e555e9b807
Author: Thomas Papke <we...@thopap.de>
AuthorDate: Mon Apr 20 15:27:38 2020 +0200

    Expected signature algorithm is overwriten with default in case of DSA (#11)
    
    and EC Keys (WSS-670)
    * prevent overriding configured signature algorithm
    
    Co-authored-by: Thomas Papke <th...@icw.de>
---
 .../apache/wss4j/common/saml/SamlAssertionWrapper.java   | 16 ++++++++--------
 .../apache/wss4j/dom/saml/SamlAlgorithmSuiteTest.java    |  2 +-
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java b/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java
index bc120ac..0657a48 100644
--- a/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java
+++ b/ws-security-common/src/main/java/org/apache/wss4j/common/saml/SamlAssertionWrapper.java
@@ -484,7 +484,7 @@ public class SamlAssertionWrapper {
 
         signAssertion(issuerKeyName, issuerKeyPassword, issuerCrypto,
                 sendKeyValue, defaultCanonicalizationAlgorithm,
-                defaultRSASignatureAlgorithm, defaultSignatureDigestAlgorithm);
+                null, defaultSignatureDigestAlgorithm);
     }
 
     /**
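Review bot: Passing `null` here makes this overload depend on the callee's key-type detection, but nothing at the call site or in the overload's Javadoc says so, and a reader comparing against the previous `defaultRSASignatureAlgorithm` argument may think the default was simply lost. Add `// null: signAssertion picks the default for the issuer key type (RSA/DSA/EC)` above the call, and state in the overload's Javadoc that the signature algorithm is derived from the issuer certificate's public-key algorithm. The enclosing method starts before the hunk, so its Javadoc is not visible here.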
@@ -550,13 +550,13 @@ public class SamlAssertionWrapper {
         String sigAlgo = signatureAlgorithm;
         if (sigAlgo == null) {
             sigAlgo = defaultRSASignatureAlgorithm;
-        }
-        String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();
-        LOG.debug("automatic sig algo detection: {}", pubKeyAlgo);
-        if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
-            sigAlgo = defaultDSASignatureAlgorithm;
-        } else if (pubKeyAlgo.equalsIgnoreCase("EC")) {
-            sigAlgo = defaultECDSASignatureAlgorithm;
+            String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();
+            LOG.debug("automatic sig algo detection: {}", pubKeyAlgo);
+            if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
+                sigAlgo = defaultDSASignatureAlgorithm;
+            } else if (pubKeyAlgo.equalsIgnoreCase("EC")) {
+                sigAlgo = defaultECDSASignatureAlgorithm;
+            }
         }
         LOG.debug("Using Signature algorithm {}", sigAlgo);
         PrivateKey privateKey;
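Review bot: Now that a non-null `signatureAlgorithm` is used as-is, a configured URI that does not fit the issuer key (for example an RSA signature method with an EC key) passes through this block silently and only fails later when the signature is computed, whereas the old code hid that by always overriding. If honouring the configured value is the intended contract, say so where `sigAlgo` is assigned: `// A configured algorithm is honoured verbatim; key-type detection only fills in the default.`, and consider a `LOG.warn` when the configured algorithm and the key algorithm family disagree so the later signing failure is easier to diagnose. `issuerCerts[0]` is now dereferenced only on the default path; whether `issuerCerts` is checked for null or empty before this point is outside the hunk, so I cannot tell. The enclosing signAssertion starts before and ends after the hunk.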
diff --git a/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlAlgorithmSuiteTest.java b/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlAlgorithmSuiteTest.java
index 75f54cb..393154b 100644
--- a/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlAlgorithmSuiteTest.java
+++ b/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlAlgorithmSuiteTest.java
@@ -233,7 +233,7 @@ public class SamlAlgorithmSuiteTest extends org.junit.Assert {
             assertTrue(ex.getErrorCode() == WSSecurityException.ErrorCode.INVALID_SECURITY);
         }
 
-        algorithmSuite.addSignatureMethod(WSConstants.ECDSA_SHA1);
+        algorithmSuite.addSignatureMethod(WSConstants.ECDSA_SHA256);
 
         verify(securityHeader, algorithmSuite, crypto);
     }


[ws-wss4j] 02/02: Adding Saml ECDSA SHA1 test

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 2_2_x-fixes
in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git

commit 28d9993bf0d6d032b1325227e1b774a02d425b87
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Mon Apr 20 14:51:06 2020 +0100

    Adding Saml ECDSA SHA1 test
---
 .../wss4j/dom/saml/SamlAlgorithmSuiteTest.java     | 50 +++++++++++++++++++++-
 1 file changed, 48 insertions(+), 2 deletions(-)

diff --git a/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlAlgorithmSuiteTest.java b/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlAlgorithmSuiteTest.java
index 393154b..8c3b6ad 100644
--- a/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlAlgorithmSuiteTest.java
+++ b/ws-security-dom/src/test/java/org/apache/wss4j/dom/saml/SamlAlgorithmSuiteTest.java
@@ -193,7 +193,7 @@ public class SamlAlgorithmSuiteTest extends org.junit.Assert {
     }
 
     @Test
-    public void signWithEcdsaAlgorithm() throws Exception {
+    public void signWithEcdsaAlgorithmSHA1() throws Exception {
         crypto = CryptoFactory.getInstance("wss40.properties");
         SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
         callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN);
@@ -206,7 +206,7 @@ public class SamlAlgorithmSuiteTest extends org.junit.Assert {
 
         samlAssertion.signAssertion(
             "wss40ec", "security", crypto, false,
-            CanonicalizationMethod.EXCLUSIVE, WSConstants.ECDSA_SHA256);
+            CanonicalizationMethod.EXCLUSIVE, WSConstants.ECDSA_SHA1);
 
 
         Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
@@ -233,6 +233,52 @@ public class SamlAlgorithmSuiteTest extends org.junit.Assert {
             assertTrue(ex.getErrorCode() == WSSecurityException.ErrorCode.INVALID_SECURITY);
         }
 
+        algorithmSuite.addSignatureMethod(WSConstants.ECDSA_SHA1);
+
+        verify(securityHeader, algorithmSuite, crypto);
+    }
+
+    @Test
+    public void signWithEcdsaAlgorithmSHA256() throws Exception {
+        crypto = CryptoFactory.getInstance("wss40.properties");
+        SAML1CallbackHandler callbackHandler = new SAML1CallbackHandler();
+        callbackHandler.setStatement(SAML1CallbackHandler.Statement.AUTHN);
+        callbackHandler.setConfirmationMethod(SAML1Constants.CONF_HOLDER_KEY);
+        callbackHandler.setIssuer("www.example.com");
+
+        SAMLCallback samlCallback = new SAMLCallback();
+        SAMLUtil.doSAMLCallback(callbackHandler, samlCallback);
+        SamlAssertionWrapper samlAssertion = new SamlAssertionWrapper(samlCallback);
+
+        samlAssertion.signAssertion(
+                "wss40ec", "security", crypto, false,
+                CanonicalizationMethod.EXCLUSIVE, WSConstants.ECDSA_SHA256);
+
+
+        Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+        WSSecHeader secHeader = new WSSecHeader(doc);
+        secHeader.insertSecurityHeader();
+
+        WSSecSAMLToken wsSign = new WSSecSAMLToken(secHeader);
+
+        Document signedDoc = wsSign.build(samlAssertion);
+
+        if (LOG.isDebugEnabled()) {
+            String outputString =
+                    XMLUtils.prettyDocumentToString(signedDoc);
+            LOG.debug(outputString);
+        }
+
+        Element securityHeader = WSSecurityUtil.getSecurityHeader(signedDoc, null);
+        AlgorithmSuite algorithmSuite = createAlgorithmSuite();
+
+        try {
+            verify(securityHeader, algorithmSuite, crypto);
+            fail("Expected failure as C14n algorithm is not allowed");
+        } catch (WSSecurityException ex) {
+            assertTrue(ex.getErrorCode() == WSSecurityException.ErrorCode.INVALID_SECURITY);
+        }
+
         algorithmSuite.addSignatureMethod(WSConstants.ECDSA_SHA256);
 
         verify(securityHeader, algorithmSuite, crypto);
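Review bot: The `fail("Expected failure as C14n algorithm is not allowed")` message in the new signWithEcdsaAlgorithmSHA256 test does not describe what the test checks: the verify call is expected to fail because ECDSA_SHA256 is not yet in the suite, which is exactly what the following `addSignatureMethod(WSConstants.ECDSA_SHA256)` fixes, so it should read `fail("Expected failure as signature algorithm is not allowed");` (the SHA1 test above carries the same wording, though that line is pre-existing). `assertTrue(ex.getErrorCode() == WSSecurityException.ErrorCode.INVALID_SECURITY)` reports nothing useful on failure; `assertEquals(WSSecurityException.ErrorCode.INVALID_SECURITY, ex.getErrorCode())` shows the actual code. The SHA1 and SHA256 tests now differ only in the signature constant, so the shared body could move into a private helper taking the algorithm URI, leaving each test as a one-line call. The new test's closing brace lies past the end of the hunk.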