Posted to rampart-dev@ws.apache.org by "Ric Emery (JIRA)" <ji...@apache.org> on 2007/04/06 01:04:32 UTC
[jira] Created: (RAMPART-31) Using Policy configuration - a SOAP Message cannot be Encrypted only.
Using Policy configuration - a SOAP Message cannot be Encrypted only.
----------------------------------------------------------------------
Key: RAMPART-31
URL: https://issues.apache.org/jira/browse/RAMPART-31
Project: Rampart
Issue Type: Bug
Components: rampart-core
Affects Versions: 1.1
Reporter: Ric Emery
Unless I am mistaken, AsymmetricBindingBuilder does not support only encrypting a SOAP Message. AsymmetricBindingBuilder assumes that Signatures will always be applied. Logically I would think that leaving out the Policy sp:SignedParts element and/or the sp:InitiatorToken element would result in a message that is encrypted (assuming the Policy configures encryption), but not signed. Leaving the InitiatorToken out of the profile results in a NullPointerException. Leaving out the sp:SignedParts does not disable signatures. I modified AsymmetricBindingBuilder.java to allow encryption without signatures. Being new to the source base, I am not sure that this is the correct fix.
I modified the build method, adding a call to determine if signatures are disabled, added a method to make the determination, and added a doEncryption method. I can submit a diff in the proper format if requested.
Thanks
public void build(RampartMessageData rmd) throws RampartException {
    log.debug("AsymmetricBindingBuilder build invoked");
    RampartPolicyData rpd = rmd.getPolicyData();
    if (rpd.isIncludeTimestamp()) {
        this.addTimestamp(rmd);
    }
    // Encrypt only when the policy marks nothing for signing; otherwise honour the protection order
    if (shouldEncryptOnly(rmd)) {
        this.doEncrypt(rmd);
    } else if (Constants.ENCRYPT_BEFORE_SIGNING.equals(rpd.getProtectionOrder())) {
        this.doEncryptBeforeSig(rmd);
    } else {
        this.doSignBeforeEncrypt(rmd);
    }
    log.debug("AsymmetricBindingBuilder build invoked : DONE");
}

private boolean shouldEncryptOnly(RampartMessageData rmd) {
    // Is there a better way to determine if signatures should be disabled?
    // Signatures are off when neither the body nor any header part is marked for signing.
    RampartPolicyData rampartPolicyData = rmd.getPolicyData();
    Vector parts = rampartPolicyData.getSignedParts();
    return !rampartPolicyData.isSignBody() && (null == parts || parts.size() == 0);
}

private void doEncrypt(RampartMessageData rmd) throws RampartException {
    RampartPolicyData rpd = rmd.getPolicyData();
    Document doc = rmd.getDocument();
    RampartConfig config = rpd.getRampartConfig();
    /*
     * We need to hold on to these two elements to use them as a reference in the
     * case of encrypting the signature
     */
    Element encrDKTokenElem = null;
    WSSecEncrypt encr = null;
    Element refList = null;
    WSSecDKEncrypt dkEncr = null;
    /*
     * We MUST use keys derived from the same token
     */
    Token encryptionToken = rpd.getRecipientToken();
    Vector encrParts = RampartUtil.getEncryptedParts(rmd);
    if (encryptionToken == null && encrParts.size() > 0) {
        throw new RampartException("encryptionTokenMissing");
    }
    if (encryptionToken != null && encrParts.size() > 0) {
        if (encryptionToken.isDerivedKeys()) {
            try {
                this.setupEncryptedKey(rmd, encryptionToken);
                // Create the DK encryption builder
                dkEncr = new WSSecDKEncrypt();
                dkEncr.setParts(encrParts);
                dkEncr.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
                dkEncr.prepare(doc);
                // Get and add the DKT element
                this.encrDKTElement = dkEncr.getdktElement();
                encrDKTokenElem = RampartUtil.appendChildToSecHeader(rmd, this.encrDKTElement);
                refList = dkEncr.encryptForExternalRef(null, encrParts);
            } catch (WSSecurityException e) {
                throw new RampartException("errorCreatingEncryptedKey", e);
            } catch (ConversationException e) {
                throw new RampartException("errorInDKEncr", e);
            }
        } else {
            try {
                // Plain asymmetric case: wrap a fresh symmetric key for the recipient token
                encr = new WSSecEncrypt();
                encr.setParts(encrParts);
                encr.setWsConfig(rmd.getConfig());
                encr.setDocument(doc);
                RampartUtil.setEncryptionUser(rmd, encr);
                encr.setSymmetricEncAlgorithm(rpd.getAlgorithmSuite().getEncryption());
                encr.setKeyEncAlgo(rpd.getAlgorithmSuite().getAsymmetricKeyWrap());
                encr.prepare(doc, RampartUtil.getEncryptionCrypto(config, rmd.getCustomClassLoader()));
                Element bstElem = encr.getBinarySecurityTokenElement();
                if (bstElem != null) {
                    RampartUtil.appendChildToSecHeader(rmd, bstElem);
                }
                this.encrTokenElement = encr.getEncryptedKeyElement();
                this.encrTokenElement = RampartUtil.appendChildToSecHeader(rmd, encrTokenElement);
                refList = encr.encryptForExternalRef(null, encrParts);
            } catch (WSSecurityException e) {
                throw new RampartException("errorInEncryption", e);
            }
        }
        RampartUtil.appendChildToSecHeader(rmd, refList);
        this.setInsertionLocation(encrTokenElement);
    }
}
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
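The policy-level form of the decision the reporter's shouldEncryptOnly() makes, as an added Python example (not Rampart code): it reads a WS-SecurityPolicy 1.1 fragment and reports whether the sp:AsymmetricBinding asks for encrypt-only, sign-only or both, and rejects a policy that requests encryption without an sp:RecipientToken or signing without an sp:InitiatorToken with an explicit error rather than a NullPointerException. The sample policies, the mode names and every rejection string except encryptionTokenMissing are constructed for this example.

```python
"""Policy-level version of the reporter's shouldEncryptOnly() decision.

Added example, not Rampart code. It reads a WS-SecurityPolicy 1.1 fragment and
reports which protection mode the sp:AsymmetricBinding asks for, rejecting
policies that are missing the token a requested operation needs.
"""
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"  # WS-SecurityPolicy 1.1
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"         # WS-Policy
NS = {"sp": SP, "wsp": WSP}


def protection_mode(policy_xml: str) -> str:
    """Return one of the constructed mode names below, or raise ValueError.

    'encryptionTokenMissing' mirrors the check in the reporter's doEncrypt();
    the other rejection strings are constructed for this example.
    """
    root = ET.fromstring(policy_xml)
    binding = root.find(".//sp:AsymmetricBinding", NS)
    if binding is None:
        raise ValueError("noAsymmetricBinding")

    initiator = binding.find(".//sp:InitiatorToken", NS)   # signs with the initiator's key
    recipient = binding.find(".//sp:RecipientToken", NS)   # encrypts to the recipient's key
    # Presence decides: an empty sp:SignedParts still means "sign body and headers".
    wants_sig = root.find(".//sp:SignedParts", NS) is not None
    wants_enc = root.find(".//sp:EncryptedParts", NS) is not None

    if wants_enc and recipient is None:
        raise ValueError("encryptionTokenMissing")
    if wants_sig and initiator is None:
        raise ValueError("signatureTokenMissing")   # explicit error instead of an NPE
    if not wants_sig and not wants_enc:
        raise ValueError("noProtectionRequested")
    if not wants_sig:
        return "encrypt-only"      # the case RAMPART-31 is about
    if not wants_enc:
        return "sign-only"
    encrypt_first = binding.find(".//sp:EncryptBeforeSigning", NS) is not None
    return "encrypt-before-signing" if encrypt_first else "sign-before-encrypting"


def rejection_reason(policy_xml: str):
    """Return the rejection string for a policy, or None if it is accepted."""
    try:
        protection_mode(policy_xml)
    except ValueError as err:
        return str(err)
    return None


# --- constructed sample policies -------------------------------------------
def _policy(binding_children: str, parts: str) -> str:
    return f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne><wsp:All>
    <sp:AsymmetricBinding><wsp:Policy>{binding_children}</wsp:Policy></sp:AsymmetricBinding>
    {parts}
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""


INITIATOR = "<sp:InitiatorToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:InitiatorToken>"
RECIPIENT = "<sp:RecipientToken><wsp:Policy><sp:X509Token/></wsp:Policy></sp:RecipientToken>"
SIGN_BODY = "<sp:SignedParts><sp:Body/></sp:SignedParts>"
ENCRYPT_BODY = "<sp:EncryptedParts><sp:Body/></sp:EncryptedParts>"

# No sp:SignedParts and no sp:InitiatorToken: encrypt-only, as the reporter expects.
ENCRYPT_ONLY = _policy(RECIPIENT + "<sp:IncludeTimestamp/>", ENCRYPT_BODY)
SIGN_AND_ENCRYPT = _policy(INITIATOR + RECIPIENT, SIGN_BODY + ENCRYPT_BODY)
ENCRYPT_THEN_SIGN = _policy(INITIATOR + RECIPIENT + "<sp:EncryptBeforeSigning/>",
                            SIGN_BODY + ENCRYPT_BODY)
# Asks for encryption but names no recipient token: no key to wrap to.
ENCRYPT_NO_RECIPIENT = _policy(INITIATOR, ENCRYPT_BODY)
# Asks for a signature but names no initiator token: the NPE case, now an error.
SIGN_NO_INITIATOR = _policy(RECIPIENT, SIGN_BODY + ENCRYPT_BODY)

if __name__ == "__main__":
    for name in ("ENCRYPT_ONLY", "SIGN_AND_ENCRYPT", "ENCRYPT_THEN_SIGN",
                 "ENCRYPT_NO_RECIPIENT", "SIGN_NO_INITIATOR"):
        policy = globals()[name]
        print(f"{name:22s} -> {rejection_reason(policy) or protection_mode(policy)}")
```

An encrypt-only message gives confidentiality but no integrity or origin authentication, so the receiver cannot tell who produced the ciphertext; that is the trade-off a policy without sp:SignedParts chooses.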
[jira] Updated: (RAMPART-31) Using Policy configuration - a SOAP Message cannot be Encrypted only.
Posted by "Ric Emery (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAMPART-31?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ric Emery updated RAMPART-31:
-----------------------------
Attachment: diff.txt
As requested by Ruchith -
Here is a subversion diff that contains a proposed fix for this issue. The diff is against Revision:537897 of org.apache.rampart.builder.AsymmetricBindingBuilder.java.
Thanks
> Using Policy configuration - a SOAP Message cannot be Encrypted only.
> ----------------------------------------------------------------------
>
> Key: RAMPART-31
> URL: https://issues.apache.org/jira/browse/RAMPART-31
> Project: Rampart
> Issue Type: Bug
> Components: rampart-core
> Affects Versions: 1.1
> Reporter: Ric Emery
> Attachments: diff.txt
[jira] Resolved: (RAMPART-31) Using Policy configuration - a SOAP Message cannot be Encrypted only.
Posted by "Nandana Mihindukulasooriya (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAMPART-31?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nandana Mihindukulasooriya resolved RAMPART-31.
-----------------------------------------------
Resolution: Fixed
Fixed in Revision 611737.
> Using Policy configuration - a SOAP Message cannot be Encrypted only.
> ----------------------------------------------------------------------
>
> Key: RAMPART-31
> URL: https://issues.apache.org/jira/browse/RAMPART-31
> Project: Rampart
> Issue Type: Bug
> Components: rampart-core
> Affects Versions: 1.1
> Reporter: Ric Emery
> Assignee: Nandana Mihindukulasooriya
> Attachments: diff.txt
[jira] Commented: (RAMPART-31) Using Policy configuration - a SOAP Message cannot be Encrypted only.
Posted by "Nandana Mihindukulasooriya (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAMPART-31?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12546215 ]
Nandana Mihindukulasooriya commented on RAMPART-31:
---------------------------------------------------
This is fixed in the Rampart trunk. Patch [1] for issue [2] introduces two test scenarios to check encryption only in the Symmetric Binding and in the Asymmetric Binding.
[1] - RAMPART-105-1.patch
[2] - https://issues.apache.org/jira/browse/RAMPART-105
> Using Policy configuration - a SOAP Message cannot be Encrypted only.
> ----------------------------------------------------------------------
>
> Key: RAMPART-31
> URL: https://issues.apache.org/jira/browse/RAMPART-31
> Project: Rampart
> Issue Type: Bug
> Components: rampart-core
> Affects Versions: 1.1
> Reporter: Ric Emery
> Attachments: diff.txt
[jira] Commented: (RAMPART-31) Using Policy configuration - a SOAP Message cannot be Encrypted only.
Posted by "Ric Emery (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAMPART-31?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12495808 ]
Ric Emery commented on RAMPART-31:
----------------------------------
Done. I attached the output from svn diff to the issue. If you need anything else just ask.
Thanks,
ric
On 5/14/07 7:36 AM, "Ruchith Udayanga Fernando (JIRA)" <ji...@apache.org>
> Using Policy configuration - a SOAP Message cannot be Encrypted only.
> ----------------------------------------------------------------------
>
> Key: RAMPART-31
> URL: https://issues.apache.org/jira/browse/RAMPART-31
> Project: Rampart
> Issue Type: Bug
> Components: rampart-core
> Affects Versions: 1.1
> Reporter: Ric Emery
> Attachments: diff.txt
[jira] Commented: (RAMPART-31) Using Policy configuration - a SOAP Message cannot be Encrypted only.
Posted by "Ruchith Udayanga Fernando (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAMPART-31?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12495627 ]
Ruchith Udayanga Fernando commented on RAMPART-31:
--------------------------------------------------
Please submit your patch against the latest source [1].
Thanks,
Ruchith
[1] https://svn.apache.org/repos/asf/webservices/rampart/trunk/java
> Using Policy configuration - a SOAP Message cannot be Encrypted only.
> ----------------------------------------------------------------------
>
> Key: RAMPART-31
> URL: https://issues.apache.org/jira/browse/RAMPART-31
> Project: Rampart
> Issue Type: Bug
> Components: rampart-core
> Affects Versions: 1.1
> Reporter: Ric Emery
[jira] Assigned: (RAMPART-31) Using Policy configuration - a SOAP Message cannot be Encrypted only.
Posted by "Nandana Mihindukulasooriya (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/RAMPART-31?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nandana Mihindukulasooriya reassigned RAMPART-31:
-------------------------------------------------
Assignee: Nandana Mihindukulasooriya
> Using Policy configuration - a SOAP Message cannot be Encrypted only.
> ----------------------------------------------------------------------
>
> Key: RAMPART-31
> URL: https://issues.apache.org/jira/browse/RAMPART-31
> Project: Rampart
> Issue Type: Bug
> Components: rampart-core
> Affects Versions: 1.1
> Reporter: Ric Emery
> Assignee: Nandana Mihindukulasooriya
> Attachments: diff.txt
>
>
> Unless I am mistaken, AsymmetricBindingBuilder does not support only encrypting a SOAP Message. AsymmetricBindingBuilder assumes that Signatures will always be applied. Logically I would think that leaving out the Policy sp:SignedParts element and/or the sp:InitiatorToken element would result in a message that is encrypted (assuming the Policy configures encryption), but not signed. Leaving the InitiatorToken out of the profile results in a NullPointerException. Leaving out the sp:SignedParts does not disable signatures. I modified AsymmetricBindingBuilder.java to allow encryption without signatures. Being new to the source base I am not sure that this is the correct fix.
> I modified the build method, adding a call to determine if signatures are disabled. Added a method to make the determination. And added a doEncryption method. I can submit a diff in the proper format if requested.
> Thanks
> public void build(RampartMessageData rmd) throws RampartException {
>     log.debug("AsymmetricBindingBuilder build invoked");
>     RampartPolicyData rpd = rmd.getPolicyData();
>     if (rpd.isIncludeTimestamp()) {
>         this.addTimestamp(rmd);
>     }
>     if (shouldEncryptOnly(rmd)) {
>         this.doEncrypt(rmd);
>     } else if (Constants.ENCRYPT_BEFORE_SIGNING.equals(rpd.getProtectionOrder())) {
>         this.doEncryptBeforeSig(rmd);
>     } else {
>         this.doSignBeforeEncrypt(rmd);
>     }
>     log.debug("AsymmetricBindingBuilder build invoked : DONE");
> }
>
> private boolean shouldEncryptOnly(RampartMessageData rmd) {
>     // Is there a better way to determine if signatures should be disabled?
>     RampartPolicyData rampartPolicyData = rmd.getPolicyData();
>     Vector parts = rampartPolicyData.getSignedParts();
>     return !rampartPolicyData.isSignBody() && (null == parts || parts.size() == 0);
> }
>
> private void doEncrypt(RampartMessageData rmd) throws RampartException {
>     RampartPolicyData rpd = rmd.getPolicyData();
>     Document doc = rmd.getDocument();
>     RampartConfig config = rpd.getRampartConfig();
>     /*
>      * We need to hold on to these two elements to use them as reference in the
>      * case of encrypting the signature
>      */
>     Element encrDKTokenElem = null;
>     WSSecEncrypt encr = null;
>     Element refList = null;
>     WSSecDKEncrypt dkEncr = null;
>     /*
>      * We MUST use keys derived from the same token
>      */
>     Token encryptionToken = rpd.getRecipientToken();
>     Vector encrParts = RampartUtil.getEncryptedParts(rmd);
>     if (encryptionToken == null && encrParts.size() > 0) {
>         throw new RampartException("encryptionTokenMissing");
>     }
>     if (encryptionToken != null && encrParts.size() > 0) {
>         if (encryptionToken.isDerivedKeys()) {
>             try {
>                 this.setupEncryptedKey(rmd, encryptionToken);
>                 // Create the DK encryption builder
>                 dkEncr = new WSSecDKEncrypt();
>                 dkEncr.setParts(encrParts);
>                 dkEncr.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
>                 dkEncr.prepare(doc);
>                 // Get and add the DKT element
>                 this.encrDKTElement = dkEncr.getdktElement();
>                 encrDKTokenElem = RampartUtil.appendChildToSecHeader(rmd, this.encrDKTElement);
>                 refList = dkEncr.encryptForExternalRef(null, encrParts);
>             } catch (WSSecurityException e) {
>                 throw new RampartException("errorCreatingEncryptedKey", e);
>             } catch (ConversationException e) {
>                 throw new RampartException("errorInDKEncr", e);
>             }
>         } else {
>             try {
>                 encr = new WSSecEncrypt();
>                 encr.setParts(encrParts);
>                 encr.setWsConfig(rmd.getConfig());
>                 encr.setDocument(doc);
>                 RampartUtil.setEncryptionUser(rmd, encr);
>                 encr.setSymmetricEncAlgorithm(rpd.getAlgorithmSuite().getEncryption());
>                 encr.setKeyEncAlgo(rpd.getAlgorithmSuite().getAsymmetricKeyWrap());
>                 encr.prepare(doc, RampartUtil.getEncryptionCrypto(config, rmd.getCustomClassLoader()));
>                 Element bstElem = encr.getBinarySecurityTokenElement();
>                 if (bstElem != null) {
>                     RampartUtil.appendChildToSecHeader(rmd, bstElem);
>                 }
>                 this.encrTokenElement = encr.getEncryptedKeyElement();
>                 this.encrTokenElement = RampartUtil.appendChildToSecHeader(rmd, encrTokenElement);
>                 refList = encr.encryptForExternalRef(null, encrParts);
>             } catch (WSSecurityException e) {
>                 throw new RampartException("errorInEncryption", e);
>             }
>         }
>         RampartUtil.appendChildToSecHeader(rmd, refList);
>         this.setInsertionLocation(encrTokenElement);
>     }
> }
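The policy shape the reporter describes, an sp:AsymmetricBinding that declares only a RecipientToken and sp:EncryptedParts, with no sp:InitiatorToken and no sp:SignedParts, written out as an added example. It is not part of the issue, its diff.txt attachment, or Rampart's own samples; the wsu:Id, the algorithm suite and the layout are assumptions. Against the proposed patch this policy makes shouldEncryptOnly() return true (getSignedParts() is empty and isSignBody() is false), so build() takes the doEncrypt path instead of dereferencing the missing initiator token. The Rampart configuration that doEncrypt still reads through getRampartConfig() and RampartUtil.setEncryptionUser (encryption user and crypto properties) is not shown.

```xml
<wsp:Policy wsu:Id="EncryptOnlyPolicy"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <!-- Only the recipient's certificate is declared. The initiator
               (signing) token is deliberately absent, which is the case the
               stock 1.1 builder turns into a NullPointerException. -->
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <!-- Assumed suite: AES-128 for the body, RSA 1.5 key wrap for the
               EncryptedKey (maps to getEncryption()/getAsymmetricKeyWrap()). -->
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128Rsa15/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <!-- No sp:SignedParts anywhere in the policy: nothing is signed, so the
           patched shouldEncryptOnly() returns true and only the Body is
           encrypted for the recipient. -->
      <sp:EncryptedParts>
        <sp:Body/>
      </sp:EncryptedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```

Two properties of the resulting message follow directly from the patched build() path and are worth keeping in mind when deciding whether encrypt-only is acceptable: the wsu:Timestamp that addTimestamp() inserts for sp:IncludeTimestamp is not covered by any signature, so it gives the receiver no replay protection, and nothing in the security header proves who produced the EncryptedKey, so the recipient learns only that the sender held its public certificate. Where the caller's identity or message integrity matters, the policy needs an sp:InitiatorToken and sp:SignedParts, or that assurance has to come from a different layer.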