Posted to commits@cxf.apache.org by co...@apache.org on 2017/11/15 18:00:17 UTC

[cxf] 01/02: Adding some encryption tests for tampering

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 35ffd86a41420cd510500373943c72f098c1e1a3
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Nov 15 17:09:03 2017 +0000

    Adding some encryption tests for tampering
    
    (cherry picked from commit ffca1ae7d06ec471e95a65966662a41b05a53709)
    
    # Conflicts:
    #	systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwejws/JweJwsAlgorithmTest.java
---
 .../security/jose/jwejws/JweJwsAlgorithmTest.java  | 55 +++++++++++++++++++++-
 1 file changed, 54 insertions(+), 1 deletion(-)

diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwejws/JweJwsAlgorithmTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwejws/JweJwsAlgorithmTest.java
index 25c4db6..7762317 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwejws/JweJwsAlgorithmTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwejws/JweJwsAlgorithmTest.java
@@ -67,6 +67,7 @@ public class JweJwsAlgorithmTest extends AbstractBusClientServerTestBase {
     //
     // Encryption tests
     //
+
     @org.junit.Test
     public void testEncryptionProperties() throws Exception {
 
@@ -260,10 +261,62 @@ public class JweJwsAlgorithmTest extends AbstractBusClientServerTestBase {
         assertNotEquals(response.getStatus(), 200);
     }
 
+    @org.junit.Test
+    public void testManualEncryption() throws Exception {
+
+        URL busFile = JweJwsAlgorithmTest.class.getResource("client.xml");
+
+        List<Object> providers = new ArrayList<>();
+        providers.add(new JacksonJsonProvider());
+
+        String address = "http://localhost:" + PORT + "/jweoaepgcm/bookstore/books";
+        WebClient client =
+            WebClient.create(address, providers, busFile.toString());
+        client.type("application/json").accept("application/json");
+
+        Map<String, Object> properties = new HashMap<>();
+        properties.put("rs.security.encryption.properties",
+                       "org/apache/cxf/systest/jaxrs/security/bob.jwk.properties");
+        WebClient.getConfig(client).getRequestContext().putAll(properties);
+
+        String header = "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00iLCJjdHkiOiJqc29uIn0";
+        String encryptedKey = "f_Njrwn8fLxvIfftV27lSqEgvyIvkfx5tcI6xJdzXqxSL-Xssaq9TFwbhiJIU6k23i1uLFDd3r7rL"
+            + "V9THMcAo80C-m_SIbA6X4daeIm7ANmREZ9sw9QkD0URis6MAuZkoYIRB6z9g7TDmPTdrpTUWJbwYaBAe-_VYaoVBwRv_A"
+            + "ikPdKJEUWSMxouJEq4TZUVveNjI_tflZpudz1mYXKv9Lw_5byYpwgIB9crI9BR0kfCK9x3BXVFMZHJAg0yIuAKDkcs9Ts"
+            + "TIV0jLXRnb50Uc62OuJ6VFGQw-AL3tNHLRKYXjwDnE492wAZmsaxefql9wbv7b8BLmRUNeKER-26tdA";
+        String iv = "rqUxWbEenVnC3QFx";
+        String cipherText = "8iE2vM79BkXVJ0afH6fbig5uFpQ71nxc-i2SbokQtZO7";
+        String authnTag = "bZk8RwVMZgawyFNSOkMLaw";
+
+
+        // Successful test
+        Response response = client.post(header + "." + encryptedKey + "." + iv + "." + cipherText + "." + authnTag);
+        assertEquals(response.getStatus(), 200);
+
+        // Tamper with the values
+        response = client.post(header + "xyz." + encryptedKey + "." + iv + "." + cipherText + "." + authnTag);
+        assertNotEquals(response.getStatus(), 200);
+
+        response =  client.post(header + "." + encryptedKey + "xyz." + iv + "." + cipherText + "." + authnTag);
+        assertNotEquals(response.getStatus(), 200);
+
+        response = client.post(header + "." + encryptedKey + "." + iv + "xyz." + cipherText + "." + authnTag);
+        assertNotEquals(response.getStatus(), 200);
+
+        response = client.post(header + "." + encryptedKey + "." + iv + "." + cipherText + "xyz." + authnTag);
+        assertNotEquals(response.getStatus(), 200);
+
+        response = client.post(header + "." + encryptedKey + "." + iv + "." + cipherText + "." + authnTag + "xyz");
+        assertNotEquals(response.getStatus(), 200);
+
+        response = client.post(header + "." + encryptedKey + "." + iv + "." + cipherText + ".");
+        assertNotEquals(response.getStatus(), 200);
+    }
+
     //
     // Signature tests
     //
-    
+
     @org.junit.Test
     public void testSignatureProperties() throws Exception {
 
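Review bot: The tamper cases in testManualEncryption assert only `assertNotEquals(response.getStatus(), 200)`, so they pass on any non-200 outcome and do not show that the rejection came from the JWE integrity check. Appending `xyz` changes each segment's length, and for the 22-character `authnTag` it gives a length that is not valid unpadded base64url, so that case is probably rejected during decoding before the GCM tag is ever compared. Consider adding cases that replace one character in the middle of a segment, so it keeps its length and still decodes, and asserting the specific error status the endpoint is expected to return (that status is not visible in this hunk). Separately, JUnit's argument order is (expected, actual), so the positive check would report failures correctly as `assertEquals(200, response.getStatus());`.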
