You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ws.apache.org by co...@apache.org on 2020/03/03 15:41:07 UTC
[ws-wss4j] branch 2_2_x-fixes updated: WSS-666 - Support processing
SignatureValue bytes stored in attachments
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 2_2_x-fixes
in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git
The following commit(s) were added to refs/heads/2_2_x-fixes by this push:
new 8aaa0f3 WSS-666 - Support processing SignatureValue bytes stored in attachments
8aaa0f3 is described below
commit 8aaa0f37698001518b5b9bc771bb73d1d1cfbd47
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Tue Mar 3 15:33:36 2020 +0000
WSS-666 - Support processing SignatureValue bytes stored in attachments
---
.../wss4j/dom/processor/SignatureProcessor.java | 8 ++++
.../wss4j/dom/message/XOPAttachmentTest.java | 53 ++++++++++++++++++++++
2 files changed, 61 insertions(+)
diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java b/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
index a6d3d2d..86f01e7 100644
--- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
+++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
@@ -344,6 +344,13 @@ public class SignatureProcessor implements Processor {
key = KeyUtils.prepareSecretKey(signatureMethod, secretKey);
}
+ if (data.isExpandXopInclude()) {
+ // Look for xop:Include Nodes and expand them
+ List<Element> includeElements =
+ XMLUtils.findElements(elem.getFirstChild(), "Include", WSConstants.XOP_NS);
+ WSSecurityUtil.inlineAttachments(includeElements, data.getAttachmentCallbackHandler(), true);
+ }
+
XMLValidateContext context = new DOMValidateContext(key, elem);
context.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE);
context.setProperty("org.apache.jcp.xml.dsig.secureValidation", Boolean.TRUE);
@@ -372,6 +379,7 @@ public class SignatureProcessor implements Processor {
testMessageReplay(elem, xmlSignature.getSignatureValue().getValue(), key, data, wsDocInfo);
setElementsOnContext(xmlSignature, (DOMValidateContext)context, data, wsDocInfo);
+
boolean signatureOk = xmlSignature.validate(context);
if (signatureOk) {
return xmlSignature;
diff --git a/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java b/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java
index b1ba666..11f30b5 100644
--- a/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java
+++ b/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java
@@ -25,6 +25,7 @@ import java.io.InputStream;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
+import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.UUID;
@@ -660,6 +661,57 @@ public class XOPAttachmentTest extends org.junit.Assert {
assertTrue(processedDoc.contains(SOAP_BODY));
}
+ // We can't put the SignatureValue bytes into an attachment as we are using the JSR-105 API, but for now
+ // let's test that we can process such messages
+ @Test
+ public void testSignatureValueInAttachment() throws Exception {
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ WSSecHeader secHeader = new WSSecHeader(doc);
+ secHeader.insertSecurityHeader();
+
+ WSSecSignature builder = new WSSecSignature(secHeader);
+ builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
+ builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
+
+ AttachmentCallbackHandler outboundAttachmentCallback = new AttachmentCallbackHandler();
+ builder.setAttachmentCallbackHandler(outboundAttachmentCallback);
+ builder.setStoreBytesInAttachment(true);
+
+ Document signedDoc = builder.build(crypto);
+
+ List<Attachment> signedAttachments = outboundAttachmentCallback.getResponseAttachments();
+ assertNotNull(signedAttachments);
+ assertTrue(signedAttachments.size() == 1);
+
+ // Find the SignatureValue + replace with a xop:Include to the attachment!
+ Element signatureValue = XMLUtils.findElement(signedDoc.getDocumentElement(), "SignatureValue", WSConstants.SIG_NS);
+ assertNotNull(signatureValue);
+
+ String attachmentId = UUID.randomUUID().toString();
+ final Attachment attachment = new Attachment();
+ attachment.setId(attachmentId);
+ byte[] decodedBytes = Base64.getMimeDecoder().decode(signatureValue.getTextContent());
+ attachment.setSourceStream(new ByteArrayInputStream(decodedBytes));
+ signedAttachments.add(attachment);
+
+ XMLUtils.setNamespace(signatureValue, WSS4JConstants.XOP_NS, "xop");
+
+ Element signatureValueChild = signedDoc.createElementNS(WSConstants.XOP_NS, "xop:Include");
+ signatureValueChild.setAttributeNS(null, "href", "cid:" + attachmentId);
+ signatureValue.replaceChild(signatureValueChild, signatureValue.getFirstChild());
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("After Signing....");
+ String outputString =
+ XMLUtils.prettyDocumentToString(signedDoc);
+ LOG.debug(outputString);
+ }
+
+ AttachmentCallbackHandler inboundAttachmentCallback =
+ new AttachmentCallbackHandler(signedAttachments);
+ verify(signedDoc, inboundAttachmentCallback);
+ }
+
/**
* Verifies the soap envelope.
* This method verifies all the signature generated.
@@ -672,6 +724,7 @@ public class XOPAttachmentTest extends org.junit.Assert {
requestData.setSigVerCrypto(crypto);
requestData.setDecCrypto(crypto);
requestData.setCallbackHandler(new KeystoreCallbackHandler());
+ requestData.setExpandXopInclude(true);
return secEngine.processSecurityHeader(doc, requestData);
}
}