Posted to commits@cxf.apache.org by co...@apache.org on 2022/07/07 11:36:31 UTC
[cxf] branch main updated: Removing calls to WSSecurityUtil.generateNonce
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/main by this push:
new ff995172b7 Removing calls to WSSecurityUtil.generateNonce
ff995172b7 is described below
commit ff995172b7a80ea31c9e944011dce331dc138a29
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Jul 7 12:36:14 2022 +0100
Removing calls to WSSecurityUtil.generateNonce
---
.../ws/security/policy/interceptors/STSInvoker.java | 16 ++++++++++++----
.../SpnegoContextTokenInInterceptor.java | 4 ++--
.../cxf/ws/security/trust/AbstractSTSClient.java | 20 +++++++++++++-------
.../cxf/sts/token/provider/SymmetricKeyHandler.java | 6 ++++--
.../apache/cxf/sts/operation/IssueSamlUnitTest.java | 19 +++++++++++--------
.../sts/token/provider/SAMLProviderKeyTypeTest.java | 17 +++++++++++++----
.../cxf/systest/sts/batch/SimpleBatchSTSClient.java | 20 +++++++++++++-------
7 files changed, 68 insertions(+), 34 deletions(-)
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSInvoker.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSInvoker.java
index 6dd090322d..ccd0f2f55b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSInvoker.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/STSInvoker.java
@@ -27,6 +27,8 @@ import java.util.logging.Logger;
import javax.xml.stream.XMLStreamException;
import javax.xml.transform.dom.DOMSource;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -206,17 +208,23 @@ abstract class STSInvoker implements Invoker {
) throws NoSuchAlgorithmException, WSSecurityException, XMLStreamException {
final byte[] secret;
writer.writeStartElement(prefix, "RequestedProofToken", namespace);
+ byte[] randomBytes = null;
+ try {
+ randomBytes = XMLSecurityConstants.generateBytes(keySize / 8);
+ } catch (XMLSecurityException e) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
+ }
+
if (clientEntropy == null) {
- secret = WSSecurityUtil.generateNonce(keySize / 8);
+ secret = randomBytes;
writer.writeStartElement(prefix, "BinarySecret", namespace);
writer.writeAttribute("Type", namespace + "/Nonce");
writer.writeCharacters(XMLUtils.encodeToString(secret));
writer.writeEndElement();
} else {
- byte[] entropy = WSSecurityUtil.generateNonce(keySize / 8);
P_SHA1 psha1 = new P_SHA1();
- secret = psha1.createKey(clientEntropy, entropy, 0, keySize / 8);
+ secret = psha1.createKey(clientEntropy, randomBytes, 0, keySize / 8);
writer.writeStartElement(prefix, "ComputedKey", namespace);
writer.writeCharacters(namespace + "/CK/PSHA1");
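Review bot: `byte[] randomBytes = null;` assigns a value that is never read, because the try block either sets the variable or throws. Declaring it as `final byte[] randomBytes;` would match the `final byte[] secret;` just above and let the compiler check the single assignment. The same buffer now serves both branches and is also written into the Entropy element in the next hunk, so a short comment would help, for example `// server randomness: the secret itself when the client sent no entropy, otherwise the STS entropy fed to P_SHA1`. The enclosing method starts and ends outside this hunk.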
@@ -226,7 +234,7 @@ abstract class STSInvoker implements Invoker {
writer.writeStartElement(prefix, "Entropy", namespace);
writer.writeStartElement(prefix, "BinarySecret", namespace);
writer.writeAttribute("Type", namespace + "/Nonce");
- writer.writeCharacters(XMLUtils.encodeToString(entropy));
+ writer.writeCharacters(XMLUtils.encodeToString(randomBytes));
writer.writeEndElement();
}
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
index b0d99d65a9..328e159055 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/SpnegoContextTokenInInterceptor.java
@@ -24,6 +24,7 @@ import java.util.Collection;
import javax.security.auth.callback.CallbackHandler;
+import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.w3c.dom.Element;
import org.apache.cxf.binding.soap.SoapBindingConstants;
@@ -60,7 +61,6 @@ import org.apache.wss4j.common.WSS4JConstants;
import org.apache.wss4j.common.spnego.SpnegoTokenContext;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.message.token.SecurityContextToken;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.policy.SPConstants;
import org.apache.xml.security.utils.XMLUtils;
@@ -231,7 +231,7 @@ class SpnegoContextTokenInInterceptor extends AbstractPhaseInterceptor<SoapMessa
writer.writeCharacters(Integer.toString(keySize));
writer.writeEndElement();
- byte[] secret = WSSecurityUtil.generateNonce(keySize / 8);
+ byte[] secret = XMLSecurityConstants.generateBytes(keySize / 8);
byte[] key = spnegoToken.wrapKey(secret);
writeProofToken(writer, prefix, namespace, key);
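Review bot: `XMLSecurityConstants.generateBytes(keySize / 8)` is called here without the try/catch that the STSInvoker and AbstractSTSClient hunks of this commit add. An `XMLSecurityException` from the generator would therefore leave this method unwrapped, while the other call sites report it as `WSSecurityException.ErrorCode.FAILURE`. The method signature is outside the hunk, so it presumably declares a broad enough `throws` clause for this to compile. For consistent error handling, consider the same wrapping here: `throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);`.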
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
index 56fd82726f..d25ef285ff 100755
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
@@ -50,6 +50,8 @@ import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamWriter;
import javax.xml.transform.dom.DOMSource;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -131,7 +133,6 @@ import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.processor.EncryptedKeyProcessor;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.dom.util.X509Util;
import org.apache.wss4j.policy.SPConstants;
import org.apache.wss4j.policy.SPConstants.SPVersion;
@@ -944,13 +945,18 @@ public abstract class AbstractSTSClient implements Configurable, InterceptorProv
writer.writeStartElement("wst", "Entropy", namespace);
writer.writeStartElement("wst", "BinarySecret", namespace);
writer.writeAttribute("Type", namespace + "/Nonce");
- if (algorithmSuite == null) {
- requestorEntropy = WSSecurityUtil.generateNonce(keySize / 8);
- } else {
- AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
- requestorEntropy = WSSecurityUtil
- .generateNonce(algType.getMaximumSymmetricKeyLength() / 8);
+
+ try {
+ if (algorithmSuite == null) {
+ requestorEntropy = XMLSecurityConstants.generateBytes(keySize / 8);
+ } else {
+ AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
+ requestorEntropy = XMLSecurityConstants.generateBytes(algType.getMaximumSymmetricKeyLength() / 8);
+ }
+ } catch (XMLSecurityException e) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
}
+
writer.writeCharacters(org.apache.xml.security.utils.XMLUtils.encodeToString(requestorEntropy));
writer.writeEndElement();
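Review bot: The try block wraps an if/else whose two branches differ only in the length passed to `generateBytes`. Computing the length first leaves a single call to guard: `int entropyBits = algorithmSuite == null ? keySize : algorithmSuite.getAlgorithmSuiteType().getMaximumSymmetricKeyLength();` followed by `requestorEntropy = XMLSecurityConstants.generateBytes(entropyBits / 8);`. That also shortens the long line in the else branch. The identical block is added to SimpleBatchSTSClient later in this commit, so the same simplification applies there. The enclosing method starts and ends outside this hunk.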
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SymmetricKeyHandler.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SymmetricKeyHandler.java
index ef47df8367..79df00e99d 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SymmetricKeyHandler.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SymmetricKeyHandler.java
@@ -34,6 +34,8 @@ import org.apache.wss4j.common.WSS4JConstants;
import org.apache.wss4j.common.derivedKey.P_SHA1;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.util.WSSecurityUtil;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.ext.XMLSecurityConstants;
/**
* Some common functionality relating to parsing and generating Symmetric Keys.
@@ -167,9 +169,9 @@ public class SymmetricKeyHandler {
if (generateEntropy) {
try {
- entropyBytes = WSSecurityUtil.generateNonce(keySize / 8);
+ entropyBytes = XMLSecurityConstants.generateBytes(keySize / 8);
secret = entropyBytes;
- } catch (WSSecurityException ex) {
+ } catch (XMLSecurityException ex) {
LOG.log(Level.WARNING, "", ex);
throw new STSException("Error in creating symmetric key", ex, STSException.INVALID_REQUEST);
}
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java
index 4409969440..ef3d27bc47 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java
@@ -20,11 +20,7 @@ package org.apache.cxf.sts.operation;
import java.security.Principal;
import java.security.cert.X509Certificate;
-import java.util.Arrays;
-import java.util.Base64;
-import java.util.Collections;
-import java.util.List;
-import java.util.Properties;
+import java.util.*;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
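Review bot: The wildcard `import java.util.*;` replaces five explicit imports only to bring `Random` into scope. It hides which `java.util` types the test depends on and can introduce name clashes later. Keeping the original five lines and adding `import java.util.Random;` would match what the SAMLProviderKeyTypeTest hunk in this commit does.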
@@ -78,7 +74,6 @@ import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.WSSecEncryptedKey;
import org.apache.wss4j.dom.saml.WSSSAMLKeyInfoProcessor;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assert.assertEquals;
@@ -645,7 +640,11 @@ public class IssueSamlUnitTest {
// Now add Entropy
BinarySecretType binarySecretType = new BinarySecretType();
binarySecretType.setType(STSConstants.NONCE_TYPE);
- binarySecretType.setValue(WSSecurityUtil.generateNonce(256 / 8));
+
+ Random random = new Random();
+ byte[] secret = new byte[256 / 8];
+ random.nextBytes(secret);
+ binarySecretType.setValue(secret);
JAXBElement<BinarySecretType> binarySecretTypeJaxb =
new JAXBElement<BinarySecretType>(
QNameConstants.BINARY_SECRET, BinarySecretType.class, binarySecretType
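Review bot: The entropy set on `binarySecretType` now comes from `java.util.Random`, which is not a cryptographic generator, while the production hunks in this commit switch to `XMLSecurityConstants.generateBytes`. The test only needs 32 bytes of any content, but test code gets copied, so `new SecureRandom().nextBytes(secret);` or `binarySecretType.setValue(XMLSecurityConstants.generateBytes(256 / 8));` would keep the pattern safe. The latter assumes the test method may throw the checked exception. The same four added lines recur in the second hunk of this file and in the three SAMLProviderKeyTypeTest hunks, so a small private helper returning the byte array would remove the repetition.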
@@ -737,7 +736,11 @@ public class IssueSamlUnitTest {
// Now add Entropy
BinarySecretType binarySecretType = new BinarySecretType();
binarySecretType.setType(STSConstants.SYMMETRIC_KEY_TYPE);
- binarySecretType.setValue(WSSecurityUtil.generateNonce(256 / 8));
+
+ Random random = new Random();
+ byte[] secret = new byte[256 / 8];
+ random.nextBytes(secret);
+ binarySecretType.setValue(secret);
JAXBElement<BinarySecretType> binarySecretTypeJaxb =
new JAXBElement<BinarySecretType>(
QNameConstants.BINARY_SECRET, BinarySecretType.class, binarySecretType
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderKeyTypeTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderKeyTypeTest.java
index fcbd0b0460..95938a8e9d 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderKeyTypeTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderKeyTypeTest.java
@@ -21,6 +21,7 @@ package org.apache.cxf.sts.token.provider;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Properties;
+import java.util.Random;
import org.w3c.dom.Element;
@@ -48,7 +49,6 @@ import org.apache.wss4j.common.principal.CustomTokenPrincipal;
import org.apache.wss4j.common.saml.builder.SAML1Constants;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
import org.apache.wss4j.common.util.DOM2Writer;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
@@ -200,7 +200,10 @@ public class SAMLProviderKeyTypeTest {
Entropy entropy = new Entropy();
BinarySecret binarySecret = new BinarySecret();
- binarySecret.setBinarySecretValue(WSSecurityUtil.generateNonce(256 / 8));
+ Random random = new Random();
+ byte[] secret = new byte[256 / 8];
+ random.nextBytes(secret);
+ binarySecret.setBinarySecretValue(secret);
entropy.setBinarySecret(binarySecret);
providerParameters.getKeyRequirements().setEntropy(entropy);
@@ -265,7 +268,10 @@ public class SAMLProviderKeyTypeTest {
Entropy entropy = new Entropy();
BinarySecret binarySecret = new BinarySecret();
- binarySecret.setBinarySecretValue(WSSecurityUtil.generateNonce(256 / 8));
+ Random random = new Random();
+ byte[] secret = new byte[256 / 8];
+ random.nextBytes(secret);
+ binarySecret.setBinarySecretValue(secret);
entropy.setBinarySecret(binarySecret);
providerParameters.getKeyRequirements().setEntropy(entropy);
@@ -299,7 +305,10 @@ public class SAMLProviderKeyTypeTest {
Entropy entropy = new Entropy();
BinarySecret binarySecret = new BinarySecret();
- binarySecret.setBinarySecretValue(WSSecurityUtil.generateNonce(256 / 8));
+ Random random = new Random();
+ byte[] secret = new byte[256 / 8];
+ random.nextBytes(secret);
+ binarySecret.setBinarySecretValue(secret);
entropy.setBinarySecret(binarySecret);
providerParameters.getKeyRequirements().setEntropy(entropy);
diff --git a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/batch/SimpleBatchSTSClient.java b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/batch/SimpleBatchSTSClient.java
index 0088e8d0f2..0d73ef9501 100644
--- a/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/batch/SimpleBatchSTSClient.java
+++ b/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/batch/SimpleBatchSTSClient.java
@@ -41,6 +41,8 @@ import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamWriter;
import javax.xml.transform.dom.DOMSource;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -106,7 +108,6 @@ import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.processor.EncryptedKeyProcessor;
-import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.dom.util.X509Util;
import org.apache.wss4j.policy.model.AbstractBinding;
import org.apache.wss4j.policy.model.AlgorithmSuite;
@@ -658,13 +659,18 @@ public class SimpleBatchSTSClient implements Configurable, InterceptorProvider {
writer.writeStartElement("wst", "Entropy", namespace);
writer.writeStartElement("wst", "BinarySecret", namespace);
writer.writeAttribute("Type", namespace + "/Nonce");
- if (algorithmSuite == null) {
- requestorEntropy = WSSecurityUtil.generateNonce(keySize / 8);
- } else {
- AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
- requestorEntropy = WSSecurityUtil
- .generateNonce(algType.getMaximumSymmetricKeyLength() / 8);
+
+ try {
+ if (algorithmSuite == null) {
+ requestorEntropy = XMLSecurityConstants.generateBytes(keySize / 8);
+ } else {
+ AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
+ requestorEntropy = XMLSecurityConstants.generateBytes(algType.getMaximumSymmetricKeyLength() / 8);
+ }
+ } catch (XMLSecurityException e) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e);
}
+
writer.writeCharacters(Base64.getMimeEncoder().encodeToString(requestorEntropy));
writer.writeEndElement();