You are viewing a plain text version of this content. The canonical link for it is here.
Posted to wss4j-dev@ws.apache.org by fa...@apache.org on 2008/04/17 20:47:45 UTC
svn commit: r649227 - in /webservices/wss4j/trunk:
src/org/apache/ws/security/message/WSSecUsernameToken.java
src/org/apache/ws/security/message/token/UsernameToken.java
test/wssec/PackageTests.java test/wssec/TestWSSecurityUTDK.java
Author: fadushin
Date: Thu Apr 17 11:47:44 2008
New Revision: 649227
URL: http://svn.apache.org/viewvc?rev=649227&view=rev
Log:
WSS-111 WS-Security 1.1 DerivedKey fixes
* Applied Colm's fixes to derived key generation.
Note: I also forced conversion of pre-hashed passwords
to UTF-8, per the WS-Security 1.1 UsernameToken profile
(line 386).
Added:
webservices/wss4j/trunk/test/wssec/TestWSSecurityUTDK.java (with props)
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecUsernameToken.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java
webservices/wss4j/trunk/test/wssec/PackageTests.java
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecUsernameToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecUsernameToken.java?rev=649227&r1=649226&r2=649227&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecUsernameToken.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecUsernameToken.java Thu Apr 17 11:47:44 2008
@@ -20,6 +20,7 @@
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.util.WSSecurityUtil;
import org.w3c.dom.Document;
@@ -44,6 +45,14 @@
private boolean nonce = false;
private boolean created = false;
+
+ private boolean useDerivedKey = false;
+
+ private boolean useMac = false;
+
+ private byte[] saltValue;
+
+ private int iteration = UsernameToken.DEFAULT_ITERATION;
private Document document = null;
@@ -80,6 +89,22 @@
public void addCreated() {
created = true;
}
+
+ /**
+ * Add a derived key to the UsernameToken
+ * @param useMac whether the derived key is to be used for a MAC or not
+ * @param saltValue The saltvalue to use
+ * @param iteration The number of iterations to use in deriving a key
+ */
+ public void addDerivedKey(boolean useMac, byte[] saltValue, int iteration) {
+ passwordType = null;
+ useDerivedKey = true;
+ this.useMac = useMac;
+ this.saltValue = saltValue;
+ if (iteration > 0) {
+ this.iteration = iteration;
+ }
+ }
/**
@@ -98,6 +123,23 @@
}
return ut.getSecretKey();
}
+
+ /**
+ * Get the derived key.
+ *
+ * After the <code>prepare()</code> method was called use this method
+ * to compute a derived key. The generation of this secret key is according
+ * to the UsernameTokenProfile 1.1 specification (section 4 - Key Derivation).
+ *
+ * @return Return the derived key of this token or null if <code>prepare()</code>
+ * was not called before.
+ */
+ public byte[] getDerivedKey() throws WSSecurityException {
+ if (ut == null || !useDerivedKey) {
+ return null;
+ }
+ return UsernameToken.generateDerivedKey(password, saltValue, iteration);
+ }
/**
* Get the id generated during <code>prepare()</code>.
@@ -131,7 +173,12 @@
ut = new UsernameToken(wssConfig.isPrecisionInMilliSeconds(), doc,
passwordType);
ut.setName(user);
- ut.setPassword(password);
+ if (useDerivedKey) {
+ saltValue = ut.addSalt(doc, saltValue, useMac);
+ ut.addIteration(doc, iteration);
+ } else {
+ ut.setPassword(password);
+ }
if (nonce) {
ut.addNonce(doc);
}
Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java?rev=649227&r1=649226&r2=649227&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java Thu Apr 17 11:47:44 2008
@@ -77,7 +77,7 @@
private static SecureRandom random = null;
- private static int DEFAULT_ITERATION = 1000;
+ public static final int DEFAULT_ITERATION = 1000;
public static final QName TOKEN = new QName(WSConstants.WSSE_NS,
WSConstants.USERNAME_TOKEN_LN);
@@ -109,31 +109,36 @@
"badTokenType00", new Object[] { el });
}
elementUsername = (Element) WSSecurityUtil.getDirectChild(element,
- "Username", WSConstants.WSSE_NS);
+ WSConstants.USERNAME_LN, WSConstants.WSSE_NS);
elementPassword = (Element) WSSecurityUtil.getDirectChild(element,
- "Password", WSConstants.WSSE_NS);
+ WSConstants.PASSWORD_LN, WSConstants.WSSE_NS);
elementNonce = (Element) WSSecurityUtil.getDirectChild(element,
- "Nonce", WSConstants.WSSE_NS);
+ WSConstants.NONCE_LN, WSConstants.WSSE_NS);
elementCreated = (Element) WSSecurityUtil.getDirectChild(element,
- "Created", WSConstants.WSU_NS);
- elementSalt = (Element) WSSecurityUtil.getDirectChild(element, "Salt",
- WSConstants.WSSE11_NS);
+ WSConstants.CREATED_LN, WSConstants.WSU_NS);
+ elementSalt = (Element) WSSecurityUtil.getDirectChild(element,
+ WSConstants.SALT_LN, WSConstants.WSSE11_NS);
elementIteration = (Element) WSSecurityUtil.getDirectChild(element,
- "Interation", WSConstants.WSSE11_NS);
+ WSConstants.ITERATION_LN, WSConstants.WSSE11_NS);
if (elementUsername == null) {
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY_TOKEN,
"badTokenType01", new Object[] { el });
}
+ hashed = false;
if (elementSalt != null) {
- if (elementPassword != null) {
+ //
+ // If the UsernameToken is to be used for key derivation, the (1.1)
+ // spec says that it cannot contain a password, and it must contain
+ // an Iteration element
+ //
+ if (elementPassword != null || elementIteration == null) {
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY_TOKEN,
"badTokenType01", new Object[] { el });
}
return;
}
- hashed = false;
if (elementPassword != null) {
passwordType = elementPassword.getAttribute("Type");
}
@@ -615,7 +620,12 @@
if (iteration == 0) {
iteration = DEFAULT_ITERATION;
}
- byte[] pwBytes = password.getBytes();
+ byte[] pwBytes = null;
+ try {
+ pwBytes = password.getBytes("UTF-8");
+ } catch (final java.io.UnsupportedEncodingException e) {
+ throw new WSSecurityException("Unable to convert password to UTF-8", e);
+ }
byte[] pwSalt = new byte[salt.length + pwBytes.length];
System.arraycopy(pwBytes, 0, pwSalt, 0, pwBytes.length);
@@ -634,9 +644,9 @@
*/
byte[] K = sha.digest(pwSalt);
/*
- * Perform the 2nd up to iteration hash rounds
+ * Perform the 1st up to iteration-1 hash rounds
*/
- for (int i = 2; i <= iteration; i++) {
+ for (int i = 1; i < iteration; i++) {
sha.reset();
K = sha.digest(K);
}
Modified: webservices/wss4j/trunk/test/wssec/PackageTests.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/PackageTests.java?rev=649227&r1=649226&r2=649227&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/PackageTests.java (original)
+++ webservices/wss4j/trunk/test/wssec/PackageTests.java Thu Apr 17 11:47:44 2008
@@ -73,6 +73,7 @@
suite.addTestSuite(TestWSSecurityX509v1.class);
suite.addTestSuite(TestWSSecurityUserProcessor.class);
suite.addTestSuite(TestWSSecurityFaultCodes.class);
+ suite.addTestSuite(TestWSSecurityUTDK.class);
suite.addTestSuite(TestWSSecurityDataRef.class);
suite.addTestSuite(TestWSSecurityDataRef1.class);
return suite;
Added: webservices/wss4j/trunk/test/wssec/TestWSSecurityUTDK.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityUTDK.java?rev=649227&view=auto
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityUTDK.java (added)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityUTDK.java Thu Apr 17 11:47:44 2008
@@ -0,0 +1,284 @@
+/*
+ * Copyright 2003-2004 The Apache Software Foundation.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package wssec;
+
+import junit.framework.Test;
+import junit.framework.TestCase;
+import junit.framework.TestSuite;
+import org.apache.axis.Message;
+import org.apache.axis.MessageContext;
+import org.apache.axis.client.AxisClient;
+import org.apache.axis.configuration.NullProvider;
+import org.apache.axis.message.SOAPEnvelope;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSSecurityException;
+import org.apache.ws.security.WSPasswordCallback;
+import org.apache.ws.security.WSSecurityEngine;
+import org.apache.ws.security.WSEncryptionPart;
+import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.message.WSSecDKEncrypt;
+import org.apache.ws.security.message.WSSecDKSign;
+import org.apache.ws.security.message.WSSecEncrypt;
+import org.apache.ws.security.message.WSSecHeader;
+import org.apache.ws.security.message.WSSecSignature;
+import org.apache.ws.security.message.WSSecUsernameToken;
+import org.apache.ws.security.message.token.UsernameToken;
+import org.apache.ws.security.processor.Processor;
+import org.apache.ws.security.processor.UsernameTokenProcessor;
+import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.xml.security.signature.XMLSignature;
+import org.w3c.dom.Document;
+
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.UnsupportedCallbackException;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.PrintWriter;
+
+import java.util.Vector;
+
+/**
+ * WS-Security Test Case for UsernameToken Key Derivation, as defined in the
+ * UsernameTokenProfile 1.1 specification. Note that the processing of UsernameTokens
+ * with derived keys is not yet supported.
+ */
+public class TestWSSecurityUTDK extends TestCase implements CallbackHandler {
+ private static Log log = LogFactory.getLog(TestWSSecurityUTDK.class);
+ static final String soapMsg = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
+ "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">" +
+ " <soapenv:Body>" +
+ " <ns1:testMethod xmlns:ns1=\"uri:LogTestService2\"></ns1:testMethod>" +
+ " </soapenv:Body>" +
+ "</soapenv:Envelope>";
+
+ static final WSSecurityEngine secEngine = new WSSecurityEngine();
+ static final Crypto crypto = CryptoFactory.getInstance();
+ MessageContext msgContext;
+ SOAPEnvelope unsignedEnvelope;
+
+ /**
+ * TestWSSecurity constructor
+ * <p/>
+ *
+ * @param name name of the test
+ */
+ public TestWSSecurityUTDK(String name) {
+ super(name);
+ }
+
+ /**
+ * JUnit suite
+ * <p/>
+ *
+ * @return a junit test suite
+ */
+ public static Test suite() {
+ return new TestSuite(TestWSSecurityUTDK.class);
+ }
+
+ /**
+ * Main method
+ * <p/>
+ *
+ * @param args command line args
+ */
+ public static void main(String[] args) {
+ junit.textui.TestRunner.run(suite());
+ }
+
+ /**
+ * Setup method
+ * <p/>
+ *
+ * @throws Exception Thrown when there is a problem in setup
+ */
+ protected void setUp() throws Exception {
+ AxisClient tmpEngine = new AxisClient(new NullProvider());
+ msgContext = new MessageContext(tmpEngine);
+ unsignedEnvelope = getSOAPEnvelope();
+ }
+
+ /**
+ * Constructs a soap envelope
+ * <p/>
+ *
+ * @return soap envelope
+ * @throws java.lang.Exception if there is any problem constructing the soap envelope
+ */
+ protected SOAPEnvelope getSOAPEnvelope() throws Exception {
+ InputStream in = new ByteArrayInputStream(soapMsg.getBytes());
+ Message msg = new Message(in);
+ msg.setMessageContext(msgContext);
+ return msg.getSOAPEnvelope();
+ }
+
+ /**
+ * Unit test for the UsernameToken derived key functionality
+ */
+ public void testUsernameTokenUnit() throws Exception {
+ Document doc = unsignedEnvelope.getAsDocument();
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ UsernameToken usernameToken = new UsernameToken(true, doc, null);
+ usernameToken.setName("bob");
+
+ byte[] salt = usernameToken.addSalt(doc, null, false);
+ assertTrue(salt.length == 16);
+ assertTrue(salt[15] == 0x02);
+ byte[] utSalt = usernameToken.getSalt();
+ assertTrue(salt.length == utSalt.length);
+ for (int i = 0; i < salt.length; i++) {
+ assertTrue(salt[i] == utSalt[i]);
+ }
+
+ usernameToken.addIteration(doc, 500);
+ assertTrue(usernameToken.getIteration() == 500);
+
+ WSSecurityUtil.prependChildElement(
+ doc, secHeader.getSecurityHeader(), usernameToken.getElement(), false
+ );
+
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+ assertTrue(outputString.indexOf("wsse:Username") != -1);
+ assertTrue(outputString.indexOf("wsse:Password") == -1);
+ assertTrue(outputString.indexOf("wsse11:Salt") != -1);
+ assertTrue(outputString.indexOf("wsse11:Iteration") != -1);
+
+ byte[] derivedKey = UsernameToken.generateDerivedKey("security", salt, 500);
+ assertTrue(derivedKey.length == 20);
+
+ }
+
+
+ /**
+ * Test using a UsernameToken derived key for encrypting a SOAP body
+ */
+ public void testDerivedKeyEncryption() throws Exception {
+ Document doc = unsignedEnvelope.getAsDocument();
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ WSSecUsernameToken builder = new WSSecUsernameToken();
+ builder.setUserInfo("bob", "security");
+ builder.addDerivedKey(false, null, 1000);
+ builder.prepare(doc);
+
+ byte[] derivedKey = builder.getDerivedKey();
+ assertTrue(derivedKey.length == 20);
+
+ String tokenIdentifier = builder.getId();
+
+ //
+ // Derived key encryption
+ //
+ WSSecDKEncrypt encrBuilder = new WSSecDKEncrypt();
+ encrBuilder.setSymmetricEncAlgorithm(WSConstants.AES_128);
+ encrBuilder.setExternalKey(derivedKey, tokenIdentifier);
+ Document encryptedDoc = encrBuilder.build(doc, secHeader);
+
+ builder.prependToHeader(secHeader);
+
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedDoc);
+ assertTrue(outputString.indexOf("wsse:Username") != -1);
+ assertTrue(outputString.indexOf("wsse:Password") == -1);
+ assertTrue(outputString.indexOf("wsse11:Salt") != -1);
+ assertTrue(outputString.indexOf("wsse11:Iteration") != -1);
+ if (log.isDebugEnabled()) {
+ log.debug(outputString);
+ }
+
+ // verify(encryptedDoc);
+ }
+
+ /**
+ * Test using a UsernameToken derived key for signing a SOAP body
+ */
+ public void testDerivedKeySignature() throws Exception {
+ Document doc = unsignedEnvelope.getAsDocument();
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ WSSecUsernameToken builder = new WSSecUsernameToken();
+ builder.setUserInfo("bob", "security");
+ builder.addDerivedKey(true, null, 1000);
+ builder.prepare(doc);
+
+ byte[] derivedKey = builder.getDerivedKey();
+ assertTrue(derivedKey.length == 20);
+
+ String tokenIdentifier = builder.getId();
+
+ //
+ // Derived key encryption
+ //
+ WSSecDKSign sigBuilder = new WSSecDKSign();
+ sigBuilder.setExternalKey(derivedKey, tokenIdentifier);
+ sigBuilder.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
+ Document signedDoc = sigBuilder.build(doc, secHeader);
+
+ builder.prependToHeader(secHeader);
+
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(signedDoc);
+ assertTrue(outputString.indexOf("wsse:Username") != -1);
+ assertTrue(outputString.indexOf("wsse:Password") == -1);
+ assertTrue(outputString.indexOf("wsse11:Salt") != -1);
+ assertTrue(outputString.indexOf("wsse11:Iteration") != -1);
+ if (log.isDebugEnabled()) {
+ log.debug(outputString);
+ }
+
+ // verify(signedDoc);
+ }
+
+ /**
+ * Verifies the soap envelope.
+ *
+ * @param env soap envelope
+ * @throws java.lang.Exception Thrown when there is a problem in verification
+ */
+ private void verify(Document doc) throws Exception {
+ secEngine.processSecurityHeader(doc, null, this, crypto);
+ }
+
+
+ public void handle(Callback[] callbacks)
+ throws IOException, UnsupportedCallbackException {
+ for (int i = 0; i < callbacks.length; i++) {
+ if (callbacks[i] instanceof WSPasswordCallback) {
+ //
+ // Do nothing
+ //
+ } else {
+ throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");
+ }
+ }
+ }
+
+}
Propchange: webservices/wss4j/trunk/test/wssec/TestWSSecurityUTDK.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: webservices/wss4j/trunk/test/wssec/TestWSSecurityUTDK.java
------------------------------------------------------------------------------
svn:keywords = Rev Date
---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org