Posted to java-commits@axis.apache.org by ve...@apache.org on 2017/01/29 14:00:51 UTC
svn commit: r1780798 - in /axis/axis2/java/rampart/branches/RAMPART-252: ./
modules/rampart-core/src/main/java/org/apache/rampart/
modules/rampart-core/src/main/java/org/apache/rampart/builder/
Author: veithen
Date: Sun Jan 29 14:00:51 2017
New Revision: 1780798
URL: http://svn.apache.org/viewvc?rev=1780798&view=rev
Log:
RAMPART-252: Commit patch provided by Prabath Siriwardena.
Modified:
axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java
axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/builder/SymmetricBindingBuilder.java
axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties
axis/axis2/java/rampart/branches/RAMPART-252/pom.xml
Modified: axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java?rev=1780798&r1=1780797&r2=1780798&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java Sun Jan 29 14:00:51 2017
@@ -453,6 +453,8 @@ public class PolicyBasedResultsValidator
}
+ //validate the algorithms
+ validateEncryptionAlgorithm(encrRefs, rpd.getAlgorithmSuite());
//Check for encrypted body
if(rpd.isEncryptBody()&& !rpd.isEncryptBodyOptional()) {
@@ -546,6 +548,7 @@ public class PolicyBasedResultsValidator
throws RampartException {
RampartMessageData rmd = data.getRampartMessageData();
+ RampartPolicyData rpd = rmd.getPolicyData();
Node envelope = rmd.getDocument().getFirstChild();
@@ -553,9 +556,35 @@ public class PolicyBasedResultsValidator
// Find elements that are signed
Vector actuallySigned = new Vector();
- if (actionResults != null) {
+ if (actionResults != null) {
+
+ AlgorithmSuite suite = rpd.getAlgorithmSuite();
+
for (int j = 0; j < actionResults.length; j++) {
WSSecurityEngineResult actionResult = actionResults[j];
+
+ // Validate signature algorithms
+ String sigMethod = null;
+ String canonMethod = null;
+ sigMethod = (String) actionResult.get(WSSecurityEngineResult.TAG_SIGNATURE_METHOD);
+ canonMethod = (String) actionResult
+ .get(WSSecurityEngineResult.TAG_CANONICALIZATION_METHOD);
+
+ if (sigMethod == null || canonMethod == null) {
+ throw new RampartException("algorithmNotFound");
+ }
+ // Check whether signature algorithm is correct
+ if (!(sigMethod.equals(suite.getAsymmetricSignature()) || sigMethod.equals(suite
+ .getSymmetricSignature()))) {
+ throw new RampartException("invalidAlgorithm", new String[] {
+ suite.getAsymmetricSignature(), sigMethod });
+ }
+ // Check whether the canonicalization algorithm is correct
+ if (!canonMethod.equals(suite.getInclusiveC14n())) {
+ throw new RampartException("invalidAlgorithm", new String[] {
+ suite.getInclusiveC14n(), canonMethod });
+ }
+
Set signedIDs = (Set) actionResult
.get(WSSecurityEngineResult.TAG_SIGNED_ELEMENT_IDS);
for (Iterator i = signedIDs.iterator(); i.hasNext();) {
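Review bot: The `invalidAlgorithm` error at L57-58 always reports `suite.getAsymmetricSignature()` as the required algorithm, although the check at L55-56 accepts the symmetric signature as well, so a message produced under a symmetric binding names the wrong expected value. Reporting both accepted values keeps the message accurate: `throw new RampartException("invalidAlgorithm", new String[] { suite.getAsymmetricSignature() + " or " + suite.getSymmetricSignature(), sigMethod });`. Accepting either signature algorithm regardless of which binding the policy actually configures is looser than checking the one in force; if the binding type is available here, it is worth restricting the comparison to that value. The `String sigMethod = null;` / `String canonMethod = null;` declarations at L45-46 are immediately overwritten and can be merged with the assignments at L47-49. The enclosing method begins and ends outside this hunk.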
@@ -942,6 +971,22 @@ public class PolicyBasedResultsValidator
.size()]);
}
+ private void validateEncryptionAlgorithm(ArrayList refList, AlgorithmSuite algorithmSuite) throws RampartException {
+
+ for (int i = 0; i < refList.size(); i++) {
+ WSDataRef dataRef = (WSDataRef) refList.get(i);
+
+ //ArrayList can contain null elements
+ if (dataRef == null) {
+ continue;
+ }
+
+ if (!(algorithmSuite.getEncryption().equals(dataRef.getAlgo()))) {
+ throw new RampartException("invalidAlgorithm", new String[]{algorithmSuite.getEncryption(), dataRef.getAlgo()});
+ }
+ }
+ }
+
private boolean isRefIdPresent(ArrayList refList , QName qname) {
for (int i = 0; i < refList.size() ; i++) {
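Review bot: `validateEncryptionAlgorithm` at L72 dereferences `refList` without a null check, while it explicitly tolerates null elements inside the list at L78; unless the caller at L25 guarantees a non-null `encrRefs` (not visible in this diff), an empty or missing reference list would surface as a NullPointerException rather than a policy error. A guard such as `if (refList == null) { return; }` before the loop keeps the helper consistent with its element handling, leaving the "encrypted body required" check that follows the call to report missing encryption. The method also lacks documentation; a Javadoc along the lines of "Checks that every non-null {@link WSDataRef} in {@code refList} was encrypted with the data-encryption algorithm required by {@code algorithmSuite}; throws {@link RampartException} {@code invalidAlgorithm} on the first mismatch. Only the data-encryption algorithm is compared here." would make the scope explicit, since the key-wrap/key-transport algorithm of the EncryptedKey is not covered by this helper as far as this hunk shows.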
Modified: axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/builder/SymmetricBindingBuilder.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/builder/SymmetricBindingBuilder.java?rev=1780798&r1=1780797&r2=1780798&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/builder/SymmetricBindingBuilder.java (original)
+++ axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/builder/SymmetricBindingBuilder.java Sun Jan 29 14:00:51 2017
@@ -17,6 +17,9 @@
package org.apache.rampart.builder;
import org.apache.axiom.om.OMElement;
+import org.apache.axiom.om.OMFactory;
+import org.apache.axiom.om.impl.builder.StAXOMBuilder;
+import org.apache.axiom.om.impl.dom.DOOMAbstractFactory;
import org.apache.axis2.context.MessageContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -58,6 +61,8 @@ import java.util.HashMap;
import java.util.Iterator;
import java.util.Vector;
+import javax.xml.stream.XMLStreamReader;
+
public class SymmetricBindingBuilder extends BindingBuilder {
@@ -538,6 +543,12 @@ public class SymmetricBindingBuilder ext
//Encryption
Token encrToken = rpd.getEncryptionToken();
+
+ boolean isIssuedToken = false;
+ if (encrToken instanceof IssuedToken) {
+ isIssuedToken = true;
+ }
+
Element encrTokElem = null;
if(sigToken.equals(encrToken)) {
//Use the same token
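Review bot: The flag at L114-117 is assigned through an `if` that only sets it to true, which is just the instanceof result; writing it as `boolean isIssuedToken = encrToken instanceof IssuedToken;` is shorter and makes the intent obvious. The enclosing method starts and ends outside this hunk.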
@@ -659,12 +670,22 @@ public class SymmetricBindingBuilder ext
encr.setSymmetricEncAlgorithm(rpd.getAlgorithmSuite().getEncryption());
// Use key identifier in the KeyInfo in server side
if (!rmd.isInitiator()) {
- if(encrTok instanceof EncryptedKeyToken) {
+ if (encrTok instanceof EncryptedKeyToken) {
encr.setUseKeyIdentifier(true);
- encr.setCustomReferenceValue(((EncryptedKeyToken)encrTok).getSHA1());
+ encr.setCustomReferenceValue(((EncryptedKeyToken) encrTok).getSHA1());
encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
- }
+ }
+ } else if (isIssuedToken) {
+ encr.setUseKeyIdentifier(true);
+ encr.setCustomReferenceValue(encrTokId);
+ encr.setKeyIdentifierType(WSConstants.SAML_ASSERTION_IDENTIFIER);
+ try {
+ // RampartUtil.insertSiblingAfter(rmd,this.timestampElement,getLLOMfromOM(encrTok.getToken()));
+ } catch (Exception e) {
+ log.debug("error while converting SAML issued token to a dom element");
+ }
}
+
encr.prepare(doc, RampartUtil.getEncryptionCrypto(rpd
.getRampartConfig(), rmd.getCustomClassLoader()));
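Review bot: The `try` block at L138-142 contains only a commented-out call, so the new issued-token branch sets the SAML key-identifier reference at L135-137 but never inserts the token into the header, and the `catch (Exception e)` can never execute. Either the `RampartUtil.insertSiblingAfter(...)` call should be restored or the try/catch removed; if it is restored, the catch should not reduce the failure to a debug log that drops `e`, since a missing token reference will fail later with a less useful error — rethrow as `throw new RampartException("...", e);` or at least `log.debug("error while converting SAML issued token to a dom element", e);`. Note also that `else if (isIssuedToken)` at L134 hangs off `if (!rmd.isInitiator())`, so the issued-token handling only runs on the initiator side; worth a one-line comment confirming that is intended. The enclosing method starts and ends outside this hunk.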
@@ -696,6 +717,18 @@ public class SymmetricBindingBuilder ext
}
+ private Element getLLOMfromOM(OMElement element) {
+ // Get the StAX reader from the created element
+ XMLStreamReader llomReader = element.getXMLStreamReader();
+ // Create the DOOM OMFactory
+ OMFactory doomFactory = DOOMAbstractFactory.getOMFactory();
+ // Create the new builder
+ StAXOMBuilder doomBuilder = new StAXOMBuilder(doomFactory, llomReader);
+ // Get the document element
+ OMElement newElem = doomBuilder.getDocumentElement();
+ return (Element) newElem;
+ }
+
/**
* @param rmd
* @param sigToken
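Review bot: `getLLOMfromOM` at L149 builds its result with `DOOMAbstractFactory.getOMFactory()` at L153, so it converts an OMElement into a DOOM element — the name states the opposite direction; `getDOOMfromOM` or `toDOMElement` would describe it. The method is currently only referenced from the commented-out call at L139, so as committed it is unused private code, and the cast at L158 assumes the DOOM factory's element implements `org.w3c.dom.Element` (presumably true for DOOM, but worth a comment). Suggested Javadoc: "Rebuilds {@code element} with the DOOM factory so it can be used as a {@code org.w3c.dom.Element} in the security header; the source element is consumed through its StAX reader."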
Modified: axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties?rev=1780798&r1=1780797&r2=1780798&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties (original)
+++ axis/axis2/java/rampart/branches/RAMPART-252/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties Sun Jan 29 14:00:51 2017
@@ -97,4 +97,6 @@ unexprectedSignature = Unexpected signat
invalidTransport = Expected transport is "https" but incoming transport found : \"{0}\"
requiredElementsMissing = Required Elements not found in the incoming message : {0}
repeatingNonceValue = Nonce value : {0}, already seen before for user name : {1}. Possibly this could be a replay attack.
-invalidNonceLifeTime = Invalid value for nonceLifeTime in rampart configuration file.
\ No newline at end of file
+invalidNonceLifeTime = Invalid value for nonceLifeTime in rampart configuration file.
+algorithmNotFound = Couldn't find the algorithm used
+invalidAlgorithm = Algorithm verification failed. Required Algorithm : {0}, Algorithm found {1}
Modified: axis/axis2/java/rampart/branches/RAMPART-252/pom.xml
URL: http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/RAMPART-252/pom.xml?rev=1780798&r1=1780797&r2=1780798&view=diff
==============================================================================
--- axis/axis2/java/rampart/branches/RAMPART-252/pom.xml (original)
+++ axis/axis2/java/rampart/branches/RAMPART-252/pom.xml Sun Jan 29 14:00:51 2017
@@ -369,7 +369,7 @@
<axis2.version>SNAPSHOT</axis2.version>
<addressing.mar.version>SNAPSHOT</addressing.mar.version>
- <wss4j.version>1.5.8</wss4j.version>
+ <wss4j.version>1.5.9</wss4j.version>
<xmlsec.version>1.4.2</xmlsec.version>
<opensaml.version>1.1</opensaml.version>