Posted to commits@ws.apache.org by co...@apache.org on 2012/02/27 12:23:32 UTC
svn commit: r1294114 - in /webservices/wss4j/trunk/src:
main/java/org/apache/ws/security/ main/java/org/apache/ws/security/processor/
test/java/org/apache/ws/security/message/
Author: coheigea
Date: Mon Feb 27 11:23:30 2012
New Revision: 1294114
URL: http://svn.apache.org/viewvc?rev=1294114&view=rev
Log:
Only decrypt a Data Reference in the ReferenceListProcessor, if it hasn't already been decrypted by the EncryptedDataProcessor
Added:
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/EncryptedDataInHeaderTest.java
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSDocInfo.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/EncryptedDataProcessor.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSDocInfo.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSDocInfo.java?rev=1294114&r1=1294113&r2=1294114&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSDocInfo.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSDocInfo.java Mon Feb 27 11:23:30 2012
@@ -255,6 +255,30 @@ public class WSDocInfo {
}
return foundResults;
}
+
+ /**
+ * Get a WSSecurityEngineResult of the given Integer tag for the given Id
+ */
+ public WSSecurityEngineResult getResultByTag(Integer tag, String uri) {
+ String id = uri;
+ if (id == null) {
+ return null;
+ } else if (id.charAt(0) == '#') {
+ id = id.substring(1);
+ }
+ if (resultsList != null) {
+ for (WSSecurityEngineResult result : resultsList) {
+ if (result != null) {
+ Integer resultTag = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
+ String cId = (String)result.get(WSSecurityEngineResult.TAG_ID);
+ if ((tag.intValue() == resultTag.intValue()) && id.equals(cId)) {
+ return result;
+ }
+ }
+ }
+ }
+ return null;
+ }
/**
* @return the signature crypto class used to process
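Review bot: `id.charAt(0)` on L36 throws StringIndexOutOfBoundsException when the URI is the empty string, and the ReferenceListProcessor hunk in this commit can produce exactly that from a DataReference whose URI is just `#` (it strips the `#` before calling here), so a malformed message now surfaces as an unchecked exception instead of a WSSecurityException; guard it with `if (id == null || id.length() == 0) { return null; }`. The comparison `tag.intValue() == resultTag.intValue()` on L44 dereferences both boxed values unconditionally; `tag.equals(resultTag)` keeps the same semantics and tolerates a result without an action, should one exist (not visible here). The Javadoc should also state that the match is on action tag plus TAG_ID only, so any result of that action carrying the Id — an EncryptedData result and, after this commit, a ReferenceList result — is returned, e.g. `* Returns the first result whose TAG_ACTION equals tag and whose TAG_ID equals uri (a leading '#' is ignored), or null.`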
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/EncryptedDataProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/EncryptedDataProcessor.java?rev=1294114&r1=1294113&r2=1294114&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/EncryptedDataProcessor.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/EncryptedDataProcessor.java Mon Feb 27 11:23:30 2012
@@ -20,6 +20,7 @@
package org.apache.ws.security.processor;
import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSDocInfo;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngineResult;
@@ -37,6 +38,7 @@ import javax.crypto.SecretKey;
import javax.xml.namespace.QName;
import java.util.ArrayList;
+import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -133,7 +135,28 @@ public class EncryptedDataProcessor impl
);
}
+ WSDataRef dataRef = new WSDataRef();
+ dataRef.setWsuId(elem.getAttributeNS(null, "Id"));
+ dataRef.setAlgorithm(symEncAlgo);
+ dataRef.setContent(false);
+
+ Node decryptedNode;
+ if (previousSibling == null) {
+ decryptedNode = parent.getFirstChild();
+ } else {
+ decryptedNode = previousSibling.getNextSibling();
+ }
+ if (decryptedNode != null && Node.ELEMENT_NODE == decryptedNode.getNodeType()) {
+ dataRef.setProtectedElement((Element)decryptedNode);
+ }
+ dataRef.setXpath(ReferenceListProcessor.getXPath(decryptedNode));
+
+ WSSecurityEngineResult result =
+ new WSSecurityEngineResult(WSConstants.ENCR, Collections.singletonList(dataRef));
+ result.put(WSSecurityEngineResult.TAG_ID, elem.getAttributeNS(null, "Id"));
+ wsDocInfo.addResult(result);
wsDocInfo.addTokenElement(elem);
+
WSSConfig wssConfig = request.getWssConfig();
if (wssConfig != null) {
// Get hold of the plain text element
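Review bot: `dataRef.setContent(false)` on L79 is hard-coded, so an EncryptedData element carrying `Type="http://www.w3.org/2001/04/xmlenc#Content"` would be recorded as element-level encryption, and a consumer that compares decrypted parts against a required-parts policy would be misled. How the element is decrypted above this hunk is not visible, so it may be that only Type=Element reaches this point — if so, a comment saying so is enough; otherwise derive the flag from the attribute: `dataRef.setContent("http://www.w3.org/2001/04/xmlenc#Content".equals(elem.getAttributeNS(null, "Type")));`. `elem.getAttributeNS(null, "Id")` is also read twice (L77, L94) and yields "" when the attribute is absent; a single local `String id` makes the empty-Id case obvious, since that value is what the TAG_ID lookup in WSDocInfo later compares against. The enclosing handleToken method starts before this hunk.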
@@ -156,10 +179,12 @@ public class EncryptedDataProcessor impl
if (encrKeyResults != null) {
completeResults.addAll(encrKeyResults);
}
+ completeResults.add(result);
completeResults.addAll(0, results);
return completeResults;
}
}
+ encrKeyResults.add(result);
return encrKeyResults;
}
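Review bot: `encrKeyResults.add(result)` on L110 mutates a list this processor did not create: the `if (encrKeyResults != null)` guard on L102 shows it can be null, and if it is the value returned by EncryptedKeyProcessor.handleToken it is a `Collections.singletonList` (L137 of this diff), whose `add` throws UnsupportedOperationException. The new test does not reach this line because the decrypted Timestamp takes the early-return branch above it. Build the return value the way the other branch does — a fresh ArrayList, the EncryptedKey results when non-null, then the EncryptedData result. The enclosing method begins before the hunk.
```java
        // … unchanged: wssConfig branch that returns completeResults …
        List<WSSecurityEngineResult> allResults = new ArrayList<WSSecurityEngineResult>();
        if (encrKeyResults != null) {
            allResults.addAll(encrKeyResults);
        }
        allResults.add(result);
        return allResults;
```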
@@ -180,7 +205,9 @@ public class EncryptedDataProcessor impl
// EncryptionAlgorithm must be 3DES, or AES128, or AES256
if (!WSConstants.TRIPLE_DES.equals(encAlgo)
&& !WSConstants.AES_128.equals(encAlgo)
- && !WSConstants.AES_256.equals(encAlgo)) {
+ && !WSConstants.AES_128_GCM.equals(encAlgo)
+ && !WSConstants.AES_256.equals(encAlgo)
+ && !WSConstants.AES_256_GCM.equals(encAlgo)) {
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY, "badEncAlgo", new Object[]{encAlgo}
);
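Review bot: The comment on L114 (`// EncryptionAlgorithm must be 3DES, or AES128, or AES256`) is now stale, since the condition also admits the two GCM identifiers; change it to `// EncryptionAlgorithm must be 3DES, AES-128 or AES-256 (CBC or GCM mode)`. This allow-list extension is unrelated to the commit's stated purpose (skipping already-decrypted Data References) and would be easier to trace later with a line in the log message. The enclosing method starts and ends outside the hunk.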
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java?rev=1294114&r1=1294113&r2=1294114&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java Mon Feb 27 11:23:30 2012
@@ -147,7 +147,7 @@ public class EncryptedKeyProcessor imple
WSSecurityEngineResult.TAG_ENCRYPTED_KEY_TRANSPORT_METHOD,
encryptedKeyTransportMethod
);
- result.put(WSSecurityEngineResult.TAG_ID, elem.getAttribute("Id"));
+ result.put(WSSecurityEngineResult.TAG_ID, elem.getAttributeNS(null, "Id"));
wsDocInfo.addResult(result);
wsDocInfo.addTokenElement(elem);
return java.util.Collections.singletonList(result);
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java?rev=1294114&r1=1294113&r2=1294114&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java Mon Feb 27 11:23:30 2012
@@ -60,6 +60,7 @@ public class ReferenceListProcessor impl
List<WSDataRef> dataRefs = handleReferenceList(elem, data, wsDocInfo);
WSSecurityEngineResult result =
new WSSecurityEngineResult(WSConstants.ENCR, dataRefs);
+ result.put(WSSecurityEngineResult.TAG_ID, elem.getAttributeNS(null, "Id"));
wsDocInfo.addTokenElement(elem);
wsDocInfo.addResult(result);
return java.util.Collections.singletonList(result);
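Review bot: After L147 the ReferenceList's own `Id` sits under TAG_ID on an action-ENCR result, which makes it indistinguishable, in the `getResultByTag(WSConstants.ENCR, …)` lookup this commit adds, from the result of a decrypted EncryptedData element; a comment should record that, e.g. `// TAG_ID is the ReferenceList's Id; getResultByTag(ENCR, id) also matches this result`. `getAttributeNS(null, "Id")` returns "" when the attribute is absent, so the tag is populated with the empty string rather than left unset; `String id = elem.getAttributeNS(null, "Id"); if (id.length() > 0) { result.put(WSSecurityEngineResult.TAG_ID, id); }` avoids storing a meaningless key. The enclosing handleToken starts before the hunk.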
@@ -94,10 +95,13 @@ public class ReferenceListProcessor impl
if (dataRefURI.charAt(0) == '#') {
dataRefURI = dataRefURI.substring(1);
}
- WSDataRef dataRef =
- decryptDataRefEmbedded(
- elem.getOwnerDocument(), dataRefURI, data, wsDocInfo, asymBinding);
- dataRefs.add(dataRef);
+
+ if (wsDocInfo.getResultByTag(WSConstants.ENCR, dataRefURI) == null) {
+ WSDataRef dataRef =
+ decryptDataRefEmbedded(
+ elem.getOwnerDocument(), dataRefURI, data, wsDocInfo, asymBinding);
+ dataRefs.add(dataRef);
+ }
}
}
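Review bot: The skip on L160 keys only on action tag and Id, so any earlier ENCR result with a matching TAG_ID — including a previously processed ReferenceList, which now carries its own Id under TAG_ID (L147) — causes this DataReference to be dropped silently: nothing is added to dataRefs and nothing confirms the referenced element was actually decrypted. Tighten the check to the case the commit is about by requiring that the matched result contains a WSDataRef whose wsuId is this URI (EncryptedDataProcessor sets that in this commit), and otherwise fall through to decryptDataRefEmbedded; I am assuming the two-argument WSSecurityEngineResult constructor stores the list under TAG_DATA_REF_URIS and that WSDataRef has a getWsuId() accessor matching the setter on L77 — please confirm. If that is not wanted, at least add a comment stating the assumption that only EncryptedDataProcessor results share this Id. The enclosing handleReferenceList starts before the hunk.
```java
            WSSecurityEngineResult previous =
                wsDocInfo.getResultByTag(WSConstants.ENCR, dataRefURI);
            if (previous == null || !hasDecryptedRef(previous, dataRefURI)) {
                WSDataRef dataRef =
                    decryptDataRefEmbedded(
                        elem.getOwnerDocument(), dataRefURI, data, wsDocInfo, asymBinding);
                dataRefs.add(dataRef);
            }
            // … unchanged: end of loop …

    /** True if one of the result's data refs records a decryption of the element with this Id. */
    @SuppressWarnings("unchecked")
    private static boolean hasDecryptedRef(WSSecurityEngineResult result, String id) {
        List<WSDataRef> refs =
            (List<WSDataRef>) result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
        if (refs == null) {
            return false;
        }
        for (WSDataRef ref : refs) {
            if (id.equals(ref.getWsuId())) {
                return true;
            }
        }
        return false;
    }
```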
Added: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/EncryptedDataInHeaderTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/EncryptedDataInHeaderTest.java?rev=1294114&view=auto
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/EncryptedDataInHeaderTest.java (added)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/EncryptedDataInHeaderTest.java Mon Feb 27 11:23:30 2012
@@ -0,0 +1,127 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.ws.security.message;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.security.auth.callback.CallbackHandler;
+
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSEncryptionPart;
+import org.apache.ws.security.WSSConfig;
+import org.apache.ws.security.WSSecurityEngine;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.common.KeystoreCallbackHandler;
+import org.apache.ws.security.common.SOAPUtil;
+import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.util.WSSecurityUtil;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+/**
+ * This test encrypts a Timestamp and the SOAP Body, and appends the ReferenceList Element after the
+ * EncryptedData Element that is the Timestamp. When processing, the EncryptedData Element gets decrypted,
+ * and then the ReferenceListProcessor must check to see whether the Data Reference pointing to the
+ * encrypted Timestamp needs to be decrypted or not.
+ */
+public class EncryptedDataInHeaderTest extends org.junit.Assert {
+ private static final org.apache.commons.logging.Log LOG =
+ org.apache.commons.logging.LogFactory.getLog(EncryptedDataInHeaderTest.class);
+
+ private WSSecurityEngine secEngine = new WSSecurityEngine();
+ private CallbackHandler callbackHandler = new KeystoreCallbackHandler();
+ private Crypto crypto = null;
+
+ public EncryptedDataInHeaderTest() throws Exception {
+ crypto = CryptoFactory.getInstance();
+ WSSConfig.init();
+ }
+
+ @org.junit.Test
+ public void testEncryptedDataInHeader() throws Exception {
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+
+ WSSecTimestamp timestamp = new WSSecTimestamp();
+ timestamp.setTimeToLive(300);
+ timestamp.build(doc, secHeader);
+
+ // Encrypt the Timestamp and SOAP Body
+ List<WSEncryptionPart> parts = new ArrayList<WSEncryptionPart>();
+ WSEncryptionPart encP =
+ new WSEncryptionPart(
+ "Timestamp", WSConstants.WSU_NS, "");
+ parts.add(encP);
+ String soapNamespace = WSSecurityUtil.getSOAPNamespace(doc.getDocumentElement());
+ encP =
+ new WSEncryptionPart(
+ WSConstants.ELEM_BODY, soapNamespace, "Content"
+ );
+ parts.add(encP);
+
+ WSSecEncrypt encrypt = new WSSecEncrypt();
+ encrypt.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
+ encrypt.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
+ encrypt.setParts(parts);
+
+ encrypt.prepare(doc, crypto);
+ encrypt.prependToHeader(secHeader);
+
+ // Append Reference List to security header
+ Element refs = encrypt.encryptForRef(null, parts);
+ secHeader.getSecurityHeader().appendChild(refs);
+
+ if (LOG.isDebugEnabled()) {
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+ LOG.debug(outputString);
+ }
+
+ List<WSSecurityEngineResult> results = verify(doc);
+ WSSecurityEngineResult actionResult =
+ WSSecurityUtil.fetchActionResult(results, WSConstants.ENCR);
+ assertTrue(actionResult != null);
+ assertFalse(actionResult.isEmpty());
+ }
+
+
+ /**
+ * Verifies the soap envelope
+ * <p/>
+ *
+ * @param doc
+ * @throws Exception Thrown when there is a problem in verification
+ */
+ private List<WSSecurityEngineResult> verify(Document doc) throws Exception {
+ List<WSSecurityEngineResult> results =
+ secEngine.processSecurityHeader(doc, null, callbackHandler, null, crypto);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Verified and decrypted message:");
+ String outputString =
+ org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+ LOG.debug(outputString);
+ }
+ return results;
+ }
+
+}
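Review bot: The assertions on L276-277 only establish that some ENCR result exists, which would also pass if the Timestamp were decrypted twice or the ReferenceList produced no references, so the scenario the class comment describes is not actually pinned down. Add `assertNotNull(WSSecurityUtil.fetchActionResult(results, WSConstants.TS));` to show the decrypted Timestamp was processed as a Timestamp, and check the decrypted-parts bookkeeping — that the ENCR results together hold exactly one WSDataRef for the Timestamp and one for the Body (if this tree has `WSSecurityUtil.fetchAllActionResults`, it collects all ENCR results for that count). `assertTrue(actionResult != null)` reads better as `assertNotNull(actionResult)`.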