Posted to commits@cxf.apache.org by co...@apache.org on 2019/08/19 15:14:50 UTC

[cxf] branch wss4j_2.3.0 updated (407e31e -> 3bf2dca)

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a change to branch wss4j_2.3.0
in repository https://gitbox.apache.org/repos/asf/cxf.git.


 discard 407e31e  Picking up more changes in WSS4J
 discard 2517ffb  Use newer guava version from WSS4J
 discard 8c8de03  Fixing up latest policy change in WSS4J
 discard c68290f  Set the SOAP namespace on the streaming policy validation code
 discard 02b88f6  Picking up more derived key changes in WSS4J
 discard 3800d5c  Picking up derived key changes from WSS4J
 discard eae9751  Create salt instead of getting it from WSS4J
 discard 10752ce  Picking up changes to symmetricKey in WSSEcEncryptedKey
 discard 78faeae  WSSecEncryptedKey.getEphemeralKey() is removed in WSS4J
 discard 187d3c1  Get the encrypted key SHA value directly from WSS4J
     new 3bf2dca  Update to Apache WSS4J 2.3.0-SNAPSHOT

This update added new revisions after undoing existing revisions.
That is to say, some revisions that were in the old version of the
branch are not in the new version.  This situation occurs
when a user --force pushes a change and generates a repository
containing something like this:

 * -- * -- B -- O -- O -- O   (407e31e)
            \
             N -- N -- N   refs/heads/wss4j_2.3.0 (3bf2dca)

You should already have received notification emails for all of the O
revisions, and so the following emails describe only the N revisions
from the common base, B.

Any revisions marked "omit" are not gone; other references still
refer to them.  Any revisions marked "discard" are gone forever.

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:


[cxf] 01/01: Update to Apache WSS4J 2.3.0-SNAPSHOT

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch wss4j_2.3.0
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 3bf2dcafccb3d8243dea1afdedc333e307dddde0
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Jan 25 11:27:40 2019 +0000

    Update to Apache WSS4J 2.3.0-SNAPSHOT
---
 parent/pom.xml                                     |   9 +-
 .../saml/sso/AbstractSAMLCallbackHandler.java      |  11 +-
 .../ws/security/trust/STSStaxTokenValidator.java   |   3 +-
 .../wss4j/AbstractWSS4JStaxInterceptor.java        |   2 +
 .../security/wss4j/AlgorithmSuiteTranslater.java   |   4 +-
 .../wss4j/PolicyBasedWSS4JInInterceptor.java       |   4 +-
 .../wss4j/PolicyBasedWSS4JOutInterceptor.java      |   4 +-
 .../wss4j/PolicyBasedWSS4JStaxInInterceptor.java   |   9 +-
 .../policyhandlers/AbstractBindingBuilder.java     |  58 ++--
 .../policyhandlers/AbstractStaxBindingHandler.java |   4 +-
 .../policyhandlers/AsymmetricBindingHandler.java   | 274 +++++++++--------
 .../StaxAsymmetricBindingHandler.java              |   6 +-
 .../StaxSymmetricBindingHandler.java               |   6 +-
 .../StaxTransportBindingHandler.java               |  18 +-
 .../policyhandlers/SymmetricBindingHandler.java    | 335 ++++++++++++---------
 .../policyhandlers/TransportBindingHandler.java    |  38 ++-
 .../AlgorithmSuitePolicyValidator.java             |   4 +-
 .../security/wss4j/CustomPolicyAlgorithmsTest.java |   4 +-
 .../wss4j/saml/AbstractSAMLCallbackHandler.java    |  14 +-
 .../cxf/sts/operation/AbstractOperation.java       |  14 +-
 .../sts/token/provider/DefaultSubjectProvider.java |  16 +-
 .../cxf/sts/token/provider/TokenProviderUtils.java |  10 +-
 .../cxf/sts/operation/IssueSamlUnitTest.java       |  10 +-
 .../server/CustomUsernameTokenInterceptor.java     |  14 +-
 .../cxf/systest/ws/x509/SHA512PolicyLoader.java    |   2 +-
 25 files changed, 516 insertions(+), 357 deletions(-)

diff --git a/parent/pom.xml b/parent/pom.xml
index 8938529..7f93d18 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -217,7 +217,7 @@
         <cxf.woodstox.core.version>5.0.3</cxf.woodstox.core.version>
         <cxf.woodstox.stax2-api.version>3.1.4</cxf.woodstox.stax2-api.version>
         <cxf.wsdl4j.version>1.6.3</cxf.wsdl4j.version>
-        <cxf.wss4j.version>2.2.4</cxf.wss4j.version>
+        <cxf.wss4j.version>2.3.0-SNAPSHOT</cxf.wss4j.version>
         <cxf.xalan.version>2.7.2</cxf.xalan.version>
         <cxf.xbean.version>4.14</cxf.xbean.version>
         <cxf.xerces.version>2.12.0</cxf.xerces.version>
@@ -263,7 +263,7 @@
         <cxf.xalan.bundle.version>2.7.2_3</cxf.xalan.bundle.version>
         <cxf.xerces.bundle.version>2.12.0_1</cxf.xerces.bundle.version>
         <cxf.xmlresolver.bundle.version>1.2_5</cxf.xmlresolver.bundle.version>
-        <cxf.xmlsec.bundle.version>2.1.4</cxf.xmlsec.bundle.version>
+        <cxf.xmlsec.bundle.version>2.2.0-SNAPSHOT</cxf.xmlsec.bundle.version>
         <cxf.xpp3.bundle.version>1.1.4c_6</cxf.xpp3.bundle.version>
     </properties>
     <build>
@@ -1344,11 +1344,6 @@
                 </exclusions>
             </dependency>
             <dependency>
-                <groupId>com.google.guava</groupId>
-                <artifactId>guava</artifactId>
-                <version>${cxf.guava.version}</version>
-            </dependency>
-            <dependency>
                 <groupId>org.apache.hbase</groupId>
                 <artifactId>hbase-client</artifactId>
                 <version>2.1.4</version>
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
index f5f051c..e473bdf 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
@@ -23,6 +23,8 @@ import java.security.cert.X509Certificate;
 import java.util.Collections;
 import java.util.List;
 
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.security.auth.callback.CallbackHandler;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -43,6 +45,7 @@ import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER;
 import org.apache.wss4j.common.saml.bean.SubjectBean;
 import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean;
 import org.apache.wss4j.common.saml.bean.SubjectLocalityBean;
+import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.message.WSSecEncryptedKey;
 import org.joda.time.DateTime;
@@ -212,8 +215,12 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
             WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc);
             encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
             encrKey.setUseThisCert(certs[0]);
-            encrKey.prepare(null);
-            ephemeralKey = encrKey.getEphemeralKey();
+
+            KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_128);
+            SecretKey symmetricKey = keyGen.generateKey();
+
+            encrKey.prepare(null, symmetricKey);
+            ephemeralKey = symmetricKey.getEncoded();
             Element encryptedKeyElement = encrKey.getEncryptedKeyElement();
 
             // Append the EncryptedKey to a KeyInfo element
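Review bot: `KeyUtils.getKeyGenerator(WSConstants.AES_128)` hard-codes the ephemeral key algorithm that `WSSecEncryptedKey.prepare(null)` used to pick on the caller's behalf, and the raw key bytes are now retained in `ephemeralKey` via `symmetricKey.getEncoded()`. Whatever later consumes `ephemeralKey` (outside the hunk) has to encrypt with an algorithm of the same key size, so a comment such as `// key algorithm must match the one used to encrypt with ephemeralKey` or a shared constant would tie the two sites together. The enclosing method starts and ends outside the hunk.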
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
index ffb99e4..57429e2 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java
@@ -42,6 +42,7 @@ import org.apache.wss4j.common.token.BinarySecurity;
 import org.apache.wss4j.common.token.PKIPathSecurity;
 import org.apache.wss4j.common.token.X509Security;
 import org.apache.wss4j.common.util.AttachmentUtils;
+import org.apache.wss4j.common.util.UsernameTokenUtil;
 import org.apache.wss4j.dom.message.token.KerberosSecurity;
 import org.apache.wss4j.dom.message.token.UsernameToken;
 import org.apache.wss4j.stax.ext.WSSConstants;
@@ -329,7 +330,7 @@ public class STSStaxTokenValidator
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
         }
 
-        String passDigest = WSSUtils.doPasswordDigest(nonceVal, created, pwCb.getPassword());
+        String passDigest = UsernameTokenUtil.doPasswordDigest(nonceVal, created, pwCb.getPassword());
         if (!passwordType.getValue().equals(passDigest)) {
             throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
         }
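Review bot: The digest produced by the new `UsernameTokenUtil.doPasswordDigest(...)` line is compared on the following context line with `passwordType.getValue().equals(passDigest)`, which stops at the first differing character; for an authentication digest compared against a value presumably taken from the inbound token, a constant-time comparison is the usual choice. Something like `if (!MessageDigest.isEqual(passwordType.getValue().getBytes(StandardCharsets.UTF_8), passDigest.getBytes(StandardCharsets.UTF_8)))` would do, importing `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` if the file does not already have them. The comparison predates this commit, but the switch of digest helper is a natural moment to fix it. The enclosing method starts and ends outside the hunk.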
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java
index d5cd6b6..585e908 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java
@@ -179,6 +179,8 @@ public abstract class AbstractWSS4JStaxInterceptor implements SoapInterceptor,
         boolean validateSchemas =
             MessageUtils.getContextualBoolean(msg, "schema-validation-enabled", false);
         securityProperties.setDisableSchemaValidation(!validateSchemas);
+
+        securityProperties.setSoap12(WSSConstants.NS_SOAP12.equals(msg.getVersion().getNamespace()));
     }
 
     private Collection<Pattern> convertCertConstraints(String certConstraints, String separator) {
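Review bot: `WSSConstants.NS_SOAP12.equals(msg.getVersion().getNamespace())` on the added line dereferences `msg.getVersion()` without a null check; if the SOAP version can be unset when this interceptor runs (not visible from the hunk), this throws before any security processing happens. The identical expression is added again in PolicyBasedWSS4JStaxInInterceptor (the hunk starting `@@ -435,7 +435,8 @@`), so a small shared helper such as `static boolean isSoap12(SoapMessage msg) { SoapVersion v = msg.getVersion(); return v != null && WSSConstants.NS_SOAP12.equals(v.getNamespace()); }` would keep both call sites in step and make the null handling explicit. The enclosing method starts outside the hunk.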
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
index 595d419..ef73d10 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java
@@ -126,8 +126,8 @@ public final class AlgorithmSuiteTranslater {
                 algorithmSuite.addDigestAlgorithm(algorithmSuiteType.getDigest());
             }
 
-            algorithmSuite.addSignatureMethod(cxfAlgorithmSuite.getAsymmetricSignature());
-            algorithmSuite.addSignatureMethod(cxfAlgorithmSuite.getSymmetricSignature());
+            algorithmSuite.addSignatureMethod(algorithmSuiteType.getAsymmetricSignature());
+            algorithmSuite.addSignatureMethod(algorithmSuiteType.getSymmetricSignature());
             algorithmSuite.addC14nAlgorithm(cxfAlgorithmSuite.getC14n().getValue());
 
             algorithmSuite.addTransformAlgorithm(cxfAlgorithmSuite.getC14n().getValue());
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
index 767be4c..640165e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
@@ -486,10 +486,10 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {
                     for (AssertionInfo algorithmSuite : algorithmSuites) {
                         AlgorithmSuite algSuite = (AlgorithmSuite)algorithmSuite.getAssertion();
                         if (asymSignatureAlgorithm != null) {
-                            algSuite.setAsymmetricSignature(asymSignatureAlgorithm);
+                            algSuite.getAlgorithmSuiteType().setAsymmetricSignature(asymSignatureAlgorithm);
                         }
                         if (symSignatureAlgorithm != null) {
-                            algSuite.setSymmetricSignature(symSignatureAlgorithm);
+                            algSuite.getAlgorithmSuiteType().setSymmetricSignature(symSignatureAlgorithm);
                         }
                     }
                 }
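Review bot: `algSuite.getAlgorithmSuiteType().setAsymmetricSignature(asymSignatureAlgorithm)` (and the symmetric twin two lines below) now mutates the AlgorithmSuiteType object reachable from the policy assertion instead of the AlgorithmSuite itself; if that type object is shared between AlgorithmSuite instances, a per-message contextual property would leak into every other message and policy that resolves to the same suite. Please confirm the type is a per-assertion copy and record it, e.g. `// AlgorithmSuiteType is a per-assertion copy, so this override stays local to this policy`. The same pattern is introduced in PolicyBasedWSS4JOutInterceptor (hunk `@@ -164,13 +164,13 @@`) and PolicyBasedWSS4JStaxInInterceptor (hunk `@@ -271,10 +272,10 @@`). The enclosing method starts and ends outside the hunk.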
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
index 1a68fe0..9cb373e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java
@@ -164,13 +164,13 @@ public class PolicyBasedWSS4JOutInterceptor extends AbstractPhaseInterceptor<Soa
                 String asymSignatureAlgorithm =
                     (String)message.getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
                 if (asymSignatureAlgorithm != null && binding.getAlgorithmSuite() != null) {
-                    binding.getAlgorithmSuite().setAsymmetricSignature(asymSignatureAlgorithm);
+                    binding.getAlgorithmSuite().getAlgorithmSuiteType().setAsymmetricSignature(asymSignatureAlgorithm);
                 }
 
                 String symSignatureAlgorithm =
                     (String)message.getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM);
                 if (symSignatureAlgorithm != null && binding.getAlgorithmSuite() != null) {
-                    binding.getAlgorithmSuite().setSymmetricSignature(symSignatureAlgorithm);
+                    binding.getAlgorithmSuite().getAlgorithmSuiteType().setSymmetricSignature(symSignatureAlgorithm);
                 }
 
                 try {
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
index a455cf8..b321e5b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java
@@ -55,6 +55,7 @@ import org.apache.wss4j.policy.model.AlgorithmSuite;
 import org.apache.wss4j.policy.stax.OperationPolicy;
 import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
 import org.apache.wss4j.policy.stax.enforcer.PolicyInputProcessor;
+import org.apache.wss4j.stax.ext.WSSConstants;
 import org.apache.wss4j.stax.ext.WSSSecurityProperties;
 import org.apache.wss4j.stax.impl.securityToken.HttpsSecurityTokenImpl;
 import org.apache.wss4j.stax.securityEvent.HttpsTokenSecurityEvent;
@@ -271,10 +272,10 @@ public class PolicyBasedWSS4JStaxInInterceptor extends WSS4JStaxInInterceptor {
                 for (AssertionInfo algorithmSuite : algorithmSuites) {
                     AlgorithmSuite algSuite = (AlgorithmSuite)algorithmSuite.getAssertion();
                     if (asymSignatureAlgorithm != null) {
-                        algSuite.setAsymmetricSignature(asymSignatureAlgorithm);
+                        algSuite.getAlgorithmSuiteType().setAsymmetricSignature(asymSignatureAlgorithm);
                     }
                     if (symSignatureAlgorithm != null) {
-                        algSuite.setSymmetricSignature(symSignatureAlgorithm);
+                        algSuite.getAlgorithmSuiteType().setSymmetricSignature(symSignatureAlgorithm);
                     }
                 }
             }
@@ -426,7 +427,6 @@ public class PolicyBasedWSS4JStaxInInterceptor extends WSS4JStaxInInterceptor {
         if (soapAction == null) {
             soapAction = "";
         }
-
         String actor = (String)msg.getContextualProperty(SecurityConstants.ACTOR);
         final Collection<org.apache.cxf.message.Attachment> attachments = msg.getAttachments();
         int attachmentCount = 0;
@@ -435,7 +435,8 @@ public class PolicyBasedWSS4JStaxInInterceptor extends WSS4JStaxInInterceptor {
         }
         return new PolicyEnforcer(operationPolicies, soapAction, isRequestor(msg),
                                   actor, attachmentCount,
-                                  new WSS4JPolicyAsserter(msg.get(AssertionInfoMap.class)));
+                                  new WSS4JPolicyAsserter(msg.get(AssertionInfoMap.class)),
+                                  WSSConstants.NS_SOAP12.equals(msg.getVersion().getNamespace()));
     }
 
 }
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index 619d4b5..8cd7c24 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -35,6 +35,7 @@ import java.util.concurrent.ConcurrentHashMap;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import javax.crypto.SecretKey;
 import javax.security.auth.callback.CallbackHandler;
 import javax.xml.XMLConstants;
 import javax.xml.crypto.dsig.Reference;
@@ -102,6 +103,7 @@ import org.apache.wss4j.common.token.BinarySecurity;
 import org.apache.wss4j.common.token.SecurityTokenReference;
 import org.apache.wss4j.common.token.X509Security;
 import org.apache.wss4j.common.util.Loader;
+import org.apache.wss4j.common.util.UsernameTokenUtil;
 import org.apache.wss4j.common.util.XMLUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSDocInfo;
@@ -579,7 +581,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         } else {
             sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
         }
-        sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
+        sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature());
         sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
 
         Crypto crypto = secToken.getCrypto();
@@ -610,19 +612,20 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
     protected void handleUsernameTokenSupportingToken(
         UsernameToken token, boolean endorse, boolean encryptedToken, List<SupportingToken> ret
     ) throws WSSecurityException {
-        if (endorse) {
-            WSSecUsernameToken utBuilder = addDKUsernameToken(token, true);
+        if (endorse && isTokenRequired(token.getIncludeTokenType())) {
+            byte[] salt = UsernameTokenUtil.generateSalt(true);
+            WSSecUsernameToken utBuilder = addDKUsernameToken(token, salt, true);
             if (utBuilder != null) {
-                utBuilder.prepare();
+                utBuilder.prepare(salt);
                 addSupportingElement(utBuilder.getUsernameTokenElement());
-                ret.add(new SupportingToken(token, utBuilder, null));
+                ret.add(new SupportingToken(token, utBuilder, null, salt));
                 if (encryptedToken) {
                     WSEncryptionPart part = new WSEncryptionPart(utBuilder.getId(), "Element");
                     part.setElement(utBuilder.getUsernameTokenElement());
                     encryptedTokensList.add(part);
                 }
             }
-        } else {
+        } else if (!endorse) {
             WSSecUsernameToken utBuilder = addUsernameToken(token);
             if (utBuilder != null) {
                 utBuilder.prepare();
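Review bot: With the new guard `if (endorse && isTokenRequired(token.getIncludeTokenType()))` followed by `else if (!endorse)`, an endorsing UsernameToken that is not required now takes neither branch, so `addDKUsernameToken` — whose first statement is `assertToken(token)` in a later hunk — is never reached and the token is not asserted on this path, whereas the old code asserted it before returning null. Unless the assertion happens elsewhere, add `else if (endorse) { assertToken(token); }` so the policy assertion is not lost. The enclosing method continues past the hunk.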
@@ -862,7 +865,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         return null;
     }
 
-    protected WSSecUsernameToken addDKUsernameToken(UsernameToken token, boolean useMac) {
+    protected WSSecUsernameToken addDKUsernameToken(UsernameToken token, byte[] salt, boolean useMac) {
         assertToken(token);
         if (!isTokenRequired(token.getIncludeTokenType())) {
             return null;
@@ -883,8 +886,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             if (!StringUtils.isEmpty(password)) {
                 // If the password is available then build the token
                 utBuilder.setUserInfo(userName, password);
-                utBuilder.addDerivedKey(useMac, null, 1000);
-                utBuilder.prepare();
+                utBuilder.addDerivedKey(useMac,  1000);
+                utBuilder.prepare(salt);
             } else {
                 unassertPolicy(token, "No password available");
                 return null;
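Review bot: `utBuilder.addDerivedKey(useMac,  1000);` carries a stray double space and an unnamed iteration count. A class constant such as `private static final int DERIVED_KEY_ITERATIONS = 1000;` used as `utBuilder.addDerivedKey(useMac, DERIVED_KEY_ITERATIONS);` names the value and keeps it in one place for any other username-token builder in this class. The enclosing method starts and ends outside the hunk.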
@@ -1502,7 +1505,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         return null;
     }
 
-    protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractToken token) throws WSSecurityException {
+    protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractToken token,
+                                                       SecretKey symmetricKey) throws WSSecurityException {
         WSSecEncryptedKey encrKey = new WSSecEncryptedKey(secHeader);
         encrKey.setIdAllocator(wssConfig.getIdAllocator());
         encrKey.setCallbackLookup(callbackLookup);
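Review bot: The new `SecretKey symmetricKey` parameter on `getEncryptedKeyBuilder` has no Javadoc and no null check, and the next hunk drops `encrKey.setSymmetricEncAlgorithm(algType.getEncryption())`, so the caller is now the one responsible for generating a key that fits the suite's encryption algorithm (the AsymmetricBindingHandler hunks do exactly that from `getAlgorithmSuiteType().getEncryption()`). Add `Objects.requireNonNull(symmetricKey, "symmetricKey");` at the top of the body (importing `java.util.Objects` if needed) and a Javadoc `@param symmetricKey the content-encryption key to wrap; must be generated for the suite's encryption algorithm` so that contract lives at the declaration rather than only at the call sites. The method body continues past the hunk.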
@@ -1523,11 +1527,10 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         String encrUser = setEncryptionUser(encrKey, token, false, crypto);
 
         AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
-        encrKey.setSymmetricEncAlgorithm(algType.getEncryption());
         encrKey.setKeyEncAlgo(algType.getAsymmetricKeyWrap());
         encrKey.setMGFAlgorithm(algType.getMGFAlgo());
 
-        encrKey.prepare(crypto);
+        encrKey.prepare(crypto, symmetricKey);
 
         if (alsoIncludeToken) {
             X509Certificate encCert = getEncryptCert(crypto, encrUser);
@@ -1898,7 +1901,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             password = getPassword(user, token, WSPasswordCallback.SIGNATURE);
         }
         sig.setUserInfo(user, password);
-        sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
+        sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature());
         AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
         sig.setDigestAlgo(algType.getDigest());
         sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
@@ -1990,8 +1993,9 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
                 }
 
                 try {
-                    byte[] secret = utBuilder.getDerivedKey();
+                    byte[] secret = utBuilder.getDerivedKey(supportingToken.getSalt());
                     secToken.setSecret(secret);
+                    Arrays.fill(supportingToken.getSalt(), (byte)0);
 
                     if (supportingToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
                         doSymmSignatureDerived(supportingToken.getToken(), secToken, sigParts,
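Review bot: `Arrays.fill(supportingToken.getSalt(), (byte)0)` runs only on the success path and throws if the salt is null, which the three-argument `SupportingToken` constructor in a later hunk permits by passing `null`. Moving the wipe into a `finally` (the enclosing `try` at the top of the hunk has its `catch` outside the hunk) and guarding against null keeps the salt from outliving an exception from `getDerivedKey`. The enclosing method starts and ends outside the hunk.
```java
                try {
                    byte[] salt = supportingToken.getSalt();
                    try {
                        byte[] secret = utBuilder.getDerivedKey(salt);
                        secToken.setSecret(secret);
                    } finally {
                        // wipe the salt once the key is derived, even if derivation failed
                        if (salt != null) {
                            Arrays.fill(salt, (byte) 0);
                        }
                    }
                    // … unchanged: derived-key / symmetric signature handling …
```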
@@ -2040,7 +2044,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
 
         if (ref != null) {
             ref = cloneElement(ref);
-            dkSign.setExternalKey(tok.getSecret(), ref);
+            dkSign.setStrElem(ref);
         } else if (!isRequestor() && policyToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
             // If the Encrypted key used to create the derived key is not
             // attached use key identifier as defined in WSS1.1 section
@@ -2051,14 +2055,14 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
                 tokenRef.setKeyIdentifierEncKeySHA1(tok.getSHA1());
                 tokenRef.addTokenType(WSS4JConstants.WSS_ENC_KEY_VALUE_TYPE);
             }
-            dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement());
+            dkSign.setStrElem(tokenRef.getElement());
 
         } else {
-            dkSign.setExternalKey(tok.getSecret(), tok.getId());
+            dkSign.setTokenIdentifier(tok.getId());
         }
 
         //Set the algo info
-        dkSign.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
+        dkSign.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
         dkSign.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
         AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
         dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
@@ -2070,7 +2074,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             dkSign.setCustomValueType(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
         }
 
-        dkSign.prepare();
+        dkSign.prepare(tok.getSecret());
 
         if (isTokenProtection) {
             String sigTokId = XMLUtils.getIDFromReference(tok.getId());
@@ -2093,6 +2097,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         }
 
         addSig(dkSign.getSignatureValue());
+        dkSign.clean();
     }
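Review bot: `dkSign.clean()` is reached only if everything from `dkSign.prepare(tok.getSecret())` through `addSig(dkSign.getSignatureValue())` succeeds, so an exception in between leaves the derived-key material held by the builder uncleared. Wrapping the span from `prepare` to `addSig` in `try { … } finally { dkSign.clean(); }` gives the same guarantee on the failure path; the same applies to `encr.clean()` and `encrBase.clean()` in the AsymmetricBindingHandler hunks. The enclosing method starts outside the hunk.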
 
     private void doSymmSignature(AbstractToken policyToken, SecurityToken tok,
@@ -2149,7 +2154,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         sigTokId = XMLUtils.getIDFromReference(sigTokId);
         sig.setCustomTokenId(sigTokId);
         sig.setSecretKey(tok.getSecret());
-        sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
+        sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
         AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
         sig.setDigestAlgo(algType.getDigest());
         sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
@@ -2355,12 +2360,19 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         private final AbstractToken token;
         private final Object tokenImplementation;
         private final List<WSEncryptionPart> signedParts;
+        private final byte[] salt;
 
         SupportingToken(AbstractToken token, Object tokenImplementation,
-                               List<WSEncryptionPart> signedParts) {
+                        List<WSEncryptionPart> signedParts) {
+            this(token, tokenImplementation, signedParts, null);
+        }
+
+        SupportingToken(AbstractToken token, Object tokenImplementation,
+                               List<WSEncryptionPart> signedParts, byte[] salt) {
             this.token = token;
             this.tokenImplementation = tokenImplementation;
             this.signedParts = signedParts;
+            this.salt = salt;
         }
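Review bot: The new `salt` field is stored, and returned by `getSalt()` in the next hunk, without a copy, and the three-argument constructor passes `null`, so callers can receive a null array; neither fact is documented. The aliasing looks deliberate, since the consumer zeroes the array in place after deriving the key, so a comment on the field such as `// held by reference so the consumer can wipe it after key derivation; null for tokens without a derived key` would stop a future defensive copy from silently defeating that wipe. The enclosing class extends beyond the hunk.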
 
         public AbstractToken getToken() {
@@ -2375,6 +2387,10 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
             return signedParts;
         }
 
+        public byte[] getSalt() {
+            return salt;
+        }
+
     }
 
     protected void addSig(byte[] val) {
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
index c674c99..b5a2d6b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java
@@ -540,10 +540,10 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa
         if (binding instanceof SymmetricBinding) {
             userNameKey = SecurityConstants.ENCRYPT_USERNAME;
             properties.setSignatureAlgorithm(
-                       binding.getAlgorithmSuite().getSymmetricSignature());
+                       binding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
         } else {
             properties.setSignatureAlgorithm(
-                       binding.getAlgorithmSuite().getAsymmetricSignature());
+                       binding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature());
         }
         properties.setSignatureCanonicalizationAlgorithm(
                        binding.getAlgorithmSuite().getC14n().getValue());
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
index df31bc7..ff716f1 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
@@ -28,6 +28,8 @@ import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.xml.crypto.dsig.Reference;
 import javax.xml.namespace.QName;
 import javax.xml.soap.SOAPException;
@@ -54,6 +56,7 @@ import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.derivedKey.ConversationConstants;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.engine.WSSConfig;
 import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
@@ -224,12 +227,24 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                     encToken = abinding.getInitiatorToken();
                 }
             }
-            doEncryption(encToken, enc, false);
+
             if (encToken != null) {
+                WSSecBase encr = null;
+                if (encToken.getToken() != null && !enc.isEmpty()) {
+                    if (encToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+                        encr = doEncryptionDerived(encToken, enc);
+                    } else {
+                        String symEncAlgorithm = abinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
+                        KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);
+                        SecretKey symmetricKey = keyGen.generateKey();
+                        encr = doEncryption(encToken, enc, false, symmetricKey);
+                    }
+
+                    encr.clean();
+                }
                 assertTokenWrapper(encToken);
                 assertToken(encToken.getToken());
             }
-
         } catch (Exception e) {
             String reason = e.getMessage();
             LOG.log(Level.WARNING, "Sign before encryption failed due to : " + reason);
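Review bot: `encr.clean()` on the new line is called with no null check, whereas the old single `doEncryption(encToken, enc, false)` call handled the degenerate cases internally; if either `doEncryptionDerived` or `doEncryption` can return null (not visible here) this is a NullPointerException inside the catch-all. The three key-generation lines (`getAlgorithmSuiteType().getEncryption()`, `KeyUtils.getKeyGenerator`, `generateKey()`) are repeated verbatim in the next hunk, so a private helper would keep the algorithm choice in one place; the guard and helper are sketched below. The enclosing method starts outside the hunk.
```java
            if (encToken != null) {
                WSSecBase encr = null;
                if (encToken.getToken() != null && !enc.isEmpty()) {
                    if (encToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
                        encr = doEncryptionDerived(encToken, enc);
                    } else {
                        encr = doEncryption(encToken, enc, false, generateSymmetricKey());
                    }
                    if (encr != null) {
                        encr.clean();
                    }
                }
                // … unchanged: assertTokenWrapper / assertToken …
            }

    // … elsewhere in the class …
    // Creates a fresh content-encryption key for the suite's symmetric encryption algorithm.
    private SecretKey generateSymmetricKey() throws WSSecurityException {
        String symEncAlgorithm = abinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
        return KeyUtils.getKeyGenerator(symEncAlgorithm).generateKey();
    }
```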
@@ -333,9 +348,21 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
         }
 
         WSSecBase encrBase = null;
+        SecretKey symmetricKey = null;
         if (encryptionToken != null && !encrParts.isEmpty()) {
-            encrBase = doEncryption(wrapper, encrParts, true);
-            handleEncryptedSignedHeaders(encrParts, sigParts);
+            if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+                encrBase = doEncryptionDerived(wrapper, encrParts);
+            } else {
+                String symEncAlgorithm = abinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
+                try {
+                    KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);
+                    symmetricKey = keyGen.generateKey();
+                    encrBase = doEncryption(wrapper, encrParts, true, symmetricKey);
+                } catch (WSSecurityException ex) {
+                    LOG.log(Level.FINE, ex.getMessage(), ex);
+                    throw new Fault(ex);
+                }
+            }
         }
 
         if (!isRequestor()) {
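Review bot: The call `handleEncryptedSignedHeaders(encrParts, sigParts);` that the old side made right after encrypting is removed here and not re-added anywhere in this hunk, while the equivalent symmetric-binding path (line 1097) keeps it. If it was not deliberately relocated outside the hunk, signed headers that are also encrypted will no longer have their signature parts adjusted in the encrypt-before-sign flow, which changes what gets signed. Either restore the call after the new if/else or add a one-line comment saying where that adjustment now happens. The enclosing method continues beyond both ends of the hunk.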
@@ -369,12 +396,15 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
         }
 
         if (encrBase != null) {
-            encryptTokensInSecurityHeader(encryptionToken, encrBase);
+            encryptTokensInSecurityHeader(encryptionToken, encrBase, symmetricKey);
+            encrBase.clean();
         }
     }
 
 
-    private void encryptTokensInSecurityHeader(AbstractToken encryptionToken, WSSecBase encrBase) {
+    private void encryptTokensInSecurityHeader(AbstractToken encryptionToken,
+                                               WSSecBase encrBase,
+                                               SecretKey symmetricKey) {
         List<WSEncryptionPart> secondEncrParts = new ArrayList<>();
 
         // Check for signature protection
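Review bot: The new `symmetricKey` parameter of encryptTokensInSecurityHeader is undocumented and is null on one of its two call paths: in the preceding hunk `symmetricKey` is only assigned in the non-derived-keys branch, so a derived-key `encrBase` arrives here with `symmetricKey == null`. The method later hands it to `((WSSecEncrypt)encrBase).encryptForRef(...)`; presumably that line is only reached for the non-derived case, but the method body is cut by the hunk so it cannot be confirmed from here. Add a Javadoc stating the contract, e.g. `@param symmetricKey the content-encryption key encrBase was prepared with; null when encrBase is a derived-key encryptor, in which case it must not be used`.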
@@ -428,7 +458,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                 } else {
                     this.insertBeforeBottomUp(secondRefList);
                 }
-                ((WSSecEncrypt)encrBase).encryptForRef(secondRefList, secondEncrParts);
+                ((WSSecEncrypt)encrBase).encryptForRef(secondRefList, secondEncrParts, symmetricKey);
 
             } catch (WSSecurityException ex) {
                 LOG.log(Level.FINE, ex.getMessage(), ex);
@@ -439,125 +469,121 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
 
     private WSSecBase doEncryption(AbstractTokenWrapper recToken,
                                     List<WSEncryptionPart> encrParts,
-                                    boolean externalRef) {
-        //Do encryption
-        if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) {
-            AbstractToken encrToken = recToken.getToken();
-            assertPolicy(recToken);
-            assertPolicy(encrToken);
-            AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
-            if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
-                return doEncryptionDerived(recToken, encrToken, encrParts, algorithmSuite);
-            }
-            try {
-                WSSecEncrypt encr = new WSSecEncrypt(secHeader);
-                encr.setEncryptionSerializer(new StaxSerializer());
-                encr.setIdAllocator(wssConfig.getIdAllocator());
-                encr.setCallbackLookup(callbackLookup);
-                encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
-                encr.setStoreBytesInAttachment(storeBytesInAttachment);
-                encr.setExpandXopInclude(isExpandXopInclude());
-                encr.setWsDocInfo(wsDocInfo);
-
-                Crypto crypto = getEncryptionCrypto();
-
-                SecurityToken securityToken = getSecurityToken();
-                if (!isRequestor() && securityToken != null
-                    && recToken.getToken() instanceof SamlToken) {
-                    String tokenType = securityToken.getTokenType();
-                    if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
-                        || WSS4JConstants.SAML_NS.equals(tokenType)) {
-                        encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
-                        encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
-                        encr.setCustomEKTokenId(securityToken.getId());
-                    } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
-                        || WSS4JConstants.SAML2_NS.equals(tokenType)) {
-                        encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
-                        encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
-                        encr.setCustomEKTokenId(securityToken.getId());
-                    } else {
-                        setKeyIdentifierType(encr, encrToken);
-                    }
+                                    boolean externalRef,
+                                    SecretKey symmetricKey) {
+        AbstractToken encrToken = recToken.getToken();
+        assertPolicy(recToken);
+        assertPolicy(encrToken);
+        try {
+            WSSecEncrypt encr = new WSSecEncrypt(secHeader);
+            encr.setEncryptionSerializer(new StaxSerializer());
+            encr.setIdAllocator(wssConfig.getIdAllocator());
+            encr.setCallbackLookup(callbackLookup);
+            encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
+            encr.setStoreBytesInAttachment(storeBytesInAttachment);
+            encr.setExpandXopInclude(isExpandXopInclude());
+            encr.setWsDocInfo(wsDocInfo);
+
+            Crypto crypto = getEncryptionCrypto();
+
+            SecurityToken securityToken = getSecurityToken();
+            if (!isRequestor() && securityToken != null
+                && recToken.getToken() instanceof SamlToken) {
+                String tokenType = securityToken.getTokenType();
+                if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
+                    || WSS4JConstants.SAML_NS.equals(tokenType)) {
+                    encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
+                    encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+                    encr.setCustomEKTokenId(securityToken.getId());
+                } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
+                    || WSS4JConstants.SAML2_NS.equals(tokenType)) {
+                    encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
+                    encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+                    encr.setCustomEKTokenId(securityToken.getId());
                 } else {
                     setKeyIdentifierType(encr, encrToken);
                 }
-                //
-                // Using a stored cert is only suitable for the Issued Token case, where
-                // we're extracting the cert from a SAML Assertion on the provider side
-                //
-                if (!isRequestor() && securityToken != null
-                    && securityToken.getX509Certificate() != null) {
-                    encr.setUseThisCert(securityToken.getX509Certificate());
-                } else if (!isRequestor() && securityToken != null
-                    && securityToken.getKey() instanceof PublicKey) {
-                    encr.setUseThisPublicKey((PublicKey)securityToken.getKey());
-                    encr.setKeyIdentifierType(WSConstants.KEY_VALUE);
-                } else {
-                    setEncryptionUser(encr, encrToken, false, crypto);
-                }
-                if (!encr.isCertSet() && encr.getUseThisPublicKey() == null && crypto == null) {
-                    unassertPolicy(recToken, "Missing security configuration. "
-                            + "Make sure jaxws:client element is configured "
-                            + "with a " + SecurityConstants.ENCRYPT_PROPERTIES + " value.");
-                }
-                AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
-                encr.setSymmetricEncAlgorithm(algType.getEncryption());
-                encr.setKeyEncAlgo(algType.getAsymmetricKeyWrap());
-                encr.setMGFAlgorithm(algType.getMGFAlgo());
-                encr.setDigestAlgorithm(algType.getEncryptionDigest());
-                encr.prepare(crypto);
-
-                Element encryptedKeyElement = encr.getEncryptedKeyElement();
-                List<Element> attachments = encr.getAttachmentEncryptedDataElements();
-                //Encrypt, get hold of the ref list and add it
-                if (externalRef) {
-                    Element refList = encr.encryptForRef(null, encrParts);
-                    if (refList != null) {
-                        insertBeforeBottomUp(refList);
-                    }
-                    if (attachments != null) {
-                        for (Element attachment : attachments) {
-                            this.insertBeforeBottomUp(attachment);
-                        }
-                    }
-                    if (refList != null || (attachments != null && !attachments.isEmpty())) {
-                        this.addEncryptedKeyElement(encryptedKeyElement);
-                    }
-                } else {
-                    Element refList = encr.encryptForRef(null, encrParts);
-                    if (refList != null || (attachments != null && !attachments.isEmpty())) {
-                        this.addEncryptedKeyElement(encryptedKeyElement);
-                    }
-
-                    // Add internal refs
-                    if (refList != null) {
-                        encryptedKeyElement.appendChild(refList);
-                    }
-                    if (attachments != null) {
-                        for (Element attachment : attachments) {
-                            this.addEncryptedKeyElement(attachment);
-                        }
+            } else {
+                setKeyIdentifierType(encr, encrToken);
+            }
+            //
+            // Using a stored cert is only suitable for the Issued Token case, where
+            // we're extracting the cert from a SAML Assertion on the provider side
+            //
+            if (!isRequestor() && securityToken != null
+                && securityToken.getX509Certificate() != null) {
+                encr.setUseThisCert(securityToken.getX509Certificate());
+            } else if (!isRequestor() && securityToken != null
+                && securityToken.getKey() instanceof PublicKey) {
+                encr.setUseThisPublicKey((PublicKey)securityToken.getKey());
+                encr.setKeyIdentifierType(WSConstants.KEY_VALUE);
+            } else {
+                setEncryptionUser(encr, encrToken, false, crypto);
+            }
+            if (!encr.isCertSet() && encr.getUseThisPublicKey() == null && crypto == null) {
+                unassertPolicy(recToken, "Missing security configuration. "
+                    + "Make sure jaxws:client element is configured "
+                    + "with a " + SecurityConstants.ENCRYPT_PROPERTIES + " value.");
+            }
+            AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
+            AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
+            encr.setSymmetricEncAlgorithm(algType.getEncryption());
+            encr.setKeyEncAlgo(algType.getAsymmetricKeyWrap());
+            encr.setMGFAlgorithm(algType.getMGFAlgo());
+            encr.setDigestAlgorithm(algType.getEncryptionDigest());
+            encr.prepare(crypto, symmetricKey);
+
+            Element encryptedKeyElement = encr.getEncryptedKeyElement();
+            List<Element> attachments = encr.getAttachmentEncryptedDataElements();
+            //Encrypt, get hold of the ref list and add it
+            if (externalRef) {
+                Element refList = encr.encryptForRef(null, encrParts, symmetricKey);
+                if (refList != null) {
+                    insertBeforeBottomUp(refList);
+                }
+                if (attachments != null) {
+                    for (Element attachment : attachments) {
+                        this.insertBeforeBottomUp(attachment);
                     }
                 }
+                if (refList != null || (attachments != null && !attachments.isEmpty())) {
+                    this.addEncryptedKeyElement(encryptedKeyElement);
+                }
+            } else {
+                Element refList = encr.encryptForRef(null, encrParts, symmetricKey);
+                if (refList != null || (attachments != null && !attachments.isEmpty())) {
+                    this.addEncryptedKeyElement(encryptedKeyElement);
+                }
 
-                // Put BST before EncryptedKey element
-                if (encr.getBSTTokenId() != null) {
-                    encr.prependBSTElementToHeader();
+                // Add internal refs
+                if (refList != null) {
+                    encryptedKeyElement.appendChild(refList);
+                }
+                if (attachments != null) {
+                    for (Element attachment : attachments) {
+                        this.addEncryptedKeyElement(attachment);
+                    }
                 }
+            }
 
-                return encr;
-            } catch (WSSecurityException e) {
-                LOG.log(Level.FINE, e.getMessage(), e);
-                unassertPolicy(recToken, e);
+            // Put BST before EncryptedKey element
+            if (encr.getBSTTokenId() != null) {
+                encr.prependBSTElementToHeader();
             }
+
+            return encr;
+        } catch (WSSecurityException e) {
+            LOG.log(Level.FINE, e.getMessage(), e);
+            unassertPolicy(recToken, e);
         }
         return null;
     }
 
     private WSSecBase doEncryptionDerived(AbstractTokenWrapper recToken,
-                                     AbstractToken encrToken,
-                                     List<WSEncryptionPart> encrParts,
-                                     AlgorithmSuite algorithmSuite) {
+                                     List<WSEncryptionPart> encrParts) {
+        AbstractToken encrToken = recToken.getToken();
+        assertPolicy(recToken);
+        assertPolicy(encrToken);
         try {
             WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(secHeader);
             dkEncr.setEncryptionSerializer(new StaxSerializer());
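Review bot: doEncryption dropped its defensive guard `if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty())` and now dereferences `recToken.getToken()` unconditionally on line 654, moving the precondition to callers without documenting it; the same applies to doEncryptionDerived, whose new body starts on line 830 and runs past the end of the hunk. The method also has an unstated contract worth writing down: `symmetricKey` is used for both `encr.prepare(crypto, symmetricKey)` and `encr.encryptForRef(null, encrParts, symmetricKey)`, and a WSSecurityException results in unassertPolicy plus a null return rather than a thrown exception. A Javadoc on doEncryption along the lines of `@param recToken non-null wrapper whose token is non-null; callers check encrParts is non-empty`, `@param symmetricKey content-encryption key used to prepare the EncryptedKey and to encrypt encrParts` and `@return the prepared encryptor (callers must invoke clean()), or null if encryption failed and the policy was unasserted` would make the new caller-side checks understandable.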
@@ -575,14 +601,16 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                 setupEncryptedKey(encrToken);
             }
 
-            dkEncr.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
+            dkEncr.setTokenIdentifier(this.encryptedKeyId);
             dkEncr.getParts().addAll(encrParts);
             dkEncr.setCustomValueType(WSS4JConstants.SOAPMESSAGE_NS11 + "#"
                 + WSS4JConstants.ENC_KEY_VALUE_TYPE);
+
+            AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
             AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
             dkEncr.setSymmetricEncAlgorithm(algType.getEncryption());
             dkEncr.setDerivedKeyLength(algType.getEncryptionDerivedKeyLength() / 8);
-            dkEncr.prepare();
+            dkEncr.prepare(this.encryptedKeyValue);
 
             addDerivedKeyElement(dkEncr.getdktElement());
             Element refList = dkEncr.encryptForExternalRef(null, encrParts);
@@ -639,6 +667,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
             if (!attached && isTokenRequired(sigToken.getIncludeTokenType())) {
                 WSSecSignature sig = getSignatureBuilder(sigToken, attached, false);
                 sig.appendBSTElementToHeader();
+                sig.clean();
             }
             return;
         }
@@ -657,10 +686,10 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                 dkSign.setWscVersion(ConversationConstants.VERSION_05_02);
             }
 
-            dkSign.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
+            dkSign.setTokenIdentifier(this.encryptedKeyId);
 
             // Set the algo info
-            dkSign.setSignatureAlgorithm(abinding.getAlgorithmSuite().getSymmetricSignature());
+            dkSign.setSignatureAlgorithm(abinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
             dkSign.setSigCanonicalization(abinding.getAlgorithmSuite().getC14n().getValue());
             AlgorithmSuiteType algType = abinding.getAlgorithmSuite().getAlgorithmSuiteType();
             dkSign.setDigestAlgorithm(algType.getDigest());
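Review bot: Line 872 now runs well past the column width the rest of the file keeps, and the value it reads is fetched again two lines later into `algType`. Hoist that declaration above the call and reuse it: `AlgorithmSuiteType algType = abinding.getAlgorithmSuite().getAlgorithmSuiteType();` followed by `dkSign.setSignatureAlgorithm(algType.getSymmetricSignature());`, dropping the later declaration on line 874. The same long-line pattern appears in StaxAsymmetricBindingHandler and StaxSymmetricBindingHandler (lines 933, 939, 961, 967), whereas StaxTransportBindingHandler wraps it (lines 1004-1005).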
@@ -675,7 +704,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
             dkSign.setAddInclusivePrefixes(includePrefixes);
 
             try {
-                dkSign.prepare();
+                dkSign.prepare(this.encryptedKeyValue);
 
                 if (abinding.isProtectTokens()) {
                     assertPolicy(
@@ -711,6 +740,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
 
                     mainSigId = dkSign.getSignatureId();
                 }
+                dkSign.clean();
             } catch (Exception ex) {
                 LOG.log(Level.FINE, ex.getMessage(), ex);
                 throw new Fault(ex);
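Review bot: `dkSign.clean()` on line 889 is the last statement of the try block, so it is skipped whenever `prepare` or any of the signing steps above it throw; the catch rethrows as a Fault without cleaning. Since the purpose of the added clean() calls is to release the builder's key material, move the call into a `finally` block after the catch (`} finally { dkSign.clean(); }`), assuming clean() tolerates a builder whose prepare() failed. The `sig.clean()` added at line 898 and the `encr.clean()` at line 549 sit in the same success-path-only position, though their enclosing try blocks are not fully visible here.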
@@ -757,6 +787,8 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
 
                 mainSigId = sig.getId();
             }
+
+            sig.clean();
         }
     }
 
@@ -797,7 +829,11 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
     private void createEncryptedKey(AbstractToken token)
         throws WSSecurityException {
         //Set up the encrypted key to use
-        encrKey = this.getEncryptedKeyBuilder(token);
+        AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
+        KeyGenerator keyGen = KeyUtils.getKeyGenerator(algType.getEncryption());
+        SecretKey symmetricKey = keyGen.generateKey();
+
+        encrKey = this.getEncryptedKeyBuilder(token, symmetricKey);
         Element bstElem = encrKey.getBinarySecurityTokenElement();
         if (bstElem != null) {
             // If a BST is available then use it
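Review bot: createEncryptedKey reads the algorithm suite through `binding.getAlgorithmSuite()` on line 907, whereas every other new line in this file uses `abinding.getAlgorithmSuite()` (lines 543, 569, 764, 846). If `binding` and `abinding` refer to the same object this is only a consistency nit, but using `abinding` here too removes the question, since the encryption algorithm read on line 908 determines the size of the generated content-encryption key.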
@@ -806,7 +842,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
 
         // Add the EncryptedKey
         this.addEncryptedKeyElement(encrKey.getEncryptedKeyElement());
-        encryptedKeyValue = encrKey.getEphemeralKey();
+        encryptedKeyValue = symmetricKey.getEncoded();
         encryptedKeyId = encrKey.getId();
     }
 
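Review bot: `encryptedKeyValue = symmetricKey.getEncoded()` on line 920 keeps a raw copy of the freshly generated content-encryption key in a handler field, in addition to the `SecretKey` object itself, and nothing in the diff zeroes it once `dkEncr.prepare(this.encryptedKeyValue)` and `dkSign.prepare(this.encryptedKeyValue)` have consumed it. Given that this commit adds `clean()` calls on every WSS4J builder to release key material, the handler's own copy is now the longest-lived one; consider `Arrays.fill(encryptedKeyValue, (byte) 0)` at the point where the handler is done with it (the SymmetricBindingHandler side of this diff newly imports `java.util.Arrays`, possibly for the same purpose). At minimum, a comment on the field noting that it holds raw key bytes and where they are consumed would help the next reader.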
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
index bc96d32..19d8af1 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java
@@ -89,12 +89,12 @@ public class StaxAsymmetricBindingHandler extends AbstractStaxBindingHandler {
         String asymSignatureAlgorithm =
             (String)getMessage().getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
         if (asymSignatureAlgorithm != null && abinding.getAlgorithmSuite() != null) {
-            abinding.getAlgorithmSuite().setAsymmetricSignature(asymSignatureAlgorithm);
+            abinding.getAlgorithmSuite().getAlgorithmSuiteType().setAsymmetricSignature(asymSignatureAlgorithm);
         }
         String symSignatureAlgorithm =
             (String)getMessage().getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM);
         if (symSignatureAlgorithm != null && abinding.getAlgorithmSuite() != null) {
-            abinding.getAlgorithmSuite().setSymmetricSignature(symSignatureAlgorithm);
+            abinding.getAlgorithmSuite().getAlgorithmSuiteType().setSymmetricSignature(symSignatureAlgorithm);
         }
 
         if (abinding.getProtectionOrder()
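Review bot: `setAsymmetricSignature` and `setSymmetricSignature` on lines 933 and 939 now mutate the `AlgorithmSuiteType` object instead of the `AlgorithmSuite`, with the value taken from a per-message contextual property. If `getAlgorithmSuiteType()` returns a shared instance (for example one held in a static lookup table) rather than a per-`AlgorithmSuite` copy, a signature algorithm supplied for one exchange would silently become the value for every other policy using the same suite in the JVM, including concurrent requests; this cannot be confirmed from the diff, so it is worth verifying against the WSS4J side and recording the answer in a comment here. The same pattern is introduced in StaxSymmetricBindingHandler (lines 961, 967) and StaxTransportBindingHandler (lines 989, 995).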
@@ -451,7 +451,7 @@ public class StaxAsymmetricBindingHandler extends AbstractStaxBindingHandler {
 
         if (sigToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
             properties.setSignatureAlgorithm(
-                   abinding.getAlgorithmSuite().getSymmetricSignature());
+                   abinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
         }
     }
 
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
index 3d0866a..ab85195 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java
@@ -112,12 +112,12 @@ public class StaxSymmetricBindingHandler extends AbstractStaxBindingHandler {
         String asymSignatureAlgorithm =
             (String)getMessage().getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
         if (asymSignatureAlgorithm != null && sbinding.getAlgorithmSuite() != null) {
-            sbinding.getAlgorithmSuite().setAsymmetricSignature(asymSignatureAlgorithm);
+            sbinding.getAlgorithmSuite().getAlgorithmSuiteType().setAsymmetricSignature(asymSignatureAlgorithm);
         }
         String symSignatureAlgorithm =
             (String)getMessage().getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM);
         if (symSignatureAlgorithm != null && sbinding.getAlgorithmSuite() != null) {
-            sbinding.getAlgorithmSuite().setSymmetricSignature(symSignatureAlgorithm);
+            sbinding.getAlgorithmSuite().getAlgorithmSuiteType().setSymmetricSignature(symSignatureAlgorithm);
         }
 
         // Set up CallbackHandler which wraps the configured Handler
@@ -593,7 +593,7 @@ public class StaxSymmetricBindingHandler extends AbstractStaxBindingHandler {
 
         if (sigToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
             properties.setSignatureAlgorithm(
-                   sbinding.getAlgorithmSuite().getSymmetricSignature());
+                   sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
         }
     }
 
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
index 3f9dcf5..b64e186 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java
@@ -94,12 +94,12 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
                 String asymSignatureAlgorithm =
                     (String)getMessage().getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM);
                 if (asymSignatureAlgorithm != null && tbinding.getAlgorithmSuite() != null) {
-                    tbinding.getAlgorithmSuite().setAsymmetricSignature(asymSignatureAlgorithm);
+                    tbinding.getAlgorithmSuite().getAlgorithmSuiteType().setAsymmetricSignature(asymSignatureAlgorithm);
                 }
                 String symSignatureAlgorithm =
                     (String)getMessage().getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM);
                 if (symSignatureAlgorithm != null && tbinding.getAlgorithmSuite() != null) {
-                    tbinding.getAlgorithmSuite().setSymmetricSignature(symSignatureAlgorithm);
+                    tbinding.getAlgorithmSuite().getAlgorithmSuiteType().setSymmetricSignature(symSignatureAlgorithm);
                 }
 
                 TransportToken token = tbinding.getTransportToken();
@@ -315,9 +315,11 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
 
             WSSSecurityProperties properties = getProperties();
             if (securityToken != null && securityToken.getSecret() != null) {
-                properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature());
+                properties.setSignatureAlgorithm(
+                    tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
             } else {
-                properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getAsymmetricSignature());
+                properties.setSignatureAlgorithm(
+                    tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature());
             }
             properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue());
             AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
@@ -344,7 +346,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
 
             properties.setIncludeSignatureToken(true);
             properties.setSignatureAlgorithm(
-                tbinding.getAlgorithmSuite().getSymmetricSignature());
+                tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
             properties.setSignatureCanonicalizationAlgorithm(
                 tbinding.getAlgorithmSuite().getC14n().getValue());
             AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
@@ -357,7 +359,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
 
             WSSSecurityProperties properties = getProperties();
             properties.setSignatureAlgorithm(
-                       tbinding.getAlgorithmSuite().getAsymmetricSignature());
+                       tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature());
             properties.setSignatureCanonicalizationAlgorithm(
                        tbinding.getAlgorithmSuite().getC14n().getValue());
             AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
@@ -373,7 +375,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
             signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
 
             properties.setSignatureAlgorithm(
-                       tbinding.getAlgorithmSuite().getSymmetricSignature());
+                       tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
             properties.setSignatureCanonicalizationAlgorithm(
                        tbinding.getAlgorithmSuite().getC14n().getValue());
             AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType();
@@ -397,7 +399,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler {
         configureSignature(token, false);
         if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
             properties.setSignatureAlgorithm(
-                   tbinding.getAlgorithmSuite().getSymmetricSignature());
+                   tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
         }
     }
 
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
index 87a6a30..263982d 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -21,9 +21,12 @@ package org.apache.cxf.ws.security.wss4j.policyhandlers;
 
 import java.time.Instant;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;
 import java.util.logging.Level;
 
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.xml.crypto.dsig.Reference;
 import javax.xml.namespace.QName;
 import javax.xml.soap.SOAPException;
@@ -53,6 +56,7 @@ import org.apache.wss4j.common.derivedKey.ConversationConstants;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.token.SecurityTokenReference;
 import org.apache.wss4j.common.util.KeyUtils;
+import org.apache.wss4j.common.util.UsernameTokenUtil;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.engine.WSSConfig;
 import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
@@ -206,7 +210,24 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
                 sigParts.addAll(this.getSignedParts(null));
 
                 List<WSEncryptionPart> encrParts = getEncryptedParts();
-                WSSecBase encr = doEncryption(encryptionWrapper, tok, attached, encrParts, true);
+
+                WSSecBase encr = null;
+                SecretKey symmetricKey = null;
+                if (encryptionWrapper.getToken() != null && !encrParts.isEmpty()) {
+                    if (encryptionWrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+                        encr = doEncryptionDerived(encryptionWrapper, tok, attached, encrParts, true);
+                    } else {
+                        byte[] ephemeralKey = tok.getSecret();
+                        String symEncAlgorithm = sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
+                        if (ephemeralKey != null) {
+                            symmetricKey = KeyUtils.prepareSecretKey(symEncAlgorithm, ephemeralKey);
+                        } else {
+                            KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);
+                            symmetricKey = keyGen.generateKey();
+                        }
+                        encr = doEncryption(encryptionWrapper, tok, attached, encrParts, true, symmetricKey);
+                    }
+                }
                 handleEncryptedSignedHeaders(encrParts, sigParts);
 
                 if (!isRequestor()) {
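Review bot: The key-selection block on lines 1086-1093 (reuse `tok.getSecret()` via `KeyUtils.prepareSecretKey`, else generate a fresh key with `KeyUtils.getKeyGenerator`) is duplicated verbatim on lines 1151-1159 in the encrypt-before-sign path of the same file. Extract it into a private helper so the two paths cannot drift on which algorithm or secret they use; the `throws` clause mirrors the exception the asymmetric handler catches around `getKeyGenerator` (lines 571-574). Both call sites then reduce to `symmetricKey = contentEncryptionKey(tok);` inside the non-derived branch. The enclosing method starts and ends outside the hunk.
```java
/** Content-encryption key for a non-derived-key token: the token's own secret if it carries one, else a fresh key. */
private SecretKey contentEncryptionKey(SecurityToken tok) throws WSSecurityException {
    String symEncAlgorithm = sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
    byte[] ephemeralKey = tok.getSecret();
    if (ephemeralKey != null) {
        return KeyUtils.prepareSecretKey(symEncAlgorithm, ephemeralKey);
    }
    return KeyUtils.getKeyGenerator(symEncAlgorithm).generateKey();
}
```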
@@ -248,20 +269,24 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
                         secondEncrParts.addAll(encryptedTokensList);
                     }
 
-                    Element secondRefList = null;
+                    if (!secondEncrParts.isEmpty()) {
+                        Element secondRefList = null;
 
-                    if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys
-                        && !secondEncrParts.isEmpty()) {
-                        secondRefList = ((WSSecDKEncrypt)encr).encryptForExternalRef(null,
-                                secondEncrParts);
-                    } else if (!secondEncrParts.isEmpty()) {
-                        //Encrypt, get hold of the ref list and add it
-                        secondRefList = ((WSSecEncrypt)encr).encryptForRef(null, secondEncrParts);
-                    }
-                    if (secondRefList != null) {
-                        this.addDerivedKeyElement(secondRefList);
+                        if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+                            secondRefList = ((WSSecDKEncrypt)encr).encryptForExternalRef(null, secondEncrParts);
+                        } else {
+                            //Encrypt, get hold of the ref list and add it
+                            secondRefList = ((WSSecEncrypt)encr).encryptForRef(null, secondEncrParts, symmetricKey);
+                        }
+                        if (secondRefList != null) {
+                            this.addDerivedKeyElement(secondRefList);
+                        }
                     }
                 }
+
+                if (encr != null) {
+                    encr.clean();
+                }
             }
         } catch (RuntimeException ex) {
             LOG.log(Level.FINE, ex.getMessage(), ex);
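Review bot: The casts on lines 1119 and 1122 dereference `encr`, but after the preceding hunk `encr` stays null whenever `encryptionWrapper.getToken()` is null or `encrParts` is empty, while `secondEncrParts` (signature-confirmation and encrypted-token parts) can be non-empty independently of `encrParts`. In that combination the new `if (!secondEncrParts.isEmpty())` guard leads straight to a NullPointerException, which the `catch (RuntimeException ex)` below turns into a logged Fault; the null check added on line 1130 suggests the null case is anticipated. Guard the block with `if (!secondEncrParts.isEmpty() && encr != null)` or, if a second encryption without a first one is a policy error, fail with an explicit message. Whether the old doEncryption also returned null in this situation is not visible here.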
@@ -385,23 +410,41 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
             if (isRequestor()) {
                 enc.addAll(encryptedTokensList);
             }
-            doEncryption(encrAbstractTokenWrapper,
-                         encrTok,
-                         tokIncluded,
-                         enc,
-                         false);
+
+            if (encrAbstractTokenWrapper.getToken() != null && !enc.isEmpty()) {
+                WSSecBase encr = null;
+                if (encrAbstractTokenWrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+                    encr = doEncryptionDerived(encrAbstractTokenWrapper, encrTok, tokIncluded, enc, false);
+                } else {
+                    byte[] ephemeralKey = encrTok.getSecret();
+                    SecretKey symmetricKey = null;
+                    String symEncAlgorithm = sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
+                    if (ephemeralKey != null) {
+                        symmetricKey = KeyUtils.prepareSecretKey(symEncAlgorithm, ephemeralKey);
+                    } else {
+                        KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);
+                        symmetricKey = keyGen.generateKey();
+                    }
+                    encr = doEncryption(encrAbstractTokenWrapper, encrTok, tokIncluded, enc, false, symmetricKey);
+                }
+
+                encr.clean();
+            }
         } catch (Exception e) {
             LOG.log(Level.FINE, e.getMessage(), e);
             throw new Fault(e);
         }
     }
 
-    private WSSecBase doEncryptionDerived(AbstractTokenWrapper recToken,
+    private WSSecDKEncrypt doEncryptionDerived(AbstractTokenWrapper recToken,
                                           SecurityToken encrTok,
-                                          AbstractToken encrToken,
                                           boolean attached,
                                           List<WSEncryptionPart> encrParts,
                                           boolean atEnd) {
+
+        AbstractToken encrToken = recToken.getToken();
+        assertPolicy(recToken);
+        assertPolicy(encrToken);
         try {
             WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(secHeader);
             dkEncr.setEncryptionSerializer(new StaxSerializer());
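Review bot: The unguarded `encr.clean()` added after the `if/else` can throw a NullPointerException: both `doEncryptionDerived` and `doEncryption` return `null` after catching a WSSecurityException and unasserting the policy (their trailing `return null;` lines are visible later in this diff), so a failed encryption surfaces as an NPE wrapped in the `Fault` by the `catch (Exception e)` below instead of the policy failure the helpers already recorded. The sibling hunk at -248/+269 guards the same call; this one should too, `if (encr != null) { encr.clean(); }`, ideally in a `finally` so the non-derived branch also cleans up when `KeyUtils.prepareSecretKey`/`generateKey` or `doEncryption` throws. The enclosing method starts outside this hunk, and `doEncryptionDerived`, whose new signature begins here, continues past it.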
@@ -416,13 +459,9 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
             }
 
             if (attached && encrTok.getAttachedReference() != null) {
-                dkEncr.setExternalKey(
-                    encrTok.getSecret(), cloneElement(encrTok.getAttachedReference())
-                );
+                dkEncr.setStrElem(cloneElement(encrTok.getAttachedReference()));
             } else if (encrTok.getUnattachedReference() != null) {
-                dkEncr.setExternalKey(
-                    encrTok.getSecret(), cloneElement(encrTok.getUnattachedReference())
-                );
+                dkEncr.setStrElem(cloneElement(encrTok.getUnattachedReference()));
             } else if (!isRequestor() && encrTok.getSHA1() != null) {
                 // If the Encrypted key used to create the derived key is not
                 // attached use key identifier as defined in WSS1.1 section
@@ -441,7 +480,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
                     }
                 }
                 tokenRef.addTokenType(tokenType);
-                dkEncr.setExternalKey(encrTok.getSecret(), tokenRef.getElement());
+                dkEncr.setStrElem(tokenRef.getElement());
             } else {
                 if (attached) {
                     String id = encrTok.getWsuId();
@@ -456,10 +495,10 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
                     if (id.startsWith("#")) {
                         id = id.substring(1);
                     }
-                    dkEncr.setExternalKey(encrTok.getSecret(), id);
+                    dkEncr.setTokenIdentifier(id);
                 } else {
                     dkEncr.setTokenIdDirectId(true);
-                    dkEncr.setExternalKey(encrTok.getSecret(), encrTok.getId());
+                    dkEncr.setTokenIdentifier(encrTok.getId());
                 }
             }
 
@@ -489,7 +528,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
             AlgorithmSuiteType algType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
             dkEncr.setSymmetricEncAlgorithm(algType.getEncryption());
             dkEncr.setDerivedKeyLength(algType.getEncryptionDerivedKeyLength() / 8);
-            dkEncr.prepare();
+            dkEncr.prepare(encrTok.getSecret());
             Element encrDKTokenElem = null;
             encrDKTokenElem = dkEncr.getdktElement();
             addDerivedKeyElement(encrDKTokenElem);
@@ -506,114 +545,107 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
         return null;
     }
 
-    private WSSecBase doEncryption(AbstractTokenWrapper recToken,
+    private WSSecEncrypt doEncryption(AbstractTokenWrapper recToken,
                                    SecurityToken encrTok,
                                    boolean attached,
                                    List<WSEncryptionPart> encrParts,
-                                   boolean atEnd) {
-        //Do encryption
-        if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) {
-            AbstractToken encrToken = recToken.getToken();
-            assertPolicy(recToken);
-            assertPolicy(encrToken);
-            AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();
-            if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
-                return doEncryptionDerived(recToken, encrTok, encrToken,
-                                           attached, encrParts, atEnd);
-            }
-            try {
-                WSSecEncrypt encr = new WSSecEncrypt(secHeader);
-                encr.setEncryptionSerializer(new StaxSerializer());
-                encr.setIdAllocator(wssConfig.getIdAllocator());
-                encr.setCallbackLookup(callbackLookup);
-                encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
-                encr.setStoreBytesInAttachment(storeBytesInAttachment);
-                encr.setExpandXopInclude(isExpandXopInclude());
-                encr.setWsDocInfo(wsDocInfo);
-                String encrTokId = encrTok.getId();
-                if (attached) {
-                    encrTokId = encrTok.getWsuId();
-                    if (encrTokId == null
-                        && (encrToken instanceof SecureConversationToken
-                            || encrToken instanceof SecurityContextToken)) {
-                        encr.setEncKeyIdDirectId(true);
-                        encrTokId = encrTok.getId();
-                    } else if (encrTokId == null) {
-                        encrTokId = encrTok.getId();
-                    }
-                    if (encrTokId.startsWith("#")) {
-                        encrTokId = encrTokId.substring(1);
-                    }
-                } else {
+                                   boolean atEnd,
+                                   SecretKey symmetricKey) {
+        AbstractToken encrToken = recToken.getToken();
+        assertPolicy(recToken);
+        assertPolicy(encrToken);
+        try {
+            WSSecEncrypt encr = new WSSecEncrypt(secHeader);
+            encr.setEncryptionSerializer(new StaxSerializer());
+            encr.setIdAllocator(wssConfig.getIdAllocator());
+            encr.setCallbackLookup(callbackLookup);
+            encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
+            encr.setStoreBytesInAttachment(storeBytesInAttachment);
+            encr.setExpandXopInclude(isExpandXopInclude());
+            encr.setWsDocInfo(wsDocInfo);
+            String encrTokId = encrTok.getId();
+            if (attached) {
+                encrTokId = encrTok.getWsuId();
+                if (encrTokId == null
+                    && (encrToken instanceof SecureConversationToken
+                        || encrToken instanceof SecurityContextToken)) {
                     encr.setEncKeyIdDirectId(true);
+                    encrTokId = encrTok.getId();
+                } else if (encrTokId == null) {
+                    encrTokId = encrTok.getId();
                 }
-                if (encrTok.getTokenType() != null) {
-                    encr.setCustomReferenceValue(encrTok.getTokenType());
-                }
-                encr.setEncKeyId(encrTokId);
-                encr.setEphemeralKey(encrTok.getSecret());
-                Crypto crypto = getEncryptionCrypto();
-                if (crypto != null) {
-                    setEncryptionUser(encr, encrToken, false, crypto);
+                if (encrTokId.startsWith("#")) {
+                    encrTokId = encrTokId.substring(1);
                 }
+            } else {
+                encr.setEncKeyIdDirectId(true);
+            }
+            if (encrTok.getTokenType() != null) {
+                encr.setCustomReferenceValue(encrTok.getTokenType());
+            }
+            encr.setEncKeyId(encrTokId);
+            AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();
+            encr.setSymmetricEncAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
+            Crypto crypto = getEncryptionCrypto();
+            if (crypto != null) {
+                setEncryptionUser(encr, encrToken, false, crypto);
+            }
 
-                encr.setEncryptSymmKey(false);
-                encr.setSymmetricEncAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
-                encr.setMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo());
-                encr.setDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest());
-
-                if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken
-                    || encrToken instanceof SecureConversationToken) {
-                    //Setting the AttachedReference or the UnattachedReference according to the flag
-                    Element ref;
-                    if (attached) {
-                        ref = encrTok.getAttachedReference();
-                    } else {
-                        ref = encrTok.getUnattachedReference();
-                    }
+            encr.setEncryptSymmKey(false);
+            encr.setMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo());
+            encr.setDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest());
 
-                    String tokenType = encrTok.getTokenType();
-                    if (ref != null) {
-                        SecurityTokenReference secRef =
-                            new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
-                        encr.setSecurityTokenReference(secRef);
-                    } else if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
-                        || WSS4JConstants.SAML_NS.equals(tokenType)) {
-                        encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
-                        encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
-                    } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
-                        || WSS4JConstants.SAML2_NS.equals(tokenType)) {
-                        encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
-                        encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
-                    } else {
-                        encr.setCustomReferenceValue(tokenType);
-                        encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
-                    }
-                } else if (encrToken instanceof UsernameToken) {
-                    encr.setCustomReferenceValue(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
-                } else if (encrToken instanceof KerberosToken && !isRequestor()) {
-                    encr.setCustomReferenceValue(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE);
-                    encr.setEncKeyId(encrTok.getSHA1());
-                } else if (!isRequestor() && encrTok.getSHA1() != null) {
-                    encr.setCustomReferenceValue(encrTok.getSHA1());
-                    encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
+            if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken
+                || encrToken instanceof SecureConversationToken) {
+                //Setting the AttachedReference or the UnattachedReference according to the flag
+                Element ref;
+                if (attached) {
+                    ref = encrTok.getAttachedReference();
+                } else {
+                    ref = encrTok.getUnattachedReference();
                 }
 
-                encr.prepare(crypto);
-
-                if (encr.getBSTTokenId() != null) {
-                    encr.prependBSTElementToHeader();
+                String tokenType = encrTok.getTokenType();
+                if (ref != null) {
+                    SecurityTokenReference secRef =
+                        new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
+                    encr.setSecurityTokenReference(secRef);
+                } else if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
+                    || WSS4JConstants.SAML_NS.equals(tokenType)) {
+                    encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
+                    encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+                } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
+                    || WSS4JConstants.SAML2_NS.equals(tokenType)) {
+                    encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
+                    encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+                } else {
+                    encr.setCustomReferenceValue(tokenType);
+                    encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                 }
+            } else if (encrToken instanceof UsernameToken) {
+                encr.setCustomReferenceValue(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
+            } else if (encrToken instanceof KerberosToken && !isRequestor()) {
+                encr.setCustomReferenceValue(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE);
+                encr.setEncKeyId(encrTok.getSHA1());
+            } else if (!isRequestor() && encrTok.getSHA1() != null) {
+                encr.setCustomReferenceValue(encrTok.getSHA1());
+                encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
+            }
 
-                Element refList = encr.encryptForRef(null, encrParts);
-                List<Element> attachments = encr.getAttachmentEncryptedDataElements();
-                addAttachmentsForEncryption(atEnd, refList, attachments);
+            encr.prepare(crypto, symmetricKey);
 
-                return encr;
-            } catch (WSSecurityException e) {
-                LOG.log(Level.FINE, e.getMessage(), e);
-                unassertPolicy(recToken, e);
+            if (encr.getBSTTokenId() != null) {
+                encr.prependBSTElementToHeader();
             }
+
+            Element refList = encr.encryptForRef(null, encrParts, symmetricKey);
+            List<Element> attachments = encr.getAttachmentEncryptedDataElements();
+            addAttachmentsForEncryption(atEnd, refList, attachments);
+
+            return encr;
+        } catch (WSSecurityException e) {
+            LOG.log(Level.FINE, e.getMessage(), e);
+            unassertPolicy(recToken, e);
         }
         return null;
     }
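Review bot: `doEncryption` lost its former `recToken != null && recToken.getToken() != null && !encrParts.isEmpty()` guard and now dereferences `recToken` on its first line and hands `symmetricKey` straight to `prepare` and `encryptForRef`, but nothing records these new preconditions for callers; the one caller visible in this diff checks the token and the parts list but not the wrapper itself. A Javadoc block stating that `recToken` and its token must be non-null, `encrParts` non-empty and `symmetricKey` non-null, and that the method returns `null` (after `unassertPolicy`) when WSS4J fails, would make the contract explicit. On that failure path the `WSSecEncrypt` created at the top of the `try` is dropped without `clean()`; declaring `WSSecEncrypt encr = null;` before the `try` and calling `if (encr != null) { encr.clean(); }` in the `catch` would mirror the cleanup the normal path now relies on, assuming `clean()` releases key material as its use elsewhere in this commit suggests.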
@@ -672,7 +704,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
         }
 
         if (ref != null) {
-            dkSign.setExternalKey(tok.getSecret(), cloneElement(ref));
+            dkSign.setStrElem(cloneElement(ref));
         } else if (!isRequestor() && policyToken.getDerivedKeys()
             == DerivedKeys.RequireDerivedKeys && tok.getSHA1() != null) {
             // If the Encrypted key used to create the derived key is not
@@ -694,17 +726,17 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
                 }
                 tokenRef.addTokenType(tokenType);
             }
-            dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement());
+            dkSign.setStrElem(tokenRef.getElement());
         } else {
             if ((!attached && !isRequestor()) || policyToken instanceof SecureConversationToken
                 || policyToken instanceof SecurityContextToken) {
                 dkSign.setTokenIdDirectId(true);
             }
-            dkSign.setExternalKey(tok.getSecret(), tok.getId());
+            dkSign.setTokenIdentifier(tok.getId());
         }
 
         //Set the algo info
-        dkSign.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
+        dkSign.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
         dkSign.setSigCanonicalization(sbinding.getAlgorithmSuite().getC14n().getValue());
         AlgorithmSuiteType algType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType();
         dkSign.setDigestAlgorithm(algType.getDigest());
@@ -740,7 +772,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
             }
         }
 
-        dkSign.prepare();
+        dkSign.prepare(tok.getSecret());
 
         if (sbinding.isProtectTokens()) {
             String sigTokId = tok.getId();
@@ -775,8 +807,11 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
 
             this.mainSigId = dkSign.getSignatureId();
 
+            dkSign.clean();
             return dkSign.getSignatureValue();
         }
+
+        dkSign.clean();
         return null;
     }
 
@@ -877,7 +912,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
 
         sig.setCustomTokenId(sigTokId);
         sig.setSecretKey(tok.getSecret());
-        sig.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature());
+        sig.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
 
         boolean includePrefixes =
             MessageUtils.getContextualBoolean(
@@ -908,16 +943,24 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
             bottomUpElement = sig.getSignatureElement();
 
             this.mainSigId = sig.getId();
+
+            sig.clean();
             return sig.getSignatureValue();
         }
+
+        sig.clean();
         return null;
     }
 
     private String setupEncryptedKey(AbstractTokenWrapper wrapper, AbstractToken sigToken) throws WSSecurityException {
-        WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(sigToken);
+        AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
+        KeyGenerator keyGen = KeyUtils.getKeyGenerator(algType.getEncryption());
+        SecretKey symmetricKey = keyGen.generateKey();
+
+        WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(sigToken, symmetricKey);
         assertTokenWrapper(wrapper);
         String id = encrKey.getId();
-        byte[] secret = encrKey.getEphemeralKey();
+        byte[] secret = symmetricKey.getEncoded();
 
         Instant created = Instant.now();
         Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
@@ -932,7 +975,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
 
         // Set the SHA1 value of the encrypted key, this is used when the encrypted
         // key is referenced via a key identifier of type EncryptedKeySHA1
-        tempTok.setSHA1(getSHA1(encrKey.getEncryptedEphemeralKey()));
+        tempTok.setSHA1(encrKey.getEncryptedKeySHA1());
         tokenStore.add(tempTok);
 
         // Create another cache entry with the SHA1 Identifier as the key for easy retrieval
@@ -958,20 +1001,26 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
     }
 
     private String setupUTDerivedKey(UsernameToken sigToken) throws WSSecurityException {
-        boolean useMac = hasSignedPartsOrElements();
-        WSSecUsernameToken usernameToken = addDKUsernameToken(sigToken, useMac);
-        String id = usernameToken.getId();
-        byte[] secret = usernameToken.getDerivedKey();
+        assertToken(sigToken);
+        if (isTokenRequired(sigToken.getIncludeTokenType())) {
+            boolean useMac = hasSignedPartsOrElements();
+            byte[] salt = UsernameTokenUtil.generateSalt(useMac);
+            WSSecUsernameToken usernameToken = addDKUsernameToken(sigToken, salt, useMac);
+            String id = usernameToken.getId();
+            byte[] secret = usernameToken.getDerivedKey(salt);
+            Arrays.fill(salt, (byte)0);
 
-        Instant created = Instant.now();
-        Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
-        SecurityToken tempTok =
-            new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires);
-        tempTok.setSecret(secret);
+            Instant created = Instant.now();
+            Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
+            SecurityToken tempTok =
+                new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires);
+            tempTok.setSecret(secret);
 
-        tokenStore.add(tempTok);
+            tokenStore.add(tempTok);
 
-        return id;
+            return id;
+        }
+        return null;
     }
 
     private SecurityToken getEncryptedKey() {
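Review bot: `setupUTDerivedKey` now returns `null` when `isTokenRequired(sigToken.getIncludeTokenType())` is false, where the old code always returned an id; callers outside this hunk that pass the result on (for example as a token id or into a lookup) may not expect `null`, and that change is not documented. Add a Javadoc `@return the id of the stored derived-key token, or {@code null} when the policy does not require the UsernameToken to be included` so the new contract is visible at the call sites. Zeroing `salt` with `Arrays.fill` after `getDerivedKey(salt)` is good hygiene, but it is skipped if `getDerivedKey` throws; a `finally` around the fill would make it unconditional.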
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
index 3a1b7c4..f0fc873 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
@@ -21,10 +21,13 @@ package org.apache.cxf.ws.security.wss4j.policyhandlers;
 
 import java.time.Instant;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.List;
 import java.util.logging.Level;
 
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.xml.crypto.dsig.Reference;
 import javax.xml.soap.SOAPException;
 import javax.xml.soap.SOAPMessage;
@@ -51,6 +54,8 @@ import org.apache.wss4j.common.ext.WSPasswordCallback;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.common.token.SecurityTokenReference;
+import org.apache.wss4j.common.util.KeyUtils;
+import org.apache.wss4j.common.util.UsernameTokenUtil;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.engine.WSSConfig;
 import org.apache.wss4j.dom.message.WSSecDKSign;
@@ -331,9 +336,11 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
             addSig(doIssuedTokenSignature(token, wrapper));
         } else if (token instanceof UsernameToken) {
             // Create a UsernameToken object for derived keys and store the security token
-            WSSecUsernameToken usernameToken = addDKUsernameToken((UsernameToken)token, true);
+            byte[] salt = UsernameTokenUtil.generateSalt(true);
+            WSSecUsernameToken usernameToken = addDKUsernameToken((UsernameToken)token, salt, true);
             String id = usernameToken.getId();
-            byte[] secret = usernameToken.getDerivedKey();
+            byte[] secret = usernameToken.getDerivedKey(salt);
+            Arrays.fill(salt, (byte)0);
 
             Instant created = Instant.now();
             Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
@@ -357,7 +364,11 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
             signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
 
         if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
-            WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(token);
+            AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
+            KeyGenerator keyGen = KeyUtils.getKeyGenerator(algType.getEncryption());
+            SecretKey symmetricKey = keyGen.generateKey();
+
+            WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(token, symmetricKey);
             assertPolicy(wrapper);
 
             Element bstElem = encrKey.getBinarySecurityTokenElement();
@@ -374,18 +385,17 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
             }
 
             dkSig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
-            dkSig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
+            dkSig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
             dkSig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
             dkSig.setStoreBytesInAttachment(storeBytesInAttachment);
             dkSig.setExpandXopInclude(isExpandXopInclude());
             dkSig.setWsDocInfo(wsDocInfo);
 
-            AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
             dkSig.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
 
-            dkSig.setExternalKey(encrKey.getEphemeralKey(), encrKey.getId());
+            dkSig.setTokenIdentifier(encrKey.getId());
 
-            dkSig.prepare();
+            dkSig.prepare(symmetricKey.getEncoded());
 
             dkSig.getParts().addAll(sigParts);
             List<Reference> referenceList = dkSig.addReferencesToSign(sigParts);
@@ -394,6 +404,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
             dkSig.appendDKElementToHeader();
             dkSig.computeSignature(referenceList, false, null);
 
+            dkSig.clean();
             return dkSig.getSignatureValue();
         }
         WSSecSignature sig = getSignatureBuilder(token, false, false);
@@ -478,9 +489,9 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
         }
 
         if (ref != null) {
-            dkSign.setExternalKey(secTok.getSecret(), cloneElement(ref));
+            dkSign.setStrElem(cloneElement(ref));
         } else {
-            dkSign.setExternalKey(secTok.getSecret(), secTok.getId());
+            dkSign.setTokenIdentifier(secTok.getId());
         }
 
         if (token instanceof UsernameToken) {
@@ -488,13 +499,13 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
         }
 
         // Set the algo info
-        dkSign.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature());
+        dkSign.setSignatureAlgorithm(algorithmSuite.getAlgorithmSuiteType().getSymmetricSignature());
         AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
         dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
         if (token.getVersion() == SPConstants.SPVersion.SP11) {
             dkSign.setWscVersion(ConversationConstants.VERSION_05_02);
         }
-        dkSign.prepare();
+        dkSign.prepare(secTok.getSecret());
 
         addDerivedKeyElement(dkSign.getdktElement());
 
@@ -504,6 +515,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
         //Do signature
         dkSign.computeSignature(referenceList, false, null);
 
+        dkSign.clean();
         return dkSign.getSignatureValue();
     }
 
@@ -594,11 +606,11 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
             }
 
             sig.setUserInfo(uname, password);
-            sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature());
+            sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature());
         } else {
             crypto = getSignatureCrypto();
             sig.setSecretKey(secTok.getSecret());
-            sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature());
+            sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature());
         }
         sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue());
         AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
index 0042681..b66bf1e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
@@ -117,8 +117,8 @@ public class AlgorithmSuitePolicyValidator extends AbstractSecurityPolicyValidat
     ) {
         String signatureMethod =
             (String)result.get(WSSecurityEngineResult.TAG_SIGNATURE_METHOD);
-        if (!algorithmPolicy.getAsymmetricSignature().equals(signatureMethod)
-            && !algorithmPolicy.getSymmetricSignature().equals(signatureMethod)) {
+        if (!algorithmPolicy.getAlgorithmSuiteType().getAsymmetricSignature().equals(signatureMethod)
+            && !algorithmPolicy.getAlgorithmSuiteType().getSymmetricSignature().equals(signatureMethod)) {
             ai.setNotAsserted(
                 "The signature method does not match the requirement"
             );
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomPolicyAlgorithmsTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomPolicyAlgorithmsTest.java
index 4f4f0bb..989b3d2 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomPolicyAlgorithmsTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomPolicyAlgorithmsTest.java
@@ -44,9 +44,9 @@ public class CustomPolicyAlgorithmsTest extends AbstractPolicySecurityTest {
         AsymmetricBinding binding = (AsymmetricBinding) assertInfo.getAssertion();
 
         // set Signature Algorithm to RSA SHA-256
-        binding.getAlgorithmSuite().setAsymmetricSignature(rsaSha2SigMethod);
+        binding.getAlgorithmSuite().getAlgorithmSuiteType().setAsymmetricSignature(rsaSha2SigMethod);
 
-        String sigMethod = binding.getAlgorithmSuite().getAsymmetricSignature();
+        String sigMethod = binding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature();
 
         assertNotNull(sigMethod);
         assertEquals(rsaSha2SigMethod, sigMethod);
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java
index 750aa90..158e5f8 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java
@@ -23,6 +23,8 @@ import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Collections;
 
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.security.auth.callback.CallbackHandler;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -40,6 +42,7 @@ import org.apache.wss4j.common.saml.bean.AuthenticationStatementBean;
 import org.apache.wss4j.common.saml.bean.KeyInfoBean;
 import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER;
 import org.apache.wss4j.common.saml.bean.SubjectBean;
+import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.message.WSSecEncryptedKey;
 
@@ -59,7 +62,6 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
     protected X509Certificate[] certs;
     protected Statement statement = Statement.AUTHN;
     protected CERT_IDENTIFIER certIdentifier = CERT_IDENTIFIER.X509_CERT;
-    protected byte[] ephemeralKey;
     protected boolean multiValue = true;
 
     public void setConfirmationMethod(String confMethod) {
@@ -78,10 +80,6 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
         this.certs = certs;
     }
 
-    public byte[] getEphemeralKey() {
-        return ephemeralKey;
-    }
-
     /**
      * Note that the SubjectBean parameter should be null for SAML2.0
      */
@@ -175,8 +173,10 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
             WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc);
             encrKey.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER);
             encrKey.setUseThisCert(certs[0]);
-            encrKey.prepare(null);
-            ephemeralKey = encrKey.getEphemeralKey();
+
+            KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_128);
+            SecretKey symmetricKey = keyGen.generateKey();
+            encrKey.prepare(null, symmetricKey);
             Element encryptedKeyElement = encrKey.getEncryptedKeyElement();
 
             // Append the EncryptedKey to a KeyInfo element
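Review bot: The freshly generated `symmetricKey` at L1781 is used only for `prepare` and then dropped, whereas the old code kept the key bytes in `ephemeralKey` and exposed them through `getEphemeralKey()`, both removed by the hunks at L1754 and L1762. If any test built on this handler decrypts or verifies against the key carried in the EncryptedKey, it has no way to obtain it now; in that case keep a field such as `protected SecretKey symmetricKey;` and assign it here rather than a local. If nothing reads the key, the removal is fine and a one-line comment like `// key material is only needed to build the EncryptedKey; it is not retained` would make that intent explicit. The enclosing method starts and ends outside the hunk.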
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
index ba5bb13..0b4b80c 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
@@ -29,6 +29,8 @@ import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.xml.bind.JAXBElement;
 import javax.xml.namespace.QName;
 
@@ -77,6 +79,7 @@ import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.wss4j.common.WSS4JConstants;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.util.DateUtil;
+import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.common.util.XMLUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.message.WSSecEncryptedKey;
@@ -375,10 +378,17 @@ public abstract class AbstractOperation {
         WSSecEncryptedKey builder = new WSSecEncryptedKey(doc);
         builder.setUserInfo(name);
         builder.setKeyIdentifierType(encryptionProperties.getKeyIdentifierType());
-        builder.setEphemeralKey(secret);
         builder.setKeyEncAlgo(keyWrapAlgorithm);
 
-        builder.prepare(stsProperties.getEncryptionCrypto());
+        SecretKey symmetricKey = null;
+        if (secret != null) {
+            symmetricKey = KeyUtils.prepareSecretKey(encryptionProperties.getEncryptionAlgorithm(), secret);
+        } else {
+            KeyGenerator keyGen = KeyUtils.getKeyGenerator(encryptionProperties.getEncryptionAlgorithm());
+            symmetricKey = keyGen.generateKey();
+        }
+
+        builder.prepare(stsProperties.getEncryptionCrypto(), symmetricKey);
 
         return builder.getEncryptedKeyElement();
     }
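Review bot: The `SecretKey symmetricKey = null;` followed by an if/else that assigns in both branches (L1815–L1821) can be a single final declaration, `final SecretKey symmetricKey = secret != null ? KeyUtils.prepareSecretKey(encryptionProperties.getEncryptionAlgorithm(), secret) : KeyUtils.getKeyGenerator(encryptionProperties.getEncryptionAlgorithm()).generateKey();`, which also removes the null-initialised state. The same block is duplicated verbatim in DefaultSubjectProvider (L1858–L1864); a small shared helper taking the algorithm and the optional secret would keep the two in step. Note that when `secret` is null the generated key material is not returned to the caller — only the EncryptedKey element is — so this presumably relies on callers never needing the raw key in that path; worth confirming, since the method's signature and callers lie outside the hunk.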
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
index d5f2284..c080d4b 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
@@ -27,6 +27,8 @@ import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.regex.Pattern;
 
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.naming.ldap.LdapName;
 import javax.naming.ldap.Rdn;
 import javax.security.auth.kerberos.KerberosPrincipal;
@@ -55,6 +57,7 @@ import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER;
 import org.apache.wss4j.common.saml.bean.SubjectBean;
 import org.apache.wss4j.common.saml.builder.SAML1Constants;
 import org.apache.wss4j.common.saml.builder.SAML2Constants;
+import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.dom.message.WSSecEncryptedKey;
 
 /**
@@ -331,11 +334,18 @@ public class DefaultSubjectProvider implements SubjectProvider {
         // Create an EncryptedKey
         WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc);
         encrKey.setKeyIdentifierType(encryptionProperties.getKeyIdentifierType());
-        encrKey.setEphemeralKey(secret);
-        encrKey.setSymmetricEncAlgorithm(encryptionProperties.getEncryptionAlgorithm());
         encrKey.setUseThisCert(certificate);
         encrKey.setKeyEncAlgo(encryptionProperties.getKeyWrapAlgorithm());
-        encrKey.prepare(encryptionCrypto);
+
+        SecretKey symmetricKey = null;
+        if (secret != null) {
+            symmetricKey = KeyUtils.prepareSecretKey(encryptionProperties.getEncryptionAlgorithm(), secret);
+        } else {
+            KeyGenerator keyGen = KeyUtils.getKeyGenerator(encryptionProperties.getEncryptionAlgorithm());
+            symmetricKey = keyGen.generateKey();
+        }
+
+        encrKey.prepare(encryptionCrypto, symmetricKey);
         Element encryptedKeyElement = encrKey.getEncryptedKeyElement();
 
         // Append the EncryptedKey to a KeyInfo element
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java
index b4cb1a7..e907da1 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java
@@ -25,6 +25,8 @@ import java.util.Map;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.xml.bind.JAXBElement;
 import javax.xml.namespace.QName;
 
@@ -43,6 +45,7 @@ import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
 import org.apache.wss4j.common.ConfigurationConstants;
 import org.apache.wss4j.common.WSEncryptionPart;
 import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
 import org.apache.wss4j.dom.message.WSSecEncrypt;
@@ -171,8 +174,11 @@ public final class TokenProviderUtils {
         WSEncryptionPart encryptionPart = new WSEncryptionPart(id, "Element");
         encryptionPart.setElement(element);
 
-        builder.prepare(stsProperties.getEncryptionCrypto());
-        builder.encryptForRef(null, Collections.singletonList(encryptionPart));
+        KeyGenerator keyGen = KeyUtils.getKeyGenerator(encryptionAlgorithm);
+        SecretKey symmetricKey = keyGen.generateKey();
+
+        builder.prepare(stsProperties.getEncryptionCrypto(), symmetricKey);
+        builder.encryptForRef(null, Collections.singletonList(encryptionPart), symmetricKey);
 
         return (Element)frag.getFirstChild();
     }
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java
index 0a31958..ca8f151 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java
@@ -26,6 +26,8 @@ import java.util.Collections;
 import java.util.List;
 import java.util.Properties;
 
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.xml.bind.JAXBElement;
 import javax.xml.namespace.QName;
 
@@ -70,6 +72,7 @@ import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.common.saml.builder.SAML1Constants;
 import org.apache.wss4j.common.saml.builder.SAML2Constants;
 import org.apache.wss4j.common.util.DOM2Writer;
+import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSDocInfo;
 import org.apache.wss4j.dom.engine.WSSConfig;
@@ -839,9 +842,12 @@ public class IssueSamlUnitTest {
         builder.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
         builder.setKeyEncAlgo(WSS4JConstants.KEYTRANSPORT_RSAOAEP);
 
-        builder.prepare(stsProperties.getSignatureCrypto());
+        KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_128);
+        SecretKey symmetricKey = keyGen.generateKey();
+
+        builder.prepare(stsProperties.getSignatureCrypto(), symmetricKey);
         Element encryptedKeyElement = builder.getEncryptedKeyElement();
-        byte[] secret = builder.getEphemeralKey();
+        byte[] secret = symmetricKey.getEncoded();
 
         EntropyType entropyType = new EntropyType();
         entropyType.getAny().add(encryptedKeyElement);
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java
index e04d7b5..50ea95b 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java
@@ -26,7 +26,8 @@ import org.apache.cxf.common.security.SimplePrincipal;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.ws.security.SecurityConstants;
 import org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor;
-import org.apache.wss4j.dom.message.token.UsernameToken;
+import org.apache.wss4j.common.util.UsernameTokenUtil;
+import org.apache.xml.security.utils.XMLUtils;
 
 public class CustomUsernameTokenInterceptor extends UsernameTokenInterceptor {
 
@@ -44,11 +45,16 @@ public class CustomUsernameTokenInterceptor extends UsernameTokenInterceptor {
 
         // add roles this user is in
         String roleName = "Alice".equals(name) ? "developers" : "pms";
-        String expectedPassword = "Alice".equals(name) ? "ecilA"
-            : UsernameToken.doPasswordDigest(nonce, created, "invalid-password");
-        if (!password.equals(expectedPassword)) {
+        try {
+            String expectedPassword = "Alice".equals(name) ? "ecilA"
+                : UsernameTokenUtil.doPasswordDigest(XMLUtils.decode(nonce), created, "invalid-password");
+            if (!password.equals(expectedPassword)) {
+                throw new SecurityException("Wrong Password");
+            }
+        } catch (org.apache.wss4j.common.ext.WSSecurityException ex) {
             throw new SecurityException("Wrong Password");
         }
+
         subject.getPrincipals().add(new SimpleGroup(roleName, name));
         subject.setReadOnly();
         return subject;
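Review bot: The catch at L1968 rethrows `SecurityException("Wrong Password")` without chaining `ex`, so a failure inside `doPasswordDigest` (e.g. an unsupported digest algorithm) is indistinguishable in server logs from a genuinely wrong password; `throw new SecurityException("Wrong Password", ex);` keeps the client-visible message while preserving the cause for diagnostics. The fully qualified `org.apache.wss4j.common.ext.WSSecurityException` in the catch clause would normally be an import like the other `org.apache.wss4j` types above. If `XMLUtils.decode(nonce)` rejects malformed base64 with an unchecked exception in the Santuario version in use, that escapes this catch and surfaces as something other than the intended fault — confirm against the library. The password check itself uses `String.equals`; since this is a systest helper that is presumably acceptable, but `MessageDigest.isEqual` on the UTF-8 bytes is the constant-time form if the class is ever copied into production code.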
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/SHA512PolicyLoader.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/SHA512PolicyLoader.java
index 3c1910b..c99c9f8 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/SHA512PolicyLoader.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/SHA512PolicyLoader.java
@@ -91,7 +91,7 @@ public class SHA512PolicyLoader implements AlgorithmSuiteLoader {
 
         SHA512AlgorithmSuite(SPConstants.SPVersion version, Policy nestedPolicy) {
             super(version, nestedPolicy);
-            setAsymmetricSignature("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512");
+            getAlgorithmSuiteType().setAsymmetricSignature("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512");
         }
 
         @Override