You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@santuario.apache.org by co...@apache.org on 2018/08/14 09:01:22 UTC
svn commit: r1838001 - in /santuario/xml-security-java/trunk/src:
main/java/org/apache/xml/security/encryption/XMLCipher.java
test/java/org/apache/xml/security/test/dom/encryption/XMLEncryption11Test.java
Author: coheigea
Date: Tue Aug 14 09:01:21 2018
New Revision: 1838001
URL: http://svn.apache.org/viewvc?rev=1838001&view=rev
Log:
SANTUARIO-490 - Use requested SecureRandom for OAEP in XMLCipher.encryptKey
Modified:
santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/encryption/XMLCipher.java
santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/dom/encryption/XMLEncryption11Test.java
Modified: santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/encryption/XMLCipher.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/encryption/XMLCipher.java?rev=1838001&r1=1838000&r2=1838001&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/encryption/XMLCipher.java (original)
+++ santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/encryption/XMLCipher.java Tue Aug 14 09:01:21 2018
@@ -30,6 +30,7 @@ import java.security.InvalidKeyException
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
+import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.MGF1ParameterSpec;
import java.util.ArrayList;
@@ -1318,6 +1319,28 @@ public class XMLCipher {
String mgfAlgorithm,
byte[] oaepParams
) throws XMLEncryptionException {
+ return encryptKey(doc, key, mgfAlgorithm, oaepParams, null);
+ }
+
+ /**
+ * Encrypts a key to an EncryptedKey structure
+ *
+ * @param doc the Context document that will be used to general DOM
+ * @param key Key to encrypt (will use previously set KEK to
+ * perform encryption
+ * @param mgfAlgorithm The xenc11 MGF Algorithm to use
+ * @param oaepParams The OAEPParams to use
+ * @param random The SecureRandom instance to use when initializing the Cipher
+ * @return the <code>EncryptedKey</code>
+ * @throws XMLEncryptionException
+ */
+ public EncryptedKey encryptKey(
+ Document doc,
+ Key key,
+ String mgfAlgorithm,
+ byte[] oaepParams,
+ SecureRandom random
+ ) throws XMLEncryptionException {
LOG.debug("Encrypting key ...");
if (null == key) {
@@ -1350,10 +1373,18 @@ public class XMLCipher {
constructOAEPParameters(
algorithm, digestAlg, mgfAlgorithm, oaepParams
);
- if (oaepParameters == null) {
- c.init(Cipher.WRAP_MODE, this.key);
+ if (random != null) {
+ if (oaepParameters == null) {
+ c.init(Cipher.WRAP_MODE, this.key, random);
+ } else {
+ c.init(Cipher.WRAP_MODE, this.key, oaepParameters, random);
+ }
} else {
- c.init(Cipher.WRAP_MODE, this.key, oaepParameters);
+ if (oaepParameters == null) {
+ c.init(Cipher.WRAP_MODE, this.key);
+ } else {
+ c.init(Cipher.WRAP_MODE, this.key, oaepParameters);
+ }
}
encryptedBytes = c.wrap(key);
} catch (InvalidKeyException ike) {
Modified: santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/dom/encryption/XMLEncryption11Test.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/dom/encryption/XMLEncryption11Test.java?rev=1838001&r1=1838000&r2=1838001&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/dom/encryption/XMLEncryption11Test.java (original)
+++ santuario/xml-security-java/trunk/src/test/java/org/apache/xml/security/test/dom/encryption/XMLEncryption11Test.java Tue Aug 14 09:01:21 2018
@@ -23,6 +23,7 @@ import java.security.Key;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
+import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.HashMap;
@@ -222,6 +223,72 @@ public class XMLEncryption11Test {
* rsa-oaep-mgf1p, Digest:SHA256, MGF:SHA1, PSource: None
*/
@org.junit.Test
+ public void testKeyWrappingRSA2048EncryptDecryptWithSecureRandom() throws Exception {
+ if (haveISOPadding) {
+ String keystore =
+ "src/test/resources/org/w3c/www/interop/xmlenc-core-11/RSA-2048_SHA256WithRSA.jks";
+ String basedir = System.getProperty("basedir");
+ if (basedir != null && !"".equals(basedir)) {
+ keystore = basedir + "/" + keystore;
+ }
+
+ KeyStore keyStore = KeyStore.getInstance("jks");
+ keyStore.load(new java.io.FileInputStream(keystore), "passwd".toCharArray());
+
+ Certificate cert = keyStore.getCertificate("importkey");
+
+ KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry)
+ keyStore.getEntry("importkey", new KeyStore.PasswordProtection("passwd".toCharArray()));
+ PrivateKey rsaKey = pkEntry.getPrivateKey();
+
+ // Perform encryption
+ String filename = "src/test/resources/org/w3c/www/interop/xmlenc-core-11/plaintext.xml";
+ if (basedir != null && !"".equals(basedir)) {
+ filename = basedir + "/" + filename;
+ }
+ File f = new File(filename);
+
+ DocumentBuilder db = XMLUtils.createDocumentBuilder(false);
+ Document doc = db.parse(new java.io.FileInputStream(f));
+
+ Key sessionKey = getSessionKey("http://www.w3.org/2009/xmlenc11#aes128-gcm");
+ EncryptedKey encryptedKey =
+ createEncryptedKey(
+ doc,
+ (X509Certificate)cert,
+ sessionKey,
+ "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
+ "http://www.w3.org/2000/09/xmldsig#sha1",
+ null,
+ null,
+ new SecureRandom()
+ );
+
+ doc =
+ encryptDocument(
+ doc,
+ encryptedKey,
+ sessionKey,
+ "http://www.w3.org/2009/xmlenc11#aes128-gcm"
+ );
+ // XMLUtils.outputDOM(doc.getFirstChild(), System.out);
+
+ // Perform decryption
+ Document dd = decryptElement(doc, rsaKey, (X509Certificate)cert);
+ // XMLUtils.outputDOM(dd.getFirstChild(), System.out);
+ checkDecryptedDoc(dd, true);
+ } else {
+ LOG.warn(
+ "Skipping testRSA2048 as necessary "
+ + "crypto algorithms are not available"
+ );
+ }
+ }
+
+ /**
+ * rsa-oaep-mgf1p, Digest:SHA256, MGF:SHA1, PSource: None
+ */
+ @org.junit.Test
public void testKeyWrappingRSA3072() throws Exception {
if (haveISOPadding) {
String keystore =
@@ -601,11 +668,25 @@ public class XMLEncryption11Test {
String mgfAlgorithm,
byte[] oaepParams
) throws Exception {
+ return createEncryptedKey(doc, rsaCert, sessionKey, encryptionMethod,
+ digestMethod, mgfAlgorithm, oaepParams, null);
+ }
+
+ private EncryptedKey createEncryptedKey(
+ Document doc,
+ X509Certificate rsaCert,
+ Key sessionKey,
+ String encryptionMethod,
+ String digestMethod,
+ String mgfAlgorithm,
+ byte[] oaepParams,
+ SecureRandom random
+ ) throws Exception {
// Create the XMLCipher element
XMLCipher cipher = XMLCipher.getInstance(encryptionMethod, null, digestMethod);
cipher.init(XMLCipher.WRAP_MODE, rsaCert.getPublicKey());
- EncryptedKey encryptedKey = cipher.encryptKey(doc, sessionKey, mgfAlgorithm, oaepParams);
+ EncryptedKey encryptedKey = cipher.encryptKey(doc, sessionKey, mgfAlgorithm, oaepParams, random);
KeyInfo builderKeyInfo = encryptedKey.getKeyInfo();
if (builderKeyInfo == null) {