Posted to commits@ws.apache.org by co...@apache.org on 2011/08/15 14:42:46 UTC
svn commit: r1157825 - in /webservices/wss4j/trunk/src:
main/java/org/apache/ws/security/message/
main/java/org/apache/ws/security/util/
test/java/org/apache/ws/security/message/
Author: coheigea
Date: Mon Aug 15 12:42:46 2011
New Revision: 1157825
URL: http://svn.apache.org/viewvc?rev=1157825&view=rev
Log:
[WSS-304,WSS-306] - Using KeyGenerator to generate ephemeral keys and using WRAP_MODE
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncryptedKey.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureEncryptionTest.java
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SymmetricSignatureTest.java
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java?rev=1157825&r1=1157824&r2=1157825&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncrypt.java Mon Aug 15 12:42:46 2011
@@ -29,7 +29,6 @@ import org.apache.ws.security.message.to
import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.WSSecurityUtil;
-import org.apache.xml.security.algorithms.JCEMapper;
import org.apache.xml.security.encryption.EncryptedData;
import org.apache.xml.security.encryption.XMLCipher;
import org.apache.xml.security.encryption.XMLEncryptionException;
@@ -43,7 +42,6 @@ import org.w3c.dom.Node;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
-import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
@@ -59,18 +57,11 @@ public class WSSecEncrypt extends WSSecE
private static org.apache.commons.logging.Log log =
org.apache.commons.logging.LogFactory.getLog(WSSecEncrypt.class);
- protected String symEncAlgo = WSConstants.AES_128;
-
protected byte[] embeddedKey = null;
protected String embeddedKeyName = null;
/**
- * Symmetric key used in the EncrytpedKey.
- */
- protected SecretKey symmetricKey = null;
-
- /**
* SecurityTokenReference to be inserted into EncryptedData/keyInfo element.
*/
protected SecurityTokenReference securityTokenReference = null;
@@ -96,6 +87,7 @@ public class WSSecEncrypt extends WSSecE
public WSSecEncrypt() {
super();
}
+
public WSSecEncrypt(WSSConfig config) {
super(config);
}
@@ -134,40 +126,6 @@ public class WSSecEncrypt extends WSSecE
/**
- * Set the name of the symmetric encryption algorithm to use.
- *
- * This encryption algorithm is used to encrypt the data. If the algorithm
- * is not set then AES128 is used. Refer to WSConstants which algorithms are
- * supported.
- *
- * @param algo Is the name of the encryption algorithm
- * @see WSConstants#TRIPLE_DES
- * @see WSConstants#AES_128
- * @see WSConstants#AES_192
- * @see WSConstants#AES_256
- */
- public void setSymmetricEncAlgorithm(String algo) {
- symEncAlgo = algo;
- }
-
-
- /**
- * Get the name of symmetric encryption algorithm to use.
- *
- * The name of the encryption algorithm to encrypt the data, i.e. the SOAP
- * Body. Refer to WSConstants which algorithms are supported.
- *
- * @return the name of the currently selected symmetric encryption algorithm
- * @see WSConstants#TRIPLE_DES
- * @see WSConstants#AES_128
- * @see WSConstants#AES_192
- * @see WSConstants#AES_256
- */
- public String getSymmetricEncAlgorithm() {
- return symEncAlgo;
- }
-
- /**
* Initialize a WSSec Encrypt.
*
* The method prepares and initializes a WSSec Encrypt structure after the
@@ -220,7 +178,7 @@ public class WSSecEncrypt extends WSSecE
}
remoteCert = certs[0];
}
- prepareInternal(ephemeralKey, remoteCert, crypto);
+ prepareInternal(symmetricKey, remoteCert, crypto);
} else {
encryptedEphemeralKey = ephemeralKey;
}
@@ -598,29 +556,6 @@ public class WSSecEncrypt extends WSSecE
return keyInfo;
}
-
- private KeyGenerator getKeyGenerator() throws WSSecurityException {
- try {
- //
- // Assume AES as default, so initialize it
- //
- String keyAlgorithm = JCEMapper.getJCEKeyAlgorithmFromURI(symEncAlgo);
- KeyGenerator keyGen = KeyGenerator.getInstance(keyAlgorithm);
- if (symEncAlgo.equalsIgnoreCase(WSConstants.AES_128)) {
- keyGen.init(128);
- } else if (symEncAlgo.equalsIgnoreCase(WSConstants.AES_192)) {
- keyGen.init(192);
- } else if (symEncAlgo.equalsIgnoreCase(WSConstants.AES_256)) {
- keyGen.init(256);
- }
- return keyGen;
- } catch (NoSuchAlgorithmException e) {
- throw new WSSecurityException(
- WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, e
- );
- }
- }
-
/**
* Create DOM subtree for <code>xenc:EncryptedKey</code>
*
@@ -646,22 +581,6 @@ public class WSSecEncrypt extends WSSecE
}
/**
- * @return The symmetric key
- */
- public SecretKey getSymmetricKey() {
- return symmetricKey;
- }
-
- /**
- * Set the symmetric key to be used for encryption
- *
- * @param key
- */
- public void setSymmetricKey(SecretKey key) {
- this.symmetricKey = key;
- }
-
- /**
* @return Return the SecurityTokenRefernce
*/
public SecurityTokenReference getSecurityTokenReference() {
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncryptedKey.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncryptedKey.java?rev=1157825&r1=1157824&r2=1157825&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncryptedKey.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/WSSecEncryptedKey.java Mon Aug 15 12:42:46 2011
@@ -20,11 +20,13 @@
package org.apache.ws.security.message;
import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
-import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSConfig;
@@ -39,6 +41,7 @@ import org.apache.ws.security.message.to
import org.apache.ws.security.message.token.X509Security;
import org.apache.ws.security.util.UUIDGenerator;
import org.apache.ws.security.util.WSSecurityUtil;
+import org.apache.xml.security.algorithms.JCEMapper;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -69,6 +72,11 @@ public class WSSecEncryptedKey extends W
* Session key used as the secret in key derivation
*/
protected byte[] ephemeralKey;
+
+ /**
+ * Symmetric key used in the EncryptedKey.
+ */
+ protected SecretKey symmetricKey = null;
/**
* Encrypted bytes of the ephemeral key
@@ -84,6 +92,11 @@ public class WSSecEncryptedKey extends W
* Algorithm used to encrypt the ephemeral key
*/
protected String keyEncAlgo = WSConstants.KEYTRANSPORT_RSA15;
+
+ /**
+ * Algorithm to be used with the ephemeral key
+ */
+ protected String symEncAlgo = WSConstants.AES_128;
/**
* xenc:EncryptedKey element
@@ -123,6 +136,7 @@ public class WSSecEncryptedKey extends W
public WSSecEncryptedKey() {
super();
}
+
public WSSecEncryptedKey(WSSConfig config) {
super(config);
}
@@ -167,7 +181,15 @@ public class WSSecEncryptedKey extends W
// Set up the ephemeral key
//
if (ephemeralKey == null) {
- ephemeralKey = generateEphemeralKey();
+ if (symmetricKey == null) {
+ KeyGenerator keyGen = getKeyGenerator();
+ symmetricKey = keyGen.generateKey();
+ }
+ ephemeralKey = symmetricKey.getEncoded();
+ }
+
+ if (symmetricKey == null) {
+ symmetricKey = WSSecurityUtil.prepareSecretKey(symEncAlgo, ephemeralKey);
}
//
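Review bot: `ephemeralKey = symmetricKey.getEncoded();` assumes the key material is extractable, but `getEncoded()` may return null for keys that do not expose their bytes (for example a provider-held key supplied through `setSymmetricKey`), which would leave `ephemeralKey` null for the rest of `prepare`. The two fields can also disagree: if a caller has supplied both an ephemeral key and a symmetric key, neither null check runs and the key wrapped by `prepareInternal(symmetricKey, ...)` is not the one held in `ephemeralKey`. I would check the result of `getEncoded()` for null and fail with a `WSSecurityException`, and document the precedence with a comment such as `// symmetricKey is the key that gets wrapped; ephemeralKey must carry the same bytes`. The body of `prepare` starts and ends outside this hunk.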
@@ -189,7 +211,7 @@ public class WSSecEncryptedKey extends W
remoteCert = certs[0];
}
- prepareInternal(ephemeralKey, remoteCert, crypto);
+ prepareInternal(symmetricKey, remoteCert, crypto);
}
/**
@@ -198,20 +220,20 @@ public class WSSecEncryptedKey extends W
* This method does the most work for to prepare the EncryptedKey element.
* It is also used by the WSSecEncrypt sub-class.
*
- * @param keyBytes The bytes that represent the symmetric key
+ * @param secretKey The symmetric key
* @param remoteCert The certificate that contains the public key to encrypt the
* symmetric key data
* @param crypto An instance of the Crypto API to handle keystore and certificates
* @throws WSSecurityException
*/
protected void prepareInternal(
- byte[] keyBytes,
+ SecretKey secretKey,
X509Certificate remoteCert,
Crypto crypto
) throws WSSecurityException {
Cipher cipher = WSSecurityUtil.getCipherInstance(keyEncAlgo);
try {
- cipher.init(Cipher.ENCRYPT_MODE, remoteCert);
+ cipher.init(Cipher.WRAP_MODE, remoteCert);
} catch (InvalidKeyException e) {
throw new WSSecurityException(
WSSecurityException.FAILED_ENCRYPTION, null, null, e
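Review bot: Changing the first parameter of the protected `prepareInternal` from `byte[]` to `SecretKey` breaks any subclass outside this tree that calls or overrides the old signature, and the Javadoc itself says the method is used by sub-classes. A deprecated overload that keeps the old signature and delegates, for example `prepareInternal(WSSecurityUtil.prepareSecretKey(symEncAlgo, keyBytes), remoteCert, crypto);`, would keep those callers compiling. The Javadoc could also state that the key is now wrapped with `Cipher.WRAP_MODE`, and say when `@throws WSSecurityException` is raised. The method body continues past the end of this hunk.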
@@ -220,20 +242,12 @@ public class WSSecEncryptedKey extends W
int blockSize = cipher.getBlockSize();
if (doDebug) {
log.debug(
- "cipher blksize: " + blockSize
- + ", symm key length: " + keyBytes.length
- );
- }
- if (blockSize > 0 && blockSize < keyBytes.length) {
- throw new WSSecurityException(
- WSSecurityException.FAILURE,
- "unsupportedKeyTransp",
- new Object[] {"public key algorithm too weak to encrypt symmetric key"}
+ "cipher blksize: " + blockSize + ", symm key: " + secretKey.toString()
);
}
try {
- encryptedEphemeralKey = cipher.doFinal(keyBytes);
+ encryptedEphemeralKey = cipher.wrap(secretKey);
} catch (IllegalStateException ex) {
throw new WSSecurityException(
WSSecurityException.FAILED_ENCRYPTION, null, null, ex
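Review bot: The new debug line writes `secretKey.toString()` to the log, and what that string contains depends on the key class. Some implementations print only an identity-style value, but that value can be a hash code computed from the key bytes, and a provider class is free to print more. Key-derived values should not reach log files, so I would log non-secret metadata instead: `"cipher blksize: " + blockSize + ", symm key algorithm: " + secretKey.getAlgorithm()`. Separately, the explicit "public key algorithm too weak to encrypt symmetric key" check is removed here, so an oversized key presumably now surfaces only as a generic `FAILED_ENCRYPTION` from `wrap`; a comment saying so would help whoever debugs it. The enclosing method starts before this hunk and continues after it.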
@@ -242,7 +256,7 @@ public class WSSecEncryptedKey extends W
throw new WSSecurityException(
WSSecurityException.FAILED_ENCRYPTION, null, null, ex
);
- } catch (BadPaddingException ex) {
+ } catch (InvalidKeyException ex) {
throw new WSSecurityException(
WSSecurityException.FAILED_ENCRYPTION, null, null, ex
);
@@ -375,17 +389,27 @@ public class WSSecEncryptedKey extends W
envelope = document.getDocumentElement();
}
- /**
- * Create an ephemeral key
- *
- * @return an ephemeral key
- * @throws WSSecurityException
- */
- protected byte[] generateEphemeralKey() throws WSSecurityException {
+ protected KeyGenerator getKeyGenerator() throws WSSecurityException {
try {
- return WSSecurityUtil.generateNonce(this.keySize / 8);
- } catch (Exception e) {
- throw new WSSecurityException("Error in creating the ephemeral key", e);
+ //
+ // Assume AES as default, so initialize it
+ //
+ String keyAlgorithm = JCEMapper.getJCEKeyAlgorithmFromURI(symEncAlgo);
+ KeyGenerator keyGen = KeyGenerator.getInstance(keyAlgorithm);
+ if (symEncAlgo.equalsIgnoreCase(WSConstants.AES_128)) {
+ keyGen.init(128);
+ } else if (symEncAlgo.equalsIgnoreCase(WSConstants.AES_192)) {
+ keyGen.init(192);
+ } else if (symEncAlgo.equalsIgnoreCase(WSConstants.AES_256)) {
+ keyGen.init(256);
+ } else {
+ keyGen.init(keySize);
+ }
+ return keyGen;
+ } catch (NoSuchAlgorithmException e) {
+ throw new WSSecurityException(
+ WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, e
+ );
}
}
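Review bot: The new `else { keyGen.init(keySize); }` branch can throw the unchecked `InvalidParameterException`, which this method does not catch, so a bad algorithm/size pairing escapes as a runtime exception instead of a `WSSecurityException`. `setKeySize` accepts anything from 64 bits upward, while a non-AES generator such as the one for `WSConstants.TRIPLE_DES` accepts only its own fixed sizes. If `JCEMapper.getJCEKeyAlgorithmFromURI` returns null for an unrecognised URI (not visible here), `KeyGenerator.getInstance` would fail in an equally unhelpful way. I would catch the exception and map it as below (this needs an import of `java.security.InvalidParameterException`), and replace the stale `// Assume AES as default` comment, since the method now handles non-AES algorithms as well. The commit also drops the protected `generateEphemeralKey()`, so a subclass that overrode it to control key generation silently loses that hook.

```java
protected KeyGenerator getKeyGenerator() throws WSSecurityException {
    try {
        // … unchanged: algorithm lookup and key-size selection …
        return keyGen;
    } catch (NoSuchAlgorithmException e) {
        // … unchanged: mapped to UNSUPPORTED_ALGORITHM …
    } catch (InvalidParameterException e) {
        // keySize is not a legal size for the resolved key algorithm
        throw new WSSecurityException(
            WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, e
        );
    }
}
```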
@@ -526,7 +550,7 @@ public class WSSecEncryptedKey extends W
}
return null;
}
-
+
public void setKeySize(int keySize) throws WSSecurityException {
if (keySize < 64) {
// Minimum size has to be 64 bits - E.g. A DES key
@@ -589,4 +613,56 @@ public class WSSecEncryptedKey extends W
public void setCustomEKTokenId(String customEKTokenId) {
this.customEKTokenId = customEKTokenId;
}
+
+ /**
+ * Set the name of the symmetric encryption algorithm to use.
+ *
+ * This encryption algorithm is used to encrypt the data. If the algorithm
+ * is not set then AES128 is used. Refer to WSConstants which algorithms are
+ * supported.
+ *
+ * @param algo Is the name of the encryption algorithm
+ * @see WSConstants#TRIPLE_DES
+ * @see WSConstants#AES_128
+ * @see WSConstants#AES_192
+ * @see WSConstants#AES_256
+ */
+ public void setSymmetricEncAlgorithm(String algo) {
+ symEncAlgo = algo;
+ }
+
+
+ /**
+ * Get the name of symmetric encryption algorithm to use.
+ *
+ * The name of the encryption algorithm to encrypt the data, i.e. the SOAP
+ * Body. Refer to WSConstants which algorithms are supported.
+ *
+ * @return the name of the currently selected symmetric encryption algorithm
+ * @see WSConstants#TRIPLE_DES
+ * @see WSConstants#AES_128
+ * @see WSConstants#AES_192
+ * @see WSConstants#AES_256
+ */
+ public String getSymmetricEncAlgorithm() {
+ return symEncAlgo;
+ }
+
+ /**
+ * @return The symmetric key
+ */
+ public SecretKey getSymmetricKey() {
+ return symmetricKey;
+ }
+
+ /**
+ * Set the symmetric key to be used for encryption
+ *
+ * @param key
+ */
+ public void setSymmetricKey(SecretKey key) {
+ this.symmetricKey = key;
+ }
+
+
}
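Review bot: The accessors moved into this class do not document how they interact with each other or with `setKeySize`, and that interaction now determines which key is generated. For the three AES URIs `getKeyGenerator` ignores `keySize` entirely, so the Javadoc of `setSymmetricEncAlgorithm` should say `For the AES algorithms the key length is taken from the algorithm URI and any value passed to setKeySize is ignored.` The `@param key` tag on `setSymmetricKey` is empty; it should state that a supplied key is used instead of generating one and that its algorithm must match the configured symmetric encryption algorithm. None of the setters validate their argument, so a null algorithm would only fail later inside `getKeyGenerator`.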
Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java?rev=1157825&r1=1157824&r2=1157825&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java (original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/util/WSSecurityUtil.java Mon Aug 15 12:42:46 2011
@@ -1004,7 +1004,7 @@ public class WSSecurityUtil {
try {
if (random == null) {
random = SecureRandom.getInstance("SHA1PRNG");
- random.setSeed(System.currentTimeMillis());
+ random.setSeed(System.nanoTime());
}
byte[] temp = new byte[length];
random.nextBytes(temp);
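Review bot: Replacing `System.currentTimeMillis()` with `System.nanoTime()` in `random.setSeed(...)` does not fix the weakness, because the generator is still seeded explicitly before its first use. With the `SHA1PRNG` implementation, a `setSeed` call made before the first `nextBytes` replaces the provider's own self-seeding, so every value produced afterwards is derived from a single timer reading that an observer may be able to narrow down. I would delete the `random.setSeed(System.nanoTime());` line so the instance seeds itself from the platform entropy source. The lazy initialisation of the shared `random` field also looks unsynchronised from what is visible here, which is worth confirming in the part of the method outside this hunk.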
Modified: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureEncryptionTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureEncryptionTest.java?rev=1157825&r1=1157824&r2=1157825&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureEncryptionTest.java (original)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SignatureEncryptionTest.java Mon Aug 15 12:42:46 2011
@@ -383,7 +383,7 @@ public class SignatureEncryptionTest ext
WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
encrKey.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
- encrKey.setKeySize(192);
+ encrKey.setSymmetricEncAlgorithm(WSConstants.AES_192);
encrKey.prepare(doc, crypto);
WSSecEncrypt encrypt = new WSSecEncrypt();
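Review bot: Switching this test from `setKeySize(192)` to `setSymmetricEncAlgorithm(WSConstants.AES_192)` leaves the new `keyGen.init(keySize)` fallback in `WSSecEncryptedKey.getKeyGenerator` without any coverage in the visible tests. The same replacement is made in both hunks of SymmetricSignatureTest.java. It would be worth keeping one case that sets a non-AES algorithm together with `setKeySize`, and one that calls `setKeySize(192)` while leaving the default AES-128 algorithm, to pin down that the size is ignored there. The test method starts before this hunk and continues after it.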
Modified: webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SymmetricSignatureTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SymmetricSignatureTest.java?rev=1157825&r1=1157824&r2=1157825&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SymmetricSignatureTest.java (original)
+++ webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/SymmetricSignatureTest.java Mon Aug 15 12:42:46 2011
@@ -124,7 +124,7 @@ public class SymmetricSignatureTest exte
WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
encrKey.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
- encrKey.setKeySize(192);
+ encrKey.setSymmetricEncAlgorithm(WSConstants.AES_192);
encrKey.prepare(doc, crypto);
WSSecSignature sign = new WSSecSignature();
@@ -165,7 +165,7 @@ public class SymmetricSignatureTest exte
WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
encrKey.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
- encrKey.setKeySize(192);
+ encrKey.setSymmetricEncAlgorithm(WSConstants.AES_192);
encrKey.prepare(doc, crypto);
WSSecEncrypt encrypt = new WSSecEncrypt();