Posted to commits@cxf.apache.org by co...@apache.org on 2019/01/30 11:51:44 UTC
[cxf] branch wss4j_2.3.0 updated: Create salt instead of getting it
from WSS4J
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch wss4j_2.3.0
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/wss4j_2.3.0 by this push:
new 18116dc Create salt instead of getting it from WSS4J
18116dc is described below
commit 18116dcec914526ed230ffa0d89e339340d2ec51
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Jan 30 10:48:42 2019 +0000
Create salt instead of getting it from WSS4J
---
.../policyhandlers/AbstractBindingBuilder.java | 34 +++++++++++++++-------
.../policyhandlers/SymmetricBindingHandler.java | 30 ++++++++++++-------
.../policyhandlers/TransportBindingHandler.java | 8 +++--
3 files changed, 49 insertions(+), 23 deletions(-)
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index 7e5162c..faf7d00 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -103,6 +103,7 @@ import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.common.token.SecurityTokenReference;
import org.apache.wss4j.common.token.X509Security;
import org.apache.wss4j.common.util.Loader;
+import org.apache.wss4j.common.util.UsernameTokenUtil;
import org.apache.wss4j.common.util.XMLUtils;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDocInfo;
@@ -606,19 +607,20 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
protected void handleUsernameTokenSupportingToken(
UsernameToken token, boolean endorse, boolean encryptedToken, List<SupportingToken> ret
) throws WSSecurityException {
- if (endorse) {
- WSSecUsernameToken utBuilder = addDKUsernameToken(token, true);
+ if (endorse && isTokenRequired(token.getIncludeTokenType())) {
+ byte[] salt = UsernameTokenUtil.generateSalt(true);
+ WSSecUsernameToken utBuilder = addDKUsernameToken(token, salt, true);
if (utBuilder != null) {
- utBuilder.prepare();
+ utBuilder.prepare(salt);
addSupportingElement(utBuilder.getUsernameTokenElement());
- ret.add(new SupportingToken(token, utBuilder, null));
+ ret.add(new SupportingToken(token, utBuilder, null, salt));
if (encryptedToken) {
WSEncryptionPart part = new WSEncryptionPart(utBuilder.getId(), "Element");
part.setElement(utBuilder.getUsernameTokenElement());
encryptedTokensList.add(part);
}
}
- } else {
+ } else if (!endorse) {
WSSecUsernameToken utBuilder = addUsernameToken(token);
if (utBuilder != null) {
utBuilder.prepare();
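Review bot: `utBuilder.prepare(salt);` on the line after the null check is the second prepare on the same builder, because addDKUsernameToken (the hunk further down in this file) already calls `utBuilder.prepare(salt)` before returning it; the double call predates this commit, but now that both calls carry an explicit salt it is worth confirming that WSSecUsernameToken.prepare can be invoked twice without building a second token element, or dropping the call here. Separately, when addDKUsernameToken returns null (the no-password branch) the salt generated just above is never cleared, while every other call site in this commit zeroes it after use; an `else { Arrays.fill(salt, (byte) 0); }` on the `if (utBuilder != null)` branch would keep the handling uniform (Arrays appears to be already imported, since the later hunk uses it without an import change). handleUsernameTokenSupportingToken's body continues past the end of the hunk.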
@@ -858,7 +860,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
return null;
}
- protected WSSecUsernameToken addDKUsernameToken(UsernameToken token, boolean useMac) {
+ protected WSSecUsernameToken addDKUsernameToken(UsernameToken token, byte[] salt, boolean useMac) {
assertToken(token);
if (!isTokenRequired(token.getIncludeTokenType())) {
return null;
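Review bot: The new `byte[] salt` parameter on addDKUsernameToken has no Javadoc, and its ownership matters because the caller both supplies it and is expected to zero it afterwards (the SymmetricBindingHandler and TransportBindingHandler hunks do so; the supporting-token path defers it to SupportingToken). A `@param salt` line stating that the salt is passed through to `prepare(salt)` unchanged and that the caller remains responsible for clearing it would prevent a future caller from reusing or discarding it incorrectly. The method body continues in the next hunk and beyond the visible lines.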
@@ -879,8 +881,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
if (!StringUtils.isEmpty(password)) {
// If the password is available then build the token
utBuilder.setUserInfo(userName, password);
- utBuilder.addDerivedKey(useMac, null, 1000);
- utBuilder.prepare();
+ utBuilder.addDerivedKey(useMac, 1000);
+ utBuilder.prepare(salt);
} else {
unassertPolicy(token, "No password available");
return null;
@@ -1979,8 +1981,9 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
}
try {
- byte[] secret = utBuilder.getDerivedKey();
+ byte[] secret = utBuilder.getDerivedKey(supportingToken.getSalt());
secToken.setSecret(secret);
+ Arrays.fill(supportingToken.getSalt(), (byte)0);
if (supportingToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
doSymmSignatureDerived(supportingToken.getToken(), secToken, sigParts,
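Review bot: `utBuilder.getDerivedKey(supportingToken.getSalt())` followed by `Arrays.fill(supportingToken.getSalt(), (byte)0)` will throw NullPointerException if a SupportingToken built with the three-argument constructor (which stores `salt = null`) ever reaches this code; from the hunk it is not visible whether only the four-argument tokens from handleUsernameTokenSupportingToken flow here, so this is worth confirming. If a null salt is reachable, a guard such as `if (supportingToken.getSalt() == null) { throw new WSSecurityException(...); }` before the call would fail with a clearer error than the NPE. Also, the fill is skipped when getDerivedKey throws; moving it into a `finally` of the enclosing try keeps the salt cleared on both paths. The enclosing method starts and ends outside this hunk.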
@@ -2345,12 +2348,19 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
private final AbstractToken token;
private final Object tokenImplementation;
private final List<WSEncryptionPart> signedParts;
+ private final byte[] salt;
SupportingToken(AbstractToken token, Object tokenImplementation,
- List<WSEncryptionPart> signedParts) {
+ List<WSEncryptionPart> signedParts) {
+ this(token, tokenImplementation, signedParts, null);
+ }
+
+ SupportingToken(AbstractToken token, Object tokenImplementation,
+ List<WSEncryptionPart> signedParts, byte[] salt) {
this.token = token;
this.tokenImplementation = tokenImplementation;
this.signedParts = signedParts;
+ this.salt = salt;
}
public AbstractToken getToken() {
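Review bot: The new `salt` field is stored by reference and handed out unchanged by the `getSalt()` accessor in the following hunk, which is deliberate here because the consumer zeroes the array in place once the derived key has been computed, but nothing in the class says so. A comment on the field such as `// Held by reference, not copied: the consumer zeroes it after deriving the key. Null for tokens created via the three-arg constructor.` would make that contract explicit and warn against adding a defensive copy later. The SupportingToken class header lies before the start of the hunk.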
@@ -2365,6 +2375,10 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
return signedParts;
}
+ public byte[] getSalt() {
+ return salt;
+ }
+
}
protected void addSig(byte[] val) {
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
index e96cbfe..d824e21 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -21,6 +21,7 @@ package org.apache.cxf.ws.security.wss4j.policyhandlers;
import java.time.Instant;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.List;
import java.util.logging.Level;
@@ -55,6 +56,7 @@ import org.apache.wss4j.common.derivedKey.ConversationConstants;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.token.SecurityTokenReference;
import org.apache.wss4j.common.util.KeyUtils;
+import org.apache.wss4j.common.util.UsernameTokenUtil;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
@@ -989,20 +991,26 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
}
private String setupUTDerivedKey(UsernameToken sigToken) throws WSSecurityException {
- boolean useMac = hasSignedPartsOrElements();
- WSSecUsernameToken usernameToken = addDKUsernameToken(sigToken, useMac);
- String id = usernameToken.getId();
- byte[] secret = usernameToken.getDerivedKey();
+ assertToken(sigToken);
+ if (isTokenRequired(sigToken.getIncludeTokenType())) {
+ boolean useMac = hasSignedPartsOrElements();
+ byte[] salt = UsernameTokenUtil.generateSalt(useMac);
+ WSSecUsernameToken usernameToken = addDKUsernameToken(sigToken, salt, useMac);
+ String id = usernameToken.getId();
+ byte[] secret = usernameToken.getDerivedKey(salt);
+ Arrays.fill(salt, (byte)0);
- Instant created = Instant.now();
- Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
- SecurityToken tempTok =
- new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires);
- tempTok.setSecret(secret);
+ Instant created = Instant.now();
+ Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
+ SecurityToken tempTok =
+ new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires);
+ tempTok.setSecret(secret);
- tokenStore.add(tempTok);
+ tokenStore.add(tempTok);
- return id;
+ return id;
+ }
+ return null;
}
private SecurityToken getEncryptedKey() {
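Review bot: setupUTDerivedKey now returns null when `isTokenRequired(sigToken.getIncludeTokenType())` is false, a contract the previous version did not have, so callers outside this hunk need to handle it and the method should document it: `@return the id of the created UsernameToken, or null if the policy does not require the token`. The `assertToken` and `isTokenRequired` calls added here duplicate the checks addDKUsernameToken already performs, which is harmless but could be noted in a comment. addDKUsernameToken can still return null on its no-password branch, in which case `usernameToken.getId()` throws NullPointerException; that predates the commit, but with a null return now part of this method's contract a `if (usernameToken == null) { return null; }` guard after the call would be a natural fit.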
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
index d25b1fd..bf70e2e 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
@@ -21,6 +21,7 @@ package org.apache.cxf.ws.security.wss4j.policyhandlers;
import java.time.Instant;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.logging.Level;
@@ -53,6 +54,7 @@ import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.common.token.SecurityTokenReference;
import org.apache.wss4j.common.util.KeyUtils;
+import org.apache.wss4j.common.util.UsernameTokenUtil;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSConfig;
import org.apache.wss4j.dom.message.WSSecDKSign;
@@ -333,9 +335,11 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
addSig(doIssuedTokenSignature(token, wrapper));
} else if (token instanceof UsernameToken) {
// Create a UsernameToken object for derived keys and store the security token
- WSSecUsernameToken usernameToken = addDKUsernameToken((UsernameToken)token, true);
+ byte[] salt = UsernameTokenUtil.generateSalt(true);
+ WSSecUsernameToken usernameToken = addDKUsernameToken((UsernameToken)token, salt, true);
String id = usernameToken.getId();
- byte[] secret = usernameToken.getDerivedKey();
+ byte[] secret = usernameToken.getDerivedKey(salt);
+ Arrays.fill(salt, (byte)0);
Instant created = Instant.now();
Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);