You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ws.apache.org by co...@apache.org on 2013/04/15 15:16:24 UTC
svn commit: r1468041 - in /webservices/wss4j/trunk:
ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/
ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/
ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/
ws-security-stax/src...
Author: coheigea
Date: Mon Apr 15 13:16:24 2013
New Revision: 1468041
URL: http://svn.apache.org/r1468041
Log:
Reject RSA v1.5 KeyTransport by default in the DOM code, and make this configurable.
- Also make it configurable in WSSSecurityProperties in the StaX layer.
Modified:
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandlerConstants.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/InboundWSSec.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/InboundWSSecurityContextImpl.java
webservices/wss4j/trunk/ws-security-stax/src/main/resources/wss/wss-config.xml
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java?rev=1468041&r1=1468040&r2=1468041&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/RequestData.java Mon Apr 15 13:16:24 2013
@@ -98,6 +98,7 @@ public class RequestData {
private AlgorithmSuite algorithmSuite;
private AlgorithmSuite samlAlgorithmSuite;
private boolean disableBSPEnforcement;
+ private boolean allowRSA15KeyTransportAlgorithm;
public void clear() {
soapConstants = null;
@@ -129,6 +130,7 @@ public class RequestData {
samlAlgorithmSuite = null;
setOriginalSignatureActionPosition(0);
setDisableBSPEnforcement(false);
+ allowRSA15KeyTransportAlgorithm = false;
}
public Object getMsgContext() {
@@ -619,5 +621,13 @@ public class RequestData {
public void setDisableBSPEnforcement(boolean disableBSPEnforcement) {
this.disableBSPEnforcement = disableBSPEnforcement;
}
+
+ public boolean isAllowRSA15KeyTransportAlgorithm() {
+ return allowRSA15KeyTransportAlgorithm;
+ }
+
+ public void setAllowRSA15KeyTransportAlgorithm(boolean allowRSA15KeyTransportAlgorithm) {
+ this.allowRSA15KeyTransportAlgorithm = allowRSA15KeyTransportAlgorithm;
+ }
}
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java?rev=1468041&r1=1468040&r2=1468041&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandler.java Mon Apr 15 13:16:24 2013
@@ -1276,6 +1276,12 @@ public abstract class WSHandler {
if (reqData.getDecCrypto() == null) {
reqData.setDecCrypto(loadDecryptionCrypto(reqData));
}
+
+ boolean allowRsa15 =
+ decodeBooleanConfigValue(
+ reqData, WSHandlerConstants.ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM, false
+ );
+ reqData.setAllowRSA15KeyTransportAlgorithm(allowRsa15);
}
/**
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandlerConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandlerConstants.java?rev=1468041&r1=1468040&r2=1468041&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandlerConstants.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/handler/WSHandlerConstants.java Mon Apr 15 13:16:24 2013
@@ -472,6 +472,12 @@ public final class WSHandlerConstants {
* protection is selected.
*/
public static final String REQUIRE_SIGNED_ENCRYPTED_DATA_ELEMENTS = "requireSignedEncryptedDataElements";
+
+ /**
+ * Whether to allow the RSA v1.5 Key Transport Algorithm or not. Use of this algorithm
+ * is discouraged, and so the default is "false".
+ */
+ public static final String ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM = "allowRSA15KeyTransportAlgorithm";
//
// (Non-boolean) Configuration parameters for the actions/processors
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java?rev=1468041&r1=1468040&r2=1468041&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java Mon Apr 15 13:16:24 2013
@@ -91,6 +91,14 @@ public class EncryptedKeyProcessor imple
WSSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, "noEncAlgo"
);
}
+ if (WSConstants.KEYTRANSPORT_RSA15.equals(encryptedKeyTransportMethod)
+ && !data.isAllowRSA15KeyTransportAlgorithm()
+ && !algorithmSuite.getKeyWrapAlgorithms().contains(WSConstants.KEYTRANSPORT_RSA15)) {
+ log.debug(
+ "The Key transport method does not match the requirement"
+ );
+ throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
+ }
// Check BSP Compliance
checkBSPCompliance(elem, encryptedKeyTransportMethod, data.getBSPEnforcer());
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/InboundWSSec.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/InboundWSSec.java?rev=1468041&r1=1468040&r2=1468041&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/InboundWSSec.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/InboundWSSec.java Mon Apr 15 13:16:24 2013
@@ -128,6 +128,7 @@ public class InboundWSSec {
securityContextImpl.addSecurityEventListener(securityEventListener);
securityContextImpl.ignoredBSPRules(this.securityProperties.getIgnoredBSPRules());
securityContextImpl.setDisableBSPEnforcement(this.securityProperties.isDisableBSPEnforcement());
+ securityContextImpl.setAllowRSA15KeyTransportAlgorithm(this.securityProperties.isAllowRSA15KeyTransportAlgorithm());
if (!requestSecurityEvents.isEmpty()) {
try {
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java?rev=1468041&r1=1468040&r2=1468041&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/ext/WSSSecurityProperties.java Mon Apr 15 13:16:24 2013
@@ -73,6 +73,7 @@ public class WSSSecurityProperties exten
*/
private boolean handleCustomPasswordTypes = false;
private boolean allowUsernameTokenNoPassword = false;
+ private boolean allowRSA15KeyTransportAlgorithm = false;
private WSSConstants.UsernameTokenPasswordType usernameTokenPasswordType;
private String tokenUser;
@@ -132,6 +133,7 @@ public class WSSSecurityProperties exten
this.enableRevocation = wssSecurityProperties.enableRevocation;
this.timestampReplayCache = wssSecurityProperties.timestampReplayCache;
this.nonceReplayCache = wssSecurityProperties.nonceReplayCache;
+ this.allowRSA15KeyTransportAlgorithm = wssSecurityProperties.allowRSA15KeyTransportAlgorithm;
}
/**
@@ -691,5 +693,13 @@ public class WSSSecurityProperties exten
public void setDisableBSPEnforcement(boolean disableBSPEnforcement) {
this.disableBSPEnforcement = disableBSPEnforcement;
}
+
+ public boolean isAllowRSA15KeyTransportAlgorithm() {
+ return allowRSA15KeyTransportAlgorithm;
+ }
+
+ public void setAllowRSA15KeyTransportAlgorithm(boolean allowRSA15KeyTransportAlgorithm) {
+ this.allowRSA15KeyTransportAlgorithm = allowRSA15KeyTransportAlgorithm;
+ }
}
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/InboundWSSecurityContextImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/InboundWSSecurityContextImpl.java?rev=1468041&r1=1468040&r2=1468041&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/InboundWSSecurityContextImpl.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/InboundWSSecurityContextImpl.java Mon Apr 15 13:16:24 2013
@@ -18,24 +18,35 @@
*/
package org.apache.wss4j.stax.impl;
+import java.util.ArrayDeque;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Deque;
+import java.util.Iterator;
+import java.util.List;
+
+import javax.xml.namespace.QName;
+
import org.apache.wss4j.common.bsp.BSPRule;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.stax.ext.WSInboundSecurityContext;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.ext.WSSUtils;
-import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.wss4j.stax.securityEvent.HttpsTokenSecurityEvent;
import org.apache.wss4j.stax.securityEvent.WSSecurityEventConstants;
+import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
import org.apache.xml.security.exceptions.XMLSecurityException;
-import org.apache.xml.security.stax.config.ConfigurationProperties;
import org.apache.xml.security.stax.impl.InboundSecurityContextImpl;
-import org.apache.xml.security.stax.securityEvent.*;
+import org.apache.xml.security.stax.securityEvent.AlgorithmSuiteSecurityEvent;
+import org.apache.xml.security.stax.securityEvent.ContentEncryptedElementSecurityEvent;
+import org.apache.xml.security.stax.securityEvent.EncryptedElementSecurityEvent;
+import org.apache.xml.security.stax.securityEvent.SecurityEvent;
+import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
+import org.apache.xml.security.stax.securityEvent.SignedElementSecurityEvent;
+import org.apache.xml.security.stax.securityEvent.TokenSecurityEvent;
import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
import org.apache.xml.security.stax.securityToken.SecurityToken;
-import javax.xml.namespace.QName;
-import java.util.*;
-
/**
* Concrete security context implementation
*/
@@ -43,12 +54,11 @@ public class InboundWSSecurityContextImp
private static final transient org.slf4j.Logger logger =
org.slf4j.LoggerFactory.getLogger(InboundWSSecurityContextImpl.class);
- private static final Boolean allowRSA15KeyTransportAlgorithm =
- Boolean.valueOf(ConfigurationProperties.getProperty("AllowRSA15KeyTransportAlgorithm"));
private final Deque<SecurityEvent> securityEventQueue = new ArrayDeque<SecurityEvent>();
private boolean operationSecurityEventOccured = false;
private boolean messageEncryptionTokenOccured = false;
+ private boolean allowRSA15KeyTransportAlgorithm = false;
private boolean disableBSPEnforcement;
private List<BSPRule> ignoredBSPRules = Collections.emptyList();
@@ -559,4 +569,12 @@ public class InboundWSSecurityContextImp
public void setDisableBSPEnforcement(boolean disableBSPEnforcement) {
this.disableBSPEnforcement = disableBSPEnforcement;
}
+
+ public boolean isAllowRSA15KeyTransportAlgorithm() {
+ return allowRSA15KeyTransportAlgorithm;
+ }
+
+ public void setAllowRSA15KeyTransportAlgorithm(boolean allowRSA15KeyTransportAlgorithm) {
+ this.allowRSA15KeyTransportAlgorithm = allowRSA15KeyTransportAlgorithm;
+ }
}
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/resources/wss/wss-config.xml
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/resources/wss/wss-config.xml?rev=1468041&r1=1468040&r2=1468041&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/resources/wss/wss-config.xml (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/resources/wss/wss-config.xml Mon Apr 15 13:16:24 2013
@@ -4,7 +4,6 @@
<Properties>
<Property NAME="securityTokenFactory" VAL="org.apache.wss4j.stax.impl.securityToken.SecurityTokenFactoryImpl"/>
<Property NAME="MaximumAllowedDecompressedBytes" VAL="104857600"/>
- <Property NAME="AllowRSA15KeyTransportAlgorithm" VAL="false"/>
<xi:include href="security-config.xml" xpointer="xmlns(c=http://www.xmlsecurity.org/NS/configuration)xpointer(/c:Configuration/c:Properties/c:Property[@NAME!='securityTokenFactory'])"/>
</Properties>
<SecurityHeaderHandlers>