Posted to commits@ws.apache.org by gi...@apache.org on 2013/06/16 12:08:52 UTC
svn commit: r1493489 - in /webservices/wss4j/trunk:
integration/src/test/java/org/apache/wss4j/integration/test/stax/
ws-security-dom/src/main/java/org/apache/wss4j/dom/message/
ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/
Author: giger
Date: Sun Jun 16 10:08:51 2013
New Revision: 1493489
URL: http://svn.apache.org/r1493489
Log:
fix kerberos token key length issues
Modified:
webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/stax/KerberosTest.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncrypt.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosClientSecurityToken.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java
Modified: webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/stax/KerberosTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/stax/KerberosTest.java?rev=1493489&r1=1493488&r2=1493489&view=diff
==============================================================================
--- webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/stax/KerberosTest.java (original)
+++ webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/stax/KerberosTest.java Sun Jun 16 10:08:51 2013
@@ -376,6 +376,7 @@ public class KerberosTest extends Abstra
WSSSecurityProperties securityProperties = new WSSSecurityProperties();
WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN};
securityProperties.setOutAction(actions);
+ securityProperties.setEncryptionSymAlgorithm(WSSConstants.NS_XENC_AES128);
securityProperties.setCallbackHandler(new CallbackHandler() {
@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
@@ -472,7 +473,7 @@ public class KerberosTest extends Abstra
bst.setID("Id-" + bst.hashCode());
WSSecEncrypt builder = new WSSecEncrypt();
- builder.setSymmetricEncAlgorithm(WSConstants.AES_128);
+ builder.setSymmetricEncAlgorithm(WSConstants.AES_256);
SecretKey secretKey = bst.getSecretKey();
builder.setSymmetricKey(secretKey);
builder.setEncryptSymmKey(false);
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncrypt.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncrypt.java?rev=1493489&r1=1493488&r2=1493489&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncrypt.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncrypt.java Sun Jun 16 10:08:51 2013
@@ -156,6 +156,8 @@ public class WSSecEncrypt extends WSSecE
if (symmetricKey == null) {
symmetricKey = WSSecurityUtil.prepareSecretKey(symEncAlgo, ephemeralKey);
+ } else {
+ symmetricKey = WSSecurityUtil.prepareSecretKey(symEncAlgo, symmetricKey.getEncoded());
}
//
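Review bot: The new `else` branch passes `symmetricKey.getEncoded()` straight to `prepareSecretKey`, but `Key.getEncoded()` returns null for keys that do not support encoding (for example keys held by a hardware-backed provider). A caller-supplied non-extractable key that was accepted before this change may therefore now fail inside the helper. Guard the call, e.g. `byte[] raw = symmetricKey.getEncoded(); if (raw != null) { symmetricKey = WSSecurityUtil.prepareSecretKey(symEncAlgo, raw); }`, and add a comment saying that the caller's key is deliberately re-wrapped to match `symEncAlgo`. How `prepareSecretKey` treats key material whose length differs from what the algorithm needs is not visible here, and the enclosing method starts and ends outside the hunk.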
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosClientSecurityToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosClientSecurityToken.java?rev=1493489&r1=1493488&r2=1493489&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosClientSecurityToken.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosClientSecurityToken.java Sun Jun 16 10:08:51 2013
@@ -138,8 +138,21 @@ public class KerberosClientSecurityToken
if (this.secretKey == null) {
getTGT();
}
+
+ byte[] sk = this.secretKey.getEncoded();
+
String algoFamily = JCEAlgorithmMapper.getJCEKeyAlgorithmFromURI(algorithmURI);
- key = new SecretKeySpec(this.secretKey.getEncoded(), algoFamily);
+ int keyLength = JCEAlgorithmMapper.getKeyLengthFromURI(algorithmURI) / 8;
+ if (sk.length < keyLength) {
+ //normally we should throw an exception here because we don't have
+ //enough key material for the requested algorithm
+ //but I haven't found any documentation about how this case should be handled
+ //and the second thing is that we would need a kerberos key with minimum 160 bits
+ //to be able to sign with a more or less secure algo like hmacsha1
+ keyLength = sk.length;
+ }
+
+ key = new SecretKeySpec(sk, 0, keyLength, algoFamily);
setSecretKey(algorithmURI, key);
return key;
}
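Review bot: The `if (sk.length < keyLength)` branch fails open: when the Kerberos session key is shorter than `algorithmURI` requires, `keyLength = sk.length` lets the short key be used under the stronger algorithm's name, and the in-code comment already concedes that an exception belongs here. Prefer failing closed by replacing `keyLength = sk.length;` with a throw of the exception type the enclosing method already declares (its signature is outside the hunk), or, if interoperability needs the fallback, make it opt-in and log the actual and required lengths. The opposite case is undocumented as well: a longer session key is cut to its first `keyLength` bytes rather than passed through a key-derivation step, which deserves at least a comment such as `// session key longer than required: leading keyLength bytes are used as-is`. The identical block in KerberosServiceSecurityTokenImpl has the same issue.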
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java?rev=1493489&r1=1493488&r2=1493489&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java Sun Jun 16 10:08:51 2013
@@ -139,9 +139,20 @@ public class KerberosServiceSecurityToke
this.kerberosTokenDecoder = getTGT();
}
- byte[] secretToken = this.kerberosTokenDecoder.getSessionKey();
+ byte[] sk = this.kerberosTokenDecoder.getSessionKey();
+
String algoFamily = JCEAlgorithmMapper.getJCEKeyAlgorithmFromURI(algorithmURI);
- key = new SecretKeySpec(secretToken, algoFamily);
+ int keyLength = JCEAlgorithmMapper.getKeyLengthFromURI(algorithmURI) / 8;
+ if (sk.length < keyLength) {
+ //normally we should throw an exception here because we don't have
+ //enough key material for the requested algorithm
+ //but I haven't found any documentation about how this case should be handled
+ //and the second thing is that we would need a kerberos key with minimum 160 bits
+ //to be able to sign with a more or less secure algo like hmacsha1
+ keyLength = sk.length;
+ }
+
+ key = new SecretKeySpec(sk, 0, keyLength, algoFamily);
setSecretKey(algorithmURI, key);
return key;
}
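Review bot: This length-clamping block is a line-for-line copy of the one added to KerberosClientSecurityToken, so the policy for short or long session keys now lives in two places and can drift between the sending and receiving side. Moving it into one shared helper would keep any later decision (throwing on insufficient key material, logging, a minimum length) consistent for both classes. Note also that `sk.length` is read without a null check; whether `getSessionKey()` can return null is not visible in this hunk, so confirm it before relying on it. The enclosing method begins outside the hunk, and the helper name below is only a suggestion.

```java
// … unchanged: getTGT() / kerberosTokenDecoder setup …
key = sessionKeyFor(this.kerberosTokenDecoder.getSessionKey(), algorithmURI);
setSecretKey(algorithmURI, key);

// shared helper, also called from KerberosClientSecurityToken
static SecretKeySpec sessionKeyFor(byte[] sk, String algorithmURI) {
    String algoFamily = JCEAlgorithmMapper.getJCEKeyAlgorithmFromURI(algorithmURI);
    int required = JCEAlgorithmMapper.getKeyLengthFromURI(algorithmURI) / 8;
    // single place to decide what happens when the session key is
    // shorter (currently: use what is there) or longer (currently: truncate)
    int usable = Math.min(sk.length, required);
    return new SecretKeySpec(sk, 0, usable, algoFamily);
}
```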