Posted to commits@ws.apache.org by gi...@apache.org on 2013/06/16 12:08:52 UTC

svn commit: r1493489 - in /webservices/wss4j/trunk: integration/src/test/java/org/apache/wss4j/integration/test/stax/ ws-security-dom/src/main/java/org/apache/wss4j/dom/message/ ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/

Author: giger
Date: Sun Jun 16 10:08:51 2013
New Revision: 1493489

URL: http://svn.apache.org/r1493489
Log:
fix kerberos token key length issues

Modified:
    webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/stax/KerberosTest.java
    webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncrypt.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosClientSecurityToken.java
    webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java

Modified: webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/stax/KerberosTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/stax/KerberosTest.java?rev=1493489&r1=1493488&r2=1493489&view=diff
==============================================================================
--- webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/stax/KerberosTest.java (original)
+++ webservices/wss4j/trunk/integration/src/test/java/org/apache/wss4j/integration/test/stax/KerberosTest.java Sun Jun 16 10:08:51 2013
@@ -376,6 +376,7 @@ public class KerberosTest extends Abstra
             WSSSecurityProperties securityProperties = new WSSSecurityProperties();
             WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.ENCRYPT_WITH_KERBEROS_TOKEN};
             securityProperties.setOutAction(actions);
+            securityProperties.setEncryptionSymAlgorithm(WSSConstants.NS_XENC_AES128);
             securityProperties.setCallbackHandler(new CallbackHandler() {
                 @Override
                 public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
@@ -472,7 +473,7 @@ public class KerberosTest extends Abstra
             bst.setID("Id-" + bst.hashCode());
 
             WSSecEncrypt builder = new WSSecEncrypt();
-            builder.setSymmetricEncAlgorithm(WSConstants.AES_128);
+            builder.setSymmetricEncAlgorithm(WSConstants.AES_256);
             SecretKey secretKey = bst.getSecretKey();
             builder.setSymmetricKey(secretKey);
             builder.setEncryptSymmKey(false);

Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncrypt.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncrypt.java?rev=1493489&r1=1493488&r2=1493489&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncrypt.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/WSSecEncrypt.java Sun Jun 16 10:08:51 2013
@@ -156,6 +156,8 @@ public class WSSecEncrypt extends WSSecE
         
         if (symmetricKey == null) {
             symmetricKey = WSSecurityUtil.prepareSecretKey(symEncAlgo, ephemeralKey);
+        } else {
+            symmetricKey = WSSecurityUtil.prepareSecretKey(symEncAlgo, symmetricKey.getEncoded());
         }
         
         //
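Review bot: The new else branch passes `symmetricKey.getEncoded()` straight into `prepareSecretKey`, but `getEncoded()` returns null for keys that do not expose their material (for example hardware- or provider-backed keys), so a caller-supplied key of that kind would now fail here where it previously passed through untouched. A guard such as `byte[] encoded = symmetricKey.getEncoded();` followed by `if (encoded != null) { symmetricKey = WSSecurityUtil.prepareSecretKey(symEncAlgo, encoded); }` would keep the old behaviour for those keys. What `prepareSecretKey` does with material longer or shorter than `symEncAlgo` needs is not visible in this hunk, so a comment like `// re-wrap the caller's key so its algorithm and length match symEncAlgo` should state the intended outcome, in particular whether a too-short key is rejected. The enclosing method starts and ends outside the hunk.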

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosClientSecurityToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosClientSecurityToken.java?rev=1493489&r1=1493488&r2=1493489&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosClientSecurityToken.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosClientSecurityToken.java Sun Jun 16 10:08:51 2013
@@ -138,8 +138,21 @@ public class KerberosClientSecurityToken
         if (this.secretKey == null) {
             getTGT();
         }
+
+        byte[] sk = this.secretKey.getEncoded();
+
         String algoFamily = JCEAlgorithmMapper.getJCEKeyAlgorithmFromURI(algorithmURI);
-        key = new SecretKeySpec(this.secretKey.getEncoded(), algoFamily);
+        int keyLength = JCEAlgorithmMapper.getKeyLengthFromURI(algorithmURI) / 8;
+        if (sk.length < keyLength) {
+            //normally we should throw an exception here because we don't have
+            //enough key material for the requested algorithm
+            //but I haven't found any documentation about how this case should be handled
+            //and the second thing is that we would need a kerberos key with minimum 160 bits
+            //to be able to sign with a more or less secure algo like hmacsha1
+            keyLength = sk.length;
+        }
+
+        key = new SecretKeySpec(sk, 0, keyLength, algoFamily);
         setSecretKey(algorithmURI, key);
         return key;
     }
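Review bot: When `sk.length < keyLength` the code quietly sets `keyLength = sk.length` and builds a key shorter than the algorithm URI asks for, so an operation requested at one strength can run at a weaker one with nothing recorded; the in-code comment itself says an exception would be the normal response. I would fail closed in that branch, or at minimum log a warning naming `algorithmURI`, the requested length and the available length, so the downgrade is detectable. In the opposite case the first `keyLength` bytes of the raw Kerberos session key are used directly as a key for another algorithm with no derivation step, which deserves a comment such as `// intentional: session key prefix used directly, no KDF applied`. `this.secretKey.getEncoded()` may return null and `sk.length` is read without a check. The same block is added to KerberosServiceSecurityTokenImpl in the last hunk, and the method starts outside this hunk.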

Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java?rev=1493489&r1=1493488&r2=1493489&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/wss4j/stax/impl/securityToken/KerberosServiceSecurityTokenImpl.java Sun Jun 16 10:08:51 2013
@@ -139,9 +139,20 @@ public class KerberosServiceSecurityToke
             this.kerberosTokenDecoder = getTGT();
         }
 
-        byte[] secretToken = this.kerberosTokenDecoder.getSessionKey();
+        byte[] sk = this.kerberosTokenDecoder.getSessionKey();
+
         String algoFamily = JCEAlgorithmMapper.getJCEKeyAlgorithmFromURI(algorithmURI);
-        key = new SecretKeySpec(secretToken, algoFamily);
+        int keyLength = JCEAlgorithmMapper.getKeyLengthFromURI(algorithmURI) / 8;
+        if (sk.length < keyLength) {
+            //normally we should throw an exception here because we don't have
+            //enough key material for the requested algorithm
+            //but I haven't found any documentation about how this case should be handled
+            //and the second thing is that we would need a kerberos key with minimum 160 bits
+            //to be able to sign with a more or less secure algo like hmacsha1
+            keyLength = sk.length;
+        }
+
+        key = new SecretKeySpec(sk, 0, keyLength, algoFamily);
         setSecretKey(algorithmURI, key);
         return key;
     }
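Review bot: These lines are a verbatim copy of the key-sizing block added to KerberosClientSecurityToken in the previous hunk, including the five-line comment, so the policy for short session keys now lives in two places that can drift apart. Moving it into one shared static helper, for example `static SecretKey toSecretKey(byte[] sk, String algorithmURI)`, would let both classes call it and give a single place to tighten the short-key handling later. `getSessionKey()` is used without a null check, so a decoder that yields no session key would surface as a NullPointerException at `sk.length`; whether it can return null is not visible here. The method starts outside the hunk.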