You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ws.apache.org by gi...@apache.org on 2012/09/20 20:52:23 UTC
svn commit: r1388156 - in /webservices/wss4j/trunk:
ws-security-dom/src/main/java/org/apache/ws/security/dom/
ws-security-dom/src/main/java/org/apache/ws/security/dom/action/
ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/
ws-security...
Author: giger
Date: Thu Sep 20 18:52:22 2012
New Revision: 1388156
URL: http://svn.apache.org/viewvc?rev=1388156&view=rev
Log:
WSS-405 - Support for XML Encryption 1.1 algorithms
Modified:
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/WSConstants.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/action/EncryptionAction.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/RequestData.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/WSHandler.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/WSHandlerConstants.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/WSSecEncryptedKey.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/processor/EncryptedKeyProcessor.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/util/WSSecurityUtil.java
webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/ws/security/dom/message/EncryptionGCMTest.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java
webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/EncryptedKeyOutputProcessor.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java
webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/EncDecryptionTest.java
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/WSConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/WSConstants.java?rev=1388156&r1=1388155&r2=1388156&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/WSConstants.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/WSConstants.java Thu Sep 20 18:52:22 2012
@@ -57,6 +57,7 @@ public final class WSConstants {
public static final String SIG_NS = "http://www.w3.org/2000/09/xmldsig#";
public static final String ENC_NS = "http://www.w3.org/2001/04/xmlenc#";
+ public static final String ENC11_NS = "http://www.w3.org/2009/xmlenc11#";
public static final String XMLNS_NS = "http://www.w3.org/2000/xmlns/";
public static final String XML_NS = "http://www.w3.org/XML/1998/namespace";
@@ -100,6 +101,8 @@ public final class WSConstants {
"http://www.w3.org/2001/04/xmlenc#rsa-1_5";
public static final String KEYTRANSPORT_RSAOEP =
"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";
+ public static final String KEYTRANSPORT_RSAOEP_XENC11 =
+ "http://www.w3.org/2009/xmlenc11#rsa-oaep";
public static final String TRIPLE_DES =
"http://www.w3.org/2001/04/xmlenc#tripledes-cbc";
public static final String AES_128 =
@@ -124,6 +127,10 @@ public final class WSConstants {
"http://www.w3.org/2000/09/xmldsig#sha1";
public static final String SHA256 =
"http://www.w3.org/2001/04/xmlenc#sha256";
+ public static final String SHA384 =
+ "http://www.w3.org/2001/04/xmldsig-more#sha384";
+ public static final String SHA512 =
+ "http://www.w3.org/2001/04/xmlenc#sha512";
public static final String HMAC_SHA1 =
"http://www.w3.org/2000/09/xmldsig#hmac-sha1";
public static final String HMAC_SHA256 =
@@ -134,7 +141,13 @@ public final class WSConstants {
"http://www.w3.org/2001/04/xmldsig-more#hmac-sha512";
public static final String HMAC_MD5 =
"http://www.w3.org/2001/04/xmldsig-more#hmac-md5";
-
+
+ public static final String MGF_SHA1 = "http://www.w3.org/2009/xmlenc11#mgf1sha1";
+ public static final String MGF_SHA224 = "http://www.w3.org/2009/xmlenc11#mgf1sha224";
+ public static final String MGF_SHA256 = "http://www.w3.org/2009/xmlenc11#mgf1sha256";
+ public static final String MGF_SHA384 = "http://www.w3.org/2009/xmlenc11#mgf1sha384";
+ public static final String MGF_SHA512 = "http://www.w3.org/2009/xmlenc11#mgf1sha512";
+
public static final String WST_NS = "http://schemas.xmlsoap.org/ws/2005/02/trust";
/**
* WS-Trust 1.3 namespace
@@ -208,6 +221,7 @@ public final class WSConstants {
public static final String DEFAULT_SOAP_PREFIX = "soapenv";
public static final String SIG_PREFIX = "ds";
public static final String ENC_PREFIX = "xenc";
+ public static final String ENC11_PREFIX = "xenc11";
public static final String C14N_EXCL_OMIT_COMMENTS_PREFIX = "ec";
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/action/EncryptionAction.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/action/EncryptionAction.java?rev=1388156&r1=1388155&r2=1388156&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/action/EncryptionAction.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/action/EncryptionAction.java Thu Sep 20 18:52:22 2012
@@ -67,6 +67,10 @@ public class EncryptionAction implements
if (reqData.getEncDigestAlgorithm() != null) {
wsEncrypt.setDigestAlgorithm(reqData.getEncDigestAlgorithm());
}
+
+ if (reqData.getEncMGFAlgorithm() != null) {
+ wsEncrypt.setMGFAlgorithm(reqData.getEncMGFAlgorithm());
+ }
wsEncrypt.setUserInfo(reqData.getEncUser());
wsEncrypt.setUseThisCert(reqData.getEncCert());
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/RequestData.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/RequestData.java?rev=1388156&r1=1388155&r2=1388156&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/RequestData.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/RequestData.java Thu Sep 20 18:52:22 2012
@@ -65,6 +65,7 @@ public class RequestData {
private String sigAlgorithm = null;
private String signatureDigestAlgorithm = null;
private String encryptionDigestAlgorithm = null;
+ private String encryptionMGFAlgorithm = null;
private List<WSEncryptionPart> signatureParts = new ArrayList<WSEncryptionPart>();
private int encKeyId = 0;
private String encSymmAlgo = null;
@@ -248,6 +249,14 @@ public class RequestData {
this.encryptionDigestAlgorithm = encDigestAlgorithm;
}
+ public String getEncMGFAlgorithm() {
+ return encryptionMGFAlgorithm;
+ }
+
+ public void setEncMGFAlgorithm(String encMGFAlgorithm) {
+ this.encryptionMGFAlgorithm = encMGFAlgorithm;
+ }
+
public List<WSEncryptionPart> getSignatureParts() {
return signatureParts;
}
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/WSHandler.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/WSHandler.java?rev=1388156&r1=1388155&r2=1388156&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/WSHandler.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/WSHandler.java Thu Sep 20 18:52:22 2012
@@ -591,6 +591,9 @@ public abstract class WSHandler {
String digestAlgo = getString(WSHandlerConstants.ENC_DIGEST_ALGO, mc);
reqData.setEncDigestAlgorithm(digestAlgo);
+
+ String mgfAlgo = getString(WSHandlerConstants.ENC_MGF_ALGO, mc);
+ reqData.setEncMGFAlgorithm(mgfAlgo);
String encSymEncKey = getString(WSHandlerConstants.ENC_SYM_ENC_KEY, mc);
if (encSymEncKey != null) {
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/WSHandlerConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/WSHandlerConstants.java?rev=1388156&r1=1388155&r2=1388156&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/WSHandlerConstants.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/handler/WSHandlerConstants.java Thu Sep 20 18:52:22 2012
@@ -678,6 +678,19 @@ public final class WSHandlerConstants {
public static final String ENC_DIGEST_ALGO = "encryptionDigestAlgorithm";
/**
+ * Defines which encryption mgf algorithm to use with the RSA OAEP Key Transport
+ * algorithm for encryption. The default is mgfsha1.
+ * <p/>
+ * The application may set this parameter using the following method:
+ * <pre>
+ * call.setProperty(
+ * WSHandlerConstants.ENC_MGF_ALGO, "http://www.w3.org/2009/xmlenc11#mgf1sha256"
+ * );
+ * </pre>
+ */
+ public static final String ENC_MGF_ALGO = "encryptionMGFAlgorithm";
+
+ /**
* Time-To-Live is the time difference between creation and expiry time in
* seconds in the WSS Timestamp. After this time the SOAP request is
* invalid (at least the security data shall be treated this way).
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/WSSecEncryptedKey.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/WSSecEncryptedKey.java?rev=1388156&r1=1388155&r2=1388156&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/WSSecEncryptedKey.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/message/WSSecEncryptedKey.java Thu Sep 20 18:52:22 2012
@@ -106,6 +106,12 @@ public class WSSecEncryptedKey extends W
private String digestAlgo = null;
/**
+ * MGF Algorithm to be used with RSA-OAEP. The default is MGF-SHA-1 (which is not
+ * written out unless it is explicitly configured).
+ */
+ private String mgfAlgo = null;
+
+ /**
* xenc:EncryptedKey element
*/
protected Element encryptedKeyElement = null;
@@ -235,15 +241,29 @@ public class WSSecEncryptedKey extends W
Cipher cipher = WSSecurityUtil.getCipherInstance(keyEncAlgo);
try {
OAEPParameterSpec oaepParameterSpec = null;
- if (WSConstants.KEYTRANSPORT_RSAOEP.equals(keyEncAlgo)) {
+ if (WSConstants.KEYTRANSPORT_RSAOEP.equals(keyEncAlgo)
+ || WSConstants.KEYTRANSPORT_RSAOEP_XENC11.equals(keyEncAlgo)) {
String jceDigestAlgorithm = "SHA-1";
if (digestAlgo != null) {
jceDigestAlgorithm = JCEMapper.translateURItoJCEID(digestAlgo);
}
+
+ MGF1ParameterSpec mgf1ParameterSpec = new MGF1ParameterSpec("SHA-1");
+ if (mgfAlgo != null) {
+ if (WSConstants.MGF_SHA224.equals(mgfAlgo)) {
+ mgf1ParameterSpec = new MGF1ParameterSpec("SHA-224");
+ } if (WSConstants.MGF_SHA256.equals(mgfAlgo)) {
+ mgf1ParameterSpec = new MGF1ParameterSpec("SHA-256");
+ } else if (WSConstants.MGF_SHA384.equals(mgfAlgo)) {
+ mgf1ParameterSpec = new MGF1ParameterSpec("SHA-384");
+ } else if (WSConstants.MGF_SHA512.equals(mgfAlgo)) {
+ mgf1ParameterSpec = new MGF1ParameterSpec("SHA-512");
+ }
+ }
oaepParameterSpec =
new OAEPParameterSpec(
- jceDigestAlgorithm, "MGF1", new MGF1ParameterSpec("SHA-1"), PSource.PSpecified.DEFAULT
+ jceDigestAlgorithm, "MGF1", mgf1ParameterSpec, PSource.PSpecified.DEFAULT
);
}
if (oaepParameterSpec == null) {
@@ -457,6 +477,12 @@ public class WSSecEncryptedKey extends W
digestElement.setAttributeNS(null, "Algorithm", digestAlgo);
encryptionMethod.appendChild(digestElement);
}
+ if (mgfAlgo != null) {
+ Element mgfElement =
+ doc.createElementNS(WSConstants.ENC11_NS, WSConstants.ENC11_PREFIX + ":MGF");
+ mgfElement.setAttributeNS(null, "Algorithm", mgfAlgo);
+ encryptionMethod.appendChild(mgfElement);
+ }
encryptedKey.appendChild(encryptionMethod);
return encryptedKey;
@@ -690,7 +716,25 @@ public class WSSecEncryptedKey extends W
public String getDigestAlgorithm() {
return digestAlgo;
}
-
+
+ /**
+ * Set the MGF algorithm to use with the RSA-OAEP key transport algorithm. The
+ * default is MGF-SHA-1.
+ *
+ * @param mgfAlgorithm the MGF algorithm to use with the RSA-OAEP key transport algorithm
+ */
+ public void setMGFAlgorithm(String mgfAlgorithm) {
+ this.mgfAlgo = mgfAlgorithm;
+ }
+
+ /**
+ * Get the MGF algorithm to use with the RSA-OAEP key transport algorithm. The
+ * default is MGF-SHA-1.
+ */
+ public String getMGFAlgorithm() {
+ return mgfAlgo;
+ }
+
/**
* @return The symmetric key
*/
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/processor/EncryptedKeyProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/processor/EncryptedKeyProcessor.java?rev=1388156&r1=1388155&r2=1388156&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/processor/EncryptedKeyProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/processor/EncryptedKeyProcessor.java Thu Sep 20 18:52:22 2012
@@ -107,17 +107,38 @@ public class EncryptedKeyProcessor imple
try {
PrivateKey privateKey = data.getDecCrypto().getPrivateKey(certs[0], data.getCallbackHandler());
OAEPParameterSpec oaepParameterSpec = null;
- if (WSConstants.KEYTRANSPORT_RSAOEP.equals(encryptedKeyTransportMethod)) {
+ if (WSConstants.KEYTRANSPORT_RSAOEP.equals(encryptedKeyTransportMethod)
+ || WSConstants.KEYTRANSPORT_RSAOEP_XENC11.equals(encryptedKeyTransportMethod)) {
// Get the DigestMethod if it exists
String digestAlgorithm = getDigestAlgorithm(elem);
String jceDigestAlgorithm = "SHA-1";
if (digestAlgorithm != null && !"".equals(digestAlgorithm)) {
jceDigestAlgorithm = JCEMapper.translateURItoJCEID(digestAlgorithm);
}
+
+ String mgfAlgorithm = getMGFAlgorithm(elem);
+ MGF1ParameterSpec mgfParameterSpec = new MGF1ParameterSpec("SHA-1");
+ if (mgfAlgorithm != null) {
+ if (WSConstants.MGF_SHA224.equals(mgfAlgorithm)) {
+ mgfParameterSpec = new MGF1ParameterSpec("SHA-224");
+ } else if (WSConstants.MGF_SHA256.equals(mgfAlgorithm)) {
+ mgfParameterSpec = new MGF1ParameterSpec("SHA-256");
+ } else if (WSConstants.MGF_SHA384.equals(mgfAlgorithm)) {
+ mgfParameterSpec = new MGF1ParameterSpec("SHA-384");
+ } else if (WSConstants.MGF_SHA512.equals(mgfAlgorithm)) {
+ mgfParameterSpec = new MGF1ParameterSpec("SHA-512");
+ }
+ }
+
+ PSource.PSpecified pSource = PSource.PSpecified.DEFAULT;
+ byte[] pSourceBytes = getPSource(elem);
+ if (pSourceBytes != null) {
+ pSource = new PSource.PSpecified(pSourceBytes);
+ }
oaepParameterSpec =
new OAEPParameterSpec(
- jceDigestAlgorithm, "MGF1", new MGF1ParameterSpec("SHA-1"), PSource.PSpecified.DEFAULT
+ jceDigestAlgorithm, "MGF1", mgfParameterSpec, pSource
);
}
if (oaepParameterSpec == null) {
@@ -233,6 +254,36 @@ public class EncryptedKeyProcessor imple
}
return null;
}
+
+ private static String getMGFAlgorithm(Node encBodyData) throws WSSecurityException {
+ Element tmpE =
+ WSSecurityUtil.getDirectChildElement(
+ encBodyData, "EncryptionMethod", WSConstants.ENC_NS
+ );
+ if (tmpE != null) {
+ Element mgfElement =
+ WSSecurityUtil.getDirectChildElement(tmpE, "MGF", WSConstants.ENC11_NS);
+ if (mgfElement != null) {
+ return mgfElement.getAttribute("Algorithm");
+ }
+ }
+ return null;
+ }
+
+ private static byte[] getPSource(Node encBodyData) throws WSSecurityException {
+ Element tmpE =
+ WSSecurityUtil.getDirectChildElement(
+ encBodyData, "EncryptionMethod", WSConstants.ENC_NS
+ );
+ if (tmpE != null) {
+ Element pSourceElement =
+ WSSecurityUtil.getDirectChildElement(tmpE, "OAEPparams", WSConstants.ENC_NS);
+ if (pSourceElement != null) {
+ return getDecodedBase64EncodedData(pSourceElement);
+ }
+ }
+ return null;
+ }
/**
* @return the Certificate(s) corresponding to the public key reference in the
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/util/WSSecurityUtil.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/util/WSSecurityUtil.java?rev=1388156&r1=1388155&r2=1388156&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/util/WSSecurityUtil.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/ws/security/dom/util/WSSecurityUtil.java Thu Sep 20 18:52:22 2012
@@ -1002,6 +1002,12 @@ public final class WSSecurityUtil {
return 24;
} else if (algorithm.equals(WSConstants.AES_256)) {
return 32;
+ } else if (algorithm.equals(WSConstants.AES_128_GCM)) {
+ return 16;
+ } else if (algorithm.equals(WSConstants.AES_192_GCM)) {
+ return 24;
+ } else if (algorithm.equals(WSConstants.AES_256_GCM)) {
+ return 32;
} else if (WSConstants.HMAC_SHA1.equals(algorithm)) {
return 20;
} else if (WSConstants.HMAC_SHA256.equals(algorithm)) {
Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/ws/security/dom/message/EncryptionGCMTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/ws/security/dom/message/EncryptionGCMTest.java?rev=1388156&r1=1388155&r2=1388156&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/ws/security/dom/message/EncryptionGCMTest.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/ws/security/dom/message/EncryptionGCMTest.java Thu Sep 20 18:52:22 2012
@@ -21,6 +21,7 @@ package org.apache.ws.security.dom.messa
import javax.security.auth.callback.CallbackHandler;
+import org.apache.ws.security.common.bsp.BSPRule;
import org.apache.ws.security.dom.WSConstants;
import org.apache.ws.security.dom.WSDataRef;
import org.apache.ws.security.dom.WSSConfig;
@@ -32,8 +33,12 @@ import org.apache.ws.security.common.cry
import org.apache.ws.security.common.crypto.CryptoFactory;
import org.apache.ws.security.common.util.DOM2Writer;
import org.apache.ws.security.common.util.XMLUtils;
+import org.apache.ws.security.dom.handler.RequestData;
import org.w3c.dom.Document;
+import java.util.ArrayList;
+import java.util.List;
+
/**
* A set of test-cases for encrypting and decrypting SOAP requests using GCM. See:
* https://issues.apache.org/jira/browse/WSS-325
@@ -107,11 +112,38 @@ public class EncryptionGCMTest extends o
verify(encryptedDoc, keystoreCallbackHandler, SOAP_BODY);
}
+ @org.junit.Test
+ public void testAES192GCM_RSAOAEP_SHA256_MGFSHA256() throws Exception {
+ WSSecEncrypt builder = new WSSecEncrypt();
+ builder.setUserInfo("wss40");
+ builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
+ builder.setSymmetricEncAlgorithm(WSConstants.AES_192_GCM);
+ builder.setKeyEncAlgo(WSConstants.KEYTRANSPORT_RSAOEP_XENC11);
+ builder.setDigestAlgorithm(WSConstants.SHA256);
+ builder.setMGFAlgorithm(WSConstants.MGF_SHA256);
+ Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+ Document encryptedDoc = builder.build(doc, crypto, secHeader);
+
+ String outputString =
+ XMLUtils.PrettyDocumentToString(encryptedDoc);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Encrypted message:");
+ LOG.debug(outputString);
+ }
+ assertTrue(outputString.indexOf("http://www.w3.org/2009/xmlenc11#rsa-oaep") > 0);
+ assertTrue(outputString.indexOf("http://www.w3.org/2001/04/xmlenc#sha256") > 0);
+ assertTrue(outputString.indexOf("http://www.w3.org/2009/xmlenc11#aes192-gcm") > 0);
+ assertTrue(outputString.indexOf("http://www.w3.org/2009/xmlenc11#mgf1sha256") > 0);
+ assertTrue(outputString.indexOf("counter_port_type") == -1 ? true : false);
+ verify(encryptedDoc, keystoreCallbackHandler, SOAP_BODY);
+ }
+
/**
* Verifies the soap envelope
* <p/>
*
- * @param envelope
* @throws Exception Thrown when there is a problem in verification
*/
@SuppressWarnings("unchecked")
@@ -120,8 +152,14 @@ public class EncryptionGCMTest extends o
CallbackHandler handler,
javax.xml.namespace.QName expectedEncryptedElement
) throws Exception {
- final java.util.List<WSSecurityEngineResult> results =
- secEngine.processSecurityHeader(doc, null, handler, null, crypto);
+ RequestData requestData = new RequestData();
+ List<BSPRule> bspRules = new ArrayList<BSPRule>();
+ bspRules.add(BSPRule.R5621);
+ requestData.setIgnoredBSPRules(bspRules);
+ requestData.setCallbackHandler(handler);
+ requestData.setDecCrypto(crypto);
+ final java.util.List<WSSecurityEngineResult> results =
+ secEngine.processSecurityHeader(doc, null, requestData);
String outputString =
XMLUtils.PrettyDocumentToString(doc);
if (LOG.isDebugEnabled()) {
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java?rev=1388156&r1=1388155&r2=1388156&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/ext/WSSConstants.java Thu Sep 20 18:52:22 2012
@@ -44,7 +44,20 @@ public class WSSConstants extends XMLSec
static {
try {
- setJaxbContext(JAXBContext.newInstance("org.apache.ws.security.binding.wss10:org.apache.ws.security.binding.wss11:org.apache.ws.security.binding.wsu10:org.apache.ws.security.binding.wssc13:org.apache.ws.security.binding.wssc200502:org.apache.xml.security.binding.xmlenc:org.apache.xml.security.binding.xmldsig:org.apache.xml.security.binding.xmldsig11:org.apache.xml.security.binding.excc14n"));
+ setJaxbContext(
+ JAXBContext.newInstance(
+ "org.apache.ws.security.binding.wss10:" +
+ "org.apache.ws.security.binding.wss11:" +
+ "org.apache.ws.security.binding.wsu10:" +
+ "org.apache.ws.security.binding.wssc13:" +
+ "org.apache.ws.security.binding.wssc200502:" +
+ "org.apache.xml.security.binding.xmlenc:" +
+ "org.apache.xml.security.binding.xmlenc11:" +
+ "org.apache.xml.security.binding.xmldsig:" +
+ "org.apache.xml.security.binding.xmldsig11:" +
+ "org.apache.xml.security.binding.excc14n"
+ )
+ );
SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
schemaFactory.setResourceResolver(new LSResourceResolver() {
@Override
@@ -80,6 +93,7 @@ public class WSSConstants extends XMLSec
new StreamSource(XMLSecurityConstants.class.getClassLoader().getResourceAsStream("bindings/schemas/exc-c14n.xsd")),
new StreamSource(XMLSecurityConstants.class.getClassLoader().getResourceAsStream("bindings/schemas/xmldsig-core-schema.xsd")),
new StreamSource(XMLSecurityConstants.class.getClassLoader().getResourceAsStream("bindings/schemas/xenc-schema.xsd")),
+ new StreamSource(XMLSecurityConstants.class.getClassLoader().getResourceAsStream("bindings/schemas/xenc-schema-11.xsd")),
new StreamSource(XMLSecurityConstants.class.getClassLoader().getResourceAsStream("bindings/schemas/xmldsig11-schema.xsd")),
new StreamSource(XMLSecurityConstants.class.getClassLoader().getResourceAsStream("schemas/oasis-200401-wss-wssecurity-utility-1.0.xsd")),
new StreamSource(XMLSecurityConstants.class.getClassLoader().getResourceAsStream("schemas/oasis-200401-wss-wssecurity-secext-1.0.xsd")),
Modified: webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/EncryptedKeyOutputProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/EncryptedKeyOutputProcessor.java?rev=1388156&r1=1388155&r2=1388156&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/EncryptedKeyOutputProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/main/java/org/apache/ws/security/stax/impl/processor/output/EncryptedKeyOutputProcessor.java Thu Sep 20 18:52:22 2012
@@ -36,12 +36,17 @@ import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
+import javax.crypto.spec.OAEPParameterSpec;
+import javax.crypto.spec.PSource;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
+import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
+import java.security.spec.AlgorithmParameterSpec;
+import java.security.spec.MGF1ParameterSpec;
import java.util.ArrayList;
import java.util.List;
@@ -184,15 +189,45 @@ public class EncryptedKeyOutputProcessor
&& WSSUtils.isInSecurityHeader(xmlSecStartElement, ((WSSSecurityProperties) getSecurityProperties()).getActor())) {
OutputProcessorChain subOutputProcessorChain = outputProcessorChain.createSubChain(this);
- X509Certificate x509Certificate = securityToken.getKeyWrappingToken().getX509Certificates()[0];
+ final X509Certificate x509Certificate = securityToken.getKeyWrappingToken().getX509Certificates()[0];
+ final String encryptionKeyTransportAlgorithm = getSecurityProperties().getEncryptionKeyTransportAlgorithm();
List<XMLSecAttribute> attributes = new ArrayList<XMLSecAttribute>(1);
attributes.add(createAttribute(WSSConstants.ATT_NULL_Id, securityToken.getId()));
createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_xenc_EncryptedKey, true, attributes);
attributes = new ArrayList<XMLSecAttribute>(1);
- attributes.add(createAttribute(WSSConstants.ATT_NULL_Algorithm, getSecurityProperties().getEncryptionKeyTransportAlgorithm()));
+ attributes.add(createAttribute(WSSConstants.ATT_NULL_Algorithm, encryptionKeyTransportAlgorithm));
createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_xenc_EncryptionMethod, false, attributes);
+
+ final String encryptionKeyTransportMGFAlgorithm = getSecurityProperties().getEncryptionKeyTransportMGFAlgorithm();
+
+ if (XMLSecurityConstants.NS_XENC11_RSAOAEP.equals(encryptionKeyTransportAlgorithm) ||
+ XMLSecurityConstants.NS_XENC_RSAOAEPMGF1P.equals(encryptionKeyTransportAlgorithm)) {
+
+ byte[] oaepParams = getSecurityProperties().getEncryptionKeyTransportOAEPParams();
+ if (oaepParams != null) {
+ createStartElementAndOutputAsEvent(outputProcessorChain, XMLSecurityConstants.TAG_xenc_OAEPparams, false, null);
+ createCharactersAndOutputAsEvent(outputProcessorChain, Base64.encodeBase64String(oaepParams));
+ createEndElementAndOutputAsEvent(outputProcessorChain, XMLSecurityConstants.TAG_xenc_OAEPparams);
+ }
+
+ String encryptionKeyTransportDigestAlgorithm = getSecurityProperties().getEncryptionKeyTransportDigestAlgorithm();
+ if (encryptionKeyTransportDigestAlgorithm != null) {
+ attributes = new ArrayList<XMLSecAttribute>(1);
+ attributes.add(createAttribute(XMLSecurityConstants.ATT_NULL_Algorithm, encryptionKeyTransportDigestAlgorithm));
+ createStartElementAndOutputAsEvent(outputProcessorChain, XMLSecurityConstants.TAG_dsig_DigestMethod, true, attributes);
+ createEndElementAndOutputAsEvent(outputProcessorChain, XMLSecurityConstants.TAG_dsig_DigestMethod);
+ }
+
+ if (encryptionKeyTransportMGFAlgorithm != null) {
+ attributes = new ArrayList<XMLSecAttribute>(1);
+ attributes.add(createAttribute(XMLSecurityConstants.ATT_NULL_Algorithm, encryptionKeyTransportMGFAlgorithm));
+ createStartElementAndOutputAsEvent(outputProcessorChain, XMLSecurityConstants.TAG_xenc11_MGF, true, attributes);
+ createEndElementAndOutputAsEvent(outputProcessorChain, XMLSecurityConstants.TAG_xenc11_MGF);
+ }
+ }
+
createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_xenc_EncryptionMethod);
createStartElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_dsig_KeyInfo, true, null);
createSecurityTokenReferenceStructureForEncryptedKey(
@@ -206,9 +241,34 @@ public class EncryptedKeyOutputProcessor
try {
//encrypt the symmetric session key with the public key from the receiver:
- String jceid = JCEAlgorithmMapper.translateURItoJCEID(getSecurityProperties().getEncryptionKeyTransportAlgorithm());
+ String jceid = JCEAlgorithmMapper.translateURItoJCEID(encryptionKeyTransportAlgorithm);
Cipher cipher = Cipher.getInstance(jceid);
- cipher.init(Cipher.WRAP_MODE, x509Certificate);
+
+ AlgorithmParameterSpec algorithmParameterSpec = null;
+ if (XMLSecurityConstants.NS_XENC11_RSAOAEP.equals(encryptionKeyTransportAlgorithm) ||
+ XMLSecurityConstants.NS_XENC_RSAOAEPMGF1P.equals(encryptionKeyTransportAlgorithm)) {
+
+ String jceDigestAlgorithm = "SHA-1";
+ String encryptionKeyTransportDigestAlgorithm = getSecurityProperties().getEncryptionKeyTransportDigestAlgorithm();
+ if (encryptionKeyTransportDigestAlgorithm != null) {
+ jceDigestAlgorithm = JCEAlgorithmMapper.translateURItoJCEID(encryptionKeyTransportDigestAlgorithm);
+ }
+
+ PSource.PSpecified pSource = PSource.PSpecified.DEFAULT;
+ byte[] oaepParams = getSecurityProperties().getEncryptionKeyTransportOAEPParams();
+ if (oaepParams != null) {
+ pSource = new PSource.PSpecified(oaepParams);
+ }
+
+ MGF1ParameterSpec mgfParameterSpec = new MGF1ParameterSpec("SHA-1");
+ if (encryptionKeyTransportMGFAlgorithm != null) {
+ String jceMGFAlgorithm = JCEAlgorithmMapper.translateURItoJCEID(encryptionKeyTransportMGFAlgorithm);
+ mgfParameterSpec = new MGF1ParameterSpec(jceMGFAlgorithm);
+ }
+ algorithmParameterSpec = new OAEPParameterSpec(jceDigestAlgorithm, "MGF1", mgfParameterSpec, pSource);
+ }
+
+ cipher.init(Cipher.WRAP_MODE, x509Certificate.getPublicKey(), algorithmParameterSpec);
Key secretKey = securityToken.getSecretKey("");
@@ -232,6 +292,8 @@ public class EncryptedKeyOutputProcessor
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, e);
} catch (IllegalBlockSizeException e) {
throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, e);
+ } catch (InvalidAlgorithmParameterException e) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_ENCRYPTION, e);
}
createEndElementAndOutputAsEvent(subOutputProcessorChain, WSSConstants.TAG_xenc_CipherValue);
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java?rev=1388156&r1=1388155&r2=1388156&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/AbstractTestBase.java Thu Sep 20 18:52:22 2012
@@ -287,6 +287,7 @@ public abstract class AbstractTestBase {
ignoredRules.add(BSPRule.R5407);
ignoredRules.add(BSPRule.R5417);
ignoredRules.add(BSPRule.R3063);
+ ignoredRules.add(BSPRule.R5621);
requestData.setIgnoredBSPRules(ignoredRules);
wss4JHandler.doReceiver(messageContext, requestData, false);
@@ -326,6 +327,8 @@ public abstract class AbstractTestBase {
return WSSConstants.NS_WSU10;
} else if (WSSConstants.PREFIX_XENC.equals(prefix)) {
return WSSConstants.NS_XMLENC;
+ } else if (WSSConstants.PREFIX_XENC11.equals(prefix)) {
+ return WSSConstants.NS_XMLENC11;
} else {
return null;
}
@@ -342,6 +345,8 @@ public abstract class AbstractTestBase {
return WSSConstants.PREFIX_WSU;
} else if (WSSConstants.NS_XMLENC.equals(namespaceURI)) {
return WSSConstants.PREFIX_XENC;
+ } else if (WSSConstants.NS_XMLENC11.equals(namespaceURI)) {
+ return WSSConstants.PREFIX_XENC11;
} else {
return null;
}
Modified: webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/EncDecryptionTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/EncDecryptionTest.java?rev=1388156&r1=1388155&r2=1388156&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/EncDecryptionTest.java (original)
+++ webservices/wss4j/trunk/ws-security-stax/src/test/java/org/apache/ws/security/stax/test/EncDecryptionTest.java Thu Sep 20 18:52:22 2012
@@ -18,6 +18,7 @@
*/
package org.apache.ws.security.stax.test;
+import org.apache.ws.security.common.bsp.BSPRule;
import org.apache.ws.security.dom.handler.WSHandlerConstants;
import org.apache.ws.security.stax.ext.WSSConstants;
import org.apache.ws.security.stax.ext.WSSSecurityProperties;
@@ -27,6 +28,7 @@ import org.apache.xml.security.stax.secu
import org.apache.xml.security.stax.securityEvent.EncryptedElementSecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEvent;
import org.apache.xml.security.stax.securityEvent.SecurityEventConstants;
+import org.apache.xml.security.utils.Base64;
import org.testng.Assert;
import org.testng.annotations.Test;
import org.w3c.dom.Document;
@@ -1069,6 +1071,7 @@ public class EncDecryptionTest extends A
Assert.assertEquals(nodeList.getLength(), 0);
}
}*/
+
@Test
public void testEncDecryptionKeyIdentifierX509KeyOutbound() throws Exception {
@@ -1511,4 +1514,464 @@ public class EncDecryptionTest extends A
operationSecurityEvents.size() + encryptedPartSecurityEvents.size());
}
}
+
+ /**
+ * rsa-oaep-mgf1p, Digest:SHA256, MGF:SHA1, PSource: None
+ */
+ @Test
+ public void testKeyWrappingRSAOAEPMGF1AESGCM128Outbound() throws Exception {
+ ByteArrayOutputStream baos;
+ {
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.ENCRYPT};
+ securityProperties.setOutAction(actions);
+ securityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+ securityProperties.setEncryptionUser("receiver");
+ securityProperties.setEncryptionSymAlgorithm("http://www.w3.org/2009/xmlenc11#aes128-gcm");
+ securityProperties.setEncryptionKeyTransportAlgorithm("http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
+
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+ baos = doOutboundSecurity(securityProperties, sourceDocument);
+
+ Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
+ NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedKey.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedKey.getLocalPart());
+ Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_wsse_Security.getLocalPart());
+
+ XPathExpression xPathExpression = getXPath("/env:Envelope/env:Header/wsse:Security/xenc:EncryptedKey/xenc:EncryptionMethod[@Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p']");
+ Node node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_DataReference.getNamespaceURI(), WSSConstants.TAG_xenc_DataReference.getLocalPart());
+ Assert.assertEquals(nodeList.getLength(), 1);
+
+ nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedData.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedData.getLocalPart());
+ Assert.assertEquals(nodeList.getLength(), 1);
+
+ xPathExpression = getXPath("/env:Envelope/env:Body/xenc:EncryptedData/xenc:EncryptionMethod[@Algorithm='http://www.w3.org/2009/xmlenc11#aes128-gcm']");
+ node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ Assert.assertEquals(node.getParentNode().getParentNode().getLocalName(), "Body");
+ NodeList childNodes = node.getParentNode().getParentNode().getChildNodes();
+ for (int i = 0; i < childNodes.getLength(); i++) {
+ Node child = childNodes.item(i);
+ if (child.getNodeType() == Node.TEXT_NODE) {
+ Assert.assertEquals(child.getTextContent().trim(), "");
+ } else if (child.getNodeType() == Node.ELEMENT_NODE) {
+ Assert.assertEquals(child, nodeList.item(0));
+ } else {
+ Assert.fail("Unexpected Node encountered");
+ }
+ }
+ }
+
+ //done encryption; now test decryption:
+ {
+ String action = WSHandlerConstants.ENCRYPT;
+ doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
+ }
+ }
+
+ @Test
+ public void testKeyWrappingRSAOAEPMGF1AESGCM128Inbound() throws Exception {
+
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ {
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+ String action = WSHandlerConstants.ENCRYPT;
+ Properties properties = new Properties();
+ properties.put(WSHandlerConstants.ENC_SYM_ALGO, "http://www.w3.org/2009/xmlenc11#aes128-gcm");
+ properties.put(WSHandlerConstants.ENC_KEY_TRANSPORT, "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
+ Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+
+ //some test that we can really sure we get what we want from WSS4J
+ XPathExpression xPathExpression = getXPath("/env:Envelope/env:Header/wsse:Security/xenc:EncryptedKey/xenc:EncryptionMethod[@Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p']");
+ Node node = (Node) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ xPathExpression = getXPath("/env:Envelope/env:Body/xenc:EncryptedData/xenc:EncryptionMethod[@Algorithm='http://www.w3.org/2009/xmlenc11#aes128-gcm']");
+ node = (Node) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+ transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+ }
+ //test streaming decryption
+ {
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+
+ Document document = doInboundSecurity(securityProperties, xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+
+ //header element must still be there
+ NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedKey.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedKey.getLocalPart());
+ Assert.assertEquals(nodeList.getLength(), 1);
+ Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_wsse_Security.getLocalPart());
+
+ //no encrypted content
+ nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedData.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedData.getLocalPart());
+ Assert.assertEquals(nodeList.getLength(), 0);
+ }
+ }
+
+ /**
+ * rsa-oaep-mgf1p, Digest:SHA256, MGF:SHA1, PSource: None
+ */
+ @Test
+ public void testKeyWrappingRSAOAEPAESGCM192SHA256Outbound() throws Exception {
+ ByteArrayOutputStream baos;
+ {
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.ENCRYPT};
+ securityProperties.setOutAction(actions);
+ securityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+ securityProperties.setEncryptionUser("receiver");
+ securityProperties.setEncryptionSymAlgorithm("http://www.w3.org/2009/xmlenc11#aes192-gcm");
+ securityProperties.setEncryptionKeyTransportAlgorithm("http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
+ securityProperties.setEncryptionKeyTransportDigestAlgorithm("http://www.w3.org/2001/04/xmlenc#sha256");
+
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+ baos = doOutboundSecurity(securityProperties, sourceDocument);
+
+ Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
+ NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedKey.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedKey.getLocalPart());
+ Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_wsse_Security.getLocalPart());
+
+ XPathExpression xPathExpression = getXPath("/env:Envelope/env:Header/wsse:Security/xenc:EncryptedKey/xenc:EncryptionMethod[@Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p']");
+ Node node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ xPathExpression = getXPath("/env:Envelope/env:Header/wsse:Security/xenc:EncryptedKey/xenc:EncryptionMethod/dsig:DigestMethod[@Algorithm='http://www.w3.org/2001/04/xmlenc#sha256']");
+ node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_DataReference.getNamespaceURI(), WSSConstants.TAG_xenc_DataReference.getLocalPart());
+ Assert.assertEquals(nodeList.getLength(), 1);
+
+ nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedData.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedData.getLocalPart());
+ Assert.assertEquals(nodeList.getLength(), 1);
+
+ xPathExpression = getXPath("/env:Envelope/env:Body/xenc:EncryptedData/xenc:EncryptionMethod[@Algorithm='http://www.w3.org/2009/xmlenc11#aes192-gcm']");
+ node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ Assert.assertEquals(node.getParentNode().getParentNode().getLocalName(), "Body");
+ NodeList childNodes = node.getParentNode().getParentNode().getChildNodes();
+ for (int i = 0; i < childNodes.getLength(); i++) {
+ Node child = childNodes.item(i);
+ if (child.getNodeType() == Node.TEXT_NODE) {
+ Assert.assertEquals(child.getTextContent().trim(), "");
+ } else if (child.getNodeType() == Node.ELEMENT_NODE) {
+ Assert.assertEquals(child, nodeList.item(0));
+ } else {
+ Assert.fail("Unexpected Node encountered");
+ }
+ }
+ }
+ //done encryption; now test decryption:
+ {
+ String action = WSHandlerConstants.ENCRYPT;
+ doInboundSecurityWithWSS4J(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
+ }
+ }
+
+ @Test
+ public void testKeyWrappingRSAOAEPAESGMC192SHA256Inbound() throws Exception {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ {
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+ String action = WSHandlerConstants.ENCRYPT;
+ Properties properties = new Properties();
+ properties.put(WSHandlerConstants.ENC_SYM_ALGO, "http://www.w3.org/2009/xmlenc11#aes192-gcm");
+ properties.put(WSHandlerConstants.ENC_KEY_TRANSPORT, "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p");
+ properties.put(WSHandlerConstants.ENC_DIGEST_ALGO, "http://www.w3.org/2001/04/xmlenc#sha256");
+ Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+
+ //some test that we can really sure we get what we want from WSS4J
+ XPathExpression xPathExpression = getXPath("/env:Envelope/env:Header/wsse:Security/xenc:EncryptedKey/xenc:EncryptionMethod[@Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p']");
+ Node node = (Node) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ xPathExpression = getXPath("/env:Envelope/env:Header/wsse:Security/xenc:EncryptedKey/xenc:EncryptionMethod/dsig:DigestMethod[@Algorithm='http://www.w3.org/2001/04/xmlenc#sha256']");
+ node = (Node) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ xPathExpression = getXPath("/env:Envelope/env:Body/xenc:EncryptedData/xenc:EncryptionMethod[@Algorithm='http://www.w3.org/2009/xmlenc11#aes192-gcm']");
+ node = (Node) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+ transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+ }
+ //test streaming decryption
+ {
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+ securityProperties.addIgnoreBSPRule(BSPRule.R5620);
+
+ Document document = doInboundSecurity(securityProperties, xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+
+ //header element must still be there
+ NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedKey.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedKey.getLocalPart());
+ Assert.assertEquals(nodeList.getLength(), 1);
+ Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_wsse_Security.getLocalPart());
+
+ //no encrypted content
+ nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedData.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedData.getLocalPart());
+ Assert.assertEquals(nodeList.getLength(), 0);
+ }
+ }
+
+ /**
+ * rsa-oaep, Digest:SHA384, MGF:SHA1, PSource: None
+ */
+ @Test
+ public void testKeyWrappingRSAOAEPAES192GCMSHA384MGF1sha384Outbound() throws Exception {
+ ByteArrayOutputStream baos;
+ {
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.ENCRYPT};
+ securityProperties.setOutAction(actions);
+ securityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+ securityProperties.setEncryptionUser("receiver");
+ securityProperties.setEncryptionSymAlgorithm("http://www.w3.org/2009/xmlenc11#aes192-gcm");
+ securityProperties.setEncryptionKeyTransportAlgorithm("http://www.w3.org/2009/xmlenc11#rsa-oaep");
+ securityProperties.setEncryptionKeyTransportDigestAlgorithm("http://www.w3.org/2001/04/xmldsig-more#sha384");
+ securityProperties.setEncryptionKeyTransportMGFAlgorithm("http://www.w3.org/2009/xmlenc11#mgf1sha384");
+
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+ baos = doOutboundSecurity(securityProperties, sourceDocument);
+
+ Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
+ NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedKey.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedKey.getLocalPart());
+ Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_wsse_Security.getLocalPart());
+
+ XPathExpression xPathExpression = getXPath("/env:Envelope/env:Header/wsse:Security/xenc:EncryptedKey/xenc:EncryptionMethod[@Algorithm='http://www.w3.org/2009/xmlenc11#rsa-oaep']");
+ Node node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ xPathExpression = getXPath("/env:Envelope/env:Header/wsse:Security/xenc:EncryptedKey/xenc:EncryptionMethod/dsig:DigestMethod[@Algorithm='http://www.w3.org/2001/04/xmldsig-more#sha384']");
+ node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ xPathExpression = getXPath("/env:Envelope/env:Header/wsse:Security/xenc:EncryptedKey/xenc:EncryptionMethod/xenc11:MGF[@Algorithm='http://www.w3.org/2009/xmlenc11#mgf1sha384']");
+ node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_DataReference.getNamespaceURI(), WSSConstants.TAG_xenc_DataReference.getLocalPart());
+ Assert.assertEquals(nodeList.getLength(), 1);
+
+ nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedData.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedData.getLocalPart());
+ Assert.assertEquals(nodeList.getLength(), 1);
+
+ xPathExpression = getXPath("/env:Envelope/env:Body/xenc:EncryptedData/xenc:EncryptionMethod[@Algorithm='http://www.w3.org/2009/xmlenc11#aes192-gcm']");
+ node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ Assert.assertEquals(node.getParentNode().getParentNode().getLocalName(), "Body");
+ NodeList childNodes = node.getParentNode().getParentNode().getChildNodes();
+ for (int i = 0; i < childNodes.getLength(); i++) {
+ Node child = childNodes.item(i);
+ if (child.getNodeType() == Node.TEXT_NODE) {
+ Assert.assertEquals(child.getTextContent().trim(), "");
+ } else if (child.getNodeType() == Node.ELEMENT_NODE) {
+ Assert.assertEquals(child, nodeList.item(0));
+ } else {
+ Assert.fail("Unexpected Node encountered");
+ }
+ }
+ }
+ //done encryption; now test decryption:
+ {
+ String action = WSHandlerConstants.ENCRYPT;
+ doInboundSecurityWithWSS4J_1(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
+ }
+ }
+
+ @Test
+ public void testKeyWrappingRSAOAEPAES192GCMSHA384MGF1sha1Inbound() throws Exception {
+
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ {
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+ String action = WSHandlerConstants.ENCRYPT;
+ Properties properties = new Properties();
+ properties.put(WSHandlerConstants.ENC_SYM_ALGO, "http://www.w3.org/2009/xmlenc11#aes192-gcm");
+ properties.put(WSHandlerConstants.ENC_KEY_TRANSPORT, "http://www.w3.org/2009/xmlenc11#rsa-oaep");
+ properties.put(WSHandlerConstants.ENC_DIGEST_ALGO, "http://www.w3.org/2001/04/xmldsig-more#sha384");
+ properties.put(WSHandlerConstants.ENC_MGF_ALGO, "http://www.w3.org/2009/xmlenc11#mgf1sha1");
+
+ Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+
+ //some test that we can really sure we get what we want from WSS4J
+ XPathExpression xPathExpression = getXPath("/env:Envelope/env:Header/wsse:Security/xenc:EncryptedKey/xenc:EncryptionMethod[@Algorithm='http://www.w3.org/2009/xmlenc11#rsa-oaep']");
+ Node node = (Node) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ xPathExpression = getXPath("/env:Envelope/env:Header/wsse:Security/xenc:EncryptedKey/xenc:EncryptionMethod/dsig:DigestMethod[@Algorithm='http://www.w3.org/2001/04/xmldsig-more#sha384']");
+ node = (Node) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ xPathExpression = getXPath("/env:Envelope/env:Body/xenc:EncryptedData/xenc:EncryptionMethod[@Algorithm='http://www.w3.org/2009/xmlenc11#aes192-gcm']");
+ node = (Node) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+ transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+ }
+ //test streaming decryption
+ {
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+ securityProperties.addIgnoreBSPRule(BSPRule.R5620);
+ securityProperties.addIgnoreBSPRule(BSPRule.R5621);
+
+ Document document = doInboundSecurity(securityProperties, xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+
+ //header element must still be there
+ NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedKey.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedKey.getLocalPart());
+ Assert.assertEquals(nodeList.getLength(), 1);
+ Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_wsse_Security.getLocalPart());
+
+ //no encrypted content
+ nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedData.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedData.getLocalPart());
+ Assert.assertEquals(nodeList.getLength(), 0);
+ }
+ }
+
+ /**
+ * rsa-oaep, Digest:SHA512, MGF:SHA1, PSource: Specified 8 bytes
+ */
+
+ @Test
+ public void testKeyWrappingRSAOAEPAESGCM192SHA384MGF1SHA384PSourceOutbound() throws Exception {
+ ByteArrayOutputStream baos;
+ {
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ WSSConstants.Action[] actions = new WSSConstants.Action[]{WSSConstants.ENCRYPT};
+ securityProperties.setOutAction(actions);
+ securityProperties.loadEncryptionKeystore(this.getClass().getClassLoader().getResource("transmitter.jks"), "default".toCharArray());
+ securityProperties.setEncryptionUser("receiver");
+ securityProperties.setEncryptionSymAlgorithm("http://www.w3.org/2009/xmlenc11#aes192-gcm");
+ securityProperties.setEncryptionKeyTransportAlgorithm("http://www.w3.org/2009/xmlenc11#rsa-oaep");
+ securityProperties.setEncryptionKeyTransportDigestAlgorithm("http://www.w3.org/2001/04/xmldsig-more#sha384");
+ securityProperties.setEncryptionKeyTransportMGFAlgorithm("http://www.w3.org/2009/xmlenc11#mgf1sha384");
+ securityProperties.setEncryptionKeyTransportOAEPParams(Base64.decode("ZHVtbXkxMjM=".getBytes("UTF-8")));
+
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+ baos = doOutboundSecurity(securityProperties, sourceDocument);
+
+ Document document = documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray()));
+ NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedKey.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedKey.getLocalPart());
+ Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_wsse_Security.getLocalPart());
+
+ XPathExpression xPathExpression = getXPath("/env:Envelope/env:Header/wsse:Security/xenc:EncryptedKey/xenc:EncryptionMethod[@Algorithm='http://www.w3.org/2009/xmlenc11#rsa-oaep']");
+ Node node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ xPathExpression = getXPath("/env:Envelope/env:Header/wsse:Security/xenc:EncryptedKey/xenc:EncryptionMethod/xenc:OAEPparams");
+ node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ xPathExpression = getXPath("/env:Envelope/env:Header/wsse:Security/xenc:EncryptedKey/xenc:EncryptionMethod/dsig:DigestMethod[@Algorithm='http://www.w3.org/2001/04/xmldsig-more#sha384']");
+ node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ xPathExpression = getXPath("/env:Envelope/env:Header/wsse:Security/xenc:EncryptedKey/xenc:EncryptionMethod/xenc11:MGF[@Algorithm='http://www.w3.org/2009/xmlenc11#mgf1sha384']");
+ node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_DataReference.getNamespaceURI(), WSSConstants.TAG_xenc_DataReference.getLocalPart());
+ Assert.assertEquals(nodeList.getLength(), 1);
+
+ nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedData.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedData.getLocalPart());
+ Assert.assertEquals(nodeList.getLength(), 1);
+
+ xPathExpression = getXPath("/env:Envelope/env:Body/xenc:EncryptedData/xenc:EncryptionMethod[@Algorithm='http://www.w3.org/2009/xmlenc11#aes192-gcm']");
+ node = (Node) xPathExpression.evaluate(document, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ Assert.assertEquals(node.getParentNode().getParentNode().getLocalName(), "Body");
+ NodeList childNodes = node.getParentNode().getParentNode().getChildNodes();
+ for (int i = 0; i < childNodes.getLength(); i++) {
+ Node child = childNodes.item(i);
+ if (child.getNodeType() == Node.TEXT_NODE) {
+ Assert.assertEquals(child.getTextContent().trim(), "");
+ } else if (child.getNodeType() == Node.ELEMENT_NODE) {
+ Assert.assertEquals(child, nodeList.item(0));
+ } else {
+ Assert.fail("Unexpected Node encountered");
+ }
+ }
+ }
+ //done encryption; now test decryption:
+ {
+ String action = WSHandlerConstants.ENCRYPT;
+ doInboundSecurityWithWSS4J_1(documentBuilderFactory.newDocumentBuilder().parse(new ByteArrayInputStream(baos.toByteArray())), action);
+ }
+ }
+
+ @Test(enabled = false) //WSS4J does not support OAEPParams atm
+ public void testKeyWrappingRSAOAEPAESGCM192SHA384MGF1SHA384PSourceInbound() throws Exception {
+
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ {
+ InputStream sourceDocument = this.getClass().getClassLoader().getResourceAsStream("testdata/plain-soap-1.1.xml");
+ String action = WSHandlerConstants.ENCRYPT;
+ Properties properties = new Properties();
+ properties.put(WSHandlerConstants.ENC_SYM_ALGO, "http://www.w3.org/2009/xmlenc11#aes192-gcm");
+ properties.put(WSHandlerConstants.ENC_KEY_TRANSPORT, "http://www.w3.org/2009/xmlenc11#rsa-oaep");
+ properties.put(WSHandlerConstants.ENC_DIGEST_ALGO, "http://www.w3.org/2001/04/xmldsig-more#sha384");
+ properties.put(WSHandlerConstants.ENC_MGF_ALGO, "http://www.w3.org/2009/xmlenc11#mgf1sha384");
+ //properties.put(WSHandlerConstants.ENC_OAEP_PARAMS, Base64.decode("ZHVtbXkxMjM=".getBytes("UTF-8")));
+
+ Document securedDocument = doOutboundSecurityWithWSS4J(sourceDocument, action, properties);
+
+ //some test that we can really sure we get what we want from WSS4J
+ XPathExpression xPathExpression = getXPath("/env:Envelope/env:Header/wsse:Security/xenc:EncryptedKey/xenc:EncryptionMethod[@Algorithm='http://www.w3.org/2009/xmlenc11#rsa-oaep']");
+ Node node = (Node) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ xPathExpression = getXPath("/env:Envelope/env:Header/wsse:Security/xenc:EncryptedKey/xenc:EncryptionMethod/xenc:OAEPparams");
+ node = (Node) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ xPathExpression = getXPath("/env:Envelope/env:Header/wsse:Security/xenc:EncryptedKey/xenc:EncryptionMethod/dsig:DigestMethod[@Algorithm='http://www.w3.org/2001/04/xmldsig-more#sha384']");
+ node = (Node) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ xPathExpression = getXPath("/env:Envelope/env:Header/wsse:Security/xenc:EncryptedKey/xenc:EncryptionMethod/dsig:MGF[@Algorithm='http://www.w3.org/2009/xmlenc11#mgf1sha384']");
+ node = (Node) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ xPathExpression = getXPath("/env:Envelope/env:Body/xenc:EncryptedData/xenc:EncryptionMethod[@Algorithm='http://www.w3.org/2009/xmlenc11#aes192-gcm']");
+ node = (Node) xPathExpression.evaluate(securedDocument, XPathConstants.NODE);
+ Assert.assertNotNull(node);
+
+ javax.xml.transform.Transformer transformer = TRANSFORMER_FACTORY.newTransformer();
+ transformer.transform(new DOMSource(securedDocument), new StreamResult(baos));
+ }
+ //test streaming decryption
+ {
+ WSSSecurityProperties securityProperties = new WSSSecurityProperties();
+ securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"), "default".toCharArray());
+ securityProperties.setCallbackHandler(new CallbackHandlerImpl());
+ securityProperties.addIgnoreBSPRule(BSPRule.R5620);
+ securityProperties.addIgnoreBSPRule(BSPRule.R5621);
+
+ Document document = doInboundSecurity(securityProperties, xmlInputFactory.createXMLStreamReader(new ByteArrayInputStream(baos.toByteArray())));
+
+ //header element must still be there
+ NodeList nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedKey.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedKey.getLocalPart());
+ Assert.assertEquals(nodeList.getLength(), 1);
+ Assert.assertEquals(nodeList.item(0).getParentNode().getLocalName(), WSSConstants.TAG_wsse_Security.getLocalPart());
+
+ //no encrypted content
+ nodeList = document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedData.getNamespaceURI(), WSSConstants.TAG_xenc_EncryptedData.getLocalPart());
+ Assert.assertEquals(nodeList.getLength(), 0);
+ }
+ }
}