Posted to commits@cxf.apache.org by se...@apache.org on 2012/05/01 12:09:25 UTC
svn commit: r1332600 - in /cxf/branches/2.5.x-fixes: ./
rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/
systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/
Author: sergeyb
Date: Tue May 1 10:09:25 2012
New Revision: 1332600
URL: http://svn.apache.org/viewvc?rev=1332600&view=rev
Log:
Merged revisions 1332598 via svnmerge from
https://svn.apache.org/repos/asf/cxf/trunk
........
r1332598 | sergeyb | 2012-05-01 11:05:58 +0100 (Tue, 01 May 2012) | 1 line
[CXF-4146] Better configuration for the out encryption and signature handlers, which also makes it easy to enforce that the server uses the same algorithms as the client
........
Modified:
cxf/branches/2.5.x-fixes/ (props changed)
cxf/branches/2.5.x-fixes/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
cxf/branches/2.5.x-fixes/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java
cxf/branches/2.5.x-fixes/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/server.xml
Propchange: cxf/branches/2.5.x-fixes/
------------------------------------------------------------------------------
Merged /cxf/trunk:r1332598
Propchange: cxf/branches/2.5.x-fixes/
------------------------------------------------------------------------------
Binary property 'svnmerge-integrated' - no diff available.
Modified: cxf/branches/2.5.x-fixes/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java?rev=1332600&r1=1332599&r2=1332600&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java (original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java Tue May 1 10:09:25 2012
@@ -66,17 +66,19 @@ public class XmlEncOutInterceptor extend
private boolean encryptSymmetricKey = true;
private SecretKey symmetricKey;
- private String keyEncAlgo = XMLCipher.RSA_OAEP;
- private String symEncAlgo = XMLCipher.AES_256;
- private String keyIdentifierType = SecurityUtils.X509_CERT;
- private String digestAlgo;
+
+ private EncryptionProperties encProps = new EncryptionProperties();
public XmlEncOutInterceptor() {
addAfter(XmlSigOutInterceptor.class.getName());
}
+ public void setEncryptionProperties(EncryptionProperties props) {
+ this.encProps = props;
+ }
+
public void setKeyIdentifierType(String type) {
- keyIdentifierType = type;
+ encProps.setEncryptionKeyIdType(type);
}
public void setSymmetricEncAlgorithm(String algo) {
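Review bot: `setEncryptionProperties` (L45-L47) stores the injected object without a null check, so a bean definition that wires null turns every later `encProps.get…()` call in `encryptDocument` into a NullPointerException at request time instead of failing when the interceptor is configured; `this.encProps = props == null ? new EncryptionProperties() : props;` (or an explicit `IllegalArgumentException`) fails fast. Separately, the remaining per-field setters now write into whatever `EncryptionProperties` instance was injected, and the test `server.xml` in this commit shares one `encProps` bean between `xmlEncInHandlerWithProps` and `xmlEncOutHandlerWithProps`, so calling `setSymmetricEncAlgorithm` on the out side would also change what the in side enforces. A Javadoc line on the new setter would make that visible: `/** The supplied instance is kept by reference and mutated by the algorithm setters on this interceptor; do not share it with an inbound handler unless both sides are meant to change together. */`. The body of `setSymmetricEncAlgorithm` continues outside the hunk.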
@@ -84,15 +86,15 @@ public class XmlEncOutInterceptor extend
|| algo.startsWith(EncryptionConstants.EncryptionSpec11NS))) {
algo = EncryptionConstants.EncryptionSpecNS + algo;
}
- symEncAlgo = algo;
+ encProps.setEncryptionSymmetricKeyAlgo(algo);
}
public void setKeyEncAlgorithm(String algo) {
- keyEncAlgo = algo;
+ encProps.setEncryptionKeyTransportAlgo(algo);
}
public void setDigestAlgorithm(String algo) {
- digestAlgo = algo;
+ encProps.setEncryptionDigestAlgo(algo);
}
protected Document processDocument(Message message, Document payloadDoc)
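Review bot: Short algorithm names such as `aes128-cbc` are expanded to full URIs only on the `setSymmetricEncAlgorithm` path (L55-L56, method starts before this hunk), while a value placed directly into `EncryptionProperties` via `setEncryptionProperties` is later read raw at L74-L75 and handed to the cipher unnormalized, so the same configuration string behaves differently depending on which setter carried it. Either move the normalization to the point of use in `encryptDocument` or document the asymmetry on the setter: `// only this setter accepts the short aesNNN-cbc form; EncryptionProperties must hold full algorithm URIs`. `setKeyEncAlgorithm` and `setDigestAlgorithm` (L61-L68) also accept any string without validation, which is consistent with the old fields but worth a `@param` line stating that a full XML Encryption URI is expected.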
@@ -103,10 +105,13 @@ public class XmlEncOutInterceptor extend
protected Document encryptDocument(Message message, Document payloadDoc)
throws Exception {
- byte[] secretKey = getSymmetricKey();
+ String symEncAlgo = encProps.getEncryptionSymmetricKeyAlgo() == null
+ ? XMLCipher.AES_256 : encProps.getEncryptionSymmetricKeyAlgo();
+
+ byte[] secretKey = getSymmetricKey(symEncAlgo);
Document encryptedDataDoc = DOMUtils.createDocument();
- Element encryptedDataElement = createEncryptedDataElement(encryptedDataDoc);
+ Element encryptedDataElement = createEncryptedDataElement(encryptedDataDoc, symEncAlgo);
if (encryptSymmetricKey) {
X509Certificate receiverCert = null;
@@ -134,8 +139,14 @@ public class XmlEncOutInterceptor extend
throw new WSSecurityException("Receiver certificate is not available");
}
- byte[] encryptedSecretKey = encryptSymmetricKey(secretKey, receiverCert);
- addEncryptedKeyElement(encryptedDataElement, receiverCert, encryptedSecretKey);
+ String keyEncAlgo = encProps.getEncryptionKeyTransportAlgo() == null
+ ? XMLCipher.RSA_OAEP : encProps.getEncryptionKeyTransportAlgo();
+ String digestAlgo = encProps.getEncryptionDigestAlgo();
+
+ byte[] encryptedSecretKey = encryptSymmetricKey(secretKey, receiverCert,
+ keyEncAlgo, digestAlgo);
+ addEncryptedKeyElement(encryptedDataElement, receiverCert, encryptedSecretKey,
+ keyEncAlgo, digestAlgo);
}
// encrypt payloadDoc
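Review bot: The key transport algorithm resolved at L88-L89 is passed straight to `encryptSymmetricKey`/`initCipherWithCert` without any check, so anything a deployer puts into `EncryptionProperties` — including RSA-1.5 (`XMLCipher.RSA_v1dot5`), the PKCS#1 v1.5 padding that is exposed to Bleichenbacher-style padding-oracle attacks and that the RSA-OAEP default deliberately avoids — is accepted. Given that the stated goal of this change is to let the server enforce the client's algorithms, the outbound side should be at least as strict, e.g. before L92: `if (XMLCipher.RSA_v1dot5.equals(keyEncAlgo)) { throw new WSSecurityException("RSA-1.5 key transport is not permitted"); }`, or failing that a comment warning that the configured algorithm is used unvalidated. `digestAlgo` (L90) can be null here; whether `EncryptionUtils.initCipherWithCert` tolerates a null digest for RSA-OAEP is not visible in this hunk and should be confirmed. `encryptDocument` begins in the previous hunk and continues after this one.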
@@ -156,10 +167,10 @@ public class XmlEncOutInterceptor extend
return encryptedDataDoc;
}
- private byte[] getSymmetricKey() throws Exception {
+ private byte[] getSymmetricKey(String symEncAlgo) throws Exception {
synchronized (this) {
if (symmetricKey == null) {
- KeyGenerator keyGen = getKeyGenerator();
+ KeyGenerator keyGen = getKeyGenerator(symEncAlgo);
symmetricKey = keyGen.generateKey();
}
}
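Review bot: `getSymmetricKey(String symEncAlgo)` takes the algorithm as a parameter but only honours it on the first call: L104-L107 generate the key once and every later call returns the cached `symmetricKey` whatever `symEncAlgo` is, so a change to the symmetric algorithm in the (mutable, possibly shared) `EncryptionProperties` after the first message leaves a key whose length may no longer match the requested cipher. Either record the algorithm the cached key was generated for and regenerate when it differs, or state the limitation where the parameter is introduced: `// the key is generated once for the first algorithm seen and reused for the lifetime of this interceptor; later changes to symEncAlgo are ignored`. Note also that the same symmetric key is reused across all messages and re-wrapped under the receiver certificate each time, so confidentiality of repeated payloads rests on a fresh IV per message, which this hunk cannot show. The method's return continues outside the hunk.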
@@ -171,7 +182,7 @@ public class XmlEncOutInterceptor extend
return certs[0];
}
- private KeyGenerator getKeyGenerator() throws WSSecurityException {
+ private KeyGenerator getKeyGenerator(String symEncAlgo) throws WSSecurityException {
try {
//
// Assume AES as default, so initialize it
@@ -199,7 +210,9 @@ public class XmlEncOutInterceptor extend
// Apache Security XMLCipher does not support
// Certificates for encrypting the keys
protected byte[] encryptSymmetricKey(byte[] keyBytes,
- X509Certificate remoteCert) throws WSSecurityException {
+ X509Certificate remoteCert,
+ String keyEncAlgo,
+ String digestAlgo) throws WSSecurityException {
Cipher cipher =
EncryptionUtils.initCipherWithCert(
keyEncAlgo, digestAlgo, Cipher.ENCRYPT_MODE, remoteCert
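Review bot: The two-argument `protected byte[] encryptSymmetricKey(byte[], X509Certificate)` is replaced rather than kept, so on a 2.5.x-fixes branch a subclass that overrode the old form still compiles but is silently no longer called; the same applies to the `createEncryptedKeyElement(Document)` and `createEncryptedDataElement(Document)` overloads changed later in this file. For a maintenance branch keep the old signatures as delegating overloads that pass the configured algorithms into the new form, and add Javadoc for the new parameters: `@param keyEncAlgo full XML Encryption key transport algorithm URI` and `@param digestAlgo digest algorithm URI, may be null (presumably only consulted for RSA-OAEP — confirm against EncryptionUtils)`. The method body continues outside the hunk.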
@@ -237,12 +250,14 @@ public class XmlEncOutInterceptor extend
private void addEncryptedKeyElement(Element encryptedDataElement,
X509Certificate cert,
- byte[] encryptedKey) throws Exception {
+ byte[] encryptedKey,
+ String keyEncAlgo,
+ String digestAlgo) throws Exception {
Document doc = encryptedDataElement.getOwnerDocument();
String encodedKey = Base64Utility.encode(encryptedKey);
- Element encryptedKeyElement = createEncryptedKeyElement(doc);
+ Element encryptedKeyElement = createEncryptedKeyElement(doc, keyEncAlgo, digestAlgo);
String encKeyId = "EK-" + UUIDGenerator.getUUID();
encryptedKeyElement.setAttributeNS(null, "Id", encKeyId);
@@ -285,8 +300,11 @@ public class XmlEncOutInterceptor extend
WSConstants.SIG_NS, WSConstants.SIG_PREFIX + ":" + WSConstants.KEYINFO_LN
);
+ String keyIdType = encProps.getEncryptionKeyIdType() == null
+ ? SecurityUtils.X509_CERT : encProps.getEncryptionKeyIdType();
+
Node keyIdentifierNode = null;
- if (keyIdentifierType.equals(SecurityUtils.X509_CERT)) {
+ if (keyIdType.equals(SecurityUtils.X509_CERT)) {
byte data[] = null;
try {
data = remoteCert.getEncoded();
@@ -304,7 +322,7 @@ public class XmlEncOutInterceptor extend
x509Data.appendChild(cert);
keyIdentifierNode = x509Data;
- } else if (keyIdentifierType.equals(SecurityUtils.X509_ISSUER_SERIAL)) {
+ } else if (keyIdType.equals(SecurityUtils.X509_ISSUER_SERIAL)) {
String issuer = remoteCert.getIssuerDN().getName();
java.math.BigInteger serialNumber = remoteCert.getSerialNumber();
DOMX509IssuerSerial domIssuerSerial =
@@ -314,7 +332,7 @@ public class XmlEncOutInterceptor extend
DOMX509Data domX509Data = new DOMX509Data(encryptedDataDoc, domIssuerSerial);
keyIdentifierNode = domX509Data.getElement();
} else {
- throw new WSSecurityException("Unsupported key identifier:" + keyIdentifierType);
+ throw new WSSecurityException("Unsupported key identifier:" + keyIdType);
}
keyInfoElement.appendChild(keyIdentifierNode);
@@ -322,7 +340,9 @@ public class XmlEncOutInterceptor extend
return keyInfoElement;
}
- protected Element createEncryptedKeyElement(Document encryptedDataDoc) {
+ protected Element createEncryptedKeyElement(Document encryptedDataDoc,
+ String keyEncAlgo,
+ String digestAlgo) {
Element encryptedKey =
encryptedDataDoc.createElementNS(WSConstants.ENC_NS, WSConstants.ENC_PREFIX + ":EncryptedKey");
@@ -341,7 +361,7 @@ public class XmlEncOutInterceptor extend
return encryptedKey;
}
- protected Element createEncryptedDataElement(Document encryptedDataDoc) {
+ protected Element createEncryptedDataElement(Document encryptedDataDoc, String symEncAlgo) {
Element encryptedData =
encryptedDataDoc.createElementNS(WSConstants.ENC_NS, WSConstants.ENC_PREFIX + ":EncryptedData");
Modified: cxf/branches/2.5.x-fixes/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java?rev=1332600&r1=1332599&r2=1332600&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java (original)
+++ cxf/branches/2.5.x-fixes/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java Tue May 1 10:09:25 2012
@@ -66,12 +66,16 @@ public class XmlSigOutInterceptor extend
private QName envelopeQName = DEFAULT_ENV_QNAME;
private String sigStyle = ENVELOPED_SIG;
- private String defaultSigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
- private String digestAlgo = Constants.ALGO_ID_DIGEST_SHA1;
+
+ private SignatureProperties sigProps = new SignatureProperties();
public XmlSigOutInterceptor() {
}
+ public void setSignatureProperties(SignatureProperties props) {
+ this.sigProps = props;
+ }
+
public void setStyle(String style) {
if (!SUPPORTED_STYLES.contains(style)) {
throw new IllegalArgumentException("Unsupported XML Signature style");
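Review bot: `setSignatureProperties` (L200-L202) accepts null, which surfaces later as a NullPointerException from `sigProps.getSignatureAlgo()` in the signing path rather than as a configuration error when the bean is wired; `this.sigProps = props == null ? new SignatureProperties() : props;` keeps the previous defaults and fails safe. As with the encryption interceptor, `setSignatureAlgorithm` and `setDigestAlgorithm` now mutate the injected instance, so a `SignatureProperties` bean shared with an inbound handler for enforcement would be altered by outbound configuration — worth a Javadoc sentence on the setter saying the instance is kept by reference and mutated. The `setStyle` body continues outside the hunk.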
@@ -80,11 +84,11 @@ public class XmlSigOutInterceptor extend
}
public void setSignatureAlgorithm(String algo) {
- defaultSigAlgo = algo;
+ sigProps.setSignatureAlgo(algo);
}
public void setDigestAlgorithm(String algo) {
- digestAlgo = algo;
+ sigProps.setSignatureDigestAlgo(algo);
}
@@ -114,7 +118,9 @@ public class XmlSigOutInterceptor extend
X509Certificate[] issuerCerts = SecurityUtils.getCertificates(crypto, user);
- String sigAlgo = defaultSigAlgo;
+ String sigAlgo = sigProps.getSignatureAlgo() == null
+ ? SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1 : sigProps.getSignatureAlgo();
+
String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();
if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
sigAlgo = XMLSignature.ALGO_ID_SIGNATURE_DSA;
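Review bot: The signature algorithm taken from `SignatureProperties` at L220-L221 is silently discarded at L224-L225 whenever the signing key is DSA, and the converse (a configured DSA algorithm with an RSA key) is not caught here at all, so an explicitly configured algorithm is not actually enforced on the outbound side even though that is what the commit sets out to support. If `sigProps.getSignatureAlgo()` is non-null and disagrees with the key type, that should be an error rather than an override; at minimum document the precedence: `// the key type wins: a DSA key always signs with DSA-SHA1 regardless of the configured algorithm`. The default inlined here, `ALGO_ID_SIGNATURE_RSA_SHA1`, is SHA-1 based; a comment that deployments should configure a SHA-256 variant via `SignatureProperties` would help, since the default no longer appears as a named field. The enclosing method starts before this hunk and continues after it.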
@@ -131,13 +137,16 @@ public class XmlSigOutInterceptor extend
String id = UUID.randomUUID().toString();
String referenceId = "#" + id;
+ String digestAlgo = sigProps.getSignatureDigestAlgo() == null
+ ? Constants.ALGO_ID_DIGEST_SHA1 : sigProps.getSignatureDigestAlgo();
+
XMLSignature sig = null;
if (ENVELOPING_SIG.equals(sigStyle)) {
- sig = prepareEnvelopingSignature(doc, id, referenceId, sigAlgo);
+ sig = prepareEnvelopingSignature(doc, id, referenceId, sigAlgo, digestAlgo);
} else if (DETACHED_SIG.equals(sigStyle)) {
- sig = prepareDetachedSignature(doc, id, referenceId, sigAlgo);
+ sig = prepareDetachedSignature(doc, id, referenceId, sigAlgo, digestAlgo);
} else {
- sig = prepareEnvelopedSignature(doc, id, referenceId, sigAlgo);
+ sig = prepareEnvelopedSignature(doc, id, referenceId, sigAlgo, digestAlgo);
}
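Review bot: The SHA-1 digest default is now an inline ternary at L229-L230, and the RSA-SHA1 signature default another one earlier in the same method, where the removed `defaultSigAlgo`/`digestAlgo` fields had previously named them in one place; `private static final String DEFAULT_DIGEST_ALGO = Constants.ALGO_ID_DIGEST_SHA1;` (and a matching one for the signature algorithm) keeps the defaults discoverable and lets the encryption interceptor follow the same pattern. A short comment that SHA-1 is retained as the default for interoperability and that `SignatureProperties` is the place to select a stronger digest would make the security trade-off explicit. The enclosing method starts before this hunk and continues after it.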
@@ -150,7 +159,8 @@ public class XmlSigOutInterceptor extend
private XMLSignature prepareEnvelopingSignature(Document doc,
String id,
String referenceId,
- String sigAlgo) throws Exception {
+ String sigAlgo,
+ String digestAlgo) throws Exception {
Element docEl = doc.getDocumentElement();
Document newDoc = DOMUtils.createDocument();
doc.removeChild(docEl);
@@ -174,7 +184,8 @@ public class XmlSigOutInterceptor extend
private XMLSignature prepareDetachedSignature(Document doc,
String id,
String referenceId,
- String sigAlgo) throws Exception {
+ String sigAlgo,
+ String digestAlgo) throws Exception {
Element docEl = doc.getDocumentElement();
Document newDoc = DOMUtils.createDocument();
doc.removeChild(docEl);
@@ -200,7 +211,8 @@ public class XmlSigOutInterceptor extend
private XMLSignature prepareEnvelopedSignature(Document doc,
String id,
String referenceURI,
- String sigAlgo) throws Exception {
+ String sigAlgo,
+ String digestAlgo) throws Exception {
doc.getDocumentElement().setAttributeNS(null, "ID", id);
doc.getDocumentElement().setIdAttributeNS(null, "ID", true);
Modified: cxf/branches/2.5.x-fixes/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/server.xml
URL: http://svn.apache.org/viewvc/cxf/branches/2.5.x-fixes/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/server.xml?rev=1332600&r1=1332599&r2=1332600&view=diff
==============================================================================
--- cxf/branches/2.5.x-fixes/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/server.xml (original)
+++ cxf/branches/2.5.x-fixes/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/server.xml Tue May 1 10:09:25 2012
@@ -92,17 +92,24 @@ under the License.
</bean>
<bean id="xmlSigOutHandler" class="org.apache.cxf.rs.security.xml.XmlSigOutInterceptor"/>
+ <bean id="xmlSigOutHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlSigOutInterceptor">
+ <property name="signatureProperties" ref="sigProps"/>
+ </bean>
+
<bean id="xmlEncInHandler" class="org.apache.cxf.rs.security.xml.XmlEncInHandler"/>
<bean id="xmlEncInHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlEncInHandler">
<property name="encryptionProperties" ref="encProps"/>
</bean>
-
<bean id="xmlEncOutHandler" class="org.apache.cxf.rs.security.xml.XmlEncOutInterceptor">
<property name="symmetricEncAlgorithm" value="aes128-cbc"/>
</bean>
+ <bean id="xmlEncOutHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlEncOutInterceptor">
+ <property name="encryptionProperties" ref="encProps"/>
+ </bean>
+
<jaxrs:server
address="https://localhost:${testutil.ports.jaxrs-xmlsec}/xmlsig">
<jaxrs:serviceBeans>
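Review bot: `xmlEncInHandlerWithProps` (L285-L287) and the new `xmlEncOutHandlerWithProps` (L292-L294) both reference the single `encProps` bean, and because the out interceptor's algorithm setters write into the injected `EncryptionProperties`, any per-handler override applied to one side silently changes the algorithms the other side enforces; if the two sides are meant to be configurable independently, give each its own bean (or use a prototype-scoped definition) and add an XML comment saying the sharing is intentional where it is. The `sigProps` bean referenced at L281 is not defined within this hunk and is presumably declared elsewhere in the file — confirm it exists, since Spring will otherwise fail at context start-up.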
@@ -177,8 +184,8 @@ under the License.
<ref bean="xmlSigInHandlerWithProps"/>
</jaxrs:providers>
<jaxrs:outInterceptors>
- <ref bean="xmlSigOutHandler"/>
- <ref bean="xmlEncOutHandler"/>
+ <ref bean="xmlSigOutHandlerWithProps"/>
+ <ref bean="xmlEncOutHandlerWithProps"/>
</jaxrs:outInterceptors>
<jaxrs:properties>
<entry key="ws-security.callback-handler"