Posted to commits@ws.apache.org by co...@apache.org on 2015/07/07 17:48:30 UTC
svn commit: r1689703 - in /webservices/wss4j/trunk/ws-security-dom/src:
main/java/org/apache/wss4j/dom/processor/
main/java/org/apache/wss4j/dom/util/ test/java/org/apache/wss4j/dom/message/
Author: coheigea
Date: Tue Jul 7 15:48:30 2015
New Revision: 1689703
URL: http://svn.apache.org/r1689703
Log:
[WSS-544] - Make sure for signature verification we are not verifying an EncryptedData with xop:Include
Modified:
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/EncryptionUtils.java
webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java?rev=1689703&r1=1689702&r2=1689703&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java Tue Jul 7 15:48:30 2015
@@ -126,15 +126,7 @@ public class EncryptedKeyProcessor imple
//
// Now lookup CipherValue.
//
- Element tmpE =
- XMLUtils.getDirectChildElement(
- elem, "CipherData", WSConstants.ENC_NS
- );
- Element xencCipherValue = null;
- if (tmpE != null) {
- xencCipherValue =
- XMLUtils.getDirectChildElement(tmpE, "CipherValue", WSConstants.ENC_NS);
- }
+ Element xencCipherValue = EncryptionUtils.getCipherValueFromEncryptedData(elem);
if (xencCipherValue == null) {
throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, "noCipher");
}
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java?rev=1689703&r1=1689702&r2=1689703&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java Tue Jul 7 15:48:30 2015
@@ -85,9 +85,11 @@ import org.apache.wss4j.dom.transform.At
import org.apache.wss4j.dom.transform.STRTransform;
import org.apache.wss4j.dom.transform.STRTransformUtil;
import org.apache.wss4j.dom.util.EncryptionUtils;
+import org.apache.wss4j.dom.util.WSSecurityUtil;
import org.apache.wss4j.dom.util.XmlSchemaDateFormat;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.Validator;
+import org.apache.xml.security.utils.Base64;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -417,7 +419,7 @@ public class SignatureProcessor implemen
// Test for replay attacks
testMessageReplay(elem, xmlSignature.getSignatureValue().getValue(), key, data, wsDocInfo);
- setElementsOnContext(xmlSignature, (DOMValidateContext)context, wsDocInfo);
+ setElementsOnContext(xmlSignature, (DOMValidateContext)context, data, wsDocInfo);
boolean signatureOk = xmlSignature.validate(context);
if (signatureOk) {
return xmlSignature;
@@ -463,6 +465,7 @@ public class SignatureProcessor implemen
private void setElementsOnContext(
XMLSignature xmlSignature,
DOMValidateContext context,
+ RequestData data,
WSDocInfo wsDocInfo
) throws WSSecurityException {
java.util.Iterator<?> referenceIterator =
@@ -480,6 +483,27 @@ public class SignatureProcessor implemen
// We don't write out the xop:Include bytes into the BinarySecurityToken by default
// But if the BST is signed, then we have to, or else Signature validation fails...
handleXopInclude(element, wsDocInfo);
+ } else {
+ // Handle EncryptedData children that might store the bytes in the attachment
+ List<Element> encElements =
+ XMLUtils.findElements(element, "EncryptedData", WSConstants.ENC_NS);
+ for (Element encElement : encElements) {
+ Element xencCipherValue = EncryptionUtils.getCipherValueFromEncryptedData(encElement);
+
+ String xopURI = EncryptionUtils.getXOPURIFromCipherValue(xencCipherValue);
+ if (xopURI != null) {
+ // Store the bytes in the attachment to calculate the signature
+ byte[] attachmentBytes = WSSecurityUtil.getBytesFromAttachment(xopURI, data);
+ String encodedBytes = Base64.encode(attachmentBytes);
+
+ Element includeElement =
+ XMLUtils.getDirectChildElement(xencCipherValue, "Include", WSConstants.XOP_NS);
+
+ Node newCipherValueChild =
+ encElement.getOwnerDocument().createTextNode(encodedBytes);
+ xencCipherValue.replaceChild(newCipherValueChild, includeElement);
+ }
+ }
}
}
}
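Review bot: `xencCipherValue` can be null when an `EncryptedData` carries no `CipherData`/`CipherValue` (for example a `CipherReference`), because `EncryptionUtils.getCipherValueFromEncryptedData` returns null in that case, yet the new loop passes it straight to `getXOPURIFromCipherValue`; the sibling `getXOPURIFromEncryptedData` in this same commit guards that null, so this path should too: `if (xencCipherValue == null) { continue; }` before the `getXOPURIFromCipherValue` call. Since this runs before `xmlSignature.validate(context)`, the full attachment is Base64-inlined into the DOM for a message whose signature has not been verified yet, and the inlined bytes stay in the document even if validation then fails; a comment on the `replaceChild` line noting that the mutation is deliberate and persists, e.g. `// Inline the attachment bytes so c14n covers the same octets the signer saw; the xop:Include is not restored`, would save the next reader from wondering. Whether `WSSecurityUtil.getBytesFromAttachment` bounds the attachment size cannot be seen here; if it does not, an oversized attachment referenced from an unverified message is read entirely into memory at this point, which is worth confirming.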
Modified: webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/EncryptionUtils.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/EncryptionUtils.java?rev=1689703&r1=1689702&r2=1689703&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/EncryptionUtils.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/EncryptionUtils.java Tue Jul 7 15:48:30 2015
@@ -218,11 +218,18 @@ public final class EncryptionUtils {
}
private static String getXOPURIFromEncryptedData(Element encData) {
+ Element cipherValue = getCipherValueFromEncryptedData(encData);
+ if (cipherValue != null) {
+ return getXOPURIFromCipherValue(cipherValue);
+ }
+
+ return null;
+ }
+
+ public static Element getCipherValueFromEncryptedData(Element encData) {
Element cipherData = XMLUtils.getDirectChildElement(encData, "CipherData", WSConstants.ENC_NS);
if (cipherData != null) {
- Element cipherValue =
- XMLUtils.getDirectChildElement(cipherData, "CipherValue", WSConstants.ENC_NS);
- return getXOPURIFromCipherValue(cipherValue);
+ return XMLUtils.getDirectChildElement(cipherData, "CipherValue", WSConstants.ENC_NS);
}
return null;
Modified: webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java?rev=1689703&r1=1689702&r2=1689703&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java (original)
+++ webservices/wss4j/trunk/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java Tue Jul 7 15:48:30 2015
@@ -496,28 +496,15 @@ public class XOPAttachmentTest extends o
AttachmentCallbackHandler inboundAttachmentCallback =
new AttachmentCallbackHandler(encryptedAttachments);
- //WSHandlerResult results = verify(encryptedDoc, inboundAttachmentCallback);
verify(encryptedDoc, inboundAttachmentCallback);
String processedDoc = XMLUtils.PrettyDocumentToString(encryptedDoc);
assertTrue(processedDoc.contains(SOAP_BODY));
- /*
- // Check Signature Element
- WSSecurityEngineResult actionResult =
- results.getActionResults().get(WSConstants.SIGN).get(0);
- @SuppressWarnings("unchecked")
- final List<WSDataRef> refs =
- (List<WSDataRef>) actionResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
- assertNotNull(refs);
- assertTrue(refs.size() == 1);
- WSDataRef wsDataRef = refs.get(0);
- Element protectedElement = wsDataRef.getProtectedElement();
- String outputString = DOM2Writer.nodeToString(protectedElement);
- System.out.println("ONE1: " + outputString);
- */
}
+ // TODO
@org.junit.Test
+ @org.junit.Ignore
public void testEncryptedSignedSOAPBody() throws Exception {
Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
WSSecHeader secHeader = new WSSecHeader(doc);
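Review bot: The `@org.junit.Ignore` added on `testEncryptedSignedSOAPBody` carries only a bare `// TODO`, so the reason this case is skipped is not recorded anywhere in the test; presumably it is the encrypt-then-sign variant that the commit does not yet handle, but that is an inference. Give the annotation a reason so the gap is visible when the suite reports skipped tests, e.g. `@org.junit.Ignore("TODO WSS-544: encrypt-then-sign of an xop:Include body is not yet verified")`, and drop the loose `// TODO` line. With the commented-out `WSDataRef` checks removed, the preceding test now only asserts that `SOAP_BODY` appears in the processed document; if `verify` does not throw on a failed signature, the test no longer checks that the signature over the attachment was actually validated.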
@@ -556,25 +543,10 @@ public class XOPAttachmentTest extends o
AttachmentCallbackHandler inboundAttachmentCallback =
new AttachmentCallbackHandler(signedAttachments);
- // WSHandlerResult results = verify(signedDoc, inboundAttachmentCallback);
verify(signedDoc, inboundAttachmentCallback);
String processedDoc = XMLUtils.PrettyDocumentToString(signedDoc);
assertTrue(processedDoc.contains(SOAP_BODY));
- /*
- // Check Signature Element
- WSSecurityEngineResult actionResult =
- results.getActionResults().get(WSConstants.SIGN).get(0);
- @SuppressWarnings("unchecked")
- final List<WSDataRef> refs =
- (List<WSDataRef>) actionResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS);
- assertNotNull(refs);
- assertTrue(refs.size() == 1);
- WSDataRef wsDataRef = refs.get(0);
- Element protectedElement = wsDataRef.getProtectedElement();
- String outputString = DOM2Writer.nodeToString(protectedElement);
- System.out.println("TWO1: " + outputString);
- */
}
/**