Author: dvaleri
Date: Sat Aug 28 15:58:27 2010
New Revision: 990386
URL: http://svn.apache.org/viewvc?rev=990386&view=rev
Log:
[CXF-2963] Added workaround for WSS-242 to allow compatibility with older
versions of CXF.
Added:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/wss-242.xml
(with props)
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageCheckerTest.java
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java?rev=990386&r1=990385&r2=990386&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageChecker.java
Sat Aug 28 15:58:27 2010
@@ -163,6 +163,8 @@ public class CryptoCoverageChecker exten
}
}
+ CryptoCoverageUtil.reconcileEncryptedSignedRefs(signed, encrypted);
+
for (XPathExpression xPathExpression : this.xPaths) {
Collection<WSDataRef> refsToCheck = null;
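Review bot: The new `reconcileEncryptedSignedRefs(signed, encrypted)` call is inserted without a comment, and its position matters: it mutates `signed` before the XPath loop below reads it, and nothing in the hunk says why it has to come first. A one-line comment above the call would save the next reader a trip into CryptoCoverageUtil, e.g. `// Resolve signed refs that cover xenc:EncryptedData/EncryptedKey to the decrypted content so the SIGNED requirements checked below can match the plaintext elements.` The enclosing method begins and ends outside this hunk, so the surrounding handling of `signed`/`encrypted` could not be checked here.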
Modified:
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java?rev=990386&r1=990385&r2=990386&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java
(original)
+++
cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageUtil.java
Sat Aug 28 15:58:27 2010
@@ -42,6 +42,7 @@ import org.w3c.dom.NodeList;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.helpers.MapNamespaceContext;
import org.apache.cxf.ws.policy.PolicyConstants;
+import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSDataRef;
import org.apache.ws.security.WSSecurityException;
@@ -65,10 +66,10 @@ public final class CryptoCoverageUtil {
* are resolved to the decrypted element and added to {...@code
signedRefs}.
* The original reference to the encrypted content remains unaltered in the
* list to allow for matching against a requirement that xenc:EncryptedData
- * elements be signed.
+ * and xenc:EncryptedKey elements be signed.
*
* @param signedRefs references to the signed content in the message
- * @param encryptedRefs refernces to the encrypted content in the message
+ * @param encryptedRefs references to the encrypted content in the message
*/
public static void reconcileEncryptedSignedRefs(final
Collection<WSDataRef> signedRefs,
final Collection<WSDataRef> encryptedRefs) {
@@ -76,13 +77,11 @@ public final class CryptoCoverageUtil {
final List<WSDataRef> encryptedSignedRefs = new
LinkedList<WSDataRef>();
for (WSDataRef encryptedRef : encryptedRefs) {
- final String encryptedRefId = encryptedRef.getWsuId();
final Iterator<WSDataRef> signedRefsIt = signedRefs.iterator();
while (signedRefsIt.hasNext()) {
final WSDataRef signedRef = signedRefsIt.next();
- if (signedRef.getWsuId().equals(encryptedRefId)
- || signedRef.getWsuId().equals("#" + encryptedRefId)) {
+ if (isSignedEncryptionRef(encryptedRef, signedRef)) {
final WSDataRef encryptedSignedRef =
new WSDataRef(signedRef.getDataref());
@@ -105,7 +104,7 @@ public final class CryptoCoverageUtil {
signedRefs.addAll(encryptedSignedRefs);
}
-
+
/**
* Checks that the references provided refer to the
* signed/encrypted SOAP body element.
@@ -122,7 +121,7 @@ public final class CryptoCoverageUtil {
*
* @throws WSSecurityException
* if there is an error evaluating the coverage or the body is
not
- * covered by the signture/encryption.
+ * covered by the signature/encryption.
*/
public static void checkBodyCoverage(
SOAPMessage message,
@@ -168,7 +167,7 @@ public final class CryptoCoverageUtil {
*
* @throws WSSecurityException
* if there is an error evaluating the coverage or a header is
not
- * covered by the signture/encryption.
+ * covered by the signature/encryption.
*/
public static void checkHeaderCoverage(
SOAPMessage message,
@@ -225,7 +224,7 @@ public final class CryptoCoverageUtil {
*
* @throws WSSecurityException
* if there is an error evaluating an XPath or an element is
not
- * covered by the signture/encryption.
+ * covered by the signature/encryption.
*/
public static void checkCoverage(
SOAPMessage message,
@@ -260,7 +259,7 @@ public final class CryptoCoverageUtil {
*
* @throws WSSecurityException
* if there is an error evaluating an XPath or an element is
not
- * covered by the signture/encryption.
+ * covered by the signature/encryption.
*/
public static void checkCoverage(
SOAPMessage message,
@@ -318,6 +317,53 @@ public final class CryptoCoverageUtil {
}
}
}
+
+ /**
+ * Determines if {...@code signedRef} points to the encrypted content
represented by
+ * {...@code encryptedRef} using the following algorithm.
+ *
+ * <ol>
+ * <li>Check that the signed content is an XML Encryption element.</li>
+ * <li>Check that the reference Ids of the signed content and encrypted
content
+ * (not the decrypted version of the encrypted content) match. Check that
the
+ * reference Id of the signed content matches the reference Id of the
encrypted
+ * content prepended with a #.
+ * <li>Check for other Id attributes on the signed element that may match
the
+ * referenced identifier for the encrypted content. This is a workaround
for
+ * WSS-242.</li>
+ * </ol>
+ *
+ * @param encryptedRef the ref representing the encrpted content
+ * @param signedRef the ref representing the signed content
+ */
+ private static boolean isSignedEncryptionRef(WSDataRef encryptedRef,
WSDataRef signedRef) {
+
+ // Don't even bother if the signed element wasn't an XML Enc element.
+ if (!WSConstants.ENC_NS.equals(signedRef.getProtectedElement()
+ .getNamespaceURI())) {
+ return false;
+ }
+
+ if (signedRef.getWsuId().equals(encryptedRef.getWsuId())
+ || signedRef.getWsuId().equals("#" + encryptedRef.getWsuId())) {
+ return true;
+ }
+
+ // There should be no other Ids on an EncryptedData or EncryptedKey
element;
+ // however, WSS4J will happily add them on the outbound side. See
WSS-242.
+ // The following code looks for the specific behavior that exists in
+ // 1.5.8 and earlier version.
+
+ String wsuId = signedRef.getProtectedElement().getAttributeNS(
+ WSConstants.WSU_NS, "Id");
+
+ if (signedRef.getWsuId().equals(wsuId)
+ || signedRef.getWsuId().equals("#" + wsuId)) {
+ return true;
+ }
+
+ return false;
+ }
private static boolean matchElement(Collection<WSDataRef> refs,
CoverageType type, CoverageScope scope, Element el) {
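Review bot: The WSS-242 fallback at the end of `isSignedEncryptionRef` never consults `encryptedRef`: it reads the signed element's own wsu:Id and compares it with `signedRef.getWsuId()`, which is true for any xenc element that was signed through its wsu:Id (in wss-242.xml the signature references `#id-6` and the EncryptedData carries `wsu:Id="id-6"`). Inside the caller's loop that makes one signed EncryptedData/EncryptedKey match every encrypted reference, so the decrypted content of an element that was never signed appears likely to be added to `signedRefs` as signed (the code that builds `encryptedSignedRef` continues outside the earlier hunk), which would defeat the coverage check in messages with more than one encrypted element. The Javadoc states the intended test — another Id attribute on the signed element equal to the encrypted content's reference Id — so the fallback should compare that attribute against the encrypted ref, e.g. `String xencId = signedRef.getProtectedElement().getAttributeNS(null, "Id");` followed by `return xencId.length() > 0 && (xencId.equals(encryptedRef.getWsuId()) || ("#" + xencId).equals(encryptedRef.getWsuId()));`, assuming WSS4J records the DataReference target (`EncDataId-4` in the fixture) as the encrypted ref's wsuId as the existing first comparison already presumes. While here, `getProtectedElement()` is dereferenced on the first line without a null check, and the Javadoc has no `@return`; a guard that returns false for a null element plus `@return true if signedRef covers the encrypted content represented by encryptedRef` would complete the method.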
Modified:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageCheckerTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageCheckerTest.java?rev=990386&r1=990385&r2=990386&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageCheckerTest.java
(original)
+++
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CryptoCoverageCheckerTest.java
Sat Aug 28 15:58:27 2010
@@ -155,6 +155,39 @@ public class CryptoCoverageCheckerTest e
true);
}
+ @Test
+ public void testEncryptedSignedWithIncompleteCoverage() throws Exception {
+ this.runInterceptorAndValidate(
+ "encrypted_body_content_signed_missing_signed_header.xml",
+ this.getPrefixes(),
+ Arrays.asList(new XPathExpression(
+ "//ser:Header", CoverageType.SIGNED,
CoverageScope.ELEMENT)),
+ false);
+ }
+
+ @Test
+ public void testEncryptedSignedWithCompleteCoverage() throws Exception {
+ this.runInterceptorAndValidate(
+ "encrypted_body_content_signed.xml",
+ this.getPrefixes(),
+ Arrays.asList(
+ new XPathExpression(
+ "//ser:Header", CoverageType.SIGNED,
CoverageScope.ELEMENT),
+ new XPathExpression(
+ "//ser:Header", CoverageType.ENCRYPTED,
CoverageScope.ELEMENT)),
+ true);
+
+ this.runInterceptorAndValidate(
+ "wss-242.xml",
+ this.getPrefixes(),
+ Arrays.asList(
+ new XPathExpression(
+ "//ser:Header", CoverageType.SIGNED,
CoverageScope.ELEMENT),
+ new XPathExpression(
+ "//ser:Header", CoverageType.ENCRYPTED,
CoverageScope.ELEMENT)),
+ true);
+ }
+
private Map<String, String> getPrefixes() {
final Map<String, String> prefixes = new HashMap<String, String>();
prefixes.put("ser", "http://www.sdj.pl");
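Review bot: Both new positive tests use messages with a single encrypted element, so they cannot detect a matcher that pairs a signed xenc element with the wrong encrypted reference; wss-242.xml in particular passes as long as its one EncryptedData is treated as signed. A fixture with two EncryptedData elements where only one is signed, asserting that a `CoverageType.SIGNED` requirement on the unsigned one is rejected (`false`) while the signed one is accepted, would pin the intended one-to-one behaviour of the WSS-242 workaround. The fixtures referenced here other than wss-242.xml are not part of this commit, so their contents could not be checked.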
Modified:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java?rev=990386&r1=990385&r2=990386&view=diff
==============================================================================
---
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
(original)
+++
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWss4JInOutTest.java
Sat Aug 28 15:58:27 2010
@@ -904,7 +904,7 @@ public class PolicyBasedWss4JInOutTest e
}
/**
- * Gets a SoapMessage, but with the needed SecurityConstants in the
context propreties
+ * Gets a SoapMessage, but with the needed SecurityConstants in the
context properties
* so that it can be passed to PolicyBasedWSS4JOutInterceptor.
*
* @see #getSoapMessageForDom(Document, AssertionInfoMap)
Added:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/wss-242.xml
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/wss-242.xml?rev=990386&view=auto
==============================================================================
---
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/wss-242.xml
(added)
+++
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/wss-242.xml
Sat Aug 28 15:58:27 2010
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <soap:Header><wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"
wsu:Id="CertId-C861510A9B785DAD9E128300845684018"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIIBnDCCAZgwggEBAgRGbtTqMA0GCSqGSIb3DQEBBAUAMBIxEDAOBgNVBAMTB215QWxpYXMwIBcNMDcwNjEyMTcxNjI2WhgPNDc0NTA1MDkxNzE2MjZaMBIxEDAOBgNVBAMTB215QWxpYXMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKXjnfBH6a5kw/uv5znt5yt3lxZT7GokZ8+fkd4AOsc+FjjjkF+5dT2uEuuU2ZlTsZHz8z/qxb2zieLJ+3LdBLTIgGLqsJw4h1ZKmCIc+VpKDwUHreie3bXDyABCPYuTJn+YLIiDE6PFMal57K4wjV+jEqyxa9srKXUf8RWCuSKpAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAf56rRReruBSSPdCUvkaIEk2BXPZp4Kb17/FibH3UfiEKL3RY86grnzgBj3LbquqJYFtQOQ0TSyEMK+7CD1IRwRWbLLoIMB
ELRf5byedTBoafqaskm6XD6N9VqaUDvreGbLu/A2TuBgdzY69TKjp7seYDxh37bo85SYd9UqZBH4w=</wsse:BinarySecurityToken><ds:Signature
Id="Signature-5" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:SignedInfo>
+<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+<ds:Reference URI="#id-6">
+<ds:Transforms>
+<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+</ds:Transforms>
+<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+<ds:DigestValue>dpKLrXAVkzXtLT8uMgjyRPw/7+A=</ds:DigestValue>
+</ds:Reference>
+</ds:SignedInfo>
+<ds:SignatureValue>
+WEdruhR6zu4nfTjfiOmy8U3aQjSrkCsdKW4Mc6ok/yYJWui6FDkUrXIh5CHwAOXgthR6wFew3mCU
+WOjH0W5aa8ssGXJKEPaQQPbUqTplOBjJzwYdNWV5MNEitxbQLuULuSp6o0mrO30TI8Jh9qOvP+Nk
+ug2YiNMlclOLqH3Zpew=
+</ds:SignatureValue>
+<ds:KeyInfo Id="KeyId-C861510A9B785DAD9E128300845684019">
+<wsse:SecurityTokenReference wsu:Id="STRId-C861510A9B785DAD9E128300845684020"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:Reference
URI="#CertId-C861510A9B785DAD9E128300845684018"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/></wsse:SecurityTokenReference>
+</ds:KeyInfo>
+</ds:Signature><xenc:EncryptedKey
Id="EncKeyId-C861510A9B785DAD9E128300845663717"><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<wsse:SecurityTokenReference><ds:X509Data>
+<ds:X509IssuerSerial>
+<ds:X509IssuerName>CN=myAlias</ds:X509IssuerName>
+<ds:X509SerialNumber>1181668586</ds:X509SerialNumber>
+</ds:X509IssuerSerial>
+</ds:X509Data></wsse:SecurityTokenReference>
+</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>jy/4f/WWk6ZNDC2LfmRm6LKlbqBURfRPIbJuYeswcTmktfkMV5KGbfOd1TJTnDfjoQqy3ZM/kzVQw/u2RoLG2hSkXhgsU88XfnpFuZ7cbxyKV+cerG1hOowd1ETqdW/QTPtck5fpL0mdXUTkSCCRDRhZd6HlOkxICOUlvqZ251c=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference
URI="#EncDataId-4"/></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security>
+ <xenc:EncryptedData Id="EncDataId-4"
Type="http://www.w3.org/2001/04/xmlenc#Element" wsu:Id="id-6"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Reference
URI="#EncKeyId-C861510A9B785DAD9E128300845663717"/></wsse:SecurityTokenReference>
+</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>44MglCtaRqTdRWQwTc3rCTRznona1qxUF6SRS48KqNpJ26ZFW6J+CUBhQpQaQbF33xM8vFduX0Zz
+cZ5DaQX3QQdEs5o4MBS8R/q9z1UoAYdcdg/FJdPnAcqCn+mmDWLJr/xqBGeMGvuh2eLQwraj1JeD
+Y18UQZJcehm927kJGjEW8FNuC5QLWGjFw3464LjMQ///WVtnmSP8gAlqpwv5lW34dqUzVNJezvpq
+BHRhLbz3BV9O8dTN/ychY4998jAt/2vwcURPbsaYaddXgm1AlTEGOjRG/gqjmDO5jrEskVIh8qSQ
+qaYRfOnIMOwZPc5hmQQToWvytaI6PKqZs/j9oOGhk+0vtTleDfd2PTKCAdQ=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
+ </soap:Header>
+ <soap:Body>
+ <echo xmlns="http://www.sdj.pl">
+ <in0>A</in0>
+ </echo>
+ </soap:Body>
+</soap:Envelope>
Propchange:
cxf/trunk/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/wss-242.xml
------------------------------------------------------------------------------
svn:eol-style = native