Repository: cxf Updated Branches: refs/heads/master 58e6563da -> effcaf3f6
[CXF-6098] - Use RSA-SHA256 by default when issuing tokens in the STS Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/effcaf3f Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/effcaf3f Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/effcaf3f Branch: refs/heads/master Commit: effcaf3f6cfb4b3287d683285592f2693af42b29 Parents: 58e6563 Author: Colm O hEigeartaigh <[email protected]> Authored: Tue Nov 11 14:08:17 2014 +0000 Committer: Colm O hEigeartaigh <[email protected]> Committed: Tue Nov 11 14:08:17 2014 +0000
----------------------------------------------------------------------
.../org/apache/cxf/sts/SignatureProperties.java | 5 ++- .../token/provider/SAMLProviderKeyTypeTest.java | 47 +++++++++++++------- 2 files changed, 35 insertions(+), 17 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/effcaf3f/services/sts/sts-core/src/main/java/org/apache/cxf/sts/SignatureProperties.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/SignatureProperties.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/SignatureProperties.java
index d446e12..73cbad3 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/SignatureProperties.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/SignatureProperties.java
@@ -28,7 +28,7 @@ import org.apache.wss4j.dom.WSConstants;
 * or generate a symmetric key in the STS.
 */
 public class SignatureProperties {
- private String signatureAlgorithm = WSConstants.RSA_SHA1;
+ private String signatureAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
 private String c14nAlgorithm = WSConstants.C14N_EXCL_OMIT_COMMENTS;
 private List<String> acceptedSignatureAlgorithms = new ArrayList<String>();
 private List<String> acceptedC14nAlgorithms = new ArrayList<String>();
@@ -36,10 +36,11 @@ public class SignatureProperties {
 private long keySize = 256;
 private long minimumKeySize = 128;
 private long maximumKeySize = 512;
- private String digestAlgorithm = WSConstants.SHA1;
+ private String digestAlgorithm = WSConstants.SHA256;
 public SignatureProperties() {
 // Default signature algorithms
+ acceptedSignatureAlgorithms.add(WSConstants.RSA_SHA1);
 acceptedSignatureAlgorithms.add(signatureAlgorithm);
 // Default c14n algorithms
http://git-wip-us.apache.org/repos/asf/cxf/blob/effcaf3f/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderKeyTypeTest.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderKeyTypeTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderKeyTypeTest.java
index 38191ab..8b9cdd7 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderKeyTypeTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderKeyTypeTest.java
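Review bot: The new default for `signatureAlgorithm` is a bare URI literal while every neighbouring default (`c14nAlgorithm`, `digestAlgorithm`, the removed `RSA_SHA1`) is a `WSConstants` symbol, and the same literal is spelled out twice more in SAMLProviderKeyTypeTest. Hoist it to a named constant, e.g. `public static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";` on this class and reference it from the test, or reuse the equivalent constant from WSS4J / the XML Security library if the module already has one on its classpath. Because the constructor copies this field into `acceptedSignatureAlgorithms`, a single constant also keeps the default and the accepted list from drifting apart if the URI is ever edited.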
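Review bot: The constructor now adds `WSConstants.RSA_SHA1` to `acceptedSignatureAlgorithms` ahead of the RSA-SHA256 default, so a requester that names RSA-SHA1 in its KeyRequirements still receives SHA-1-signed tokens from a default-configured STS; the test hunk in SAMLProviderKeyTypeTest pins that as expected behaviour. That is a defensible compatibility choice, but nothing in the class records it, and a deployer reading only the "RSA-SHA256 by default" commit title would not expect SHA-1 to remain requestable. A comment on the added line such as `// RSA-SHA1 is kept in the accepted list for interop with older clients; drop it to refuse SHA-1 signature requests` would make the trade-off visible where the list is built. The digest default moves to SHA-256 with no accepted-digest list in view, so digest selection appears to stay server-side only; stating that in the same comment would round out the picture. The constructor body continues outside the hunk.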
@@ -507,26 +507,32 @@ public class SAMLProviderKeyTypeTest extends org.junit.Assert {
 createProviderParameters(WSConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE);
 KeyRequirements keyRequirements = providerParameters.getKeyRequirements();
- String signatureAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
- keyRequirements.setSignatureAlgorithm(signatureAlgorithm);
-
- // This will fail as the requested signature algorithm is rejected
+ // Default
 TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
 assertTrue(providerResponse != null);
 assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
 Element token = providerResponse.getToken();
 String tokenString = DOM2Writer.nodeToString(token);
+ assertTrue(tokenString.contains("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"));
+
+ // Try with unsupported alternative
+ String signatureAlgorithm = WSConstants.DSA;
+ keyRequirements.setSignatureAlgorithm(signatureAlgorithm);
+
+ // This will fail as the requested signature algorithm is rejected
+ providerResponse = samlTokenProvider.createToken(providerParameters);
+ assertTrue(providerResponse != null);
+ assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
+
+ token = providerResponse.getToken();
+ tokenString = DOM2Writer.nodeToString(token);
 assertFalse(tokenString.contains(signatureAlgorithm));
- assertTrue(tokenString.contains(WSConstants.RSA_SHA1));
+ assertTrue(tokenString.contains("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"));
- STSPropertiesMBean stsProperties = providerParameters.getStsProperties();
- SignatureProperties sigProperties = new SignatureProperties();
- List<String> acceptedSignatureAlgorithms = new ArrayList<String>();
- acceptedSignatureAlgorithms.add(signatureAlgorithm);
- acceptedSignatureAlgorithms.add(WSConstants.RSA_SHA1);
- sigProperties.setAcceptedSignatureAlgorithms(acceptedSignatureAlgorithms);
- stsProperties.setSignatureProperties(sigProperties);
+ // Supported alternative
+ signatureAlgorithm = WSConstants.RSA_SHA1;
+ keyRequirements.setSignatureAlgorithm(signatureAlgorithm);
 // This will succeed as the requested signature algorithm is accepted
 providerResponse = samlTokenProvider.createToken(providerParameters);
@@ -546,10 +552,8 @@ public class SAMLProviderKeyTypeTest extends org.junit.Assert {
 TokenProvider samlTokenProvider = new SAMLTokenProvider();
 TokenProviderParameters providerParameters = createProviderParameters(WSConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE);
- SignatureProperties signatureProperties =
- providerParameters.getStsProperties().getSignatureProperties();
- signatureProperties.setDigestAlgorithm(WSConstants.SHA256);
+ // Default
 TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
 assertTrue(providerResponse != null);
 assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
@@ -557,6 +561,19 @@ public class SAMLProviderKeyTypeTest extends org.junit.Assert {
 Element token = providerResponse.getToken();
 String tokenString = DOM2Writer.nodeToString(token);
 assertTrue(tokenString.contains(WSConstants.SHA256));
+
+ // Supported alternative
+ SignatureProperties signatureProperties =
+ providerParameters.getStsProperties().getSignatureProperties();
+ signatureProperties.setDigestAlgorithm(WSConstants.SHA1);
+
+ providerResponse = samlTokenProvider.createToken(providerParameters);
+ assertTrue(providerResponse != null);
+ assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null);
+
+ token = providerResponse.getToken();
+ tokenString = DOM2Writer.nodeToString(token);
+ assertTrue(tokenString.contains(WSConstants.SHA1));
 }
 /**
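Review bot: The added comment `// This will fail as the requested signature algorithm is rejected` now sits above a `createToken` call that the next two asserts require to succeed; what the block actually verifies is that an unsupported request (`WSConstants.DSA`) is silently ignored and the RSA-SHA256 default is used, so the comment should say so, e.g. `// The unsupported algorithm is ignored and the RSA-SHA256 default is used instead`. Silent fallback rather than rejection is a notable contract for a signature-algorithm negotiation, and the test is the only place it is written down, so the wording matters. The RSA-SHA256 URI literal is also repeated in two asserts here; a `private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";` on the test class would keep them in step. The enclosing test method starts before this hunk and ends after it.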
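Review bot: After switching the digest to SHA-1, the only check in the last hunk is `assertTrue(tokenString.contains(WSConstants.SHA1))`, which would also pass if the token carried both digest URIs; adding `assertFalse(tokenString.contains(WSConstants.SHA256));` beside it would confirm the setter actually replaced the digest. The symmetric negative check, `assertFalse(tokenString.contains(WSConstants.SHA1));`, next to the existing SHA-256 assert would likewise prove the new default no longer emits SHA-1 anywhere in the token, provided nothing else in the SAML token legitimately carries that URI. The enclosing test method starts before this hunk; its closing brace is the hunk's last context line.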
