This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch wss4j_2.3.0 in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 3bf2dcafccb3d8243dea1afdedc333e307dddde0 Author: Colm O hEigeartaigh <cohei...@apache.org> AuthorDate: Fri Jan 25 11:27:40 2019 +0000 Update to Apache WSS4J 2.3.0-SNAPSHOT --- parent/pom.xml | 9 +- .../saml/sso/AbstractSAMLCallbackHandler.java | 11 +- .../ws/security/trust/STSStaxTokenValidator.java | 3 +- .../wss4j/AbstractWSS4JStaxInterceptor.java | 2 + .../security/wss4j/AlgorithmSuiteTranslater.java | 4 +- .../wss4j/PolicyBasedWSS4JInInterceptor.java | 4 +- .../wss4j/PolicyBasedWSS4JOutInterceptor.java | 4 +- .../wss4j/PolicyBasedWSS4JStaxInInterceptor.java | 9 +- .../policyhandlers/AbstractBindingBuilder.java | 58 ++-- .../policyhandlers/AbstractStaxBindingHandler.java | 4 +- .../policyhandlers/AsymmetricBindingHandler.java | 274 +++++++++-------- .../StaxAsymmetricBindingHandler.java | 6 +- .../StaxSymmetricBindingHandler.java | 6 +- .../StaxTransportBindingHandler.java | 18 +- .../policyhandlers/SymmetricBindingHandler.java | 335 ++++++++++++--------- .../policyhandlers/TransportBindingHandler.java | 38 ++- .../AlgorithmSuitePolicyValidator.java | 4 +- .../security/wss4j/CustomPolicyAlgorithmsTest.java | 4 +- .../wss4j/saml/AbstractSAMLCallbackHandler.java | 14 +- .../cxf/sts/operation/AbstractOperation.java | 14 +- .../sts/token/provider/DefaultSubjectProvider.java | 16 +- .../cxf/sts/token/provider/TokenProviderUtils.java | 10 +- .../cxf/sts/operation/IssueSamlUnitTest.java | 10 +- .../server/CustomUsernameTokenInterceptor.java | 14 +- .../cxf/systest/ws/x509/SHA512PolicyLoader.java | 2 +- 25 files changed, 516 insertions(+), 357 deletions(-) diff --git a/parent/pom.xml b/parent/pom.xml index 8938529..7f93d18 100644 --- a/parent/pom.xml +++ b/parent/pom.xml 
@@ -217,7 +217,7 @@
 <cxf.woodstox.core.version>5.0.3</cxf.woodstox.core.version>
 <cxf.woodstox.stax2-api.version>3.1.4</cxf.woodstox.stax2-api.version>
 <cxf.wsdl4j.version>1.6.3</cxf.wsdl4j.version>
- <cxf.wss4j.version>2.2.4</cxf.wss4j.version>
+ <cxf.wss4j.version>2.3.0-SNAPSHOT</cxf.wss4j.version>
 <cxf.xalan.version>2.7.2</cxf.xalan.version>
 <cxf.xbean.version>4.14</cxf.xbean.version>
 <cxf.xerces.version>2.12.0</cxf.xerces.version>
@@ -263,7 +263,7 @@
 <cxf.xalan.bundle.version>2.7.2_3</cxf.xalan.bundle.version>
 <cxf.xerces.bundle.version>2.12.0_1</cxf.xerces.bundle.version>
 <cxf.xmlresolver.bundle.version>1.2_5</cxf.xmlresolver.bundle.version>
- <cxf.xmlsec.bundle.version>2.1.4</cxf.xmlsec.bundle.version>
+ <cxf.xmlsec.bundle.version>2.2.0-SNAPSHOT</cxf.xmlsec.bundle.version>
 <cxf.xpp3.bundle.version>1.1.4c_6</cxf.xpp3.bundle.version>
 </properties>
 <build>
@@ -1344,11 +1344,6 @@
 </exclusions>
 </dependency>
 <dependency>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- <version>${cxf.guava.version}</version>
- </dependency>
- <dependency>
 <groupId>org.apache.hbase</groupId>
 <artifactId>hbase-client</artifactId>
 <version>2.1.4</version>
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
index f5f051c..e473bdf 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
@@ -23,6 +23,8 @@ import java.security.cert.X509Certificate; import java.util.Collections; import java.util.List; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; import javax.security.auth.callback.CallbackHandler; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; 
@@ -43,6 +45,7 @@ import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER; import org.apache.wss4j.common.saml.bean.SubjectBean; import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean; import org.apache.wss4j.common.saml.bean.SubjectLocalityBean; +import org.apache.wss4j.common.util.KeyUtils; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.message.WSSecEncryptedKey; import org.joda.time.DateTime; @@ -212,8 +215,12 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler { WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc); encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL); encrKey.setUseThisCert(certs[0]); - encrKey.prepare(null); - ephemeralKey = encrKey.getEphemeralKey(); + + KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_128); + SecretKey symmetricKey = keyGen.generateKey(); + + encrKey.prepare(null, symmetricKey); + ephemeralKey = symmetricKey.getEncoded(); Element encryptedKeyElement = encrKey.getEncryptedKeyElement(); // Append the EncryptedKey to a KeyInfo element diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java index ffb99e4..57429e2 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSStaxTokenValidator.java @@ -42,6 +42,7 @@ import org.apache.wss4j.common.token.BinarySecurity; import org.apache.wss4j.common.token.PKIPathSecurity; import org.apache.wss4j.common.token.X509Security; import org.apache.wss4j.common.util.AttachmentUtils; +import org.apache.wss4j.common.util.UsernameTokenUtil; import org.apache.wss4j.dom.message.token.KerberosSecurity; import org.apache.wss4j.dom.message.token.UsernameToken; import org.apache.wss4j.stax.ext.WSSConstants; 
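Review bot: The key size in the -212 hunk is now fixed by `KeyUtils.getKeyGenerator(WSConstants.AES_128)` instead of following whatever symmetric algorithm `encrKey` is configured with, so if this test handler is later given a different encryption algorithm the generated key length will no longer track it. The raw key bytes are also retained in the `ephemeralKey` field through `symmetricKey.getEncoded()`, and nothing in the hunk clears them; a comment such as `// raw AES-128 key bytes; cleared by whoever consumes the assertion` would state who owns that material. The enclosing method continues outside the hunk, so I cannot see where `ephemeralKey` is consumed.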
@@ -329,7 +330,7 @@ public class STSStaxTokenValidator throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION); } - String passDigest = WSSUtils.doPasswordDigest(nonceVal, created, pwCb.getPassword()); + String passDigest = UsernameTokenUtil.doPasswordDigest(nonceVal, created, pwCb.getPassword()); if (!passwordType.getValue().equals(passDigest)) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION); } diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java index d5cd6b6..585e908 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JStaxInterceptor.java @@ -179,6 +179,8 @@ public abstract class AbstractWSS4JStaxInterceptor implements SoapInterceptor, boolean validateSchemas = MessageUtils.getContextualBoolean(msg, "schema-validation-enabled", false); securityProperties.setDisableSchemaValidation(!validateSchemas); + + securityProperties.setSoap12(WSSConstants.NS_SOAP12.equals(msg.getVersion().getNamespace())); } private Collection<Pattern> convertCertConstraints(String certConstraints, String separator) { diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java index 595d419..ef73d10 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AlgorithmSuiteTranslater.java 
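Review bot: The digest returned by `UsernameTokenUtil.doPasswordDigest(...)` is still compared with `String.equals` on the next line, which stops at the first differing character, so the time taken depends on how much of the supplied digest matched. Since the commit touches this line anyway, comparing the bytes with a length-independent check keeps the comparison uniform: `if (!MessageDigest.isEqual(passwordType.getValue().getBytes(StandardCharsets.UTF_8), passDigest.getBytes(StandardCharsets.UTF_8)))`. That needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` in scope; the enclosing method starts and ends outside the hunk.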
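Review bot: In the AbstractWSS4JStaxInterceptor hunk at -179, `WSSConstants.NS_SOAP12.equals(msg.getVersion().getNamespace())` is the same expression that PolicyBasedWSS4JStaxInInterceptor adds later in this commit; if that class derives from this one, a small `protected static boolean isSoap12(SoapMessage msg)` here would keep the two in step. `msg.getVersion()` is dereferenced without a guard, and I cannot tell from here whether a SoapMessage can reach this point without a version set. The enclosing method starts outside the hunk.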
@@ -126,8 +126,8 @@ public final class AlgorithmSuiteTranslater { algorithmSuite.addDigestAlgorithm(algorithmSuiteType.getDigest()); } - algorithmSuite.addSignatureMethod(cxfAlgorithmSuite.getAsymmetricSignature()); - algorithmSuite.addSignatureMethod(cxfAlgorithmSuite.getSymmetricSignature()); + algorithmSuite.addSignatureMethod(algorithmSuiteType.getAsymmetricSignature()); + algorithmSuite.addSignatureMethod(algorithmSuiteType.getSymmetricSignature()); algorithmSuite.addC14nAlgorithm(cxfAlgorithmSuite.getC14n().getValue()); algorithmSuite.addTransformAlgorithm(cxfAlgorithmSuite.getC14n().getValue()); diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java index 767be4c..640165e 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java @@ -486,10 +486,10 @@ public class PolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor { for (AssertionInfo algorithmSuite : algorithmSuites) { AlgorithmSuite algSuite = (AlgorithmSuite)algorithmSuite.getAssertion(); if (asymSignatureAlgorithm != null) { - algSuite.setAsymmetricSignature(asymSignatureAlgorithm); + algSuite.getAlgorithmSuiteType().setAsymmetricSignature(asymSignatureAlgorithm); } if (symSignatureAlgorithm != null) { - algSuite.setSymmetricSignature(symSignatureAlgorithm); + algSuite.getAlgorithmSuiteType().setSymmetricSignature(symSignatureAlgorithm); } } } diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java index 1a68fe0..9cb373e 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java 
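Review bot: `algSuite.getAlgorithmSuiteType().setAsymmetricSignature(...)` in the PolicyBasedWSS4JInInterceptor hunk now mutates the AlgorithmSuiteType object rather than the AlgorithmSuite assertion; if `getAlgorithmSuiteType()` hands back an instance shared between assertions (for example a cached per-suite-name object), a per-message contextual property would silently change the signature algorithm for every policy using that suite and for later messages. Worth confirming against WSS4J 2.3.0 that the type is copied per assertion, and if it is not, applying the override to a copy. The same pattern appears in the PolicyBasedWSS4JOutInterceptor and PolicyBasedWSS4JStaxInInterceptor hunks of this commit; a comment at each site such as `// AlgorithmSuiteType is per-assertion in WSS4J 2.3; the override does not leak into other policies` would record that check.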
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JOutInterceptor.java @@ -164,13 +164,13 @@ public class PolicyBasedWSS4JOutInterceptor extends AbstractPhaseInterceptor<Soa String asymSignatureAlgorithm = (String)message.getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM); if (asymSignatureAlgorithm != null && binding.getAlgorithmSuite() != null) { - binding.getAlgorithmSuite().setAsymmetricSignature(asymSignatureAlgorithm); + binding.getAlgorithmSuite().getAlgorithmSuiteType().setAsymmetricSignature(asymSignatureAlgorithm); } String symSignatureAlgorithm = (String)message.getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM); if (symSignatureAlgorithm != null && binding.getAlgorithmSuite() != null) { - binding.getAlgorithmSuite().setSymmetricSignature(symSignatureAlgorithm); + binding.getAlgorithmSuite().getAlgorithmSuiteType().setSymmetricSignature(symSignatureAlgorithm); } try { diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java index a455cf8..b321e5b 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JStaxInInterceptor.java @@ -55,6 +55,7 @@ import org.apache.wss4j.policy.model.AlgorithmSuite; import org.apache.wss4j.policy.stax.OperationPolicy; import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer; import org.apache.wss4j.policy.stax.enforcer.PolicyInputProcessor; +import org.apache.wss4j.stax.ext.WSSConstants; import org.apache.wss4j.stax.ext.WSSSecurityProperties; import org.apache.wss4j.stax.impl.securityToken.HttpsSecurityTokenImpl; import org.apache.wss4j.stax.securityEvent.HttpsTokenSecurityEvent; 
@@ -271,10 +272,10 @@ public class PolicyBasedWSS4JStaxInInterceptor extends WSS4JStaxInInterceptor { for (AssertionInfo algorithmSuite : algorithmSuites) { AlgorithmSuite algSuite = (AlgorithmSuite)algorithmSuite.getAssertion(); if (asymSignatureAlgorithm != null) { - algSuite.setAsymmetricSignature(asymSignatureAlgorithm); + algSuite.getAlgorithmSuiteType().setAsymmetricSignature(asymSignatureAlgorithm); } if (symSignatureAlgorithm != null) { - algSuite.setSymmetricSignature(symSignatureAlgorithm); + algSuite.getAlgorithmSuiteType().setSymmetricSignature(symSignatureAlgorithm); } } } @@ -426,7 +427,6 @@ public class PolicyBasedWSS4JStaxInInterceptor extends WSS4JStaxInInterceptor { if (soapAction == null) { soapAction = ""; } - String actor = (String)msg.getContextualProperty(SecurityConstants.ACTOR); final Collection<org.apache.cxf.message.Attachment> attachments = msg.getAttachments(); int attachmentCount = 0; @@ -435,7 +435,8 @@ public class PolicyBasedWSS4JStaxInInterceptor extends WSS4JStaxInInterceptor { } return new PolicyEnforcer(operationPolicies, soapAction, isRequestor(msg), actor, attachmentCount, - new WSS4JPolicyAsserter(msg.get(AssertionInfoMap.class))); + new WSS4JPolicyAsserter(msg.get(AssertionInfoMap.class)), + WSSConstants.NS_SOAP12.equals(msg.getVersion().getNamespace())); } } diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java index 619d4b5..8cd7c24 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java 
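Review bot: The local `String actor = (String)msg.getContextualProperty(SecurityConstants.ACTOR);` is removed in the hunk at -426, yet the following hunk at -435 still passes `actor` to the `PolicyEnforcer` constructor; unless `actor` is now declared earlier in the method outside the hunk, this does not compile. If it was deliberately moved, a one-line comment at the `PolicyEnforcer` call naming where `actor` now comes from would save the next reader the search. The new `WSSConstants.NS_SOAP12.equals(msg.getVersion().getNamespace())` argument duplicates the expression added to AbstractWSS4JStaxInterceptor in this commit. The enclosing method starts outside the hunk.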
@@ -35,6 +35,7 @@ import java.util.concurrent.ConcurrentHashMap; import java.util.logging.Level; import java.util.logging.Logger; +import javax.crypto.SecretKey; import javax.security.auth.callback.CallbackHandler; import javax.xml.XMLConstants; import javax.xml.crypto.dsig.Reference; @@ -102,6 +103,7 @@ import org.apache.wss4j.common.token.BinarySecurity; import org.apache.wss4j.common.token.SecurityTokenReference; import org.apache.wss4j.common.token.X509Security; import org.apache.wss4j.common.util.Loader; +import org.apache.wss4j.common.util.UsernameTokenUtil; import org.apache.wss4j.common.util.XMLUtils; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.WSDocInfo; @@ -579,7 +581,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle } else { sig.setCustomTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE); } - sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature()); + sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature()); sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue()); Crypto crypto = secToken.getCrypto(); 
@@ -610,19 +612,20 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle protected void handleUsernameTokenSupportingToken( UsernameToken token, boolean endorse, boolean encryptedToken, List<SupportingToken> ret ) throws WSSecurityException { - if (endorse) { - WSSecUsernameToken utBuilder = addDKUsernameToken(token, true); + if (endorse && isTokenRequired(token.getIncludeTokenType())) { + byte[] salt = UsernameTokenUtil.generateSalt(true); + WSSecUsernameToken utBuilder = addDKUsernameToken(token, salt, true); if (utBuilder != null) { - utBuilder.prepare(); + utBuilder.prepare(salt); addSupportingElement(utBuilder.getUsernameTokenElement()); - ret.add(new SupportingToken(token, utBuilder, null)); + ret.add(new SupportingToken(token, utBuilder, null, salt)); if (encryptedToken) { WSEncryptionPart part = new WSEncryptionPart(utBuilder.getId(), "Element"); part.setElement(utBuilder.getUsernameTokenElement()); encryptedTokensList.add(part); } } - } else { + } else if (!endorse) { WSSecUsernameToken utBuilder = addUsernameToken(token); if (utBuilder != null) { utBuilder.prepare(); @@ -862,7 +865,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle return null; } - protected WSSecUsernameToken addDKUsernameToken(UsernameToken token, boolean useMac) { + protected WSSecUsernameToken addDKUsernameToken(UsernameToken token, byte[] salt, boolean useMac) { assertToken(token); if (!isTokenRequired(token.getIncludeTokenType())) { return null; @@ -883,8 +886,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle if (!StringUtils.isEmpty(password)) { // If the password is available then build the token utBuilder.setUserInfo(userName, password); - utBuilder.addDerivedKey(useMac, null, 1000); - utBuilder.prepare(); + utBuilder.addDerivedKey(useMac, 1000); + utBuilder.prepare(salt); } else { unassertPolicy(token, "No password available"); return null; 
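Review bot: In `handleUsernameTokenSupportingToken` the salt from `UsernameTokenUtil.generateSalt(true)` is created before `addDKUsernameToken` decides whether a token is built at all, and when that returns null (no password available) the salt is simply dropped, while the success path elsewhere in this commit clears it with `Arrays.fill`. The builder needs the salt up front, so an `else { Arrays.fill(salt, (byte)0); }` on the null branch keeps the handling uniform. `addDKUsernameToken` also gains a `salt` parameter with no documentation; a Javadoc line such as `@param salt salt for the derived key; the caller keeps it and must clear it once the derived key has been computed` would state the ownership.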
@@ -1502,7 +1505,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle return null; } - protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractToken token) throws WSSecurityException { + protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractToken token, + SecretKey symmetricKey) throws WSSecurityException { WSSecEncryptedKey encrKey = new WSSecEncryptedKey(secHeader); encrKey.setIdAllocator(wssConfig.getIdAllocator()); encrKey.setCallbackLookup(callbackLookup); @@ -1523,11 +1527,10 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle String encrUser = setEncryptionUser(encrKey, token, false, crypto); AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType(); - encrKey.setSymmetricEncAlgorithm(algType.getEncryption()); encrKey.setKeyEncAlgo(algType.getAsymmetricKeyWrap()); encrKey.setMGFAlgorithm(algType.getMGFAlgo()); - encrKey.prepare(crypto); + encrKey.prepare(crypto, symmetricKey); if (alsoIncludeToken) { X509Certificate encCert = getEncryptCert(crypto, encrUser); @@ -1898,7 +1901,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle password = getPassword(user, token, WSPasswordCallback.SIGNATURE); } sig.setUserInfo(user, password); - sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature()); + sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature()); AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType(); sig.setDigestAlgo(algType.getDigest()); sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue()); 
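Review bot: `getEncryptedKeyBuilder` no longer calls `encrKey.setSymmetricEncAlgorithm(algType.getEncryption())`, so the algorithm and size of the wrapped key are now determined entirely by the `symmetricKey` the caller passes in, and nothing here checks that it matches the policy's encryption algorithm. Javadoc on the new parameter would make that contract explicit: `@param symmetricKey the key to wrap; must have been generated for the algorithm returned by the binding's AlgorithmSuiteType.getEncryption()`. Whether WSS4J 2.3.0's `prepare(Crypto, SecretKey)` tolerates a null key I cannot tell from here; an `Objects.requireNonNull(symmetricKey, "symmetricKey");` at the top would fail more clearly than an NPE inside the builder.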
@@ -1990,8 +1993,9 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle } try { - byte[] secret = utBuilder.getDerivedKey(); + byte[] secret = utBuilder.getDerivedKey(supportingToken.getSalt()); secToken.setSecret(secret); + Arrays.fill(supportingToken.getSalt(), (byte)0); if (supportingToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) { doSymmSignatureDerived(supportingToken.getToken(), secToken, sigParts, @@ -2040,7 +2044,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle if (ref != null) { ref = cloneElement(ref); - dkSign.setExternalKey(tok.getSecret(), ref); + dkSign.setStrElem(ref); } else if (!isRequestor() && policyToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) { // If the Encrypted key used to create the derived key is not // attached use key identifier as defined in WSS1.1 section @@ -2051,14 +2055,14 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle tokenRef.setKeyIdentifierEncKeySHA1(tok.getSHA1()); tokenRef.addTokenType(WSS4JConstants.WSS_ENC_KEY_VALUE_TYPE); } - dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement()); + dkSign.setStrElem(tokenRef.getElement()); } else { - dkSign.setExternalKey(tok.getSecret(), tok.getId()); + dkSign.setTokenIdentifier(tok.getId()); } //Set the algo info - dkSign.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature()); + dkSign.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature()); dkSign.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue()); AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType(); dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8); 
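Review bot: `Arrays.fill(supportingToken.getSalt(), (byte)0)` throws a NullPointerException when the SupportingToken was built with the three-argument constructor, which stores `salt == null`; that same null has already been handed to `utBuilder.getDerivedKey(...)` on the line above. Even if this path is only reached for tokens created with a salt, a guard documents that assumption: `byte[] salt = supportingToken.getSalt(); if (salt != null) { Arrays.fill(salt, (byte)0); }`. The clearing also sits inside a `try` whose catch is outside the hunk, so if `getDerivedKey` throws the salt is never cleared; a `finally` would cover both paths. The enclosing method starts and ends outside the hunk, and I cannot see whether `java.util.Arrays` is already imported.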
@@ -2070,7 +2074,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle dkSign.setCustomValueType(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE); } - dkSign.prepare(); + dkSign.prepare(tok.getSecret()); if (isTokenProtection) { String sigTokId = XMLUtils.getIDFromReference(tok.getId()); @@ -2093,6 +2097,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle } addSig(dkSign.getSignatureValue()); + dkSign.clean(); } private void doSymmSignature(AbstractToken policyToken, SecurityToken tok, @@ -2149,7 +2154,7 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle sigTokId = XMLUtils.getIDFromReference(sigTokId); sig.setCustomTokenId(sigTokId); sig.setSecretKey(tok.getSecret()); - sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature()); + sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature()); AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType(); sig.setDigestAlgo(algType.getDigest()); sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue()); @@ -2355,12 +2360,19 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle private final AbstractToken token; private final Object tokenImplementation; private final List<WSEncryptionPart> signedParts; + private final byte[] salt; SupportingToken(AbstractToken token, Object tokenImplementation, - List<WSEncryptionPart> signedParts) { + List<WSEncryptionPart> signedParts) { + this(token, tokenImplementation, signedParts, null); + } + + SupportingToken(AbstractToken token, Object tokenImplementation, + List<WSEncryptionPart> signedParts, byte[] salt) { this.token = token; this.tokenImplementation = tokenImplementation; this.signedParts = signedParts; + this.salt = salt; } public AbstractToken getToken() { 
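Review bot: `dkSign.clean()` in the -2093 hunk is only reached on the success path after `addSig(dkSign.getSignatureValue())`; if `dkSign.prepare(tok.getSecret())` or any step between it and the signature computation throws, the derived key material stays in the builder. Wrapping the stretch from `prepare` to `addSig` in `try { ... } finally { dkSign.clean(); }` clears it on both paths. The enclosing method starts outside the hunk.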
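Review bot: In the -2355 hunk `SupportingToken` stores the `salt` array by reference and the new `getSalt()` returns that same array, so callers can, and in this commit do, zero it in place; that is deliberate but invisible from the class itself. A comment on the field, `// salt for the derived-key UsernameToken; shared with the caller, who clears it once the derived key is computed`, would record the ownership, and a Javadoc line on the four-argument constructor saying that `salt` may be null for tokens without a derived key would explain why the three-argument constructor delegates with `null`.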
@@ -2375,6 +2387,10 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle return signedParts; } + public byte[] getSalt() { + return salt; + } + } protected void addSig(byte[] val) { diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java index c674c99..b5a2d6b 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractStaxBindingHandler.java @@ -540,10 +540,10 @@ public abstract class AbstractStaxBindingHandler extends AbstractCommonBindingHa if (binding instanceof SymmetricBinding) { userNameKey = SecurityConstants.ENCRYPT_USERNAME; properties.setSignatureAlgorithm( - binding.getAlgorithmSuite().getSymmetricSignature()); + binding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature()); } else { properties.setSignatureAlgorithm( - binding.getAlgorithmSuite().getAsymmetricSignature()); + binding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature()); } properties.setSignatureCanonicalizationAlgorithm( binding.getAlgorithmSuite().getC14n().getValue()); diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java index df31bc7..ff716f1 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java 
@@ -28,6 +28,8 @@ import java.util.List; import java.util.logging.Level; import java.util.logging.Logger; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; import javax.xml.crypto.dsig.Reference; import javax.xml.namespace.QName; import javax.xml.soap.SOAPException; @@ -54,6 +56,7 @@ import org.apache.wss4j.common.crypto.Crypto; import org.apache.wss4j.common.derivedKey.ConversationConstants; import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.saml.SamlAssertionWrapper; +import org.apache.wss4j.common.util.KeyUtils; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.engine.WSSConfig; import org.apache.wss4j.dom.engine.WSSecurityEngineResult; @@ -224,12 +227,24 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { encToken = abinding.getInitiatorToken(); } } - doEncryption(encToken, enc, false); + if (encToken != null) { + WSSecBase encr = null; + if (encToken.getToken() != null && !enc.isEmpty()) { + if (encToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) { + encr = doEncryptionDerived(encToken, enc); + } else { + String symEncAlgorithm = abinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption(); + KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm); + SecretKey symmetricKey = keyGen.generateKey(); + encr = doEncryption(encToken, enc, false, symmetricKey); + } + + encr.clean(); + } assertTokenWrapper(encToken); assertToken(encToken.getToken()); } - } catch (Exception e) { String reason = e.getMessage(); LOG.log(Level.WARNING, "Sign before encryption failed due to : " + reason); 
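Review bot: In the -224 hunk `encr.clean()` is called unconditionally, but `doEncryption` returns null when it catches a WSSecurityException (it logs, calls `unassertPolicy` and returns null, visible later in this diff) and `doEncryptionDerived` appears to be structured the same way; on that path the new code throws a NullPointerException, which the surrounding `catch (Exception e)` then reports as a sign-before-encryption failure. Guard it: `if (encr != null) { encr.clean(); }`. The generated `symmetricKey` is not cleared here either; whether the SecretKey implementation supports `destroy()` is not visible from the hunk, so at least a comment noting that the key object is left to the garbage collector would help. The enclosing method starts outside the hunk.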
@@ -333,9 +348,21 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { } WSSecBase encrBase = null; + SecretKey symmetricKey = null; if (encryptionToken != null && !encrParts.isEmpty()) { - encrBase = doEncryption(wrapper, encrParts, true); - handleEncryptedSignedHeaders(encrParts, sigParts); + if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) { + encrBase = doEncryptionDerived(wrapper, encrParts); + } else { + String symEncAlgorithm = abinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption(); + try { + KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm); + symmetricKey = keyGen.generateKey(); + encrBase = doEncryption(wrapper, encrParts, true, symmetricKey); + } catch (WSSecurityException ex) { + LOG.log(Level.FINE, ex.getMessage(), ex); + throw new Fault(ex); + } + } } if (!isRequestor()) { @@ -369,12 +396,15 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { } if (encrBase != null) { - encryptTokensInSecurityHeader(encryptionToken, encrBase); + encryptTokensInSecurityHeader(encryptionToken, encrBase, symmetricKey); + encrBase.clean(); } } - private void encryptTokensInSecurityHeader(AbstractToken encryptionToken, WSSecBase encrBase) { + private void encryptTokensInSecurityHeader(AbstractToken encryptionToken, + WSSecBase encrBase, + SecretKey symmetricKey) { List<WSEncryptionPart> secondEncrParts = new ArrayList<>(); // Check for signature protection @@ -428,7 +458,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { } else { this.insertBeforeBottomUp(secondRefList); } - ((WSSecEncrypt)encrBase).encryptForRef(secondRefList, secondEncrParts); + ((WSSecEncrypt)encrBase).encryptForRef(secondRefList, secondEncrParts, symmetricKey); } catch (WSSecurityException ex) { LOG.log(Level.FINE, ex.getMessage(), ex); 
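Review bot: The old code called `handleEncryptedSignedHeaders(encrParts, sigParts)` immediately after `doEncryption`; the new branches at -333 do not call it, and it is not re-added anywhere in this hunk. Unless that call was moved to a part of the method outside the hunk, signed headers that are also encrypted are no longer passed through that helper, which is a behavioural change the commit message does not mention; please confirm or restore `handleEncryptedSignedHeaders(encrParts, sigParts);` after the if/else. Separately, in the derived-key branch `symmetricKey` stays null and is then passed via `encryptTokensInSecurityHeader` to `encryptForRef(secondRefList, secondEncrParts, symmetricKey)`, which presumably only runs when `encrBase` is a `WSSecEncrypt`; a comment at the cast stating that would help. The enclosing method starts outside the hunk.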
@@ -439,125 +469,121 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { private WSSecBase doEncryption(AbstractTokenWrapper recToken, List<WSEncryptionPart> encrParts, - boolean externalRef) { - //Do encryption - if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) { - AbstractToken encrToken = recToken.getToken(); - assertPolicy(recToken); - assertPolicy(encrToken); - AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite(); - if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) { - return doEncryptionDerived(recToken, encrToken, encrParts, algorithmSuite); - } - try { - WSSecEncrypt encr = new WSSecEncrypt(secHeader); - encr.setEncryptionSerializer(new StaxSerializer()); - encr.setIdAllocator(wssConfig.getIdAllocator()); - encr.setCallbackLookup(callbackLookup); - encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message)); - encr.setStoreBytesInAttachment(storeBytesInAttachment); - encr.setExpandXopInclude(isExpandXopInclude()); - encr.setWsDocInfo(wsDocInfo); - - Crypto crypto = getEncryptionCrypto(); - - SecurityToken securityToken = getSecurityToken(); - if (!isRequestor() && securityToken != null - && recToken.getToken() instanceof SamlToken) { - String tokenType = securityToken.getTokenType(); - if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) - || WSS4JConstants.SAML_NS.equals(tokenType)) { - encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE); - encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); - encr.setCustomEKTokenId(securityToken.getId()); - } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) - || WSS4JConstants.SAML2_NS.equals(tokenType)) { - encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE); - encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); - encr.setCustomEKTokenId(securityToken.getId()); - } else { - setKeyIdentifierType(encr, encrToken); - } + boolean externalRef, + SecretKey 
symmetricKey) { + AbstractToken encrToken = recToken.getToken(); + assertPolicy(recToken); + assertPolicy(encrToken); + try { + WSSecEncrypt encr = new WSSecEncrypt(secHeader); + encr.setEncryptionSerializer(new StaxSerializer()); + encr.setIdAllocator(wssConfig.getIdAllocator()); + encr.setCallbackLookup(callbackLookup); + encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message)); + encr.setStoreBytesInAttachment(storeBytesInAttachment); + encr.setExpandXopInclude(isExpandXopInclude()); + encr.setWsDocInfo(wsDocInfo); + + Crypto crypto = getEncryptionCrypto(); + + SecurityToken securityToken = getSecurityToken(); + if (!isRequestor() && securityToken != null + && recToken.getToken() instanceof SamlToken) { + String tokenType = securityToken.getTokenType(); + if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) + || WSS4JConstants.SAML_NS.equals(tokenType)) { + encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE); + encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); + encr.setCustomEKTokenId(securityToken.getId()); + } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) + || WSS4JConstants.SAML2_NS.equals(tokenType)) { + encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE); + encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); + encr.setCustomEKTokenId(securityToken.getId()); } else { setKeyIdentifierType(encr, encrToken); } - // - // Using a stored cert is only suitable for the Issued Token case, where - // we're extracting the cert from a SAML Assertion on the provider side - // - if (!isRequestor() && securityToken != null - && securityToken.getX509Certificate() != null) { - encr.setUseThisCert(securityToken.getX509Certificate()); - } else if (!isRequestor() && securityToken != null - && securityToken.getKey() instanceof PublicKey) { - encr.setUseThisPublicKey((PublicKey)securityToken.getKey()); - encr.setKeyIdentifierType(WSConstants.KEY_VALUE); - } else { - 
setEncryptionUser(encr, encrToken, false, crypto); - } - if (!encr.isCertSet() && encr.getUseThisPublicKey() == null && crypto == null) { - unassertPolicy(recToken, "Missing security configuration. " - + "Make sure jaxws:client element is configured " - + "with a " + SecurityConstants.ENCRYPT_PROPERTIES + " value."); - } - AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType(); - encr.setSymmetricEncAlgorithm(algType.getEncryption()); - encr.setKeyEncAlgo(algType.getAsymmetricKeyWrap()); - encr.setMGFAlgorithm(algType.getMGFAlgo()); - encr.setDigestAlgorithm(algType.getEncryptionDigest()); - encr.prepare(crypto); - - Element encryptedKeyElement = encr.getEncryptedKeyElement(); - List<Element> attachments = encr.getAttachmentEncryptedDataElements(); - //Encrypt, get hold of the ref list and add it - if (externalRef) { - Element refList = encr.encryptForRef(null, encrParts); - if (refList != null) { - insertBeforeBottomUp(refList); - } - if (attachments != null) { - for (Element attachment : attachments) { - this.insertBeforeBottomUp(attachment); - } - } - if (refList != null || (attachments != null && !attachments.isEmpty())) { - this.addEncryptedKeyElement(encryptedKeyElement); - } - } else { - Element refList = encr.encryptForRef(null, encrParts); - if (refList != null || (attachments != null && !attachments.isEmpty())) { - this.addEncryptedKeyElement(encryptedKeyElement); - } - - // Add internal refs - if (refList != null) { - encryptedKeyElement.appendChild(refList); - } - if (attachments != null) { - for (Element attachment : attachments) { - this.addEncryptedKeyElement(attachment); - } + } else { + setKeyIdentifierType(encr, encrToken); + } + // + // Using a stored cert is only suitable for the Issued Token case, where + // we're extracting the cert from a SAML Assertion on the provider side + // + if (!isRequestor() && securityToken != null + && securityToken.getX509Certificate() != null) { + 
encr.setUseThisCert(securityToken.getX509Certificate()); + } else if (!isRequestor() && securityToken != null + && securityToken.getKey() instanceof PublicKey) { + encr.setUseThisPublicKey((PublicKey)securityToken.getKey()); + encr.setKeyIdentifierType(WSConstants.KEY_VALUE); + } else { + setEncryptionUser(encr, encrToken, false, crypto); + } + if (!encr.isCertSet() && encr.getUseThisPublicKey() == null && crypto == null) { + unassertPolicy(recToken, "Missing security configuration. " + + "Make sure jaxws:client element is configured " + + "with a " + SecurityConstants.ENCRYPT_PROPERTIES + " value."); + } + AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite(); + AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType(); + encr.setSymmetricEncAlgorithm(algType.getEncryption()); + encr.setKeyEncAlgo(algType.getAsymmetricKeyWrap()); + encr.setMGFAlgorithm(algType.getMGFAlgo()); + encr.setDigestAlgorithm(algType.getEncryptionDigest()); + encr.prepare(crypto, symmetricKey); + + Element encryptedKeyElement = encr.getEncryptedKeyElement(); + List<Element> attachments = encr.getAttachmentEncryptedDataElements(); + //Encrypt, get hold of the ref list and add it + if (externalRef) { + Element refList = encr.encryptForRef(null, encrParts, symmetricKey); + if (refList != null) { + insertBeforeBottomUp(refList); + } + if (attachments != null) { + for (Element attachment : attachments) { + this.insertBeforeBottomUp(attachment); } } + if (refList != null || (attachments != null && !attachments.isEmpty())) { + this.addEncryptedKeyElement(encryptedKeyElement); + } + } else { + Element refList = encr.encryptForRef(null, encrParts, symmetricKey); + if (refList != null || (attachments != null && !attachments.isEmpty())) { + this.addEncryptedKeyElement(encryptedKeyElement); + } - // Put BST before EncryptedKey element - if (encr.getBSTTokenId() != null) { - encr.prependBSTElementToHeader(); + // Add internal refs + if (refList != null) { + 
encryptedKeyElement.appendChild(refList); + } + if (attachments != null) { + for (Element attachment : attachments) { + this.addEncryptedKeyElement(attachment); + } } + } - return encr; - } catch (WSSecurityException e) { - LOG.log(Level.FINE, e.getMessage(), e); - unassertPolicy(recToken, e); + // Put BST before EncryptedKey element + if (encr.getBSTTokenId() != null) { + encr.prependBSTElementToHeader(); } + + return encr; + } catch (WSSecurityException e) { + LOG.log(Level.FINE, e.getMessage(), e); + unassertPolicy(recToken, e); } return null; } private WSSecBase doEncryptionDerived(AbstractTokenWrapper recToken, - AbstractToken encrToken, - List<WSEncryptionPart> encrParts, - AlgorithmSuite algorithmSuite) { + List<WSEncryptionPart> encrParts) { + AbstractToken encrToken = recToken.getToken(); + assertPolicy(recToken); + assertPolicy(encrToken); try { WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(secHeader); dkEncr.setEncryptionSerializer(new StaxSerializer()); @@ -575,14 +601,16 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { setupEncryptedKey(encrToken); } - dkEncr.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId); + dkEncr.setTokenIdentifier(this.encryptedKeyId); dkEncr.getParts().addAll(encrParts); dkEncr.setCustomValueType(WSS4JConstants.SOAPMESSAGE_NS11 + "#" + WSS4JConstants.ENC_KEY_VALUE_TYPE); + + AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite(); AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType(); dkEncr.setSymmetricEncAlgorithm(algType.getEncryption()); dkEncr.setDerivedKeyLength(algType.getEncryptionDerivedKeyLength() / 8); - dkEncr.prepare(); + dkEncr.prepare(this.encryptedKeyValue); addDerivedKeyElement(dkEncr.getdktElement()); Element refList = dkEncr.encryptForExternalRef(null, encrParts); 
@@ -639,6 +667,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { if (!attached && isTokenRequired(sigToken.getIncludeTokenType())) { WSSecSignature sig = getSignatureBuilder(sigToken, attached, false); sig.appendBSTElementToHeader(); + sig.clean(); } return; } @@ -657,10 +686,10 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { dkSign.setWscVersion(ConversationConstants.VERSION_05_02); } - dkSign.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId); + dkSign.setTokenIdentifier(this.encryptedKeyId); // Set the algo info - dkSign.setSignatureAlgorithm(abinding.getAlgorithmSuite().getSymmetricSignature()); + dkSign.setSignatureAlgorithm(abinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature()); dkSign.setSigCanonicalization(abinding.getAlgorithmSuite().getC14n().getValue()); AlgorithmSuiteType algType = abinding.getAlgorithmSuite().getAlgorithmSuiteType(); dkSign.setDigestAlgorithm(algType.getDigest()); @@ -675,7 +704,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { dkSign.setAddInclusivePrefixes(includePrefixes); try { - dkSign.prepare(); + dkSign.prepare(this.encryptedKeyValue); if (abinding.isProtectTokens()) { assertPolicy( @@ -711,6 +740,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { mainSigId = dkSign.getSignatureId(); } + dkSign.clean(); } catch (Exception ex) { LOG.log(Level.FINE, ex.getMessage(), ex); throw new Fault(ex); @@ -757,6 +787,8 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { mainSigId = sig.getId(); } + + sig.clean(); } } 
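Review bot: In the @@ -711 hunk `dkSign.clean()` is placed inside the try block, so any exception thrown after `dkSign.prepare(this.encryptedKeyValue)` skips it, and the same applies to `sig.clean()` in the @@ -757 hunk if that call also sits inside a try. If `clean()` releases the key material handed to the builder, as its placement right after the signature is produced suggests, the exception path is presumably where leaving it behind matters most. Move it into a finally clause: `} catch (Exception ex) { LOG.log(Level.FINE, ex.getMessage(), ex); throw new Fault(ex); } finally { dkSign.clean(); }`. The enclosing method starts and ends outside these hunks, so confirm that `dkSign` is declared before the try.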
@@ -797,7 +829,11 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { private void createEncryptedKey(AbstractToken token) throws WSSecurityException { //Set up the encrypted key to use - encrKey = this.getEncryptedKeyBuilder(token); + AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType(); + KeyGenerator keyGen = KeyUtils.getKeyGenerator(algType.getEncryption()); + SecretKey symmetricKey = keyGen.generateKey(); + + encrKey = this.getEncryptedKeyBuilder(token, symmetricKey); Element bstElem = encrKey.getBinarySecurityTokenElement(); if (bstElem != null) { // If a BST is available then use it @@ -806,7 +842,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { // Add the EncryptedKey this.addEncryptedKeyElement(encrKey.getEncryptedKeyElement()); - encryptedKeyValue = encrKey.getEphemeralKey(); + encryptedKeyValue = symmetricKey.getEncoded(); encryptedKeyId = encrKey.getId(); } diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java index bc96d32..19d8af1 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java 
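Review bot: `createEncryptedKey` reads the suite through `binding.getAlgorithmSuite()` while the neighbouring hunks of this class (@@ -657, @@ -675) use `abinding.getAlgorithmSuite()`; the two presumably resolve to the same object, but mixing them makes a reader stop and check. Prefer `AlgorithmSuiteType algType = abinding.getAlgorithmSuite().getAlgorithmSuiteType();`. The same mix appears in `setupEncryptedKey` in the SymmetricBindingHandler (@@ -908 hunk), which uses `binding` where the rest of that file uses `sbinding`. The method's end lies outside this hunk.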
@@ -89,12 +89,12 @@ public class StaxAsymmetricBindingHandler extends AbstractStaxBindingHandler { String asymSignatureAlgorithm = (String)getMessage().getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM); if (asymSignatureAlgorithm != null && abinding.getAlgorithmSuite() != null) { - abinding.getAlgorithmSuite().setAsymmetricSignature(asymSignatureAlgorithm); + abinding.getAlgorithmSuite().getAlgorithmSuiteType().setAsymmetricSignature(asymSignatureAlgorithm); } String symSignatureAlgorithm = (String)getMessage().getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM); if (symSignatureAlgorithm != null && abinding.getAlgorithmSuite() != null) { - abinding.getAlgorithmSuite().setSymmetricSignature(symSignatureAlgorithm); + abinding.getAlgorithmSuite().getAlgorithmSuiteType().setSymmetricSignature(symSignatureAlgorithm); } if (abinding.getProtectionOrder() @@ -451,7 +451,7 @@ public class StaxAsymmetricBindingHandler extends AbstractStaxBindingHandler { if (sigToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) { properties.setSignatureAlgorithm( - abinding.getAlgorithmSuite().getSymmetricSignature()); + abinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature()); } } diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java index 3d0866a..ab85195 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java 
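Review bot: The per-message override now mutates the `AlgorithmSuiteType` held by the policy's `AlgorithmSuite`, and nothing in the hunk shows whether `getAlgorithmSuiteType()` returns a per-policy copy or a shared suite definition. If it is shared, a `SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM` or `SYMMETRIC_SIGNATURE_ALGORITHM` value supplied for one message would silently change the signature algorithm applied to other messages and endpoints; the previous setters on `AlgorithmSuite` carried the same question, but the mutated object now sits one level deeper. Worth confirming and recording next to the first setter: `// mutates the suite type held by this binding's policy; confirm it is a per-policy instance, not a shared one`. The same pattern appears in the StaxSymmetricBindingHandler (@@ -112) and StaxTransportBindingHandler (@@ -94) hunks.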
@@ -112,12 +112,12 @@ public class StaxSymmetricBindingHandler extends AbstractStaxBindingHandler { String asymSignatureAlgorithm = (String)getMessage().getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM); if (asymSignatureAlgorithm != null && sbinding.getAlgorithmSuite() != null) { - sbinding.getAlgorithmSuite().setAsymmetricSignature(asymSignatureAlgorithm); + sbinding.getAlgorithmSuite().getAlgorithmSuiteType().setAsymmetricSignature(asymSignatureAlgorithm); } String symSignatureAlgorithm = (String)getMessage().getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM); if (symSignatureAlgorithm != null && sbinding.getAlgorithmSuite() != null) { - sbinding.getAlgorithmSuite().setSymmetricSignature(symSignatureAlgorithm); + sbinding.getAlgorithmSuite().getAlgorithmSuiteType().setSymmetricSignature(symSignatureAlgorithm); } // Set up CallbackHandler which wraps the configured Handler @@ -593,7 +593,7 @@ public class StaxSymmetricBindingHandler extends AbstractStaxBindingHandler { if (sigToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) { properties.setSignatureAlgorithm( - sbinding.getAlgorithmSuite().getSymmetricSignature()); + sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature()); } } diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java index 3f9dcf5..b64e186 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxTransportBindingHandler.java 
@@ -94,12 +94,12 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler { String asymSignatureAlgorithm = (String)getMessage().getContextualProperty(SecurityConstants.ASYMMETRIC_SIGNATURE_ALGORITHM); if (asymSignatureAlgorithm != null && tbinding.getAlgorithmSuite() != null) { - tbinding.getAlgorithmSuite().setAsymmetricSignature(asymSignatureAlgorithm); + tbinding.getAlgorithmSuite().getAlgorithmSuiteType().setAsymmetricSignature(asymSignatureAlgorithm); } String symSignatureAlgorithm = (String)getMessage().getContextualProperty(SecurityConstants.SYMMETRIC_SIGNATURE_ALGORITHM); if (symSignatureAlgorithm != null && tbinding.getAlgorithmSuite() != null) { - tbinding.getAlgorithmSuite().setSymmetricSignature(symSignatureAlgorithm); + tbinding.getAlgorithmSuite().getAlgorithmSuiteType().setSymmetricSignature(symSignatureAlgorithm); } TransportToken token = tbinding.getTransportToken(); @@ -315,9 +315,11 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler { WSSSecurityProperties properties = getProperties(); if (securityToken != null && securityToken.getSecret() != null) { - properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getSymmetricSignature()); + properties.setSignatureAlgorithm( + tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature()); } else { - properties.setSignatureAlgorithm(tbinding.getAlgorithmSuite().getAsymmetricSignature()); + properties.setSignatureAlgorithm( + tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature()); } properties.setSignatureCanonicalizationAlgorithm(tbinding.getAlgorithmSuite().getC14n().getValue()); AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType(); 
@@ -344,7 +346,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler { properties.setIncludeSignatureToken(true); properties.setSignatureAlgorithm( - tbinding.getAlgorithmSuite().getSymmetricSignature()); + tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature()); properties.setSignatureCanonicalizationAlgorithm( tbinding.getAlgorithmSuite().getC14n().getValue()); AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType(); @@ -357,7 +359,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler { WSSSecurityProperties properties = getProperties(); properties.setSignatureAlgorithm( - tbinding.getAlgorithmSuite().getAsymmetricSignature()); + tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature()); properties.setSignatureCanonicalizationAlgorithm( tbinding.getAlgorithmSuite().getC14n().getValue()); AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType(); @@ -373,7 +375,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler { signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements()); properties.setSignatureAlgorithm( - tbinding.getAlgorithmSuite().getSymmetricSignature()); + tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature()); properties.setSignatureCanonicalizationAlgorithm( tbinding.getAlgorithmSuite().getC14n().getValue()); AlgorithmSuiteType algType = tbinding.getAlgorithmSuite().getAlgorithmSuiteType(); @@ -397,7 +399,7 @@ public class StaxTransportBindingHandler extends AbstractStaxBindingHandler { configureSignature(token, false); if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) { properties.setSignatureAlgorithm( - tbinding.getAlgorithmSuite().getSymmetricSignature()); + tbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature()); } } 
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java index 87a6a30..263982d 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java @@ -21,9 +21,12 @@ package org.apache.cxf.ws.security.wss4j.policyhandlers; import java.time.Instant; import java.util.ArrayList; +import java.util.Arrays; import java.util.List; import java.util.logging.Level; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; import javax.xml.crypto.dsig.Reference; import javax.xml.namespace.QName; import javax.xml.soap.SOAPException; @@ -53,6 +56,7 @@ import org.apache.wss4j.common.derivedKey.ConversationConstants; import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.token.SecurityTokenReference; import org.apache.wss4j.common.util.KeyUtils; +import org.apache.wss4j.common.util.UsernameTokenUtil; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.engine.WSSConfig; import org.apache.wss4j.dom.engine.WSSecurityEngineResult; 
@@ -206,7 +210,24 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { sigParts.addAll(this.getSignedParts(null)); List<WSEncryptionPart> encrParts = getEncryptedParts(); - WSSecBase encr = doEncryption(encryptionWrapper, tok, attached, encrParts, true); + + WSSecBase encr = null; + SecretKey symmetricKey = null; + if (encryptionWrapper.getToken() != null && !encrParts.isEmpty()) { + if (encryptionWrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) { + encr = doEncryptionDerived(encryptionWrapper, tok, attached, encrParts, true); + } else { + byte[] ephemeralKey = tok.getSecret(); + String symEncAlgorithm = sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption(); + if (ephemeralKey != null) { + symmetricKey = KeyUtils.prepareSecretKey(symEncAlgorithm, ephemeralKey); + } else { + KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm); + symmetricKey = keyGen.generateKey(); + } + encr = doEncryption(encryptionWrapper, tok, attached, encrParts, true, symmetricKey); + } + } handleEncryptedSignedHeaders(encrParts, sigParts); if (!isRequestor()) { 
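Review bot: The `else` branch generates a fresh content-encryption key when `tok.getSecret()` is null, but nothing stores that key on `tok` or in the token store, and `doEncryption` in this commit configures the builder with `setEncryptSymmKey(false)`, so the key is not transported in an EncryptedKey either. Unless the recipient can obtain it from the referenced token by some other route, a message encrypted in this branch would not be decryptable, so the intent deserves a comment: `// no secret on the token: generate one; it is not wrapped in an EncryptedKey, so the recipient must already hold it via the referenced token`. If the branch is in fact unreachable for a correctly issued token, an explicit `unassertPolicy(encryptionWrapper, ...)` would make that visible rather than silently encrypting to a random key. The enclosing method continues outside the hunk.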
@@ -248,20 +269,24 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { secondEncrParts.addAll(encryptedTokensList); } - Element secondRefList = null; + if (!secondEncrParts.isEmpty()) { + Element secondRefList = null; - if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys - && !secondEncrParts.isEmpty()) { - secondRefList = ((WSSecDKEncrypt)encr).encryptForExternalRef(null, - secondEncrParts); - } else if (!secondEncrParts.isEmpty()) { - //Encrypt, get hold of the ref list and add it - secondRefList = ((WSSecEncrypt)encr).encryptForRef(null, secondEncrParts); - } - if (secondRefList != null) { - this.addDerivedKeyElement(secondRefList); + if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) { + secondRefList = ((WSSecDKEncrypt)encr).encryptForExternalRef(null, secondEncrParts); + } else { + //Encrypt, get hold of the ref list and add it + secondRefList = ((WSSecEncrypt)encr).encryptForRef(null, secondEncrParts, symmetricKey); + } + if (secondRefList != null) { + this.addDerivedKeyElement(secondRefList); + } } } + + if (encr != null) { + encr.clean(); + } } } catch (RuntimeException ex) { LOG.log(Level.FINE, ex.getMessage(), ex); 
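Review bot: `((WSSecEncrypt)encr).encryptForRef(null, secondEncrParts, symmetricKey)` runs whenever `secondEncrParts` is non-empty, but `encr` and `symmetricKey` are only assigned in the @@ -206 hunk when `encrParts` is non-empty and `doEncryption` did not return null after a `WSSecurityException`; the `if (encr != null)` guard added around `clean()` shows that null is expected here. With `encr` null this line throws a NullPointerException that the `catch (RuntimeException ex)` below turns into a Fault, which fails closed but hides the real cause behind a generic error. An explicit check that reports the policy failure before the cast is clearer: `if (encr == null) { unassertPolicy(encryptionWrapper, "No encryption builder available to encrypt the signature and tokens"); }`, keeping the subsequent failure rather than skipping the encryption. The enclosing method starts outside the hunk.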
@@ -385,23 +410,41 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { if (isRequestor()) { enc.addAll(encryptedTokensList); } - doEncryption(encrAbstractTokenWrapper, - encrTok, - tokIncluded, - enc, - false); + + if (encrAbstractTokenWrapper.getToken() != null && !enc.isEmpty()) { + WSSecBase encr = null; + if (encrAbstractTokenWrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) { + encr = doEncryptionDerived(encrAbstractTokenWrapper, encrTok, tokIncluded, enc, false); + } else { + byte[] ephemeralKey = encrTok.getSecret(); + SecretKey symmetricKey = null; + String symEncAlgorithm = sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption(); + if (ephemeralKey != null) { + symmetricKey = KeyUtils.prepareSecretKey(symEncAlgorithm, ephemeralKey); + } else { + KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm); + symmetricKey = keyGen.generateKey(); + } + encr = doEncryption(encrAbstractTokenWrapper, encrTok, tokIncluded, enc, false, symmetricKey); + } + + encr.clean(); + } } catch (Exception e) { LOG.log(Level.FINE, e.getMessage(), e); throw new Fault(e); } } - private WSSecBase doEncryptionDerived(AbstractTokenWrapper recToken, + private WSSecDKEncrypt doEncryptionDerived(AbstractTokenWrapper recToken, SecurityToken encrTok, - AbstractToken encrToken, boolean attached, List<WSEncryptionPart> encrParts, boolean atEnd) { + + AbstractToken encrToken = recToken.getToken(); + assertPolicy(recToken); + assertPolicy(encrToken); try { WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(secHeader); dkEncr.setEncryptionSerializer(new StaxSerializer()); 
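Review bot: `encr.clean()` is called unconditionally, but both `doEncryption` and `doEncryptionDerived` return null after catching a `WSSecurityException` (the @@ -506 hunk ends with `unassertPolicy(recToken, e); ... return null;`), so a failed encryption now ends in a NullPointerException that the `catch (Exception e)` below rethrows as a Fault, masking the cause that was logged at FINE. The @@ -248 hunk guards the same call with a null check; do the same here: `if (encr != null) { encr.clean(); }`. The enclosing method starts outside the hunk.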
@@ -416,13 +459,9 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { } if (attached && encrTok.getAttachedReference() != null) { - dkEncr.setExternalKey( - encrTok.getSecret(), cloneElement(encrTok.getAttachedReference()) - ); + dkEncr.setStrElem(cloneElement(encrTok.getAttachedReference())); } else if (encrTok.getUnattachedReference() != null) { - dkEncr.setExternalKey( - encrTok.getSecret(), cloneElement(encrTok.getUnattachedReference()) - ); + dkEncr.setStrElem(cloneElement(encrTok.getUnattachedReference())); } else if (!isRequestor() && encrTok.getSHA1() != null) { // If the Encrypted key used to create the derived key is not // attached use key identifier as defined in WSS1.1 section @@ -441,7 +480,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { } } tokenRef.addTokenType(tokenType); - dkEncr.setExternalKey(encrTok.getSecret(), tokenRef.getElement()); + dkEncr.setStrElem(tokenRef.getElement()); } else { if (attached) { String id = encrTok.getWsuId(); @@ -456,10 +495,10 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { if (id.startsWith("#")) { id = id.substring(1); } - dkEncr.setExternalKey(encrTok.getSecret(), id); + dkEncr.setTokenIdentifier(id); } else { dkEncr.setTokenIdDirectId(true); - dkEncr.setExternalKey(encrTok.getSecret(), encrTok.getId()); + dkEncr.setTokenIdentifier(encrTok.getId()); } } @@ -489,7 +528,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { AlgorithmSuiteType algType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType(); dkEncr.setSymmetricEncAlgorithm(algType.getEncryption()); dkEncr.setDerivedKeyLength(algType.getEncryptionDerivedKeyLength() / 8); - dkEncr.prepare(); + dkEncr.prepare(encrTok.getSecret()); Element encrDKTokenElem = null; encrDKTokenElem = dkEncr.getdktElement(); addDerivedKeyElement(encrDKTokenElem); 
@@ -506,114 +545,107 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { return null; } - private WSSecBase doEncryption(AbstractTokenWrapper recToken, + private WSSecEncrypt doEncryption(AbstractTokenWrapper recToken, SecurityToken encrTok, boolean attached, List<WSEncryptionPart> encrParts, - boolean atEnd) { - //Do encryption - if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) { - AbstractToken encrToken = recToken.getToken(); - assertPolicy(recToken); - assertPolicy(encrToken); - AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite(); - if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) { - return doEncryptionDerived(recToken, encrTok, encrToken, - attached, encrParts, atEnd); - } - try { - WSSecEncrypt encr = new WSSecEncrypt(secHeader); - encr.setEncryptionSerializer(new StaxSerializer()); - encr.setIdAllocator(wssConfig.getIdAllocator()); - encr.setCallbackLookup(callbackLookup); - encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message)); - encr.setStoreBytesInAttachment(storeBytesInAttachment); - encr.setExpandXopInclude(isExpandXopInclude()); - encr.setWsDocInfo(wsDocInfo); - String encrTokId = encrTok.getId(); - if (attached) { - encrTokId = encrTok.getWsuId(); - if (encrTokId == null - && (encrToken instanceof SecureConversationToken - || encrToken instanceof SecurityContextToken)) { - encr.setEncKeyIdDirectId(true); - encrTokId = encrTok.getId(); - } else if (encrTokId == null) { - encrTokId = encrTok.getId(); - } - if (encrTokId.startsWith("#")) { - encrTokId = encrTokId.substring(1); - } - } else { + boolean atEnd, + SecretKey symmetricKey) { + AbstractToken encrToken = recToken.getToken(); + assertPolicy(recToken); + assertPolicy(encrToken); + try { + WSSecEncrypt encr = new WSSecEncrypt(secHeader); + encr.setEncryptionSerializer(new StaxSerializer()); + encr.setIdAllocator(wssConfig.getIdAllocator()); + encr.setCallbackLookup(callbackLookup); + 
encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message)); + encr.setStoreBytesInAttachment(storeBytesInAttachment); + encr.setExpandXopInclude(isExpandXopInclude()); + encr.setWsDocInfo(wsDocInfo); + String encrTokId = encrTok.getId(); + if (attached) { + encrTokId = encrTok.getWsuId(); + if (encrTokId == null + && (encrToken instanceof SecureConversationToken + || encrToken instanceof SecurityContextToken)) { encr.setEncKeyIdDirectId(true); + encrTokId = encrTok.getId(); + } else if (encrTokId == null) { + encrTokId = encrTok.getId(); } - if (encrTok.getTokenType() != null) { - encr.setCustomReferenceValue(encrTok.getTokenType()); - } - encr.setEncKeyId(encrTokId); - encr.setEphemeralKey(encrTok.getSecret()); - Crypto crypto = getEncryptionCrypto(); - if (crypto != null) { - setEncryptionUser(encr, encrToken, false, crypto); + if (encrTokId.startsWith("#")) { + encrTokId = encrTokId.substring(1); } + } else { + encr.setEncKeyIdDirectId(true); + } + if (encrTok.getTokenType() != null) { + encr.setCustomReferenceValue(encrTok.getTokenType()); + } + encr.setEncKeyId(encrTokId); + AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite(); + encr.setSymmetricEncAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption()); + Crypto crypto = getEncryptionCrypto(); + if (crypto != null) { + setEncryptionUser(encr, encrToken, false, crypto); + } - encr.setEncryptSymmKey(false); - encr.setSymmetricEncAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption()); - encr.setMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo()); - encr.setDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest()); - - if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken - || encrToken instanceof SecureConversationToken) { - //Setting the AttachedReference or the UnattachedReference according to the flag - Element ref; - if (attached) { - ref = encrTok.getAttachedReference(); - } else { - ref = 
encrTok.getUnattachedReference(); - } + encr.setEncryptSymmKey(false); + encr.setMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo()); + encr.setDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest()); - String tokenType = encrTok.getTokenType(); - if (ref != null) { - SecurityTokenReference secRef = - new SecurityTokenReference(cloneElement(ref), new BSPEnforcer()); - encr.setSecurityTokenReference(secRef); - } else if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) - || WSS4JConstants.SAML_NS.equals(tokenType)) { - encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE); - encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); - } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) - || WSS4JConstants.SAML2_NS.equals(tokenType)) { - encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE); - encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); - } else { - encr.setCustomReferenceValue(tokenType); - encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); - } - } else if (encrToken instanceof UsernameToken) { - encr.setCustomReferenceValue(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE); - } else if (encrToken instanceof KerberosToken && !isRequestor()) { - encr.setCustomReferenceValue(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE); - encr.setEncKeyId(encrTok.getSHA1()); - } else if (!isRequestor() && encrTok.getSHA1() != null) { - encr.setCustomReferenceValue(encrTok.getSHA1()); - encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER); + if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken + || encrToken instanceof SecureConversationToken) { + //Setting the AttachedReference or the UnattachedReference according to the flag + Element ref; + if (attached) { + ref = encrTok.getAttachedReference(); + } else { + ref = encrTok.getUnattachedReference(); } - encr.prepare(crypto); - - if (encr.getBSTTokenId() != null) { - 
encr.prependBSTElementToHeader(); + String tokenType = encrTok.getTokenType(); + if (ref != null) { + SecurityTokenReference secRef = + new SecurityTokenReference(cloneElement(ref), new BSPEnforcer()); + encr.setSecurityTokenReference(secRef); + } else if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) + || WSS4JConstants.SAML_NS.equals(tokenType)) { + encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE); + encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); + } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) + || WSS4JConstants.SAML2_NS.equals(tokenType)) { + encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE); + encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); + } else { + encr.setCustomReferenceValue(tokenType); + encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); } + } else if (encrToken instanceof UsernameToken) { + encr.setCustomReferenceValue(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE); + } else if (encrToken instanceof KerberosToken && !isRequestor()) { + encr.setCustomReferenceValue(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE); + encr.setEncKeyId(encrTok.getSHA1()); + } else if (!isRequestor() && encrTok.getSHA1() != null) { + encr.setCustomReferenceValue(encrTok.getSHA1()); + encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER); + } - Element refList = encr.encryptForRef(null, encrParts); - List<Element> attachments = encr.getAttachmentEncryptedDataElements(); - addAttachmentsForEncryption(atEnd, refList, attachments); + encr.prepare(crypto, symmetricKey); - return encr; - } catch (WSSecurityException e) { - LOG.log(Level.FINE, e.getMessage(), e); - unassertPolicy(recToken, e); + if (encr.getBSTTokenId() != null) { + encr.prependBSTElementToHeader(); } + + Element refList = encr.encryptForRef(null, encrParts, symmetricKey); + List<Element> attachments = encr.getAttachmentEncryptedDataElements(); + addAttachmentsForEncryption(atEnd, refList, attachments); + + 
return encr; + } catch (WSSecurityException e) { + LOG.log(Level.FINE, e.getMessage(), e); + unassertPolicy(recToken, e); } return null; } @@ -672,7 +704,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { } if (ref != null) { - dkSign.setExternalKey(tok.getSecret(), cloneElement(ref)); + dkSign.setStrElem(cloneElement(ref)); } else if (!isRequestor() && policyToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys && tok.getSHA1() != null) { // If the Encrypted key used to create the derived key is not @@ -694,17 +726,17 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { } tokenRef.addTokenType(tokenType); } - dkSign.setExternalKey(tok.getSecret(), tokenRef.getElement()); + dkSign.setStrElem(tokenRef.getElement()); } else { if ((!attached && !isRequestor()) || policyToken instanceof SecureConversationToken || policyToken instanceof SecurityContextToken) { dkSign.setTokenIdDirectId(true); } - dkSign.setExternalKey(tok.getSecret(), tok.getId()); + dkSign.setTokenIdentifier(tok.getId()); } //Set the algo info - dkSign.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature()); + dkSign.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature()); dkSign.setSigCanonicalization(sbinding.getAlgorithmSuite().getC14n().getValue()); AlgorithmSuiteType algType = sbinding.getAlgorithmSuite().getAlgorithmSuiteType(); dkSign.setDigestAlgorithm(algType.getDigest()); @@ -740,7 +772,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { } } - dkSign.prepare(); + dkSign.prepare(tok.getSecret()); if (sbinding.isProtectTokens()) { String sigTokId = tok.getId(); @@ -775,8 +807,11 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { this.mainSigId = dkSign.getSignatureId(); + dkSign.clean(); return dkSign.getSignatureValue(); } + + dkSign.clean(); return null; } 
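Review bot: `doEncryption` gains a `symmetricKey` parameter and drops `encr.setEphemeralKey(encrTok.getSecret())`, but the method has no Javadoc and the key's contract is not obvious from the signature: the builder is configured with `encr.setEncryptSymmKey(false)`, so the key passed to `prepare` and `encryptForRef` is never wrapped, and the recipient must already hold it through the referenced token. A short Javadoc would stop the next caller from passing an arbitrary key, e.g. `@param symmetricKey the content-encryption key; it is not transported in an EncryptedKey (setEncryptSymmKey(false)), so it must be the key material the referenced security token already carries - callers derive it from encrTok.getSecret() when that is present` together with `@return the prepared builder, or null after a WSSecurityException (the policy has been unasserted)`. The null return is what the callers in the @@ -206 and @@ -385 hunks have to handle.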
@@ -877,7 +912,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { sig.setCustomTokenId(sigTokId); sig.setSecretKey(tok.getSecret()); - sig.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getSymmetricSignature()); + sig.setSignatureAlgorithm(sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature()); boolean includePrefixes = MessageUtils.getContextualBoolean( @@ -908,16 +943,24 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { bottomUpElement = sig.getSignatureElement(); this.mainSigId = sig.getId(); + + sig.clean(); return sig.getSignatureValue(); } + + sig.clean(); return null; } private String setupEncryptedKey(AbstractTokenWrapper wrapper, AbstractToken sigToken) throws WSSecurityException { - WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(sigToken); + AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType(); + KeyGenerator keyGen = KeyUtils.getKeyGenerator(algType.getEncryption()); + SecretKey symmetricKey = keyGen.generateKey(); + + WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(sigToken, symmetricKey); assertTokenWrapper(wrapper); String id = encrKey.getId(); - byte[] secret = encrKey.getEphemeralKey(); + byte[] secret = symmetricKey.getEncoded(); Instant created = Instant.now(); Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L); @@ -932,7 +975,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { // Set the SHA1 value of the encrypted key, this is used when the encrypted // key is referenced via a key identifier of type EncryptedKeySHA1 - tempTok.setSHA1(getSHA1(encrKey.getEncryptedEphemeralKey())); + tempTok.setSHA1(encrKey.getEncryptedKeySHA1()); tokenStore.add(tempTok); // Create another cache entry with the SHA1 Identifier as the key for easy retrieval 
@@ -958,20 +1001,26 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { } private String setupUTDerivedKey(UsernameToken sigToken) throws WSSecurityException { - boolean useMac = hasSignedPartsOrElements(); - WSSecUsernameToken usernameToken = addDKUsernameToken(sigToken, useMac); - String id = usernameToken.getId(); - byte[] secret = usernameToken.getDerivedKey(); + assertToken(sigToken); + if (isTokenRequired(sigToken.getIncludeTokenType())) { + boolean useMac = hasSignedPartsOrElements(); + byte[] salt = UsernameTokenUtil.generateSalt(useMac); + WSSecUsernameToken usernameToken = addDKUsernameToken(sigToken, salt, useMac); + String id = usernameToken.getId(); + byte[] secret = usernameToken.getDerivedKey(salt); + Arrays.fill(salt, (byte)0); - Instant created = Instant.now(); - Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L); - SecurityToken tempTok = - new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires); - tempTok.setSecret(secret); + Instant created = Instant.now(); + Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L); + SecurityToken tempTok = + new SecurityToken(id, usernameToken.getUsernameTokenElement(), created, expires); + tempTok.setSecret(secret); - tokenStore.add(tempTok); + tokenStore.add(tempTok); - return id; + return id; + } + return null; } private SecurityToken getEncryptedKey() { diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java index 3a1b7c4..f0fc873 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java 
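Review bot: `setupUTDerivedKey` (hunk @@ -958) now returns `null` whenever `isTokenRequired(sigToken.getIncludeTokenType())` is false, whereas the old body always returned the token id; callers of this method (outside the hunk) must handle the null, and the method should say so with a Javadoc `@return the id of the stored derived-key token, or {@code null} if the token is not required by its include-token type`. `Arrays.fill(salt, (byte)0)` is also skipped if `addDKUsernameToken` or `getDerivedKey(salt)` throws; wrapping those calls in `try { … } finally { Arrays.fill(salt, (byte)0); }` wipes the salt on every path. The same applies to the salt handling in TransportBindingHandler hunk @@ -331.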
@@ -21,10 +21,13 @@ package org.apache.cxf.ws.security.wss4j.policyhandlers; import java.time.Instant; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collection; import java.util.List; import java.util.logging.Level; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; import javax.xml.crypto.dsig.Reference; import javax.xml.soap.SOAPException; import javax.xml.soap.SOAPMessage; @@ -51,6 +54,8 @@ import org.apache.wss4j.common.ext.WSPasswordCallback; import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.saml.SamlAssertionWrapper; import org.apache.wss4j.common.token.SecurityTokenReference; +import org.apache.wss4j.common.util.KeyUtils; +import org.apache.wss4j.common.util.UsernameTokenUtil; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.engine.WSSConfig; import org.apache.wss4j.dom.message.WSSecDKSign; @@ -331,9 +336,11 @@ public class TransportBindingHandler extends AbstractBindingBuilder { addSig(doIssuedTokenSignature(token, wrapper)); } else if (token instanceof UsernameToken) { // Create a UsernameToken object for derived keys and store the security token - WSSecUsernameToken usernameToken = addDKUsernameToken((UsernameToken)token, true); + byte[] salt = UsernameTokenUtil.generateSalt(true); + WSSecUsernameToken usernameToken = addDKUsernameToken((UsernameToken)token, salt, true); String id = usernameToken.getId(); - byte[] secret = usernameToken.getDerivedKey(); + byte[] secret = usernameToken.getDerivedKey(salt); + Arrays.fill(salt, (byte)0); Instant created = Instant.now(); Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L); 
@@ -357,7 +364,11 @@ public class TransportBindingHandler extends AbstractBindingBuilder { signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements()); if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) { - WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(token); + AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType(); + KeyGenerator keyGen = KeyUtils.getKeyGenerator(algType.getEncryption()); + SecretKey symmetricKey = keyGen.generateKey(); + + WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(token, symmetricKey); assertPolicy(wrapper); Element bstElem = encrKey.getBinarySecurityTokenElement(); @@ -374,18 +385,17 @@ public class TransportBindingHandler extends AbstractBindingBuilder { } dkSig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue()); - dkSig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature()); + dkSig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature()); dkSig.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message)); dkSig.setStoreBytesInAttachment(storeBytesInAttachment); dkSig.setExpandXopInclude(isExpandXopInclude()); dkSig.setWsDocInfo(wsDocInfo); - AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType(); dkSig.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8); - dkSig.setExternalKey(encrKey.getEphemeralKey(), encrKey.getId()); + dkSig.setTokenIdentifier(encrKey.getId()); - dkSig.prepare(); + dkSig.prepare(symmetricKey.getEncoded()); dkSig.getParts().addAll(sigParts); List<Reference> referenceList = dkSig.addReferencesToSign(sigParts); @@ -394,6 +404,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder { dkSig.appendDKElementToHeader(); dkSig.computeSignature(referenceList, false, null); + dkSig.clean(); return dkSig.getSignatureValue(); } WSSecSignature sig = getSignatureBuilder(token, false, false); 
@@ -478,9 +489,9 @@ public class TransportBindingHandler extends AbstractBindingBuilder { } if (ref != null) { - dkSign.setExternalKey(secTok.getSecret(), cloneElement(ref)); + dkSign.setStrElem(cloneElement(ref)); } else { - dkSign.setExternalKey(secTok.getSecret(), secTok.getId()); + dkSign.setTokenIdentifier(secTok.getId()); } if (token instanceof UsernameToken) { @@ -488,13 +499,13 @@ public class TransportBindingHandler extends AbstractBindingBuilder { } // Set the algo info - dkSign.setSignatureAlgorithm(algorithmSuite.getSymmetricSignature()); + dkSign.setSignatureAlgorithm(algorithmSuite.getAlgorithmSuiteType().getSymmetricSignature()); AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType(); dkSign.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8); if (token.getVersion() == SPConstants.SPVersion.SP11) { dkSign.setWscVersion(ConversationConstants.VERSION_05_02); } - dkSign.prepare(); + dkSign.prepare(secTok.getSecret()); addDerivedKeyElement(dkSign.getdktElement()); @@ -504,6 +515,7 @@ public class TransportBindingHandler extends AbstractBindingBuilder { //Do signature dkSign.computeSignature(referenceList, false, null); + dkSign.clean(); return dkSign.getSignatureValue(); } @@ -594,11 +606,11 @@ public class TransportBindingHandler extends AbstractBindingBuilder { } sig.setUserInfo(uname, password); - sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAsymmetricSignature()); + sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature()); } else { crypto = getSignatureCrypto(); sig.setSecretKey(secTok.getSecret()); - sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getSymmetricSignature()); + sig.setSignatureAlgorithm(binding.getAlgorithmSuite().getAlgorithmSuiteType().getSymmetricSignature()); } sig.setSigCanonicalization(binding.getAlgorithmSuite().getC14n().getValue()); AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType(); 
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java index 0042681..b66bf1e 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java @@ -117,8 +117,8 @@ public class AlgorithmSuitePolicyValidator extends AbstractSecurityPolicyValidat ) { String signatureMethod = (String)result.get(WSSecurityEngineResult.TAG_SIGNATURE_METHOD); - if (!algorithmPolicy.getAsymmetricSignature().equals(signatureMethod) - && !algorithmPolicy.getSymmetricSignature().equals(signatureMethod)) { + if (!algorithmPolicy.getAlgorithmSuiteType().getAsymmetricSignature().equals(signatureMethod) + && !algorithmPolicy.getAlgorithmSuiteType().getSymmetricSignature().equals(signatureMethod)) { ai.setNotAsserted( "The signature method does not match the requirement" ); diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomPolicyAlgorithmsTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomPolicyAlgorithmsTest.java index 4f4f0bb..989b3d2 100644 --- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomPolicyAlgorithmsTest.java +++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/CustomPolicyAlgorithmsTest.java 
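Review bot: In hunk @@ -117 of AlgorithmSuitePolicyValidator, `algorithmPolicy.getAlgorithmSuiteType()` is dereferenced twice inside the condition; if that accessor can return null for a suite the loader does not recognise — which I cannot confirm from here — the validator fails with a NullPointerException instead of recording a not-asserted policy. Hoisting it once, `AlgorithmSuiteType suiteType = algorithmPolicy.getAlgorithmSuiteType();`, shortens the condition and gives a single place to guard. Including `signatureMethod` in the not-asserted message would also make a rejected signature algorithm diagnosable from the logs.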
@@ -44,9 +44,9 @@ public class CustomPolicyAlgorithmsTest extends AbstractPolicySecurityTest { AsymmetricBinding binding = (AsymmetricBinding) assertInfo.getAssertion(); // set Signature Algorithm to RSA SHA-256 - binding.getAlgorithmSuite().setAsymmetricSignature(rsaSha2SigMethod); + binding.getAlgorithmSuite().getAlgorithmSuiteType().setAsymmetricSignature(rsaSha2SigMethod); - String sigMethod = binding.getAlgorithmSuite().getAsymmetricSignature(); + String sigMethod = binding.getAlgorithmSuite().getAlgorithmSuiteType().getAsymmetricSignature(); assertNotNull(sigMethod); assertEquals(rsaSha2SigMethod, sigMethod); diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java index 750aa90..158e5f8 100644 --- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java +++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java @@ -23,6 +23,8 @@ import java.security.cert.X509Certificate; import java.util.Arrays; import java.util.Collections; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; import javax.security.auth.callback.CallbackHandler; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; @@ -40,6 +42,7 @@ import org.apache.wss4j.common.saml.bean.AuthenticationStatementBean; import org.apache.wss4j.common.saml.bean.KeyInfoBean; import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER; import org.apache.wss4j.common.saml.bean.SubjectBean; +import org.apache.wss4j.common.util.KeyUtils; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.message.WSSecEncryptedKey; 
@@ -59,7 +62,6 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler { protected X509Certificate[] certs; protected Statement statement = Statement.AUTHN; protected CERT_IDENTIFIER certIdentifier = CERT_IDENTIFIER.X509_CERT; - protected byte[] ephemeralKey; protected boolean multiValue = true; public void setConfirmationMethod(String confMethod) { @@ -78,10 +80,6 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler { this.certs = certs; } - public byte[] getEphemeralKey() { - return ephemeralKey; - } - /** * Note that the SubjectBean parameter should be null for SAML2.0 */ @@ -175,8 +173,10 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler { WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc); encrKey.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER); encrKey.setUseThisCert(certs[0]); - encrKey.prepare(null); - ephemeralKey = encrKey.getEphemeralKey(); + + KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_128); + SecretKey symmetricKey = keyGen.generateKey(); + encrKey.prepare(null, symmetricKey); Element encryptedKeyElement = encrKey.getEncryptedKeyElement(); // Append the EncryptedKey to a KeyInfo element diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java index ba5bb13..0b4b80c 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java @@ -29,6 +29,8 @@ import java.util.Set; import java.util.logging.Level; import java.util.logging.Logger; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; import javax.xml.bind.JAXBElement; import javax.xml.namespace.QName; 
@@ -77,6 +79,7 @@ import org.apache.cxf.ws.security.tokenstore.TokenStore; import org.apache.wss4j.common.WSS4JConstants; import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.util.DateUtil; +import org.apache.wss4j.common.util.KeyUtils; import org.apache.wss4j.common.util.XMLUtils; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.message.WSSecEncryptedKey; @@ -375,10 +378,17 @@ public abstract class AbstractOperation { WSSecEncryptedKey builder = new WSSecEncryptedKey(doc); builder.setUserInfo(name); builder.setKeyIdentifierType(encryptionProperties.getKeyIdentifierType()); - builder.setEphemeralKey(secret); builder.setKeyEncAlgo(keyWrapAlgorithm); - builder.prepare(stsProperties.getEncryptionCrypto()); + SecretKey symmetricKey = null; + if (secret != null) { + symmetricKey = KeyUtils.prepareSecretKey(encryptionProperties.getEncryptionAlgorithm(), secret); + } else { + KeyGenerator keyGen = KeyUtils.getKeyGenerator(encryptionProperties.getEncryptionAlgorithm()); + symmetricKey = keyGen.generateKey(); + } + + builder.prepare(stsProperties.getEncryptionCrypto(), symmetricKey); return builder.getEncryptedKeyElement(); } diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java index d5f2284..c080d4b 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java @@ -27,6 +27,8 @@ import java.util.logging.Level; import java.util.logging.Logger; import java.util.regex.Pattern; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; import javax.naming.ldap.LdapName; import javax.naming.ldap.Rdn; import javax.security.auth.kerberos.KerberosPrincipal; 
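Review bot: The `SecretKey symmetricKey = null;` initialiser in hunk @@ -375 of AbstractOperation is dead — both branches assign it — so dropping the `= null` lets the compiler enforce definite assignment; the same seven lines are duplicated in DefaultSubjectProvider hunk @@ -331, so a small shared helper (for example `SecretKey toSymmetricKey(String encryptionAlgorithm, byte[] secret)`) would keep the two in step. A why-comment belongs on the branch: `// A caller-supplied secret is wrapped as-is; otherwise a fresh key sized for the encryption algorithm is generated.` Note that in the `secret == null` branch the generated key is only wrapped into the EncryptedKey element and never returned from this method, so whether any consumer can use that key depends on the caller — worth confirming.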
@@ -55,6 +57,7 @@ import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER; import org.apache.wss4j.common.saml.bean.SubjectBean; import org.apache.wss4j.common.saml.builder.SAML1Constants; import org.apache.wss4j.common.saml.builder.SAML2Constants; +import org.apache.wss4j.common.util.KeyUtils; import org.apache.wss4j.dom.message.WSSecEncryptedKey; /** @@ -331,11 +334,18 @@ public class DefaultSubjectProvider implements SubjectProvider { // Create an EncryptedKey WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc); encrKey.setKeyIdentifierType(encryptionProperties.getKeyIdentifierType()); - encrKey.setEphemeralKey(secret); - encrKey.setSymmetricEncAlgorithm(encryptionProperties.getEncryptionAlgorithm()); encrKey.setUseThisCert(certificate); encrKey.setKeyEncAlgo(encryptionProperties.getKeyWrapAlgorithm()); - encrKey.prepare(encryptionCrypto); + + SecretKey symmetricKey = null; + if (secret != null) { + symmetricKey = KeyUtils.prepareSecretKey(encryptionProperties.getEncryptionAlgorithm(), secret); + } else { + KeyGenerator keyGen = KeyUtils.getKeyGenerator(encryptionProperties.getEncryptionAlgorithm()); + symmetricKey = keyGen.generateKey(); + } + + encrKey.prepare(encryptionCrypto, symmetricKey); Element encryptedKeyElement = encrKey.getEncryptedKeyElement(); // Append the EncryptedKey to a KeyInfo element diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java index b4cb1a7..e907da1 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java 
@@ -25,6 +25,8 @@ import java.util.Map; import java.util.logging.Level; import java.util.logging.Logger; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; import javax.xml.bind.JAXBElement; import javax.xml.namespace.QName; @@ -43,6 +45,7 @@ import org.apache.cxf.ws.security.wss4j.WSS4JUtils; import org.apache.wss4j.common.ConfigurationConstants; import org.apache.wss4j.common.WSEncryptionPart; import org.apache.wss4j.common.ext.WSSecurityException; +import org.apache.wss4j.common.util.KeyUtils; import org.apache.wss4j.dom.handler.WSHandlerConstants; import org.apache.wss4j.dom.handler.WSHandlerResult; import org.apache.wss4j.dom.message.WSSecEncrypt; @@ -171,8 +174,11 @@ public final class TokenProviderUtils { WSEncryptionPart encryptionPart = new WSEncryptionPart(id, "Element"); encryptionPart.setElement(element); - builder.prepare(stsProperties.getEncryptionCrypto()); - builder.encryptForRef(null, Collections.singletonList(encryptionPart)); + KeyGenerator keyGen = KeyUtils.getKeyGenerator(encryptionAlgorithm); + SecretKey symmetricKey = keyGen.generateKey(); + + builder.prepare(stsProperties.getEncryptionCrypto(), symmetricKey); + builder.encryptForRef(null, Collections.singletonList(encryptionPart), symmetricKey); return (Element)frag.getFirstChild(); } diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java index 0a31958..ca8f151 100644 --- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java +++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java @@ -26,6 +26,8 @@ import java.util.Collections; import java.util.List; import java.util.Properties; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; import javax.xml.bind.JAXBElement; import javax.xml.namespace.QName; 
@@ -70,6 +72,7 @@ import org.apache.wss4j.common.saml.SamlAssertionWrapper; import org.apache.wss4j.common.saml.builder.SAML1Constants; import org.apache.wss4j.common.saml.builder.SAML2Constants; import org.apache.wss4j.common.util.DOM2Writer; +import org.apache.wss4j.common.util.KeyUtils; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.WSDocInfo; import org.apache.wss4j.dom.engine.WSSConfig; @@ -839,9 +842,12 @@ public class IssueSamlUnitTest { builder.setKeyIdentifierType(WSConstants.ISSUER_SERIAL); builder.setKeyEncAlgo(WSS4JConstants.KEYTRANSPORT_RSAOAEP); - builder.prepare(stsProperties.getSignatureCrypto()); + KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_128); + SecretKey symmetricKey = keyGen.generateKey(); + + builder.prepare(stsProperties.getSignatureCrypto(), symmetricKey); Element encryptedKeyElement = builder.getEncryptedKeyElement(); - byte[] secret = builder.getEphemeralKey(); + byte[] secret = symmetricKey.getEncoded(); EntropyType entropyType = new EntropyType(); entropyType.getAny().add(encryptedKeyElement); diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java index e04d7b5..50ea95b 100644 --- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java +++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java 
@@ -26,7 +26,8 @@ import org.apache.cxf.common.security.SimplePrincipal; import org.apache.cxf.interceptor.Fault; import org.apache.cxf.ws.security.SecurityConstants; import org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor; -import org.apache.wss4j.dom.message.token.UsernameToken; +import org.apache.wss4j.common.util.UsernameTokenUtil; +import org.apache.xml.security.utils.XMLUtils; public class CustomUsernameTokenInterceptor extends UsernameTokenInterceptor { @@ -44,11 +45,16 @@ public class CustomUsernameTokenInterceptor extends UsernameTokenInterceptor { // add roles this user is in String roleName = "Alice".equals(name) ? "developers" : "pms"; - String expectedPassword = "Alice".equals(name) ? "ecilA" - : UsernameToken.doPasswordDigest(nonce, created, "invalid-password"); - if (!password.equals(expectedPassword)) { + try { + String expectedPassword = "Alice".equals(name) ? "ecilA" + : UsernameTokenUtil.doPasswordDigest(XMLUtils.decode(nonce), created, "invalid-password"); + if (!password.equals(expectedPassword)) { + throw new SecurityException("Wrong Password"); + } + } catch (org.apache.wss4j.common.ext.WSSecurityException ex) { throw new SecurityException("Wrong Password"); } + subject.getPrincipals().add(new SimpleGroup(roleName, name)); subject.setReadOnly(); return subject; diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/SHA512PolicyLoader.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/SHA512PolicyLoader.java index 3c1910b..c99c9f8 100644 --- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/SHA512PolicyLoader.java +++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/SHA512PolicyLoader.java 
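Review bot: In hunk @@ -44 of CustomUsernameTokenInterceptor the catch block rethrows `new SecurityException("Wrong Password")` without the caught `WSSecurityException` as cause, so a nonce that fails base64 decoding is indistinguishable from a bad password in the logs; chain it with `throw new SecurityException("Wrong Password", ex);`. The digest comparison `!password.equals(expectedPassword)` is not constant-time; `MessageDigest.isEqual(password.getBytes(StandardCharsets.UTF_8), expectedPassword.getBytes(StandardCharsets.UTF_8))` is the usual form, even in a test fixture. The fully qualified `org.apache.wss4j.common.ext.WSSecurityException` in the catch clause would read better as an import.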
@@ -91,7 +91,7 @@ public class SHA512PolicyLoader implements AlgorithmSuiteLoader { SHA512AlgorithmSuite(SPConstants.SPVersion version, Policy nestedPolicy) { super(version, nestedPolicy); - setAsymmetricSignature("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"); + getAlgorithmSuiteType().setAsymmetricSignature("http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"); } @Override