Author: coheigea
Date: Thu Dec 2 14:38:07 2010
New Revision: 1041394
URL: http://svn.apache.org/viewvc?rev=1041394&view=rev
Log:
Refactored the cached SecureRandom and MessageDigest instances and how they are
used.
Removed:
webservices/wss4j/trunk/test/components/TestWSSecurityUtil.java
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncrypt.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncryptedKey.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java
webservices/wss4j/trunk/src/org/apache/ws/security/util/WSSecurityUtil.java
webservices/wss4j/trunk/test/components/PackageTests.java
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java?rev=1041394&r1=1041393&r2=1041394&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/components/crypto/CryptoBase.java
Thu Dec 2 14:38:07 2010
@@ -602,8 +602,7 @@ public abstract class CryptoBase impleme
}
try {
- sha = WSSecurityUtil.resolveMessageDigest();
- sha.reset();
+ sha = MessageDigest.getInstance("SHA1");
} catch (NoSuchAlgorithmException e) {
throw new WSSecurityException(
WSSecurityException.FAILURE, "noSHA1availabe", null, e
@@ -689,19 +688,15 @@ public abstract class CryptoBase impleme
// remove 22-byte algorithm ID and header
byte[] value = new byte[encoded.length - 22];
System.arraycopy(encoded, 22, value, 0, value.length);
- MessageDigest sha;
try {
- sha = WSSecurityUtil.resolveMessageDigest();
- } catch (NoSuchAlgorithmException ex) {
+ return WSSecurityUtil.generateDigest(value);
+ } catch (WSSecurityException ex) {
throw new WSSecurityException(
WSSecurityException.UNSUPPORTED_SECURITY_TOKEN,
"noSKIHandling",
new Object[]{"Wrong certificate version (<3) and no SHA1
message digest availabe"},
ex
);
}
- sha.reset();
- sha.update(value);
- return sha.digest();
}
//
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncrypt.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncrypt.java?rev=1041394&r1=1041393&r2=1041394&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncrypt.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncrypt.java
Thu Dec 2 14:38:07 2010
@@ -43,7 +43,6 @@ import org.w3c.dom.NamedNodeMap;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
-import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
@@ -526,7 +525,8 @@ public class WSSecEncrypt extends WSSecE
if (customReferenceValue != null) {
secToken.setKeyIdentifierEncKeySHA1(customReferenceValue);
} else {
-
secToken.setKeyIdentifierEncKeySHA1(getSHA1(encryptedEphemeralKey));
+ byte[] encodedBytes =
WSSecurityUtil.generateDigest(encryptedEphemeralKey);
+
secToken.setKeyIdentifierEncKeySHA1(Base64.encode(encodedBytes));
}
keyInfo.addUnknownElement(secToken.getElement());
} else if (keyIdentifierType == WSConstants.EMBEDDED_KEYNAME) {
@@ -648,21 +648,6 @@ public class WSSecEncrypt extends WSSecE
this.encryptSymmKey = encryptSymmKey;
}
- private String getSHA1(byte[] input) throws WSSecurityException {
- try {
- MessageDigest sha = WSSecurityUtil.resolveMessageDigest();
- sha.reset();
- sha.update(input);
- byte[] data = sha.digest();
-
- return Base64.encode(data);
- } catch (NoSuchAlgorithmException e) {
- throw new WSSecurityException(
- WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, e
- );
- }
- }
-
public void setCustomReferenceValue(String customReferenceValue) {
this.customReferenceValue = customReferenceValue;
}
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncryptedKey.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncryptedKey.java?rev=1041394&r1=1041393&r2=1041394&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncryptedKey.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecEncryptedKey.java
Thu Dec 2 14:38:07 2010
@@ -20,7 +20,6 @@
package org.apache.ws.security.message;
import java.security.InvalidKeyException;
-import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.crypto.BadPaddingException;
@@ -330,11 +329,8 @@ public class WSSecEncryptedKey extends W
* @throws WSSecurityException
*/
protected byte[] generateEphemeralKey() throws WSSecurityException {
- try {
- final SecureRandom r = WSSecurityUtil.resolveSecureRandom();
- byte[] temp = new byte[this.keySize / 8];
- r.nextBytes(temp);
- return temp;
+ try {
+ return WSSecurityUtil.generateNonce(this.keySize / 8);
} catch (Exception e) {
throw new WSSecurityException("Error in creating the ephemeral
key", e);
}
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java?rev=1041394&r1=1041393&r2=1041394&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecSignature.java
Thu Dec 2 14:38:07 2010
@@ -40,8 +40,6 @@ import org.apache.ws.security.util.WSSec
import org.w3c.dom.Document;
import org.w3c.dom.Element;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
@@ -211,7 +209,8 @@ public class WSSecSignature extends WSSe
if (encrKeySha1value != null) {
secRef.setKeyIdentifierEncKeySHA1(encrKeySha1value);
} else {
- secRef.setKeyIdentifierEncKeySHA1(getSHA1(secretKey));
+ byte[] digestBytes = WSSecurityUtil.generateDigest(secretKey);
+ secRef.setKeyIdentifierEncKeySHA1(Base64.encode(digestBytes));
}
break;
@@ -681,22 +680,6 @@ public class WSSecSignature extends WSSe
return secRef;
}
- private String getSHA1(byte[] input) throws WSSecurityException {
- try {
- MessageDigest sha = WSSecurityUtil.resolveMessageDigest();
- sha.reset();
- sha.update(input);
- byte[] data = sha.digest();
-
- return Base64.encode(data);
- } catch (NoSuchAlgorithmException e) {
- throw new WSSecurityException(
- WSSecurityException.UNSUPPORTED_ALGORITHM, null, null, e
- );
- }
- }
-
-
/**
* Set up the X509 Certificate(s) for signing.
*/
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java?rev=1041394&r1=1041393&r2=1041394&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/SecurityTokenReference.java
Thu Dec 2 14:38:07 2010
@@ -39,8 +39,6 @@ import javax.xml.namespace.QName;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
@@ -360,26 +358,23 @@ public class SecurityTokenReference {
*/
public void setKeyIdentifierThumb(X509Certificate cert) throws
WSSecurityException {
Document doc = element.getOwnerDocument();
- MessageDigest sha = null;
+ byte[] encodedCert = null;
try {
- sha = WSSecurityUtil.resolveMessageDigest();
- } catch (NoSuchAlgorithmException e1) {
+ encodedCert = cert.getEncoded();
+ } catch (CertificateEncodingException e1) {
throw new WSSecurityException(
- WSSecurityException.FAILURE, "noSHA1availabe", null, e1
+ WSSecurityException.SECURITY_TOKEN_UNAVAILABLE, "encodeError",
null, e1
);
}
- sha.reset();
try {
- sha.update(cert.getEncoded());
- } catch (CertificateEncodingException e1) {
+ byte[] encodedBytes = WSSecurityUtil.generateDigest(encodedCert);
+ org.w3c.dom.Text text =
doc.createTextNode(Base64.encode(encodedBytes));
+ createKeyIdentifier(doc, THUMB_URI, text, true);
+ } catch (WSSecurityException e1) {
throw new WSSecurityException(
- WSSecurityException.SECURITY_TOKEN_UNAVAILABLE, "encodeError",
null, e1
+ WSSecurityException.FAILURE, "noSHA1availabe", null, e1
);
}
- byte[] data = sha.digest();
-
- org.w3c.dom.Text text = doc.createTextNode(Base64.encode(data));
- createKeyIdentifier(doc, THUMB_URI, text, true);
}
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java?rev=1041394&r1=1041393&r2=1041394&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java
Thu Dec 2 14:38:07 2010
@@ -39,7 +39,6 @@ import javax.xml.namespace.QName;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
-import java.security.SecureRandom;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.text.DateFormat;
@@ -63,7 +62,6 @@ public class UsernameToken {
private static final Log LOG =
LogFactory.getLog(UsernameToken.class.getName());
private static final boolean DO_DEBUG = LOG.isDebugEnabled();
- private static SecureRandom random;
protected Element element = null;
protected Element elementUsername = null;
@@ -77,16 +75,6 @@ public class UsernameToken {
private String rawPassword; // enhancement by Alberto Coletti
private boolean passwordsAreEncoded = false;
- static {
- try {
- random = WSSecurityUtil.resolveSecureRandom();
- } catch (NoSuchAlgorithmException e) {
- if (DO_DEBUG) {
- LOG.debug(e.getMessage(), e);
- }
- }
- }
-
/**
* Constructs a <code>UsernameToken</code> object and parses the
* <code>wsse:UsernameToken</code> element to initialize it.
@@ -272,8 +260,13 @@ public class UsernameToken {
if (elementNonce != null) {
return;
}
- byte[] nonceValue = new byte[16];
- random.nextBytes(nonceValue);
+ byte[] nonceValue = null;
+ try {
+ nonceValue = WSSecurityUtil.generateNonce(16);
+ } catch (WSSecurityException ex) {
+ LOG.debug(ex.getMessage(), ex);
+ return;
+ }
elementNonce = doc.createElementNS(WSConstants.WSSE_NS, "wsse:" +
WSConstants.NONCE_LN);
elementNonce.appendChild(doc.createTextNode(Base64.encode(nonceValue)));
elementNonce.setAttributeNS(null, "EncodingType", BASE64_ENCODING);
@@ -530,10 +523,8 @@ public class UsernameToken {
System.arraycopy(b3, 0, b4, offset, b3.length);
- MessageDigest sha = WSSecurityUtil.resolveMessageDigest();
- sha.reset();
- sha.update(b4);
- passwdDigest = Base64.encode(sha.digest());
+ byte[] digestBytes = WSSecurityUtil.generateDigest(b4);
+ passwdDigest = Base64.encode(digestBytes);
} catch (Exception e) {
if (DO_DEBUG) {
LOG.debug(e.getMessage(), e);
@@ -724,7 +715,7 @@ public class UsernameToken {
MessageDigest sha = null;
try {
- sha = WSSecurityUtil.resolveMessageDigest();
+ sha = MessageDigest.getInstance("SHA1");
} catch (NoSuchAlgorithmException e) {
if (DO_DEBUG) {
LOG.debug(e.getMessage(), e);
@@ -733,8 +724,6 @@ public class UsernameToken {
WSSecurityException.FAILURE, "noSHA1availabe", null, e
);
}
- sha.reset();
-
//
// Make the first hash round with start value
//
@@ -825,8 +814,13 @@ public class UsernameToken {
* @return Returns the 128 bit salt value as byte array
*/
public static byte[] generateSalt(boolean useForMac) {
- byte[] saltValue = new byte[16];
- random.nextBytes(saltValue);
+ byte[] saltValue = null;
+ try {
+ saltValue = WSSecurityUtil.generateNonce(16);
+ } catch (WSSecurityException ex) {
+ LOG.debug(ex.getMessage(), ex);
+ return null;
+ }
if (useForMac) {
saltValue[15] = 0x01;
} else {
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/util/WSSecurityUtil.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/util/WSSecurityUtil.java?rev=1041394&r1=1041393&r2=1041394&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/util/WSSecurityUtil.java
(original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/util/WSSecurityUtil.java
Thu Dec 2 14:38:07 2010
@@ -66,13 +66,11 @@ public class WSSecurityUtil {
* overhead.
*/
private static SecureRandom random = null;
- private static String randomAlgorithm = null;
/**
* A cached MessageDigest object
*/
private static MessageDigest digest = null;
- private static String digestAlgorithm = null;
/**
* Returns the first WS-Security header element for a given actor. Only one
@@ -968,23 +966,44 @@ public class WSSecurityUtil {
}
/**
- * Generate a nonce of the given length
+ * Generate a nonce of the given length using the SHA1PRNG algorithm. The
SecureRandom
+ * instance that backs this method is cached for efficiency.
*
* @return a nonce of the given length
- * @throws Exception
+ * @throws WSSecurityException
*/
- public static byte[] generateNonce(int length) throws WSSecurityException {
- try {
- final SecureRandom r = resolveSecureRandom();
- if (r == null) {
- throw new WSSecurityException("Random generator is not
initialized.");
+ public static synchronized byte[] generateNonce(int length) throws
WSSecurityException {
+ try {
+ if (random == null) {
+ random = SecureRandom.getInstance("SHA1PRNG");
+ random.setSeed(System.currentTimeMillis());
}
- byte[] temp = new byte[length];
- r.nextBytes(temp);
+ byte[] temp = new byte[length];
+ random.nextBytes(temp);
return temp;
+ } catch (Exception ex) {
+ throw new WSSecurityException(
+ "Error in generating nonce of length " + length, ex
+ );
+ }
+ }
+
+ /**
+ * Generate a (SHA1) digest of the input bytes. The MessageDigest instance
that backs this
+ * method is cached for efficiency.
+ * @param inputBytes the bytes to digest
+ * @return the digest of the input bytes
+ * @throws WSSecurityException
+ */
+ public static synchronized byte[] generateDigest(byte[] inputBytes) throws
WSSecurityException {
+ try {
+ if (digest == null) {
+ digest = MessageDigest.getInstance("SHA-1");
+ }
+ return digest.digest(inputBytes);
} catch (Exception e) {
throw new WSSecurityException(
- "Error in generating nonce of length " + length, e
+ "Error in generating digest", e
);
}
}
@@ -1091,58 +1110,6 @@ public class WSSecurityUtil {
log.debug("All required elements are signed");
}
- /**
- * @return a SecureRandom instance initialized with the "SHA1PRNG"
- * algorithm identifier
- */
- public static SecureRandom
- resolveSecureRandom() throws NoSuchAlgorithmException {
- return resolveSecureRandom("SHA1PRNG");
- }
-
- /**
- * @param algorithm
- *
- * @return a SecureRandom instance initialized with the identifier
- * specified in algorithm
- */
- public synchronized static SecureRandom
- resolveSecureRandom(
- final String algorithm
- ) throws NoSuchAlgorithmException {
- if (random == null || !algorithm.equals(randomAlgorithm)) {
- random = SecureRandom.getInstance(algorithm);
- randomAlgorithm = algorithm;
- random.setSeed(System.currentTimeMillis());
- }
- return random;
- }
-
- /**
- * @return a MessageDigest instance initialized with the "SHA-1"
- * algorithm identifier
- */
- public static MessageDigest
- resolveMessageDigest() throws NoSuchAlgorithmException {
- return resolveMessageDigest("SHA-1");
- }
-
- /**
- * @param algorithm
- *
- * @return a MessageDigest instance initialized with the identifier
- * specified in algorithm
- */
- public synchronized static MessageDigest
- resolveMessageDigest(
- final String algorithm
- ) throws NoSuchAlgorithmException {
- if (digest == null || !algorithm.equals(digestAlgorithm)) {
- digest = MessageDigest.getInstance(algorithm);
- digestAlgorithm = algorithm;
- }
- return digest;
- }
/**
* @return a list of child Nodes
Modified: webservices/wss4j/trunk/test/components/PackageTests.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/components/PackageTests.java?rev=1041394&r1=1041393&r2=1041394&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/components/PackageTests.java (original)
+++ webservices/wss4j/trunk/test/components/PackageTests.java Thu Dec 2
14:38:07 2010
@@ -37,7 +37,6 @@ public class PackageTests extends TestCa
suite.addTestSuite(TestMerlin.class);
suite.addTestSuite(TestX509NameTokenizer.class);
suite.addTestSuite(TestReference.class);
- suite.addTestSuite(TestWSSecurityUtil.class);
return suite;
}
