Author: coheigea
Date: Mon Feb 21 12:43:20 2011
New Revision: 1072954
URL: http://svn.apache.org/viewvc?rev=1072954&view=rev
Log:
[WSS-256] - BSP stuff for EncryptedData/EncryptedKeys.
Removed:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/EncryptedDataProcessor.java
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSConfig.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java
webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/EncryptionTest.java
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSConfig.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSConfig.java?rev=1072954&r1=1072953&r2=1072954&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSConfig.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/WSSConfig.java
Mon Feb 21 12:43:20 2011
@@ -156,10 +156,6 @@ public class WSSConfig {
WSSecurityEngine.BINARY_TOKEN,
org.apache.ws.security.processor.BinarySecurityTokenProcessor.class
);
- tmp.put(
- WSSecurityEngine.ENCRYPTED_DATA,
- org.apache.ws.security.processor.EncryptedDataProcessor.class
- );
} catch (final Throwable t) {
if (log.isDebugEnabled()) {
log.debug(t.getMessage(), t);
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java?rev=1072954&r1=1072953&r2=1072954&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/EncryptedKeyProcessor.java
Mon Feb 21 12:43:20 2011
@@ -82,9 +82,6 @@ public class EncryptedKeyProcessor imple
if (cb == null) {
throw new WSSecurityException(WSSecurityException.FAILURE,
"noCallback");
}
- if (config.isWsiBSPCompliant()) {
- checkBSPCompliance(elem);
- }
//
// lookup xenc:EncryptionMethod, get the Algorithm attribute to
determine
// how the key was encrypted. Then check if we support the algorithm
@@ -95,6 +92,9 @@ public class EncryptedKeyProcessor imple
WSSecurityException.UNSUPPORTED_ALGORITHM, "noEncAlgo"
);
}
+ if (config.isWsiBSPCompliant()) {
+ checkBSPCompliance(elem, encryptedKeyTransportMethod);
+ }
Cipher cipher =
WSSecurityUtil.getCipherInstance(encryptedKeyTransportMethod);
//
// Now lookup CipherValue.
@@ -152,7 +152,7 @@ public class EncryptedKeyProcessor imple
wsDocInfo.addResult(result);
return java.util.Collections.singletonList(result);
}
-
+
/**
* Method getDecodedBase64EncodedData
*
@@ -190,12 +190,30 @@ public class EncryptedKeyProcessor imple
);
String alias = null;
if (keyInfo != null) {
- Element strElement =
- WSSecurityUtil.getDirectChildElement(
- keyInfo,
- SecurityTokenReference.SECURITY_TOKEN_REFERENCE,
- WSConstants.WSSE_NS
- );
+ Element strElement = null;
+ if (config.isWsiBSPCompliant()) {
+ int result = 0;
+ Node node = keyInfo.getFirstChild();
+ while (node != null) {
+ if (Node.ELEMENT_NODE == node.getNodeType()) {
+ result++;
+ strElement = (Element)node;
+ }
+ node = node.getNextSibling();
+ }
+ if (result != 1) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY, "invalidDataRef"
+ );
+ }
+ } else {
+ strElement =
+ WSSecurityUtil.getDirectChildElement(
+ keyInfo,
+ SecurityTokenReference.SECURITY_TOKEN_REFERENCE,
+ WSConstants.WSSE_NS
+ );
+ }
if (strElement == null) {
throw new WSSecurityException(
WSSecurityException.INVALID_SECURITY, "noSecTokRef"
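Review bot: In the BSP branch the single element child of KeyInfo is assigned to strElement without checking what it is, so a KeyInfo whose only child is some other element (a ds:KeyName, for instance) passes the count check and is handed to the security-token-reference handling below as if it were a wsse:SecurityTokenReference. The non-BSP branch can only ever yield a wsse:SecurityTokenReference through getDirectChildElement, and the ReferenceListProcessor.checkBSPCompliance added in this same commit does verify namespace and local name, so the EncryptedKey path should apply the same rule before the null check. The enclosing method starts and ends outside the hunk.
```java
// … unchanged: element-count loop and invalidDataRef check …
// The single child must actually be a wsse:SecurityTokenReference
if (!WSConstants.WSSE_NS.equals(strElement.getNamespaceURI())
    || !SecurityTokenReference.SECURITY_TOKEN_REFERENCE.equals(strElement.getLocalName())) {
    throw new WSSecurityException(
        WSSecurityException.INVALID_SECURITY, "noSecTokRef"
    );
}
// … unchanged: else branch using getDirectChildElement …
```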
@@ -216,7 +234,7 @@ public class EncryptedKeyProcessor imple
);
}
alias = crypto.getAliasForX509Cert(certs[0]);
- } else if (crypto.getDefaultX509Alias() != null) {
+ } else if (!config.isWsiBSPCompliant() && crypto.getDefaultX509Alias()
!= null) {
alias = crypto.getDefaultX509Alias();
} else {
throw new
WSSecurityException(WSSecurityException.INVALID_SECURITY, "noKeyinfo");
@@ -354,7 +372,7 @@ public class EncryptedKeyProcessor imple
* A method to check that the EncryptedKey is compliant with the BSP spec.
* @throws WSSecurityException
*/
- private void checkBSPCompliance(Element elem) throws WSSecurityException {
+ private void checkBSPCompliance(Element elem, String encAlgo) throws
WSSecurityException {
String attribute = elem.getAttribute("Type");
if (attribute != null && !"".equals(attribute)) {
throw new WSSecurityException(
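Review bot: The Javadoc above checkBSPCompliance was not updated for the new `encAlgo` parameter and its `@throws WSSecurityException` still gives no condition. Add `@param elem The EncryptedKey element to check`, `@param encAlgo The key transport algorithm URI taken from xenc:EncryptionMethod/@Algorithm`, and a reason on the throws clause such as `if the element carries attributes the BSP forbids or encAlgo is not RSA-1_5/RSA-OAEP`. The method body continues past the hunk.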
@@ -379,6 +397,14 @@ public class EncryptedKeyProcessor imple
WSSecurityException.FAILED_CHECK, "badAttribute", new
Object[]{attribute}
);
}
+
+ // EncryptionAlgorithm must be RSA15, or RSAOEP.
+ if (!WSConstants.KEYTRANSPORT_RSA15.equals(encAlgo)
+ && !WSConstants.KEYTRANSPORT_RSAOEP.equals(encAlgo)) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY, "badEncAlgo", new
Object[]{encAlgo}
+ );
+ }
}
}
Modified:
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java?rev=1072954&r1=1072953&r2=1072954&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java
(original)
+++
webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java
Mon Feb 21 12:43:20 2011
@@ -36,6 +36,7 @@ import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.components.crypto.Crypto;
+import org.apache.ws.security.message.token.SecurityTokenReference;
import org.apache.ws.security.str.STRParser;
import org.apache.ws.security.str.SecurityTokenRefSTRParser;
import org.apache.ws.security.util.WSSecurityUtil;
@@ -145,9 +146,14 @@ public class ReferenceListProcessor impl
(Element)WSSecurityUtil.getDirectChildElement(
encryptedDataElement, "KeyInfo", WSConstants.SIG_NS
);
+ // KeyInfo cannot be null
if (keyInfoElement == null) {
throw new
WSSecurityException(WSSecurityException.INVALID_SECURITY, "noKeyinfo");
}
+ // Check BSP compliance
+ if (config.isWsiBSPCompliant()) {
+ checkBSPCompliance(keyInfoElement, symEncAlgo);
+ }
//
// Try to get a security reference token, if none found try to get a
// shared key using a KeyName.
@@ -176,9 +182,58 @@ public class ReferenceListProcessor impl
doc, dataRefURI, encryptedDataElement, symmetricKey, symEncAlgo
);
}
-
/**
+ * Check for BSP compliance
+ * @param keyInfoElement The KeyInfo element child
+ * @param encAlgo The encryption algorithm
+ * @throws WSSecurityException
+ */
+ private static void checkBSPCompliance(
+ Element keyInfoElement,
+ String encAlgo
+ ) throws WSSecurityException {
+ // We can only have one token reference
+ int result = 0;
+ Node node = keyInfoElement.getFirstChild();
+ Element child = null;
+ while (node != null) {
+ if (Node.ELEMENT_NODE == node.getNodeType()) {
+ result++;
+ child = (Element)node;
+ }
+ node = node.getNextSibling();
+ }
+ if (result != 1) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY, "invalidDataRef"
+ );
+ }
+
+ if (!WSConstants.WSSE_NS.equals(child.getNamespaceURI()) ||
+
!SecurityTokenReference.SECURITY_TOKEN_REFERENCE.equals(child.getLocalName())) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY, "noSecTokRef"
+ );
+ }
+
+ // EncryptionAlgorithm cannot be null
+ if (encAlgo == null) {
+ throw new WSSecurityException(
+ WSSecurityException.UNSUPPORTED_ALGORITHM, "noEncAlgo"
+ );
+ }
+ // EncryptionAlgorithm must be 3DES, or AES128, or AES256
+ if (!WSConstants.TRIPLE_DES.equals(encAlgo)
+ && !WSConstants.AES_128.equals(encAlgo)
+ && !WSConstants.AES_256.equals(encAlgo)) {
+ throw new WSSecurityException(
+ WSSecurityException.INVALID_SECURITY, "badEncAlgo", new
Object[]{encAlgo}
+ );
+ }
+ }
+
+ /**
* Look up the encrypted data. First try Id="someURI". If no such Id then
try
* wsu:Id="someURI".
*
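Review bot: The element-counting loop and the single-STR rule in the new checkBSPCompliance duplicate the loop this commit adds to EncryptedKeyProcessor's KeyInfo handling, and the two copies already differ (only this one verifies the child is a wsse:SecurityTokenReference). A shared helper, for example on WSSecurityUtil, that returns the single wsse:SecurityTokenReference child of a KeyInfo or throws would keep both processors on the same rule. The Javadoc's `@throws WSSecurityException` has no description; `@throws WSSecurityException if keyInfoElement does not hold exactly one wsse:SecurityTokenReference child, or encAlgo is null or not 3DES/AES-128/AES-256` states when. Note also that a missing algorithm is reported as UNSUPPORTED_ALGORITHM while a disallowed one is INVALID_SECURITY; if that distinction is intended, a one-line comment saying so would save the next reader from "fixing" it.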
Modified:
webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties?rev=1072954&r1=1072953&r2=1072954&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties
(original)
+++
webservices/wss4j/trunk/src/main/resources/org/apache/ws/security/errors.properties
Mon Feb 21 12:43:20 2011
@@ -64,6 +64,7 @@ noCallback=WSSecurityEngine: No password
noCredential=WSSecurityEngine: No Credential was supplied to the Validator
noPassword=WSSecurityEngine: Callback supplied no password for: {0}
noKey=WSSecurityEngine: Callback supplied no key for: {0}
+badEncAlgo=xenc:EncryptionMethod/@Algorithm is not supported: {0}
noEncAlgo=WSSecurityEngine: xenc:EncryptedKey does not contain
xenc:EncryptionMethod/@Algorithm
unsupportedKeyTransp=unsupported key transport encryption algorithm: {0}
noCipher=WSSecurityEngine: EncryptedKey does not contain
xenc:CipherData/xenc:CipherValue
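Review bot: The new `badEncAlgo` text says the algorithm "is not supported", but both call sites in this commit raise it only when WS-I BSP compliance is enabled and the algorithm falls outside the profile's allowed list, so an algorithm the engine otherwise accepts would be reported as unsupported. It also lacks the `WSSecurityEngine: ` prefix its neighbours carry. Suggest `badEncAlgo=WSSecurityEngine: xenc:EncryptionMethod/@Algorithm is not permitted in WS-I BSP compliant mode: {0}`.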
Modified:
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/EncryptionTest.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/EncryptionTest.java?rev=1072954&r1=1072953&r2=1072954&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/EncryptionTest.java
(original)
+++
webservices/wss4j/trunk/src/test/java/org/apache/ws/security/message/EncryptionTest.java
Mon Feb 21 12:43:20 2011
@@ -80,6 +80,9 @@ public class EncryptionTest extends org.
keyGen.init(128);
key = keyGen.generateKey();
keyData = key.getEncoded();
+ WSSConfig wssConfig = WSSConfig.getNewInstance();
+ wssConfig.setWsiBSPCompliant(true);
+ secEngine.setWssConfig(wssConfig);
}
/**
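Review bot: Enabling BSP-compliant mode on the shared secEngine in setup moves every test in this class onto the strict path, so the non-BSP branches this commit adds to EncryptedKeyProcessor (the getDirectChildElement lookup and the default-X509-alias fallback) appear to lose coverage here unless another test class exercises them. Consider leaving the default engine for the existing tests and adding a dedicated BSP test that asserts a non-compliant message (for example a KeyInfo with more than one child element) is rejected with the new fault. The setup method this hunk closes starts outside the hunk.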