Author: giger
Date: Sun Mar 11 16:26:42 2012
New Revision: 1299388
URL: http://svn.apache.org/viewvc?rev=1299388&view=rev
Log:
Fixed a bug with DocumentContext-Path assembling during decryption. The
OperationSecurityEvent was never emitted because the path was wrong.
This commit also introduces SecurityEvent regression tests to some
EncDecryptionTests for WSS-378
Modified:
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/AbstractTestBase.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/EncDecryptionTest.java
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/VulnerabliltyVectorsTest.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/impl/processor/input/AbstractDecryptInputProcessor.java
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/resources/messages/errors.properties
Modified:
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/AbstractTestBase.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/AbstractTestBase.java?rev=1299388&r1=1299387&r2=1299388&view=diff
==============================================================================
---
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/AbstractTestBase.java
(original)
+++
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/AbstractTestBase.java
Sun Mar 11 16:26:42 2012
@@ -554,6 +554,10 @@ public abstract class AbstractTestBase {
this.expectedEvents = expectedEvents;
}
+ public List<SecurityEvent> getReceivedSecurityEvents() {
+ return receivedSecurityEvents;
+ }
+
@Override
public void registerSecurityEvent(SecurityEvent securityEvent) throws
WSSecurityException {
receivedSecurityEvents.add(securityEvent);
Modified:
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/EncDecryptionTest.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/EncDecryptionTest.java?rev=1299388&r1=1299387&r2=1299388&view=diff
==============================================================================
---
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/EncDecryptionTest.java
(original)
+++
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/EncDecryptionTest.java
Sun Mar 11 16:26:42 2012
@@ -21,6 +21,7 @@ package org.swssf.wss.test;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.swssf.wss.ext.WSSConstants;
import org.swssf.wss.ext.WSSSecurityProperties;
+import org.swssf.wss.securityEvent.*;
import org.swssf.xmlsec.ext.SecurePart;
import org.testng.Assert;
import org.testng.annotations.Test;
@@ -28,6 +29,7 @@ import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
+import javax.xml.namespace.QName;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
@@ -40,6 +42,7 @@ import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
+import java.util.List;
import java.util.Properties;
/**
@@ -124,7 +127,17 @@ public class EncDecryptionTest extends A
WSSSecurityProperties securityProperties = new
WSSSecurityProperties();
securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
- Document document = doInboundSecurity(securityProperties,
xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
+
+ SecurityEvent.Event[] expectedSecurityEvents = new
SecurityEvent.Event[]{
+ SecurityEvent.Event.Operation,
+ SecurityEvent.Event.X509Token,
+ SecurityEvent.Event.EncryptedPart,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.AlgorithmSuite,
+ };
+ final TestSecurityEventListener securityEventListener = new
TestSecurityEventListener(expectedSecurityEvents);
+
+ Document document = doInboundSecurity(securityProperties,
xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())), securityEventListener);
//header element must still be there
NodeList nodeList =
document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedKey.getNamespaceURI(),
WSSConstants.TAG_xenc_EncryptedKey.getLocalPart());
@@ -134,6 +147,26 @@ public class EncDecryptionTest extends A
//no encrypted content
nodeList =
document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedData.getNamespaceURI(),
WSSConstants.TAG_xenc_EncryptedData.getLocalPart());
Assert.assertEquals(nodeList.getLength(), 0);
+
+ securityEventListener.compare();
+
+ List<SecurityEvent> receivedSecurityEvents =
securityEventListener.getReceivedSecurityEvents();
+ for (int i = 0; i < receivedSecurityEvents.size(); i++) {
+ SecurityEvent securityEvent = receivedSecurityEvents.get(i);
+ if (securityEvent.getSecurityEventType() ==
SecurityEvent.Event.Operation) {
+ OperationSecurityEvent operationSecurityEvent =
(OperationSecurityEvent) securityEvent;
+ Assert.assertEquals(operationSecurityEvent.getOperation(),
new QName("http://schemas.xmlsoap.org/wsdl/";, "definitions"));
+ } else if (securityEvent.getSecurityEventType() ==
SecurityEvent.Event.EncryptedPart) {
+ EncryptedPartSecurityEvent encryptedPartSecurityEvent =
(EncryptedPartSecurityEvent) securityEvent;
+
Assert.assertNotNull(encryptedPartSecurityEvent.getXmlEvent());
+
Assert.assertNotNull(encryptedPartSecurityEvent.getSecurityToken());
+
Assert.assertNotNull(encryptedPartSecurityEvent.getElementPath());
+ final QName expectedElementName = new
QName("http://schemas.xmlsoap.org/soap/envelope/";, "Body");
+
Assert.assertEquals(encryptedPartSecurityEvent.getXmlEvent().asStartElement().getName(),
expectedElementName);
+
Assert.assertEquals(encryptedPartSecurityEvent.getElementPath().size(), 2);
+
Assert.assertEquals(encryptedPartSecurityEvent.getElementPath().get(encryptedPartSecurityEvent.getElementPath().size()
- 1), expectedElementName);
+ }
+ }
}
}
@@ -210,7 +243,67 @@ public class EncDecryptionTest extends A
WSSSecurityProperties securityProperties = new
WSSSecurityProperties();
securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
securityProperties.setCallbackHandler(new CallbackHandlerImpl());
- Document document = doInboundSecurity(securityProperties,
xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
+
+ SecurityEvent.Event[] expectedSecurityEvents = new
SecurityEvent.Event[]{
+ SecurityEvent.Event.Operation,
+ SecurityEvent.Event.X509Token,
+ SecurityEvent.Event.X509Token,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.ContentEncrypted,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.ContentEncrypted,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.ContentEncrypted,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.ContentEncrypted,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.ContentEncrypted,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.ContentEncrypted,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.ContentEncrypted,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.ContentEncrypted,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.ContentEncrypted,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.ContentEncrypted,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.ContentEncrypted,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.ContentEncrypted,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.ContentEncrypted,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.ContentEncrypted,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.ContentEncrypted,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.ContentEncrypted,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.ContentEncrypted,
+ SecurityEvent.Event.AlgorithmSuite,
+ };
+ final TestSecurityEventListener securityEventListener = new
TestSecurityEventListener(expectedSecurityEvents);
+
+ Document document = doInboundSecurity(securityProperties,
xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())), securityEventListener);
//header element must still be there
NodeList nodeList =
document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedKey.getNamespaceURI(),
WSSConstants.TAG_xenc_EncryptedKey.getLocalPart());
@@ -220,6 +313,26 @@ public class EncDecryptionTest extends A
//no encrypted content
nodeList =
document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedData.getNamespaceURI(),
WSSConstants.TAG_xenc_EncryptedData.getLocalPart());
Assert.assertEquals(nodeList.getLength(), 0);
+
+ securityEventListener.compare();
+
+ List<SecurityEvent> receivedSecurityEvents =
securityEventListener.getReceivedSecurityEvents();
+ for (int i = 0; i < receivedSecurityEvents.size(); i++) {
+ SecurityEvent securityEvent = receivedSecurityEvents.get(i);
+ if (securityEvent.getSecurityEventType() ==
SecurityEvent.Event.Operation) {
+ OperationSecurityEvent operationSecurityEvent =
(OperationSecurityEvent) securityEvent;
+ Assert.assertEquals(operationSecurityEvent.getOperation(),
new QName("http://schemas.xmlsoap.org/wsdl/";, "definitions"));
+ } else if (securityEvent.getSecurityEventType() ==
SecurityEvent.Event.ContentEncrypted) {
+ ContentEncryptedElementSecurityEvent
contentEncryptedElementSecurityEvent = (ContentEncryptedElementSecurityEvent)
securityEvent;
+
Assert.assertNotNull(contentEncryptedElementSecurityEvent.getXmlEvent());
+
Assert.assertNotNull(contentEncryptedElementSecurityEvent.getSecurityToken());
+
Assert.assertNotNull(contentEncryptedElementSecurityEvent.getElementPath());
+ final QName expectedElementName = new
QName("http://www.w3.org/1999/XMLSchema";, "simpleType");
+
Assert.assertEquals(contentEncryptedElementSecurityEvent.getXmlEvent().asStartElement().getName(),
expectedElementName);
+
Assert.assertEquals(contentEncryptedElementSecurityEvent.getElementPath().size(),
6);
+
Assert.assertEquals(contentEncryptedElementSecurityEvent.getElementPath().get(contentEncryptedElementSecurityEvent.getElementPath().size()
- 1), expectedElementName);
+ }
+ }
}
}
@@ -323,7 +436,67 @@ public class EncDecryptionTest extends A
WSSSecurityProperties securityProperties = new
WSSSecurityProperties();
securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
securityProperties.setCallbackHandler(new
org.swssf.wss.test.CallbackHandlerImpl());
- Document document = doInboundSecurity(securityProperties,
xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
+
+ SecurityEvent.Event[] expectedSecurityEvents = new
SecurityEvent.Event[]{
+ SecurityEvent.Event.Operation,
+ SecurityEvent.Event.X509Token,
+ SecurityEvent.Event.X509Token,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedElement,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedElement,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedElement,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedElement,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedElement,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedElement,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedElement,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedElement,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedElement,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedElement,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedElement,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedElement,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedElement,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedElement,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedElement,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedElement,
+ SecurityEvent.Event.EncryptedKeyToken,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedElement,
+ };
+ final TestSecurityEventListener securityEventListener = new
TestSecurityEventListener(expectedSecurityEvents);
+
+ Document document = doInboundSecurity(securityProperties,
xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())), securityEventListener);
//header element must still be there
NodeList nodeList =
document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedKey.getNamespaceURI(),
WSSConstants.TAG_xenc_EncryptedKey.getLocalPart());
@@ -333,6 +506,26 @@ public class EncDecryptionTest extends A
//no encrypted content
nodeList =
document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedData.getNamespaceURI(),
WSSConstants.TAG_xenc_EncryptedData.getLocalPart());
Assert.assertEquals(nodeList.getLength(), 0);
+
+ securityEventListener.compare();
+
+ List<SecurityEvent> receivedSecurityEvents =
securityEventListener.getReceivedSecurityEvents();
+ for (int i = 0; i < receivedSecurityEvents.size(); i++) {
+ SecurityEvent securityEvent = receivedSecurityEvents.get(i);
+ if (securityEvent.getSecurityEventType() ==
SecurityEvent.Event.Operation) {
+ OperationSecurityEvent operationSecurityEvent =
(OperationSecurityEvent) securityEvent;
+ Assert.assertEquals(operationSecurityEvent.getOperation(),
new QName("http://schemas.xmlsoap.org/wsdl/";, "definitions"));
+ } else if (securityEvent.getSecurityEventType() ==
SecurityEvent.Event.EncryptedElement) {
+ EncryptedElementSecurityEvent
encryptedElementSecurityEvent = (EncryptedElementSecurityEvent) securityEvent;
+
Assert.assertNotNull(encryptedElementSecurityEvent.getXmlEvent());
+
Assert.assertNotNull(encryptedElementSecurityEvent.getSecurityToken());
+
Assert.assertNotNull(encryptedElementSecurityEvent.getElementPath());
+ final QName expectedElementName = new
QName("http://www.w3.org/1999/XMLSchema";, "simpleType");
+
Assert.assertEquals(encryptedElementSecurityEvent.getXmlEvent().asStartElement().getName(),
expectedElementName);
+
Assert.assertEquals(encryptedElementSecurityEvent.getElementPath().size(), 6);
+
Assert.assertEquals(encryptedElementSecurityEvent.getElementPath().get(encryptedElementSecurityEvent.getElementPath().size()
- 1), expectedElementName);
+ }
+ }
}
}
@@ -361,7 +554,17 @@ public class EncDecryptionTest extends A
WSSSecurityProperties securityProperties = new
WSSSecurityProperties();
securityProperties.loadDecryptionKeystore(this.getClass().getClassLoader().getResource("receiver.jks"),
"default".toCharArray());
securityProperties.setCallbackHandler(new
org.swssf.wss.test.CallbackHandlerImpl());
- Document document = doInboundSecurity(securityProperties,
xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())));
+
+ SecurityEvent.Event[] expectedSecurityEvents = new
SecurityEvent.Event[]{
+ SecurityEvent.Event.Operation,
+ SecurityEvent.Event.X509Token,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.AlgorithmSuite,
+ SecurityEvent.Event.EncryptedPart,
+ };
+ final TestSecurityEventListener securityEventListener = new
TestSecurityEventListener(expectedSecurityEvents);
+
+ Document document = doInboundSecurity(securityProperties,
xmlInputFactory.createXMLStreamReader(new
ByteArrayInputStream(baos.toByteArray())), securityEventListener);
//header element must still be there
NodeList nodeList =
document.getElementsByTagNameNS(WSSConstants.TAG_xenc_EncryptedKey.getNamespaceURI(),
WSSConstants.TAG_xenc_EncryptedKey.getLocalPart());
@@ -371,6 +574,26 @@ public class EncDecryptionTest extends A
//no encrypted content
nodeList =
document.getElementsByTagNameNS(WSSConstants.TAG_wsse11_EncryptedHeader.getNamespaceURI(),
WSSConstants.TAG_wsse11_EncryptedHeader.getLocalPart());
Assert.assertEquals(nodeList.getLength(), 1);
+
+ securityEventListener.compare();
+
+ List<SecurityEvent> receivedSecurityEvents =
securityEventListener.getReceivedSecurityEvents();
+ for (int i = 0; i < receivedSecurityEvents.size(); i++) {
+ SecurityEvent securityEvent = receivedSecurityEvents.get(i);
+ if (securityEvent.getSecurityEventType() ==
SecurityEvent.Event.Operation) {
+ OperationSecurityEvent operationSecurityEvent =
(OperationSecurityEvent) securityEvent;
+ Assert.assertEquals(operationSecurityEvent.getOperation(),
new QName("http://schemas.xmlsoap.org/wsdl/";, "definitions"));
+ } else if (securityEvent.getSecurityEventType() ==
SecurityEvent.Event.EncryptedPart) {
+ EncryptedPartSecurityEvent encryptedPartSecurityEvent =
(EncryptedPartSecurityEvent) securityEvent;
+
Assert.assertNotNull(encryptedPartSecurityEvent.getXmlEvent());
+
Assert.assertNotNull(encryptedPartSecurityEvent.getSecurityToken());
+
Assert.assertNotNull(encryptedPartSecurityEvent.getElementPath());
+ final QName expectedElementName = new
QName("http://www.example.com";, "testEncryptedHeader");
+
Assert.assertEquals(encryptedPartSecurityEvent.getXmlEvent().asStartElement().getName(),
expectedElementName);
+
Assert.assertEquals(encryptedPartSecurityEvent.getElementPath().size(), 3);
+
Assert.assertEquals(encryptedPartSecurityEvent.getElementPath().get(encryptedPartSecurityEvent.getElementPath().size()
- 1), expectedElementName);
+ }
+ }
}
}
Modified:
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/VulnerabliltyVectorsTest.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/VulnerabliltyVectorsTest.java?rev=1299388&r1=1299387&r2=1299388&view=diff
==============================================================================
---
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/VulnerabliltyVectorsTest.java
(original)
+++
webservices/wss4j/branches/swssf/streaming-ws-security/src/test/java/org/swssf/wss/test/VulnerabliltyVectorsTest.java
Sun Mar 11 16:26:42 2012
@@ -158,7 +158,6 @@ public class VulnerabliltyVectorsTest ex
/**
* Since we don't support (yet) external URI refs this shouldn't be a
problem.
* <p/>
- * todo this test modifies signed content. test with encryption uri's or so
*
* @throws Exception
*/
@@ -194,7 +193,7 @@ public class VulnerabliltyVectorsTest ex
Assert.assertNotNull(throwable);
//todo exception should be a WSSecurityException
Assert.assertTrue(throwable instanceof XMLSecurityException);
- Assert.assertTrue(throwable.getMessage().startsWith("The signature
or decryption was invalid (Digest verification failed"));
+ Assert.assertEquals(throwable.getMessage(), "The signature or
decryption was invalid (Some encryption references were not processed...
Probably security header ordering problem?)");
}
}
Modified:
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/impl/processor/input/AbstractDecryptInputProcessor.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/impl/processor/input/AbstractDecryptInputProcessor.java?rev=1299388&r1=1299387&r2=1299388&view=diff
==============================================================================
---
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/impl/processor/input/AbstractDecryptInputProcessor.java
(original)
+++
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/java/org/swssf/xmlsec/impl/processor/input/AbstractDecryptInputProcessor.java
Sun Mar 11 16:26:42 2012
@@ -153,170 +153,165 @@ public abstract class AbstractDecryptInp
//check if the current start-element has the name EncryptedData
and an Id attribute
if
(startElement.getName().equals(XMLSecurityConstants.TAG_xenc_EncryptedData)) {
ReferenceType referenceType = matchesReferenceId(startElement);
- if (referenceType != null) {
- //duplicate id's are forbidden
- if (processedReferences.contains(referenceType)) {
- throw new
XMLSecurityException(XMLSecurityException.ErrorCode.FAILED_CHECK,
"duplicateId");
+ if (referenceType == null) {
+ //if the events were not for us (no matching reference-id
the we have to replay the EncryptedHeader elements)
+ if (!tmpXmlEventList.isEmpty()) {
+ return tmpXmlEventList.pollLast();
}
+ }
+ //duplicate id's are forbidden
+ if (processedReferences.contains(referenceType)) {
+ throw new
XMLSecurityException(XMLSecurityException.ErrorCode.FAILED_CHECK,
"duplicateId");
+ }
- XMLEventNS xmlEventNS = (XMLEventNS) xmlEvent;
- List<ComparableNamespace>[] comparableNamespaceList;
- List<ComparableAttribute>[] comparableAttributeList;
+ XMLEventNS xmlEventNS = (XMLEventNS) xmlEvent;
+ List<ComparableNamespace>[] comparableNamespaceList;
+ List<ComparableAttribute>[] comparableAttributeList;
+
+ if (encryptedHeader) {
+ tmpXmlEventList.clear();
+
//inputProcessorChain.getDocumentContext().removePathElement();
- if (encryptedHeader) {
- tmpXmlEventList.clear();
-
inputProcessorChain.getDocumentContext().removePathElement();
+ comparableNamespaceList =
Arrays.copyOfRange(xmlEventNS.getNamespaceList(), 2,
xmlEventNS.getNamespaceList().length);
+ comparableAttributeList =
Arrays.copyOfRange(xmlEventNS.getAttributeList(), 2,
xmlEventNS.getNamespaceList().length);
+ } else {
+ comparableNamespaceList =
Arrays.copyOfRange(xmlEventNS.getNamespaceList(), 1,
xmlEventNS.getNamespaceList().length);
+ comparableAttributeList =
Arrays.copyOfRange(xmlEventNS.getAttributeList(), 1,
xmlEventNS.getNamespaceList().length);
+ }
+
+ processedReferences.add(referenceType);
- comparableNamespaceList =
Arrays.copyOfRange(xmlEventNS.getNamespaceList(), 2,
xmlEventNS.getNamespaceList().length);
- comparableAttributeList =
Arrays.copyOfRange(xmlEventNS.getAttributeList(), 2,
xmlEventNS.getNamespaceList().length);
+ //the following logic reads the encryptedData structure and
doesn't pass them further
+ //through the chain
+ InputProcessorChain subInputProcessorChain =
inputProcessorChain.createSubChain(this);
+
+ Deque<XMLEvent> xmlEvents = new LinkedList<XMLEvent>();
+ xmlEvents.push(xmlEvent);
+ XMLEvent encryptedDataXMLEvent;
+ int count = 0;
+ do {
+ subInputProcessorChain.reset();
+ if (isSecurityHeaderEvent) {
+ encryptedDataXMLEvent =
subInputProcessorChain.processHeaderEvent();
} else {
- comparableNamespaceList =
Arrays.copyOfRange(xmlEventNS.getNamespaceList(), 1,
xmlEventNS.getNamespaceList().length);
- comparableAttributeList =
Arrays.copyOfRange(xmlEventNS.getAttributeList(), 1,
xmlEventNS.getNamespaceList().length);
+ encryptedDataXMLEvent =
subInputProcessorChain.processEvent();
}
- processedReferences.add(referenceType);
-
- //the following logic reads the encryptedData structure
and doesn't pass them further
- //through the chain
- InputProcessorChain subInputProcessorChain =
inputProcessorChain.createSubChain(this);
-
- Deque<XMLEvent> xmlEvents = new LinkedList<XMLEvent>();
- xmlEvents.push(xmlEvent);
- XMLEvent encryptedDataXMLEvent;
- int count = 0;
- do {
- subInputProcessorChain.reset();
- if (isSecurityHeaderEvent) {
- encryptedDataXMLEvent =
subInputProcessorChain.processHeaderEvent();
- } else {
- encryptedDataXMLEvent =
subInputProcessorChain.processEvent();
- }
-
- xmlEvents.push(encryptedDataXMLEvent);
- if (++count >= 50) {
- throw new
XMLSecurityException(XMLSecurityException.ErrorCode.INVALID_SECURITY);
- }
+ xmlEvents.push(encryptedDataXMLEvent);
+ if (++count >= 50) {
+ throw new
XMLSecurityException(XMLSecurityException.ErrorCode.INVALID_SECURITY);
}
- while (!(encryptedDataXMLEvent.isStartElement()
- &&
encryptedDataXMLEvent.asStartElement().getName().equals(XMLSecurityConstants.TAG_xenc_CipherValue)));
-
-
xmlEvents.push(XMLSecurityConstants.XMLEVENTFACTORY.createEndElement(XMLSecurityConstants.TAG_xenc_CipherValue,
null));
-
xmlEvents.push(XMLSecurityConstants.XMLEVENTFACTORY.createEndElement(XMLSecurityConstants.TAG_xenc_CipherData,
null));
-
xmlEvents.push(XMLSecurityConstants.XMLEVENTFACTORY.createEndElement(XMLSecurityConstants.TAG_xenc_EncryptedData,
null));
-
- EncryptedDataType encryptedDataType;
-
- try {
- Unmarshaller unmarshaller =
XMLSecurityConstants.getJaxbContext().createUnmarshaller();
- JAXBElement<EncryptedDataType>
encryptedDataTypeJAXBElement =
- (JAXBElement<EncryptedDataType>)
unmarshaller.unmarshal(new XMLSecurityEventReader(xmlEvents, 0));
- encryptedDataType =
encryptedDataTypeJAXBElement.getValue();
+ }
+ while (!(encryptedDataXMLEvent.isStartElement()
+ &&
encryptedDataXMLEvent.asStartElement().getName().equals(XMLSecurityConstants.TAG_xenc_CipherValue)));
- } catch (JAXBException e) {
- throw new
XMLSecurityException(XMLSecurityException.ErrorCode.INVALID_SECURITY, e);
- }
+
xmlEvents.push(XMLSecurityConstants.XMLEVENTFACTORY.createEndElement(XMLSecurityConstants.TAG_xenc_CipherValue,
null));
+
xmlEvents.push(XMLSecurityConstants.XMLEVENTFACTORY.createEndElement(XMLSecurityConstants.TAG_xenc_CipherData,
null));
+
xmlEvents.push(XMLSecurityConstants.XMLEVENTFACTORY.createEndElement(XMLSecurityConstants.TAG_xenc_EncryptedData,
null));
+
+ EncryptedDataType encryptedDataType;
+
+ try {
+ Unmarshaller unmarshaller =
XMLSecurityConstants.getJaxbContext().createUnmarshaller();
+ JAXBElement<EncryptedDataType>
encryptedDataTypeJAXBElement =
+ (JAXBElement<EncryptedDataType>)
unmarshaller.unmarshal(new XMLSecurityEventReader(xmlEvents, 0));
+ encryptedDataType =
encryptedDataTypeJAXBElement.getValue();
- KeyInfoType keyInfoType;
- if (this.keyInfoType != null) {
- keyInfoType = this.keyInfoType;
- } else {
- keyInfoType = encryptedDataType.getKeyInfo();
- }
+ } catch (JAXBException e) {
+ throw new
XMLSecurityException(XMLSecurityException.ErrorCode.INVALID_SECURITY, e);
+ }
- final String algorithmURI =
encryptedDataType.getEncryptionMethod().getAlgorithm();
+ KeyInfoType keyInfoType;
+ if (this.keyInfoType != null) {
+ keyInfoType = this.keyInfoType;
+ } else {
+ keyInfoType = encryptedDataType.getKeyInfo();
+ }
- //retrieve the securityToken which must be used for
decryption
- SecurityToken securityToken =
SecurityTokenFactory.newInstance().getSecurityToken(
- keyInfoType,
getSecurityProperties().getDecryptionCrypto(),
- getSecurityProperties().getCallbackHandler(),
inputProcessorChain.getSecurityContext());
-
- handleSecurityToken(securityToken,
inputProcessorChain.getSecurityContext(), encryptedDataType);
- //only fire here ContentEncryptedElementEvents
- //the other ones will be fired later, because we don't
know the encrypted element name yet
- if
(SecurePart.Modifier.Content.getModifier().equals(encryptedDataType.getType()))
{
- handleEncryptedContent(inputProcessorChain,
parentStartXMLEvent, xmlEvent, securityToken);
- }
+ final String algorithmURI =
encryptedDataType.getEncryptionMethod().getAlgorithm();
- Cipher symCipher = null;
- try {
- AlgorithmType symEncAlgo =
JCEAlgorithmMapper.getAlgorithmMapping(algorithmURI);
- symCipher =
Cipher.getInstance(symEncAlgo.getJCEName(), symEncAlgo.getJCEProvider());
- //we have to defer the initialization of the cipher
until we can extract the IV...
- } catch (NoSuchAlgorithmException e) {
- throw new XMLSecurityException(
-
XMLSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, "unsupportedKeyTransp",
- e, "No such algorithm: " + algorithmURI
- );
- } catch (NoSuchPaddingException e) {
- throw new XMLSecurityException(
-
XMLSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, "unsupportedKeyTransp",
- e, "No such padding: " + algorithmURI
- );
- } catch (NoSuchProviderException e) {
- throw new
XMLSecurityException(XMLSecurityException.ErrorCode.FAILURE, "noSecProvider",
e);
- }
+ //retrieve the securityToken which must be used for decryption
+ SecurityToken securityToken =
SecurityTokenFactory.newInstance().getSecurityToken(
+ keyInfoType,
getSecurityProperties().getDecryptionCrypto(),
+ getSecurityProperties().getCallbackHandler(),
inputProcessorChain.getSecurityContext());
+
+ handleSecurityToken(securityToken,
inputProcessorChain.getSecurityContext(), encryptedDataType);
+ //only fire here ContentEncryptedElementEvents
+ //the other ones will be fired later, because we don't know
the encrypted element name yet
+ if
(SecurePart.Modifier.Content.getModifier().equals(encryptedDataType.getType()))
{
+ handleEncryptedContent(inputProcessorChain,
parentStartXMLEvent, xmlEvent, securityToken);
+ }
- //create a new Thread for streaming decryption
- DecryptionThread decryptionThread = new
DecryptionThread(subInputProcessorChain, isSecurityHeaderEvent, xmlEventNS);
-
decryptionThread.setSecretKey(securityToken.getSecretKey(algorithmURI,
XMLSecurityConstants.Enc));
- decryptionThread.setSymmetricCipher(symCipher);
+ Cipher symCipher = null;
+ try {
+ AlgorithmType symEncAlgo =
JCEAlgorithmMapper.getAlgorithmMapping(algorithmURI);
+ symCipher = Cipher.getInstance(symEncAlgo.getJCEName(),
symEncAlgo.getJCEProvider());
+ //we have to defer the initialization of the cipher until
we can extract the IV...
+ } catch (NoSuchAlgorithmException e) {
+ throw new XMLSecurityException(
+
XMLSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, "unsupportedKeyTransp",
+ e, "No such algorithm: " + algorithmURI
+ );
+ } catch (NoSuchPaddingException e) {
+ throw new XMLSecurityException(
+
XMLSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM, "unsupportedKeyTransp",
+ e, "No such padding: " + algorithmURI
+ );
+ } catch (NoSuchProviderException e) {
+ throw new
XMLSecurityException(XMLSecurityException.ErrorCode.FAILURE, "noSecProvider",
e);
+ }
- Thread receiverThread = new Thread(decryptionThread);
- receiverThread.setName("decrypting thread");
+ //create a new Thread for streaming decryption
+ DecryptionThread decryptionThread = new
DecryptionThread(subInputProcessorChain, isSecurityHeaderEvent, xmlEventNS);
+
decryptionThread.setSecretKey(securityToken.getSecretKey(algorithmURI,
XMLSecurityConstants.Enc));
+ decryptionThread.setSymmetricCipher(symCipher);
- AbstractDecryptedEventReaderInputProcessor
decryptedEventReaderInputProcessor = newDecryptedEventReaderInputProccessor(
- encryptedHeader, comparableNamespaceList,
comparableAttributeList, encryptedDataType, securityToken
- );
+ Thread receiverThread = new Thread(decryptionThread);
+ receiverThread.setName("decrypting thread");
- //add the new created EventReader processor to the chain.
-
inputProcessorChain.addProcessor(decryptedEventReaderInputProcessor);
+ AbstractDecryptedEventReaderInputProcessor
decryptedEventReaderInputProcessor = newDecryptedEventReaderInputProccessor(
+ encryptedHeader, comparableNamespaceList,
comparableAttributeList, encryptedDataType, securityToken
+ );
-
inputProcessorChain.getDocumentContext().setIsInEncryptedContent(inputProcessorChain.getProcessors().indexOf(decryptedEventReaderInputProcessor),
decryptedEventReaderInputProcessor);
+ //add the new created EventReader processor to the chain.
+
inputProcessorChain.addProcessor(decryptedEventReaderInputProcessor);
- //when an exception in the decryption thread occurs, we
want to forward them:
-
receiverThread.setUncaughtExceptionHandler(decryptedEventReaderInputProcessor);
+
inputProcessorChain.getDocumentContext().setIsInEncryptedContent(inputProcessorChain.getProcessors().indexOf(decryptedEventReaderInputProcessor),
decryptedEventReaderInputProcessor);
- //we have to start the thread before we call
decryptionThread.getPipedInputStream().
- //Otherwise we will end in a deadlock, because the StAX
reader expects already data.
- //@See some lines below:
- logger.debug("Starting decryption thread");
- receiverThread.start();
+ //when an exception in the decryption thread occurs, we want
to forward them:
+
receiverThread.setUncaughtExceptionHandler(decryptedEventReaderInputProcessor);
-
inputProcessorChain.getDocumentContext().removePathElement();
+ //we have to start the thread before we call
decryptionThread.getPipedInputStream().
+ //Otherwise we will end in a deadlock, because the StAX reader
expects already data.
+ //@See some lines below:
+ logger.debug("Starting decryption thread");
+ receiverThread.start();
- //spec says (4.2): "The cleartext octet sequence obtained
in step 3 is interpreted as UTF-8 encoded character data."
- XMLEventReader xmlEventReader =
-
inputProcessorChain.getSecurityContext().<XMLInputFactory>get(
-
XMLSecurityConstants.XMLINPUTFACTORY).createXMLEventReader(decryptionThread.getPipedInputStream(),
- "UTF-8");
+ inputProcessorChain.getDocumentContext().removePathElement();
- //forward to wrapper element
- XMLEvent tmpXmlEvent;
- do {
- tmpXmlEvent = xmlEventReader.nextEvent();
- }
- while (!(tmpXmlEvent.isStartElement() &&
tmpXmlEvent.asStartElement().getName().equals(wrapperElementName)));
+ //spec says (4.2): "The cleartext octet sequence obtained in
step 3 is interpreted as UTF-8 encoded character data."
+ XMLEventReader xmlEventReader =
+
inputProcessorChain.getSecurityContext().<XMLInputFactory>get(
+
XMLSecurityConstants.XMLINPUTFACTORY).createXMLEventReader(decryptionThread.getPipedInputStream(),
+ "UTF-8");
+
+ //forward to wrapper element
+ XMLEvent tmpXmlEvent;
+ do {
+ tmpXmlEvent = xmlEventReader.nextEvent();
+ }
+ while (!(tmpXmlEvent.isStartElement() &&
tmpXmlEvent.asStartElement().getName().equals(wrapperElementName)));
-
decryptedEventReaderInputProcessor.setXmlEventReader(xmlEventReader);
+
decryptedEventReaderInputProcessor.setXmlEventReader(xmlEventReader);
- if (isSecurityHeaderEvent) {
- return
decryptedEventReaderInputProcessor.processNextHeaderEvent(inputProcessorChain);
- } else {
- return
decryptedEventReaderInputProcessor.processNextEvent(inputProcessorChain);
- }
+ if (isSecurityHeaderEvent) {
+ return
decryptedEventReaderInputProcessor.processNextHeaderEvent(inputProcessorChain);
+ } else {
+ return
decryptedEventReaderInputProcessor.processNextEvent(inputProcessorChain);
}
}
}
- if (!tmpXmlEventList.isEmpty()) {
- xmlEvent = tmpXmlEventList.pollLast();
- if (xmlEvent.isStartElement()) {
-
inputProcessorChain.getDocumentContext().addPathElement(xmlEvent.asStartElement().getName());
- } else if (xmlEvent.isEndElement()) {
- inputProcessorChain.getDocumentContext().removePathElement();
- }
- return xmlEvent;
- }
if (xmlEvent.isStartElement()) {
parentStartXMLEvent = xmlEvent;
}
Modified:
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/resources/messages/errors.properties
URL:
http://svn.apache.org/viewvc/webservices/wss4j/branches/swssf/streaming-xml-security/src/main/resources/messages/errors.properties?rev=1299388&r1=1299387&r2=1299388&view=diff
==============================================================================
---
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/resources/messages/errors.properties
(original)
+++
webservices/wss4j/branches/swssf/streaming-xml-security/src/main/resources/messages/errors.properties
Sun Mar 11 16:26:42 2012
@@ -114,8 +114,8 @@ aliasIsNull = alias is null
keyError = Key error: {0}
unexpectedEndOfXML = Unexpected end of XML
notAStartElement = Current element is not a start element
-unprocessedEncryptionReferences = Some encryption references where not
processed... Probably security header ordering problem?
-unprocessedSignatureReferences = Some signature references where not
processed... Probably security header ordering problem?
+unprocessedEncryptionReferences = Some encryption references were not
processed... Probably security header ordering problem?
+unprocessedSignatureReferences = Some signature references were not
processed... Probably security header ordering problem?
duplicateId = Duplicate id encountered!
unexpectedXMLEvent = "Unexpected event: {0}
notASOAPMessage = Request is not a valid SOAP Message
