jrihtarsic commented on code in PR #264: URL: https://github.com/apache/ws-wss4j/pull/264#discussion_r1465210651
########## ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java: ########## 
@@ -357,6 +358,102 @@ private static byte[] getAsymmetricDecryptedBytes(
 }
 }
+ /**
+ * Method decrypts encryptedEphemeralKey using Key Agreement algorithm to derive symmetric key
+ * for decryption of the key.
+ *
+ * @param data RequestData context
+ * @param agreementMethod AgreementMethod element
+ * @param encryptedKeyTransportMethod Algorithm used to encrypt the key
+ * @param encryptedEphemeralKey Encrypted ephemeral/transport key
+ * @param privateKey Private key of the recipient
+ * @return Decrypted bytes of the ephemeral/transport key
+ * @throws WSSecurityException if the key decryption fails
+ */
+ private static byte[] getDiffieHellmanDecryptedBytes(
+ RequestData data,
+ AgreementMethod agreementMethod,
+ String encryptedKeyTransportMethod,
+ byte[] encryptedEphemeralKey,
+ PrivateKey privateKey
+ ) throws WSSecurityException {
+
+ SecretKey kek;
+ try {
+ KeyAgreementParameters parameterSpec = XMLCipherUtil.constructRecipientKeyAgreementParameters(
+ encryptedKeyTransportMethod, agreementMethod, privateKey);
+
+ kek = org.apache.xml.security.utils.KeyUtils.aesWrapKeyWithDHGeneratedKey(parameterSpec);
+ } catch (XMLSecurityException ex) {
+ LOG.debug("Error occurred while resolving the Diffie Hellman key: " + ex.getMessage());
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, ex);
+ }
+
+ String cryptoProvider = data.getDecCrypto().getCryptoProvider();
+ Cipher cipher = KeyUtils.getCipherInstance(encryptedKeyTransportMethod, cryptoProvider);
+
+ try {
+ cipher.init(Cipher.UNWRAP_MODE, kek);
+ String keyAlgorithm = JCEMapper.translateURItoJCEID(encryptedKeyTransportMethod);
+ return cipher.unwrap(encryptedEphemeralKey, keyAlgorithm, Cipher.SECRET_KEY).getEncoded();
+ } catch (InvalidKeyException | NoSuchAlgorithmException ex) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, ex);
+ }
+ }
+
+ /**
+ * if keyInfo element contains AgreementMethod element then check if it is supported EC Diffie-Hellman key agreement algorithm
+ *
+ * @param keyInfoChildElement The KeyInfo child element
+ * @return true if AgreementMethod element is present and DH algorithm supported and false if AgreementMethod element is not present
+ * @throws WSSecurityException if AgreementMethod element is present but DH algorithm is not supported
+ */
+ private boolean isDiffieHellmanKeyWrap(Element keyInfoChildElement) throws WSSecurityException {
+ if (EncryptionConstants._TAG_AGREEMENTMETHOD.equals(keyInfoChildElement.getLocalName())
+ && WSConstants.ENC_NS.equals(keyInfoChildElement.getNamespaceURI())) {
+ String algorithmURI = keyInfoChildElement.getAttributeNS(null, "Algorithm");
+ // Only ECDH_ES is supported for AgreementMethod
+ if (!WSConstants.AGREEMENT_METHOD_ECDH_ES.equals(algorithmURI)) {
+ throw new WSSecurityException(
+ WSSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM,
+ "unknownAlgorithm", new Object[]{algorithmURI});
+ }
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ * Parse keyInfo content to AgreementMethod object.
+ *
+ * @param keyInfoChildElement The KeyInfo child element containing AgreementMethod data.
+ * @return the {@link AgreementMethod} object.
+ * @throws WSSecurityException if AgreementMethod element is invalid.
+ */
+ private AgreementMethod getAgreementMethodFromElement(Element keyInfoChildElement) throws WSSecurityException {
+ try {
+ return new AgreementMethodImpl(keyInfoChildElement);
+ } catch (XMLSecurityException ex) {
+ throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, ex);
+ }
+ }
+
+ /**
+ * Get the RecipientKeyInfo child element from the AgreementMethod element.
+ *
+ * @param agreementMethod The AgreementMethod element
+ * @return the RecipientKeyInfo child element which contains the recipient's public key.
+ * @throws WSSecurityException if the RecipientKeyInfo element can not be retrieved.
+ */
+ private Element getRecipientKeyInfoChildElement(AgreementMethod agreementMethod) throws WSSecurityException {
+ try {
+ Element receiverKeyInfoElement = agreementMethod.getRecipientKeyInfo().getElement();
Review Comment: Extra space removed. And since I was on task, I also removed several other extra spaces.. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@ws.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@ws.apache.org For additional commands, e-mail: dev-h...@ws.apache.org
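Review bot: `getDiffieHellmanDecryptedBytes` returns `cipher.unwrap(...).getEncoded()` directly, and `Key.getEncoded()` returns null when the key does not support encoding. Because the cipher comes from whichever provider `data.getDecCrypto().getCryptoProvider()` names, a provider that keeps unwrapped keys non-extractable would presumably make this method hand back null rather than fail, although the Javadoc promises the decrypted bytes. I would hold the result in a local and reject null with the same error code the other failure paths use: `byte[] keyBytes = cipher.unwrap(encryptedEphemeralKey, keyAlgorithm, Cipher.SECRET_KEY).getEncoded();` followed by `if (keyBytes == null) { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK); }` and `return keyBytes;`. The quoted hunk stops inside `getRecipientKeyInfoChildElement`, so that method's body is not covered by this note.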