jrihtarsic commented on code in PR #264:
URL: https://github.com/apache/ws-wss4j/pull/264#discussion_r1466275384


##########
ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java:
##########
@@ -357,6 +364,106 @@ private static byte[] getAsymmetricDecryptedBytes(
         }
     }
 
+    /**
+     * Method decrypts encryptedEphemeralKey using Key Agreement algorithm to 
derive symmetric key
+     * for decryption of the key.
+     *
+     * @param data RequestData context
+     * @param agreementMethod AgreementMethod element
+     * @param encryptedKeyTransportMethod Algorithm used to encrypt the key
+     * @param encryptedEphemeralKey Encrypted ephemeral/transport key
+     * @param privateKey Private key of the recipient
+     * @return Decrypted bytes of the ephemeral/transport key
+     * @throws WSSecurityException if the key decryption fails
+     */
+    private static byte[] getDiffieHellmanDecryptedBytes(
+            RequestData data,
+            AgreementMethod agreementMethod,
+            String encryptedKeyTransportMethod,
+            byte[] encryptedEphemeralKey,
+            PrivateKey privateKey
+    ) throws WSSecurityException {
+
+        SecretKey kek;
+        try {
+            KeyAgreementParameters parameterSpec = 
XMLCipherUtil.constructRecipientKeyAgreementParameters(
+                    encryptedKeyTransportMethod, agreementMethod, privateKey);
+
+            kek = 
org.apache.xml.security.utils.KeyUtils.aesWrapKeyWithDHGeneratedKey(parameterSpec);
+        } catch (XMLSecurityException ex) {
+            LOG.debug("Error occurred while resolving the Diffie Hellman key: 
" + ex.getMessage());
+            throw new 
WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, ex);
+        }
+
+        String cryptoProvider = data.getDecCrypto().getCryptoProvider();
+        Cipher cipher = 
KeyUtils.getCipherInstance(encryptedKeyTransportMethod, cryptoProvider);
+
+        try {
+            cipher.init(Cipher.UNWRAP_MODE, kek);
+            String keyAlgorithm = 
JCEMapper.translateURItoJCEID(encryptedKeyTransportMethod);
+            return cipher.unwrap(encryptedEphemeralKey, keyAlgorithm, 
Cipher.SECRET_KEY).getEncoded();
+        } catch (InvalidKeyException | NoSuchAlgorithmException ex) {
+            throw new 
WSSecurityException(WSSecurityException.ErrorCode.FAILED_CHECK, ex);
+        }
+    }
+
+    /**
+     * if keyInfo element contains AgreementMethod element then check if it is 
supported EC Diffie-Hellman key agreement algorithm
+     *
+     * @param keyInfoChildElement The KeyInfo child element
+     * @return true if AgreementMethod element is present and DH algorithm 
supported and false if AgreementMethod element is not present
+     * @throws WSSecurityException if AgreementMethod element is present but 
DH algorithm is not supported
+     */
+    private boolean isDiffieHellmanKeyWrap(Element keyInfoChildElement) throws 
WSSecurityException {
+        if 
(EncryptionConstants._TAG_AGREEMENTMETHOD.equals(keyInfoChildElement.getLocalName())
+                && 
WSConstants.ENC_NS.equals(keyInfoChildElement.getNamespaceURI())) {
+            String algorithmURI = keyInfoChildElement.getAttributeNS(null, 
"Algorithm");
+            // Only ECDH_ES is supported for AgreementMethod
+            if (!WSConstants.AGREEMENT_METHOD_ECDH_ES.equals(algorithmURI)) {
+                throw new WSSecurityException(
+                        WSSecurityException.ErrorCode.UNSUPPORTED_ALGORITHM,
+                        "unknownAlgorithm", new Object[]{algorithmURI});
+            }
+            return true;
+        }
+        return false;
+    }
+
+    /**
+     * Parse keyInfo content to AgreementMethod object.
+     *
+     * @param keyInfoChildElement The KeyInfo child element containing 
AgreementMethod data.
+     * @return the {@link AgreementMethod} object.
+     * @throws WSSecurityException if AgreementMethod element is invalid.
+     */
+    private AgreementMethod getAgreementMethodFromElement(Element 
keyInfoChildElement) throws WSSecurityException {
+        try {
+            return new AgreementMethodImpl(keyInfoChildElement);
+        } catch (XMLSecurityException ex) {
+            throw new 
WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY, ex);
+        }
+    }
+
+    /**
+     * Get the RecipientKeyInfo child element from the AgreementMethod element.
+     *
+     * @param agreementMethod The AgreementMethod element
+     * @return the RecipientKeyInfo child element which contains the 
recipient's public key.
+     * @throws WSSecurityException if the agreementMethod is null or 
RecipientKeyInfo element can not be retrieved.
+     */
+    private Element getRecipientKeyInfoChildElement(AgreementMethod 
agreementMethod) throws WSSecurityException {
+        try {
+            RecipientKeyInfo recipientKeyInfo = 
agreementMethod.getRecipientKeyInfo();
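Review bot: In getDiffieHellmanDecryptedBytes the `keyAlgorithm` handed to `cipher.unwrap` is translated from `encryptedKeyTransportMethod`, which is the key-wrap URI, so the unwrapped key appears to be labelled with the wrap algorithm and not with the algorithm of the key it carries. Only `getEncoded()` is read, so the label looks harmless here, but a comment such as `// algorithm label is not used: only the raw key bytes are returned` would stop a later change from reusing the SecretKey object as-is. Separately, the debug statement in the first catch block concatenates `ex.getMessage()` and drops the stack trace; `LOG.debug("Error occurred while resolving the Diffie Hellman key", ex);` would keep it, assuming LOG is an SLF4J logger. The quoted hunk stops inside getRecipientKeyInfoChildElement, so that method is not covered by this note.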

Review Comment:
   The way it is used no, because method 
   (line 155) 
   agreementMethod = getAgreementMethodFromElement(keyInfoChildElement);
   always returns object or it throws an error. 
   
   Anyhow, I added an additional validation check to make the code more robust for 
future development/code changes.   
   


