Using Policy configuration - a SOAP Message cannot be Encrypted only. 
----------------------------------------------------------------------

                 Key: RAMPART-31
                 URL: https://issues.apache.org/jira/browse/RAMPART-31
             Project: Rampart
          Issue Type: Bug
          Components: rampart-core
    Affects Versions: 1.1
            Reporter: Ric Emery


Unless I am mistaken, AsymmetricBindingBuilder does not support encrypting a 
SOAP message without also signing it: it assumes that a signature will always 
be applied. Logically I would expect that leaving the sp:SignedParts element 
and/or the sp:InitiatorToken element out of the policy would produce a message 
that is encrypted (assuming the policy configures encryption) but not signed. 
In practice, leaving the InitiatorToken out of the policy results in a 
NullPointerException, and leaving out sp:SignedParts does not disable 
signatures. I modified AsymmetricBindingBuilder.java to allow encryption 
without signatures; being new to the code base I am not sure that this is the 
correct fix. (Note that an encrypt-only message carries no integrity or 
origin-authentication protection, so a policy should omit signing only 
deliberately.)
 I modified the build method to call a new helper that determines whether 
signatures are disabled, and added a doEncrypt method that performs encryption 
only. I can submit a diff in the proper format if requested.

Thanks

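  /**
   * Applies the asymmetric-binding protections selected by the policy to the
   * outgoing message.
   *
   * <p>Order of operations: an optional Timestamp first, then exactly one of
   * encryption only (no signature at all), encrypt-before-sign, or
   * sign-before-encrypt, chosen from the policy data.
   *
   * <p>Security note: the encrypt-only branch is taken whenever
   * {@link #shouldEncryptOnly} reports that the policy names nothing to sign.
   * A message produced that way has confidentiality but no integrity or
   * origin-authentication guarantee: the recipient cannot tell who built it or
   * whether it was altered in transit. A policy should reach this branch only
   * on purpose, never because sp:SignedParts was forgotten.
   *
   * @param rmd message data carrying the document and the resolved policy
   * @throws RampartException if any protection step fails
   */
  public void build(RampartMessageData rmd) throws RampartException {
      log.debug("AsymmetricBindingBuilder build invoked");

      RampartPolicyData rpd = rmd.getPolicyData();
      if (rpd.isIncludeTimestamp()) {
          this.addTimestamp(rmd);
      }

      if (shouldEncryptOnly(rmd)) {
          // Policy names nothing to sign: encrypt and skip signing entirely.
          this.doEncrypt(rmd);
      } else if (Constants.ENCRYPT_BEFORE_SIGNING.equals(rpd.getProtectionOrder())) {
          this.doEncryptBeforeSig(rmd);
      } else {
          this.doSignBeforeEncrypt(rmd);
      }

      log.debug("AsymmetricBindingBuilder build invoked : DONE");
  }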

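        /**
         * Reports whether the policy asks for encryption without any signature.
         *
         * <p>The decision is made solely from the signed-parts policy: the body
         * is not marked for signing and no other signed parts are listed. It
         * does not consult the initiator token or any other signature-related
         * assertion, so a policy that carries an sp:InitiatorToken but lists
         * nothing to sign is still treated as encrypt-only.
         * TODO(review): confirm this is the intended reading of such policies;
         * if other signature assertions must keep signing enabled, they need to
         * be checked here too.
         *
         * <p>Security note: returning {@code true} removes integrity and
         * origin-authentication protection from the outgoing message, so a
         * missing sp:SignedParts silently downgrades the message rather than
         * failing.
         *
         * @param rmd message data whose policy is inspected
         * @return {@code true} if the policy names nothing to sign
         */
        private boolean shouldEncryptOnly(RampartMessageData rmd) {
            RampartPolicyData rampartPolicyData = rmd.getPolicyData();
            if (rampartPolicyData.isSignBody()) {
                return false;
            }
            Vector parts = rampartPolicyData.getSignedParts();
            return parts == null || parts.isEmpty();
        }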

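        /**
         * Encrypts the policy's encrypted parts without adding any signature.
         *
         * <p>Used by {@link #build} when the policy names nothing to sign. The
         * recipient token is the encryption token; depending on it, the parts
         * are encrypted either under a derived key (a DerivedKeyToken referencing
         * the EncryptedKey set up by {@code setupEncryptedKey}) or directly with
         * a symmetric key wrapped in an EncryptedKey element. The resulting
         * ReferenceList is appended to the Security header.
         *
         * <p>Security notes:
         * <ul>
         *   <li>No signature is produced here, so the message has confidentiality
         *       only: the recipient cannot verify origin or detect tampering of
         *       the ciphertext or of any unencrypted part.</li>
         *   <li>If the policy lists no encrypted parts the method returns without
         *       touching the message, which in the encrypt-only flow means the
         *       message leaves with no protection at all. This is logged at
         *       debug level so a misconfigured policy is at least visible.</li>
         * </ul>
         *
         * @param rmd message data carrying the document, policy and config
         * @throws RampartException if the policy names encrypted parts but no
         *         recipient token ({@code encryptionTokenMissing}), or if key
         *         setup or encryption fails
         */
        private void doEncrypt(RampartMessageData rmd) throws RampartException {
            RampartPolicyData rpd = rmd.getPolicyData();
            Document doc = rmd.getDocument();
            RampartConfig config = rpd.getRampartConfig();

            // The recipient token decides how the parts are encrypted.
            Token encryptionToken = rpd.getRecipientToken();
            Vector encrParts = RampartUtil.getEncryptedParts(rmd);

            if (encrParts.size() == 0) {
                // Nothing to encrypt (and nothing was signed): the message is left as is.
                log.debug("doEncrypt: policy lists no encrypted parts, message left unprotected");
                return;
            }
            if (encryptionToken == null) {
                throw new RampartException("encryptionTokenMissing");
            }

            Element refList = null;
            if (encryptionToken.isDerivedKeys()) {
                try {
                    this.setupEncryptedKey(rmd, encryptionToken);
                    // Derive the encryption key from the EncryptedKey just set up.
                    WSSecDKEncrypt dkEncr = new WSSecDKEncrypt();
                    dkEncr.setParts(encrParts);
                    dkEncr.setExternalKey(this.encryptedKeyValue, this.encryptedKeyId);
                    dkEncr.prepare(doc);

                    // Add the DerivedKeyToken to the Security header.
                    this.encrDKTElement = dkEncr.getdktElement();
                    RampartUtil.appendChildToSecHeader(rmd, this.encrDKTElement);

                    refList = dkEncr.encryptForExternalRef(null, encrParts);
                } catch (WSSecurityException e) {
                    throw new RampartException("errorCreatingEncryptedKey", e);
                } catch (ConversationException e) {
                    throw new RampartException("errorInDKEncr", e);
                }
            } else {
                try {
                    WSSecEncrypt encr = new WSSecEncrypt();
                    encr.setParts(encrParts);
                    encr.setWsConfig(rmd.getConfig());
                    encr.setDocument(doc);
                    RampartUtil.setEncryptionUser(rmd, encr);
                    // Algorithms come from the policy's algorithm suite, not from defaults.
                    encr.setSymmetricEncAlgorithm(rpd.getAlgorithmSuite().getEncryption());
                    encr.setKeyEncAlgo(rpd.getAlgorithmSuite().getAsymmetricKeyWrap());
                    encr.prepare(doc, RampartUtil.getEncryptionCrypto(config,
                            rmd.getCustomClassLoader()));

                    // The recipient certificate may be carried as a BinarySecurityToken.
                    Element bstElem = encr.getBinarySecurityTokenElement();
                    if (bstElem != null) {
                        RampartUtil.appendChildToSecHeader(rmd, bstElem);
                    }

                    this.encrTokenElement = encr.getEncryptedKeyElement();
                    this.encrTokenElement = RampartUtil.appendChildToSecHeader(rmd,
                            encrTokenElement);

                    refList = encr.encryptForExternalRef(null, encrParts);
                } catch (WSSecurityException e) {
                    throw new RampartException("errorInEncryption", e);
                }
            }

            RampartUtil.appendChildToSecHeader(rmd, refList);

            // NOTE(review): in the derived-key branch encrTokenElement is only
            // populated if setupEncryptedKey(...) assigns it — confirm; otherwise
            // the insertion location set here is null or stale.
            this.setInsertionLocation(encrTokenElement);
        }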


