This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch wss4j_2.3.0 in repository https://gitbox.apache.org/repos/asf/cxf.git
commit b95933aaa1e00149c12d714d01b6d925cbc3ee4c Author: Colm O hEigeartaigh <cohei...@apache.org> AuthorDate: Tue Jan 29 17:11:03 2019 +0000 Picking up changes to symmetricKey in WSSEcEncryptedKey --- .../saml/sso/AbstractSAMLCallbackHandler.java | 11 +- .../policyhandlers/AbstractBindingBuilder.java | 7 +- .../policyhandlers/AsymmetricBindingHandler.java | 256 +++++++++++--------- .../policyhandlers/SymmetricBindingHandler.java | 261 ++++++++++++--------- .../policyhandlers/TransportBindingHandler.java | 12 +- .../wss4j/saml/AbstractSAMLCallbackHandler.java | 8 +- .../cxf/sts/operation/AbstractOperation.java | 14 +- .../sts/token/provider/DefaultSubjectProvider.java | 16 +- .../cxf/sts/token/provider/TokenProviderUtils.java | 10 +- .../cxf/sts/operation/IssueSamlUnitTest.java | 10 +- 10 files changed, 358 insertions(+), 247 deletions(-) diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java index 35d3deb..e473bdf 100644 --- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java +++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java @@ -23,6 +23,8 @@ import java.security.cert.X509Certificate; import java.util.Collections; import java.util.List; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; import javax.security.auth.callback.CallbackHandler; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; @@ -43,6 +45,7 @@ import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER; import org.apache.wss4j.common.saml.bean.SubjectBean; import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean; import org.apache.wss4j.common.saml.bean.SubjectLocalityBean; +import org.apache.wss4j.common.util.KeyUtils; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.message.WSSecEncryptedKey; import org.joda.time.DateTime; @@ -212,8 +215,12 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler { WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc); encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL); encrKey.setUseThisCert(certs[0]); - encrKey.prepare(null); - ephemeralKey = encrKey.getSymmetricKey().getEncoded(); + + KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_128); + SecretKey symmetricKey = keyGen.generateKey(); + + encrKey.prepare(null, symmetricKey); + ephemeralKey = symmetricKey.getEncoded(); Element encryptedKeyElement = encrKey.getEncryptedKeyElement(); // Append the EncryptedKey to a KeyInfo element diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java index 945755a..5800336 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java @@ -35,6 +35,7 @@ import java.util.concurrent.ConcurrentHashMap; import java.util.logging.Level; import java.util.logging.Logger; +import javax.crypto.SecretKey; import javax.security.auth.callback.CallbackHandler; import javax.xml.XMLConstants; import javax.xml.crypto.dsig.Reference; @@ -1501,7 +1502,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle return null; } - protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractToken token) throws WSSecurityException { + protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractToken token, + SecretKey symmetricKey) throws WSSecurityException { WSSecEncryptedKey encrKey = new WSSecEncryptedKey(secHeader); encrKey.setIdAllocator(wssConfig.getIdAllocator()); encrKey.setCallbackLookup(callbackLookup); @@ -1522,11 +1524,10 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle String encrUser = setEncryptionUser(encrKey, token, false, crypto); AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType(); - encrKey.setSymmetricEncAlgorithm(algType.getEncryption()); encrKey.setKeyEncAlgo(algType.getAsymmetricKeyWrap()); encrKey.setMGFAlgorithm(algType.getMGFAlgo()); - encrKey.prepare(crypto); + encrKey.prepare(crypto, symmetricKey); if (alsoIncludeToken) { X509Certificate encCert = getEncryptCert(crypto, encrUser); diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java index 40d6ee4..5806b3e 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java @@ -28,6 +28,8 @@ import java.util.List; import java.util.logging.Level; import java.util.logging.Logger; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; import javax.xml.crypto.dsig.Reference; import javax.xml.namespace.QName; import javax.xml.soap.SOAPException; @@ -54,6 +56,7 @@ import org.apache.wss4j.common.crypto.Crypto; import org.apache.wss4j.common.derivedKey.ConversationConstants; import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.saml.SamlAssertionWrapper; +import org.apache.wss4j.common.util.KeyUtils; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.engine.WSSConfig; import org.apache.wss4j.dom.engine.WSSecurityEngineResult; @@ -224,12 +227,21 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { encToken = abinding.getInitiatorToken(); } } - doEncryption(encToken, enc, false); + if (encToken != null) { + if (encToken.getToken() != null && !enc.isEmpty()) { + if (encToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) { + doEncryptionDerived(encToken, enc); + } else { + String symEncAlgorithm = abinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption(); + KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm); + SecretKey symmetricKey = keyGen.generateKey(); + doEncryption(encToken, enc, false, symmetricKey); + } + } assertTokenWrapper(encToken); assertToken(encToken.getToken()); } - } catch (Exception e) { String reason = e.getMessage(); LOG.log(Level.WARNING, "Sign before encryption failed due to : " + reason); @@ -333,9 +345,21 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { } WSSecBase encrBase = null; + SecretKey symmetricKey = null; if (encryptionToken != null && !encrParts.isEmpty()) { - encrBase = doEncryption(wrapper, encrParts, true); - handleEncryptedSignedHeaders(encrParts, sigParts); + if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) { + encrBase = doEncryptionDerived(wrapper, encrParts); + } else { + String symEncAlgorithm = abinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption(); + try { + KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm); + symmetricKey = keyGen.generateKey(); + encrBase = doEncryption(wrapper, encrParts, true, symmetricKey); + } catch (WSSecurityException ex) { + LOG.log(Level.FINE, ex.getMessage(), ex); + throw new Fault(ex); + } + } } if (!isRequestor()) { @@ -369,12 +393,14 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { } if (encrBase != null) { - encryptTokensInSecurityHeader(encryptionToken, encrBase); + encryptTokensInSecurityHeader(encryptionToken, encrBase, symmetricKey); } } - private void encryptTokensInSecurityHeader(AbstractToken encryptionToken, WSSecBase encrBase) { + private void encryptTokensInSecurityHeader(AbstractToken encryptionToken, + WSSecBase encrBase, + SecretKey symmetricKey) { List<WSEncryptionPart> secondEncrParts = new ArrayList<>(); // Check for signature protection @@ -428,7 +454,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { } else { this.insertBeforeBottomUp(secondRefList); } - ((WSSecEncrypt)encrBase).encryptForRef(secondRefList, secondEncrParts); + ((WSSecEncrypt)encrBase).encryptForRef(secondRefList, secondEncrParts, symmetricKey); } catch (WSSecurityException ex) { LOG.log(Level.FINE, ex.getMessage(), ex); @@ -439,125 +465,121 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { private WSSecBase doEncryption(AbstractTokenWrapper recToken, List<WSEncryptionPart> encrParts, - boolean externalRef) { - //Do encryption - if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) { - AbstractToken encrToken = recToken.getToken(); - assertPolicy(recToken); - assertPolicy(encrToken); - AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite(); - if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) { - return doEncryptionDerived(recToken, encrToken, encrParts, algorithmSuite); - } - try { - WSSecEncrypt encr = new WSSecEncrypt(secHeader); - encr.setEncryptionSerializer(new StaxSerializer()); - encr.setIdAllocator(wssConfig.getIdAllocator()); - encr.setCallbackLookup(callbackLookup); - encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message)); - encr.setStoreBytesInAttachment(storeBytesInAttachment); - encr.setExpandXopInclude(isExpandXopInclude()); - encr.setWsDocInfo(wsDocInfo); - - Crypto crypto = getEncryptionCrypto(); - - SecurityToken securityToken = getSecurityToken(); - if (!isRequestor() && securityToken != null - && recToken.getToken() instanceof SamlToken) { - String tokenType = securityToken.getTokenType(); - if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) - || WSS4JConstants.SAML_NS.equals(tokenType)) { - encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE); - encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); - encr.setCustomEKTokenId(securityToken.getId()); - } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) - || WSS4JConstants.SAML2_NS.equals(tokenType)) { - encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE); - encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); - encr.setCustomEKTokenId(securityToken.getId()); - } else { - setKeyIdentifierType(encr, encrToken); - } + boolean externalRef, + SecretKey symmetricKey) { + AbstractToken encrToken = recToken.getToken(); + assertPolicy(recToken); + assertPolicy(encrToken); + try { + WSSecEncrypt encr = new WSSecEncrypt(secHeader); + encr.setEncryptionSerializer(new StaxSerializer()); + encr.setIdAllocator(wssConfig.getIdAllocator()); + encr.setCallbackLookup(callbackLookup); + encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message)); + encr.setStoreBytesInAttachment(storeBytesInAttachment); + encr.setExpandXopInclude(isExpandXopInclude()); + encr.setWsDocInfo(wsDocInfo); + + Crypto crypto = getEncryptionCrypto(); + + SecurityToken securityToken = getSecurityToken(); + if (!isRequestor() && securityToken != null + && recToken.getToken() instanceof SamlToken) { + String tokenType = securityToken.getTokenType(); + if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) + || WSS4JConstants.SAML_NS.equals(tokenType)) { + encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE); + encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); + encr.setCustomEKTokenId(securityToken.getId()); + } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) + || WSS4JConstants.SAML2_NS.equals(tokenType)) { + encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE); + encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); + encr.setCustomEKTokenId(securityToken.getId()); } else { setKeyIdentifierType(encr, encrToken); } - // - // Using a stored cert is only suitable for the Issued Token case, where - // we're extracting the cert from a SAML Assertion on the provider side - // - if (!isRequestor() && securityToken != null - && securityToken.getX509Certificate() != null) { - encr.setUseThisCert(securityToken.getX509Certificate()); - } else if (!isRequestor() && securityToken != null - && securityToken.getKey() instanceof PublicKey) { - encr.setUseThisPublicKey((PublicKey)securityToken.getKey()); - encr.setKeyIdentifierType(WSConstants.KEY_VALUE); - } else { - setEncryptionUser(encr, encrToken, false, crypto); - } - if (!encr.isCertSet() && encr.getUseThisPublicKey() == null && crypto == null) { - unassertPolicy(recToken, "Missing security configuration. " - + "Make sure jaxws:client element is configured " - + "with a " + SecurityConstants.ENCRYPT_PROPERTIES + " value."); - } - AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType(); - encr.setSymmetricEncAlgorithm(algType.getEncryption()); - encr.setKeyEncAlgo(algType.getAsymmetricKeyWrap()); - encr.setMGFAlgorithm(algType.getMGFAlgo()); - encr.setDigestAlgorithm(algType.getEncryptionDigest()); - encr.prepare(crypto); - - Element encryptedKeyElement = encr.getEncryptedKeyElement(); - List<Element> attachments = encr.getAttachmentEncryptedDataElements(); - //Encrypt, get hold of the ref list and add it - if (externalRef) { - Element refList = encr.encryptForRef(null, encrParts); - if (refList != null) { - insertBeforeBottomUp(refList); - } - if (attachments != null) { - for (Element attachment : attachments) { - this.insertBeforeBottomUp(attachment); - } - } - if (refList != null || (attachments != null && !attachments.isEmpty())) { - this.addEncryptedKeyElement(encryptedKeyElement); - } - } else { - Element refList = encr.encryptForRef(null, encrParts); - if (refList != null || (attachments != null && !attachments.isEmpty())) { - this.addEncryptedKeyElement(encryptedKeyElement); - } - - // Add internal refs - if (refList != null) { - encryptedKeyElement.appendChild(refList); - } - if (attachments != null) { - for (Element attachment : attachments) { - this.addEncryptedKeyElement(attachment); - } + } else { + setKeyIdentifierType(encr, encrToken); + } + // + // Using a stored cert is only suitable for the Issued Token case, where + // we're extracting the cert from a SAML Assertion on the provider side + // + if (!isRequestor() && securityToken != null + && securityToken.getX509Certificate() != null) { + encr.setUseThisCert(securityToken.getX509Certificate()); + } else if (!isRequestor() && securityToken != null + && securityToken.getKey() instanceof PublicKey) { + encr.setUseThisPublicKey((PublicKey)securityToken.getKey()); + encr.setKeyIdentifierType(WSConstants.KEY_VALUE); + } else { + setEncryptionUser(encr, encrToken, false, crypto); + } + if (!encr.isCertSet() && encr.getUseThisPublicKey() == null && crypto == null) { + unassertPolicy(recToken, "Missing security configuration. " + + "Make sure jaxws:client element is configured " + + "with a " + SecurityConstants.ENCRYPT_PROPERTIES + " value."); + } + AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite(); + AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType(); + encr.setSymmetricEncAlgorithm(algType.getEncryption()); + encr.setKeyEncAlgo(algType.getAsymmetricKeyWrap()); + encr.setMGFAlgorithm(algType.getMGFAlgo()); + encr.setDigestAlgorithm(algType.getEncryptionDigest()); + encr.prepare(crypto, symmetricKey); + + Element encryptedKeyElement = encr.getEncryptedKeyElement(); + List<Element> attachments = encr.getAttachmentEncryptedDataElements(); + //Encrypt, get hold of the ref list and add it + if (externalRef) { + Element refList = encr.encryptForRef(null, encrParts, symmetricKey); + if (refList != null) { + insertBeforeBottomUp(refList); + } + if (attachments != null) { + for (Element attachment : attachments) { + this.insertBeforeBottomUp(attachment); } } + if (refList != null || (attachments != null && !attachments.isEmpty())) { + this.addEncryptedKeyElement(encryptedKeyElement); + } + } else { + Element refList = encr.encryptForRef(null, encrParts, symmetricKey); + if (refList != null || (attachments != null && !attachments.isEmpty())) { + this.addEncryptedKeyElement(encryptedKeyElement); + } - // Put BST before EncryptedKey element - if (encr.getBSTTokenId() != null) { - encr.prependBSTElementToHeader(); + // Add internal refs + if (refList != null) { + encryptedKeyElement.appendChild(refList); + } + if (attachments != null) { + for (Element attachment : attachments) { + this.addEncryptedKeyElement(attachment); + } } + } - return encr; - } catch (WSSecurityException e) { - LOG.log(Level.FINE, e.getMessage(), e); - unassertPolicy(recToken, e); + // Put BST before EncryptedKey element + if (encr.getBSTTokenId() != null) { + encr.prependBSTElementToHeader(); } + + return encr; + } catch (WSSecurityException e) { + LOG.log(Level.FINE, e.getMessage(), e); + unassertPolicy(recToken, e); } return null; } private WSSecBase doEncryptionDerived(AbstractTokenWrapper recToken, - AbstractToken encrToken, - List<WSEncryptionPart> encrParts, - AlgorithmSuite algorithmSuite) { + List<WSEncryptionPart> encrParts) { + AbstractToken encrToken = recToken.getToken(); + assertPolicy(recToken); + assertPolicy(encrToken); try { WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(secHeader); dkEncr.setEncryptionSerializer(new StaxSerializer()); @@ -579,6 +601,8 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { dkEncr.getParts().addAll(encrParts); dkEncr.setCustomValueType(WSS4JConstants.SOAPMESSAGE_NS11 + "#" + WSS4JConstants.ENC_KEY_VALUE_TYPE); + + AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite(); AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType(); dkEncr.setSymmetricEncAlgorithm(algType.getEncryption()); dkEncr.setDerivedKeyLength(algType.getEncryptionDerivedKeyLength() / 8); @@ -797,7 +821,11 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { private void createEncryptedKey(AbstractToken token) throws WSSecurityException { //Set up the encrypted key to use - encrKey = this.getEncryptedKeyBuilder(token); + AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType(); + KeyGenerator keyGen = KeyUtils.getKeyGenerator(algType.getEncryption()); + SecretKey symmetricKey = keyGen.generateKey(); + + encrKey = this.getEncryptedKeyBuilder(token, symmetricKey); Element bstElem = encrKey.getBinarySecurityTokenElement(); if (bstElem != null) { // If a BST is available then use it @@ -806,7 +834,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { // Add the EncryptedKey this.addEncryptedKeyElement(encrKey.getEncryptedKeyElement()); - encryptedKeyValue = encrKey.getSymmetricKey().getEncoded(); + encryptedKeyValue = symmetricKey.getEncoded(); encryptedKeyId = encrKey.getId(); } diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java index e56fc39..e96cbfe 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java @@ -24,6 +24,8 @@ import java.util.ArrayList; import java.util.List; import java.util.logging.Level; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; import javax.xml.crypto.dsig.Reference; import javax.xml.namespace.QName; import javax.xml.soap.SOAPException; @@ -206,7 +208,24 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { sigParts.addAll(this.getSignedParts(null)); List<WSEncryptionPart> encrParts = getEncryptedParts(); - WSSecBase encr = doEncryption(encryptionWrapper, tok, attached, encrParts, true); + + WSSecBase encr = null; + SecretKey symmetricKey = null; + if (encryptionWrapper.getToken() != null && !encrParts.isEmpty()) { + if (encryptionWrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) { + encr = doEncryptionDerived(encryptionWrapper, tok, attached, encrParts, true); + } else { + byte[] ephemeralKey = tok.getSecret(); + String symEncAlgorithm = sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption(); + if (ephemeralKey != null) { + symmetricKey = KeyUtils.prepareSecretKey(symEncAlgorithm, ephemeralKey); + } else { + KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm); + symmetricKey = keyGen.generateKey(); + } + encr = doEncryption(encryptionWrapper, tok, attached, encrParts, true, symmetricKey); + } + } handleEncryptedSignedHeaders(encrParts, sigParts); if (!isRequestor()) { @@ -248,18 +267,18 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { secondEncrParts.addAll(encryptedTokensList); } - Element secondRefList = null; + if (!secondEncrParts.isEmpty()) { + Element secondRefList = null; - if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys - && !secondEncrParts.isEmpty()) { - secondRefList = ((WSSecDKEncrypt)encr).encryptForExternalRef(null, - secondEncrParts); - } else if (!secondEncrParts.isEmpty()) { - //Encrypt, get hold of the ref list and add it - secondRefList = ((WSSecEncrypt)encr).encryptForRef(null, secondEncrParts); - } - if (secondRefList != null) { - this.addDerivedKeyElement(secondRefList); + if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) { + secondRefList = ((WSSecDKEncrypt)encr).encryptForExternalRef(null, secondEncrParts); + } else { + //Encrypt, get hold of the ref list and add it + secondRefList = ((WSSecEncrypt)encr).encryptForRef(null, secondEncrParts, symmetricKey); + } + if (secondRefList != null) { + this.addDerivedKeyElement(secondRefList); + } } } } @@ -385,23 +404,38 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { if (isRequestor()) { enc.addAll(encryptedTokensList); } - doEncryption(encrAbstractTokenWrapper, - encrTok, - tokIncluded, - enc, - false); + + if (encrAbstractTokenWrapper.getToken() != null && !enc.isEmpty()) { + if (encrAbstractTokenWrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) { + doEncryptionDerived(encrAbstractTokenWrapper, encrTok, tokIncluded, enc, false); + } else { + byte[] ephemeralKey = encrTok.getSecret(); + SecretKey symmetricKey = null; + String symEncAlgorithm = sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption(); + if (ephemeralKey != null) { + symmetricKey = KeyUtils.prepareSecretKey(symEncAlgorithm, ephemeralKey); + } else { + KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm); + symmetricKey = keyGen.generateKey(); + } + doEncryption(encrAbstractTokenWrapper, encrTok, tokIncluded, enc, false, symmetricKey); + } + } } catch (Exception e) { LOG.log(Level.FINE, e.getMessage(), e); throw new Fault(e); } } - private WSSecBase doEncryptionDerived(AbstractTokenWrapper recToken, + private WSSecDKEncrypt doEncryptionDerived(AbstractTokenWrapper recToken, SecurityToken encrTok, - AbstractToken encrToken, boolean attached, List<WSEncryptionPart> encrParts, boolean atEnd) { + + AbstractToken encrToken = recToken.getToken(); + assertPolicy(recToken); + assertPolicy(encrToken); try { WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(secHeader); dkEncr.setEncryptionSerializer(new StaxSerializer()); @@ -506,114 +540,107 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { return null; } - private WSSecBase doEncryption(AbstractTokenWrapper recToken, + private WSSecEncrypt doEncryption(AbstractTokenWrapper recToken, SecurityToken encrTok, boolean attached, List<WSEncryptionPart> encrParts, - boolean atEnd) { - //Do encryption - if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) { - AbstractToken encrToken = recToken.getToken(); - assertPolicy(recToken); - assertPolicy(encrToken); - AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite(); - if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) { - return doEncryptionDerived(recToken, encrTok, encrToken, - attached, encrParts, atEnd); - } - try { - WSSecEncrypt encr = new WSSecEncrypt(secHeader); - encr.setEncryptionSerializer(new StaxSerializer()); - encr.setIdAllocator(wssConfig.getIdAllocator()); - encr.setCallbackLookup(callbackLookup); - encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message)); - encr.setStoreBytesInAttachment(storeBytesInAttachment); - encr.setExpandXopInclude(isExpandXopInclude()); - encr.setWsDocInfo(wsDocInfo); - String encrTokId = encrTok.getId(); - if (attached) { - encrTokId = encrTok.getWsuId(); - if (encrTokId == null - && (encrToken instanceof SecureConversationToken - || encrToken instanceof SecurityContextToken)) { - encr.setEncKeyIdDirectId(true); - encrTokId = encrTok.getId(); - } else if (encrTokId == null) { - encrTokId = encrTok.getId(); - } - if (encrTokId.startsWith("#")) { - encrTokId = encrTokId.substring(1); - } - } else { + boolean atEnd, + SecretKey symmetricKey) { + AbstractToken encrToken = recToken.getToken(); + assertPolicy(recToken); + assertPolicy(encrToken); + try { + WSSecEncrypt encr = new WSSecEncrypt(secHeader); + encr.setEncryptionSerializer(new StaxSerializer()); + encr.setIdAllocator(wssConfig.getIdAllocator()); + encr.setCallbackLookup(callbackLookup); + encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message)); + encr.setStoreBytesInAttachment(storeBytesInAttachment); + encr.setExpandXopInclude(isExpandXopInclude()); + encr.setWsDocInfo(wsDocInfo); + String encrTokId = encrTok.getId(); + if (attached) { + encrTokId = encrTok.getWsuId(); + if (encrTokId == null + && (encrToken instanceof SecureConversationToken + || encrToken instanceof SecurityContextToken)) { encr.setEncKeyIdDirectId(true); + encrTokId = encrTok.getId(); + } else if (encrTokId == null) { + encrTokId = encrTok.getId(); } - if (encrTok.getTokenType() != null) { - encr.setCustomReferenceValue(encrTok.getTokenType()); + if (encrTokId.startsWith("#")) { + encrTokId = encrTokId.substring(1); } - encr.setEncKeyId(encrTokId); - encr.setSymmetricEncAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption()); - encr.setEphemeralKey(encrTok.getSecret()); - Crypto crypto = getEncryptionCrypto(); - if (crypto != null) { - setEncryptionUser(encr, encrToken, false, crypto); - } - - encr.setEncryptSymmKey(false); - encr.setMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo()); - encr.setDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest()); + } else { + encr.setEncKeyIdDirectId(true); + } + if (encrTok.getTokenType() != null) { + encr.setCustomReferenceValue(encrTok.getTokenType()); + } + encr.setEncKeyId(encrTokId); + AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite(); + encr.setSymmetricEncAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption()); + Crypto crypto = getEncryptionCrypto(); + if (crypto != null) { + setEncryptionUser(encr, encrToken, false, crypto); + } - if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken - || encrToken instanceof SecureConversationToken) { - //Setting the AttachedReference or the UnattachedReference according to the flag - Element ref; - if (attached) { - ref = encrTok.getAttachedReference(); - } else { - ref = encrTok.getUnattachedReference(); - } + encr.setEncryptSymmKey(false); + encr.setMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo()); + encr.setDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest()); - String tokenType = encrTok.getTokenType(); - if (ref != null) { - SecurityTokenReference secRef = - new SecurityTokenReference(cloneElement(ref), new BSPEnforcer()); - encr.setSecurityTokenReference(secRef); - } else if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) - || WSS4JConstants.SAML_NS.equals(tokenType)) { - encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE); - encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); - } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) - || WSS4JConstants.SAML2_NS.equals(tokenType)) { - encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE); - encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); - } else { - encr.setCustomReferenceValue(tokenType); - encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); - } - } else if (encrToken instanceof UsernameToken) { - encr.setCustomReferenceValue(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE); - } else if (encrToken instanceof KerberosToken && !isRequestor()) { - encr.setCustomReferenceValue(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE); - encr.setEncKeyId(encrTok.getSHA1()); - } else if (!isRequestor() && encrTok.getSHA1() != null) { - encr.setCustomReferenceValue(encrTok.getSHA1()); - encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER); + if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken + || encrToken instanceof SecureConversationToken) { + //Setting the AttachedReference or the UnattachedReference according to the flag + Element ref; + if (attached) { + ref = encrTok.getAttachedReference(); + } else { + ref = encrTok.getUnattachedReference(); } - encr.prepare(crypto); - - if (encr.getBSTTokenId() != null) { - encr.prependBSTElementToHeader(); + String tokenType = encrTok.getTokenType(); + if (ref != null) { + SecurityTokenReference secRef = + new SecurityTokenReference(cloneElement(ref), new BSPEnforcer()); + encr.setSecurityTokenReference(secRef); + } else if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) + || WSS4JConstants.SAML_NS.equals(tokenType)) { + encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE); + encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); + } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) + || WSS4JConstants.SAML2_NS.equals(tokenType)) { + encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE); + encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); + } else { + encr.setCustomReferenceValue(tokenType); + encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); } + } else if (encrToken instanceof UsernameToken) { + encr.setCustomReferenceValue(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE); + } else if (encrToken instanceof KerberosToken && !isRequestor()) { + encr.setCustomReferenceValue(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE); + encr.setEncKeyId(encrTok.getSHA1()); + } else if (!isRequestor() && encrTok.getSHA1() != null) { + encr.setCustomReferenceValue(encrTok.getSHA1()); + encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER); + } - Element refList = encr.encryptForRef(null, encrParts); - List<Element> attachments = encr.getAttachmentEncryptedDataElements(); - addAttachmentsForEncryption(atEnd, refList, attachments); + encr.prepare(crypto, symmetricKey); - return encr; - } catch (WSSecurityException e) { - LOG.log(Level.FINE, e.getMessage(), e); - unassertPolicy(recToken, e); + if (encr.getBSTTokenId() != null) { + encr.prependBSTElementToHeader(); } + + Element refList = encr.encryptForRef(null, encrParts, symmetricKey); + List<Element> attachments = encr.getAttachmentEncryptedDataElements(); + addAttachmentsForEncryption(atEnd, refList, attachments); + + return encr; + } catch (WSSecurityException e) { + LOG.log(Level.FINE, e.getMessage(), e); + unassertPolicy(recToken, e); } return null; } @@ -914,10 +941,14 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { } private String setupEncryptedKey(AbstractTokenWrapper wrapper, AbstractToken sigToken) throws WSSecurityException { - WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(sigToken); + AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType(); + KeyGenerator keyGen = KeyUtils.getKeyGenerator(algType.getEncryption()); + SecretKey symmetricKey = keyGen.generateKey(); + + WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(sigToken, symmetricKey); assertTokenWrapper(wrapper); String id = encrKey.getId(); - byte[] secret = encrKey.getSymmetricKey().getEncoded(); + byte[] secret = symmetricKey.getEncoded(); Instant created = Instant.now(); Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L); diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java index 208d391..8af27ae 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java @@ -25,6 +25,8 @@ import java.util.Collection; import java.util.List; import java.util.logging.Level; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; import javax.xml.crypto.dsig.Reference; import javax.xml.soap.SOAPException; import javax.xml.soap.SOAPMessage; @@ -51,6 +53,7 @@ import org.apache.wss4j.common.ext.WSPasswordCallback; import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.saml.SamlAssertionWrapper; import org.apache.wss4j.common.token.SecurityTokenReference; +import org.apache.wss4j.common.util.KeyUtils; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.engine.WSSConfig; import org.apache.wss4j.dom.message.WSSecDKSign; @@ -357,7 +360,11 @@ public class TransportBindingHandler extends AbstractBindingBuilder { signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements()); if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) { - WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(token); + AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType(); + KeyGenerator keyGen = KeyUtils.getKeyGenerator(algType.getEncryption()); + SecretKey symmetricKey = keyGen.generateKey(); + + WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(token, symmetricKey); assertPolicy(wrapper); Element bstElem = encrKey.getBinarySecurityTokenElement(); @@ -380,10 +387,9 @@ public class TransportBindingHandler extends AbstractBindingBuilder { dkSig.setExpandXopInclude(isExpandXopInclude()); dkSig.setWsDocInfo(wsDocInfo); - AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType(); dkSig.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8); - dkSig.setExternalKey(encrKey.getSymmetricKey().getEncoded(), encrKey.getId()); + dkSig.setExternalKey(symmetricKey.getEncoded(), encrKey.getId()); dkSig.prepare(); diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java index 0e54cf2..158e5f8 100644 --- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java +++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java @@ -23,6 +23,8 @@ import java.security.cert.X509Certificate; import java.util.Arrays; import java.util.Collections; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; import javax.security.auth.callback.CallbackHandler; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; @@ -40,6 +42,7 @@ import org.apache.wss4j.common.saml.bean.AuthenticationStatementBean; import org.apache.wss4j.common.saml.bean.KeyInfoBean; import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER; import org.apache.wss4j.common.saml.bean.SubjectBean; +import org.apache.wss4j.common.util.KeyUtils; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.message.WSSecEncryptedKey; @@ -170,7 +173,10 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler { WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc); encrKey.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER); encrKey.setUseThisCert(certs[0]); - encrKey.prepare(null); + + KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_128); + SecretKey symmetricKey = keyGen.generateKey(); + encrKey.prepare(null, symmetricKey); Element encryptedKeyElement = encrKey.getEncryptedKeyElement(); // Append the EncryptedKey to a KeyInfo element diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java index ba5bb13..0b4b80c 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java @@ -29,6 +29,8 @@ import java.util.Set; import java.util.logging.Level; import java.util.logging.Logger; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; import javax.xml.bind.JAXBElement; import javax.xml.namespace.QName; @@ -77,6 +79,7 @@ import org.apache.cxf.ws.security.tokenstore.TokenStore; import org.apache.wss4j.common.WSS4JConstants; import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.util.DateUtil; +import org.apache.wss4j.common.util.KeyUtils; import org.apache.wss4j.common.util.XMLUtils; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.message.WSSecEncryptedKey; @@ -375,10 +378,17 @@ public abstract class AbstractOperation { WSSecEncryptedKey builder = new WSSecEncryptedKey(doc); builder.setUserInfo(name); builder.setKeyIdentifierType(encryptionProperties.getKeyIdentifierType()); - builder.setEphemeralKey(secret); builder.setKeyEncAlgo(keyWrapAlgorithm); - builder.prepare(stsProperties.getEncryptionCrypto()); + SecretKey symmetricKey = null; + if (secret != null) { + symmetricKey = KeyUtils.prepareSecretKey(encryptionProperties.getEncryptionAlgorithm(), secret); + } else { + KeyGenerator keyGen = KeyUtils.getKeyGenerator(encryptionProperties.getEncryptionAlgorithm()); + symmetricKey = keyGen.generateKey(); + } + + builder.prepare(stsProperties.getEncryptionCrypto(), symmetricKey); return builder.getEncryptedKeyElement(); } diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java index d5f2284..c080d4b 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java @@ -27,6 +27,8 @@ import java.util.logging.Level; import java.util.logging.Logger; import java.util.regex.Pattern; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; import javax.naming.ldap.LdapName; import javax.naming.ldap.Rdn; import javax.security.auth.kerberos.KerberosPrincipal; @@ -55,6 +57,7 @@ import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER; import org.apache.wss4j.common.saml.bean.SubjectBean; import org.apache.wss4j.common.saml.builder.SAML1Constants; import org.apache.wss4j.common.saml.builder.SAML2Constants; +import org.apache.wss4j.common.util.KeyUtils; import org.apache.wss4j.dom.message.WSSecEncryptedKey; /** @@ -331,11 +334,18 @@ public class DefaultSubjectProvider implements SubjectProvider { // Create an EncryptedKey WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc); encrKey.setKeyIdentifierType(encryptionProperties.getKeyIdentifierType()); - encrKey.setEphemeralKey(secret); - encrKey.setSymmetricEncAlgorithm(encryptionProperties.getEncryptionAlgorithm()); encrKey.setUseThisCert(certificate); encrKey.setKeyEncAlgo(encryptionProperties.getKeyWrapAlgorithm()); - encrKey.prepare(encryptionCrypto); + + SecretKey symmetricKey = null; + if (secret != null) { + symmetricKey = KeyUtils.prepareSecretKey(encryptionProperties.getEncryptionAlgorithm(), secret); + } else { + KeyGenerator keyGen = KeyUtils.getKeyGenerator(encryptionProperties.getEncryptionAlgorithm()); + symmetricKey = keyGen.generateKey(); + } + + encrKey.prepare(encryptionCrypto, symmetricKey); Element encryptedKeyElement = encrKey.getEncryptedKeyElement(); // Append the EncryptedKey to a KeyInfo element diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java index b4cb1a7..e907da1 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java @@ -25,6 +25,8 @@ import java.util.Map; import java.util.logging.Level; import java.util.logging.Logger; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; import javax.xml.bind.JAXBElement; import javax.xml.namespace.QName; @@ -43,6 +45,7 @@ import org.apache.cxf.ws.security.wss4j.WSS4JUtils; import org.apache.wss4j.common.ConfigurationConstants; import org.apache.wss4j.common.WSEncryptionPart; import org.apache.wss4j.common.ext.WSSecurityException; +import org.apache.wss4j.common.util.KeyUtils; import org.apache.wss4j.dom.handler.WSHandlerConstants; import org.apache.wss4j.dom.handler.WSHandlerResult; import org.apache.wss4j.dom.message.WSSecEncrypt; @@ -171,8 +174,11 @@ public final class TokenProviderUtils { WSEncryptionPart encryptionPart = new WSEncryptionPart(id, "Element"); encryptionPart.setElement(element); - builder.prepare(stsProperties.getEncryptionCrypto()); - builder.encryptForRef(null, Collections.singletonList(encryptionPart)); + KeyGenerator keyGen = KeyUtils.getKeyGenerator(encryptionAlgorithm); + SecretKey symmetricKey = keyGen.generateKey(); + + builder.prepare(stsProperties.getEncryptionCrypto(), symmetricKey); + builder.encryptForRef(null, Collections.singletonList(encryptionPart), symmetricKey); return (Element)frag.getFirstChild(); } diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java index 4dc76c8..ca8f151 100644 --- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java +++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java @@ -26,6 +26,8 @@ import java.util.Collections; import java.util.List; import java.util.Properties; +import javax.crypto.KeyGenerator; +import javax.crypto.SecretKey; import javax.xml.bind.JAXBElement; import javax.xml.namespace.QName; @@ -70,6 +72,7 @@ import org.apache.wss4j.common.saml.SamlAssertionWrapper; import org.apache.wss4j.common.saml.builder.SAML1Constants; import org.apache.wss4j.common.saml.builder.SAML2Constants; import org.apache.wss4j.common.util.DOM2Writer; +import org.apache.wss4j.common.util.KeyUtils; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.WSDocInfo; import org.apache.wss4j.dom.engine.WSSConfig; @@ -839,9 +842,12 @@ public class IssueSamlUnitTest { builder.setKeyIdentifierType(WSConstants.ISSUER_SERIAL); builder.setKeyEncAlgo(WSS4JConstants.KEYTRANSPORT_RSAOAEP); - builder.prepare(stsProperties.getSignatureCrypto()); + KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_128); + SecretKey symmetricKey = keyGen.generateKey(); + + builder.prepare(stsProperties.getSignatureCrypto(), symmetricKey); Element encryptedKeyElement = builder.getEncryptedKeyElement(); - byte[] secret = builder.getSymmetricKey().getEncoded(); + byte[] secret = symmetricKey.getEncoded(); EntropyType entropyType = new EntropyType(); entropyType.getAny().add(encryptedKeyElement);