This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch 2_2_x-fixes in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git
The following commit(s) were added to refs/heads/2_2_x-fixes by this push: new 8aaa0f3 WSS-666 - Support processing SignatureValue bytes stored in attachments 8aaa0f3 is described below commit 8aaa0f37698001518b5b9bc771bb73d1d1cfbd47 Author: Colm O hEigeartaigh <cohei...@apache.org> AuthorDate: Tue Mar 3 15:33:36 2020 +0000 WSS-666 - Support processing SignatureValue bytes stored in attachments --- .../wss4j/dom/processor/SignatureProcessor.java | 8 ++++ .../wss4j/dom/message/XOPAttachmentTest.java | 53 ++++++++++++++++++++++ 2 files changed, 61 insertions(+) diff --git a/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java b/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java index a6d3d2d..86f01e7 100644 --- a/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java +++ b/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java @@ -344,6 +344,13 @@ public class SignatureProcessor implements Processor { key = KeyUtils.prepareSecretKey(signatureMethod, secretKey); } + if (data.isExpandXopInclude()) { + // Look for xop:Include Nodes and expand them + List<Element> includeElements = + XMLUtils.findElements(elem.getFirstChild(), "Include", WSConstants.XOP_NS); + WSSecurityUtil.inlineAttachments(includeElements, data.getAttachmentCallbackHandler(), true); + } + XMLValidateContext context = new DOMValidateContext(key, elem); context.setProperty("javax.xml.crypto.dsig.cacheReference", Boolean.TRUE); context.setProperty("org.apache.jcp.xml.dsig.secureValidation", Boolean.TRUE); @@ -372,6 +379,7 @@ public class SignatureProcessor implements Processor { testMessageReplay(elem, xmlSignature.getSignatureValue().getValue(), key, data, wsDocInfo); setElementsOnContext(xmlSignature, (DOMValidateContext)context, data, wsDocInfo); + boolean signatureOk = xmlSignature.validate(context); if (signatureOk) { return xmlSignature; diff --git a/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java b/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java index b1ba666..11f30b5 100644 --- a/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java +++ b/ws-security-dom/src/test/java/org/apache/wss4j/dom/message/XOPAttachmentTest.java @@ -25,6 +25,7 @@ import java.io.InputStream; import java.net.URLEncoder; import java.nio.charset.StandardCharsets; import java.util.ArrayList; +import java.util.Base64; import java.util.Collections; import java.util.List; import java.util.UUID; @@ -660,6 +661,57 @@ public class XOPAttachmentTest extends org.junit.Assert { assertTrue(processedDoc.contains(SOAP_BODY)); } + // We can't put the SignatureValue bytes into an attachment as we are using the JSR-105 API, but for now + // let's test that we can process such messages + @Test + public void testSignatureValueInAttachment() throws Exception { + Document doc = SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG); + WSSecHeader secHeader = new WSSecHeader(doc); + secHeader.insertSecurityHeader(); + + WSSecSignature builder = new WSSecSignature(secHeader); + builder.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security"); + builder.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE); + + AttachmentCallbackHandler outboundAttachmentCallback = new AttachmentCallbackHandler(); + builder.setAttachmentCallbackHandler(outboundAttachmentCallback); + builder.setStoreBytesInAttachment(true); + + Document signedDoc = builder.build(crypto); + + List<Attachment> signedAttachments = outboundAttachmentCallback.getResponseAttachments(); + assertNotNull(signedAttachments); + assertTrue(signedAttachments.size() == 1); + + // Find the SignatureValue + replace with a xop:Include to the attachment! + Element signatureValue = XMLUtils.findElement(signedDoc.getDocumentElement(), "SignatureValue", WSConstants.SIG_NS); + assertNotNull(signatureValue); + + String attachmentId = UUID.randomUUID().toString(); + final Attachment attachment = new Attachment(); + attachment.setId(attachmentId); + byte[] decodedBytes = Base64.getMimeDecoder().decode(signatureValue.getTextContent()); + attachment.setSourceStream(new ByteArrayInputStream(decodedBytes)); + signedAttachments.add(attachment); + + XMLUtils.setNamespace(signatureValue, WSS4JConstants.XOP_NS, "xop"); + + Element signatureValueChild = signedDoc.createElementNS(WSConstants.XOP_NS, "xop:Include"); + signatureValueChild.setAttributeNS(null, "href", "cid:" + attachmentId); + signatureValue.replaceChild(signatureValueChild, signatureValue.getFirstChild()); + + if (LOG.isDebugEnabled()) { + LOG.debug("After Signing...."); + String outputString = + XMLUtils.prettyDocumentToString(signedDoc); + LOG.debug(outputString); + } + + AttachmentCallbackHandler inboundAttachmentCallback = + new AttachmentCallbackHandler(signedAttachments); + verify(signedDoc, inboundAttachmentCallback); + } + /** * Verifies the soap envelope. * This method verifies all the signature generated. @@ -672,6 +724,7 @@ public class XOPAttachmentTest extends org.junit.Assert { requestData.setSigVerCrypto(crypto); requestData.setDecCrypto(crypto); requestData.setCallbackHandler(new KeystoreCallbackHandler()); + requestData.setExpandXopInclude(true); return secEngine.processSecurityHeader(doc, requestData); } }