Support DigestMethod for EncryptionMethod
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/7f17ddd2 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/7f17ddd2 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/7f17ddd2 Branch: refs/heads/3.1.x-fixes Commit: 7f17ddd264a0085cde00e06a22400aad43c304cd Parents: 75edfe9 Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Tue Apr 5 11:36:33 2016 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Tue Apr 5 14:03:45 2016 +0100 ---------------------------------------------------------------------- .../AsymmetricBindingHandler.java | 1 + .../StaxAsymmetricBindingHandler.java | 4 ++ .../StaxSymmetricBindingHandler.java | 4 ++ .../policyhandlers/SymmetricBindingHandler.java | 1 + .../org/apache/cxf/systest/ws/gcm/GCMTest.java | 48 +++++++++++++++ .../ws/gcm/MGF256AlgorithmSuiteLoader.java | 18 ++++++ .../apache/cxf/systest/ws/gcm/DoubleItGCM.wsdl | 61 ++++++++++++++++++++ .../apache/cxf/systest/ws/gcm/mgf-client.xml | 10 ++++ .../apache/cxf/systest/ws/gcm/mgf-server.xml | 9 +++ .../cxf/systest/ws/gcm/mgf-stax-server.xml | 10 ++++ 10 files changed, 166 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/7f17ddd2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java index d16b521..078a10d 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java @@ -494,6 +494,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder { encr.setSymmetricEncAlgorithm(algType.getEncryption()); encr.setKeyEncAlgo(algType.getAsymmetricKeyWrap()); encr.setMGFAlgorithm(algType.getMGFAlgo()); + encr.setDigestAlgorithm(algType.getEncryptionDigest()); encr.prepare(saaj.getSOAPPart(), crypto); Element encryptedKeyElement = encr.getEncryptedKeyElement(); http://git-wip-us.apache.org/repos/asf/cxf/blob/7f17ddd2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java index a826606..e6d4a09 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxAsymmetricBindingHandler.java @@ -382,6 +382,10 @@ public class StaxAsymmetricBindingHandler extends AbstractStaxBindingHandler { algorithmSuite.getAlgorithmSuiteType().getAsymmetricKeyWrap()); properties.setEncryptionSymAlgorithm( algorithmSuite.getAlgorithmSuiteType().getEncryption()); + properties.setEncryptionKeyTransportDigestAlgorithm( + algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest()); + properties.setEncryptionKeyTransportMGFAlgorithm( + algorithmSuite.getAlgorithmSuiteType().getMGFAlgo()); String encUser = (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_USERNAME, message); http://git-wip-us.apache.org/repos/asf/cxf/blob/7f17ddd2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java index 97e4c65..a23ad09 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/StaxSymmetricBindingHandler.java @@ -475,6 +475,10 @@ public class StaxSymmetricBindingHandler extends AbstractStaxBindingHandler { algorithmSuite.getAlgorithmSuiteType().getAsymmetricKeyWrap()); properties.setEncryptionSymAlgorithm( algorithmSuite.getAlgorithmSuiteType().getEncryption()); + properties.setEncryptionKeyTransportDigestAlgorithm( + algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest()); + properties.setEncryptionKeyTransportMGFAlgorithm( + algorithmSuite.getAlgorithmSuiteType().getMGFAlgo()); String encUser = (String)SecurityUtils.getSecurityPropertyValue(SecurityConstants.ENCRYPT_USERNAME, message); http://git-wip-us.apache.org/repos/asf/cxf/blob/7f17ddd2/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java index 93c047b..bbdbd69 100644 --- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java +++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java @@ -552,6 +552,7 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder { encr.setEncryptSymmKey(false); encr.setSymmetricEncAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption()); encr.setMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo()); + encr.setDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest()); if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken || encrToken instanceof SecureConversationToken) { http://git-wip-us.apache.org/repos/asf/cxf/blob/7f17ddd2/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/gcm/GCMTest.java ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/gcm/GCMTest.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/gcm/GCMTest.java index 70672a8..d20179f 100644 --- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/gcm/GCMTest.java +++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/gcm/GCMTest.java @@ -272,4 +272,52 @@ public class GCMTest extends AbstractBusClientServerTestBase { bus.shutdown(true); } + // Same as above but with explicitly adding a ds:DigestMethod of SHA-256 as well + @org.junit.Test + public void testAESGCM256MGFSHA256Digest() throws Exception { + if (!unrestrictedPoliciesInstalled) { + return; + } + + // + // This test fails with the IBM JDK 7 + // IBM JDK 7 appears to require a GCMParameter class to be used, which + // only exists in JDK 7. The Sun JDK appears to be more lenient and + // allows us to use the existing IVParameterSpec class. + // + if ("IBM Corporation".equals(System.getProperty("java.vendor")) + && System.getProperty("java.version") != null + && System.getProperty("java.version").startsWith("1.7")) { + return; + } + + SpringBusFactory bf = new SpringBusFactory(); + URL busFile = GCMTest.class.getResource("mgf-client.xml"); + + Bus bus = bf.createBus(busFile.toString()); + SpringBusFactory.setDefaultBus(bus); + SpringBusFactory.setThreadDefaultBus(bus); + + URL wsdl = GCMTest.class.getResource("DoubleItGCM.wsdl"); + Service service = Service.create(wsdl, SERVICE_QNAME); + QName portQName = new QName(NAMESPACE, "DoubleItGCM256MGFSHA256DigestPort"); + DoubleItPortType gcmPort = + service.getPort(portQName, DoubleItPortType.class); + + String port = MGF_PORT; + if (STAX_PORT.equals(test.getPort())) { + port = MGF_STAX_PORT; + } + updateAddressPort(gcmPort, port); + + if (test.isStreaming()) { + SecurityTestUtil.enableStreaming(gcmPort); + } + + gcmPort.doubleIt(25); + + ((java.io.Closeable)gcmPort).close(); + bus.shutdown(true); + } + } http://git-wip-us.apache.org/repos/asf/cxf/blob/7f17ddd2/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/gcm/MGF256AlgorithmSuiteLoader.java ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/gcm/MGF256AlgorithmSuiteLoader.java b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/gcm/MGF256AlgorithmSuiteLoader.java index 434b760..a21de25 100644 --- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/gcm/MGF256AlgorithmSuiteLoader.java +++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/gcm/MGF256AlgorithmSuiteLoader.java @@ -86,7 +86,22 @@ public class MGF256AlgorithmSuiteLoader implements AlgorithmSuiteLoader { 256, 192, 256, 256, 1024, 4096 ) ); + ALGORITHM_SUITE_TYPES.put( + "Basic256GCMMGFSHA256Digest", + new AlgorithmSuiteType( + "Basic256GCMMGFSHA256Digest", + SPConstants.SHA256, + "http://www.w3.org/2009/xmlenc11#aes256-gcm";, + SPConstants.KW_AES256, + WSConstants.KEYTRANSPORT_RSAOAEP_XENC11, + SPConstants.P_SHA1_L256, + SPConstants.P_SHA1_L192, + 256, 192, 256, 256, 1024, 4096 + ) + ); ALGORITHM_SUITE_TYPES.get("Basic256GCMMGFSHA256").setMGFAlgo(WSConstants.MGF_SHA256); + ALGORITHM_SUITE_TYPES.get("Basic256GCMMGFSHA256Digest").setMGFAlgo(WSConstants.MGF_SHA256); + ALGORITHM_SUITE_TYPES.get("Basic256GCMMGFSHA256Digest").setEncryptionDigest(SPConstants.SHA256); } GCMAlgorithmSuite(SPConstants.SPVersion version, Policy nestedPolicy) { @@ -109,6 +124,9 @@ public class MGF256AlgorithmSuiteLoader implements AlgorithmSuiteLoader { if ("Basic256GCMMGFSHA256".equals(assertionName)) { setAlgorithmSuiteType(ALGORITHM_SUITE_TYPES.get("Basic256GCMMGFSHA256")); getAlgorithmSuiteType().setNamespace(assertionNamespace); + } else if ("Basic256GCMMGFSHA256Digest".equals(assertionName)) { + setAlgorithmSuiteType(ALGORITHM_SUITE_TYPES.get("Basic256GCMMGFSHA256Digest")); + getAlgorithmSuiteType().setNamespace(assertionNamespace); } } } http://git-wip-us.apache.org/repos/asf/cxf/blob/7f17ddd2/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/DoubleItGCM.wsdl ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/DoubleItGCM.wsdl b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/DoubleItGCM.wsdl index 9250521..275bc1f 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/DoubleItGCM.wsdl +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/DoubleItGCM.wsdl @@ -91,6 +91,24 @@ </wsdl:fault> </wsdl:operation> </wsdl:binding> + <wsdl:binding name="DoubleItGCM256MGFSHA256DigestBinding" type="tns:DoubleItPortType"> + <wsp:PolicyReference URI="#DoubleItGCM256MGFSHA256DigestPolicy"/> + <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/> + <wsdl:operation name="DoubleIt"> + <soap:operation soapAction=""/> + <wsdl:input> + <soap:body use="literal"/> + <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/> + </wsdl:input> + <wsdl:output> + <soap:body use="literal"/> + <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/> + </wsdl:output> + <wsdl:fault name="DoubleItFault"> + <soap:body use="literal" name="DoubleItFault"/> + </wsdl:fault> + </wsdl:operation> + </wsdl:binding> <wsdl:service name="DoubleItService"> <wsdl:port name="DoubleItGCM128Port" binding="tns:DoubleItGCM128Binding"> <soap:address location="http://localhost:9001/DoubleItGCM128"/> @@ -104,6 +122,9 @@ <wsdl:port name="DoubleItGCM256MGFSHA256Port" binding="tns:DoubleItGCM256MGFSHA256Binding"> <soap:address location="http://localhost:9001/DoubleItGCM256MGFSHA256"/> </wsdl:port> + <wsdl:port name="DoubleItGCM256MGFSHA256DigestPort" binding="tns:DoubleItGCM256MGFSHA256DigestBinding"> + <soap:address location="http://localhost:9001/DoubleItGCM256MGFSHA256digest"/> + </wsdl:port> </wsdl:service> <wsp:Policy wsu:Id="DoubleItGCM128Policy"> <wsp:ExactlyOne> @@ -265,6 +286,46 @@ </wsp:All> </wsp:ExactlyOne> </wsp:Policy> + <wsp:Policy wsu:Id="DoubleItGCM256MGFSHA256DigestPolicy"> + <wsp:ExactlyOne> + <wsp:All> + <sp:AsymmetricBinding> + <wsp:Policy> + <sp:InitiatorToken> + <wsp:Policy> + <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";> + <wsp:Policy> + <sp:WssX509V3Token10/> + </wsp:Policy> + </sp:X509Token> + </wsp:Policy> + </sp:InitiatorToken> + <sp:RecipientToken> + <wsp:Policy> + <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never";> + <wsp:Policy> + <sp:WssX509V3Token10/> + </wsp:Policy> + </sp:X509Token> + </wsp:Policy> + </sp:RecipientToken> + <sp:Layout> + <wsp:Policy> + <sp:Lax/> + </wsp:Policy> + </sp:Layout> + <sp:IncludeTimestamp/> + <sp:OnlySignEntireHeadersAndBody/> + <sp:AlgorithmSuite> + <wsp:Policy> + <sp-cxf:Basic256GCMMGFSHA256Digest xmlns:sp-cxf="http://cxf.apache.org/custom/security-policy"/> + </wsp:Policy> + </sp:AlgorithmSuite> + </wsp:Policy> + </sp:AsymmetricBinding> + </wsp:All> + </wsp:ExactlyOne> + </wsp:Policy> <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy"> <wsp:ExactlyOne> <wsp:All> http://git-wip-us.apache.org/repos/asf/cxf/blob/7f17ddd2/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/mgf-client.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/mgf-client.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/mgf-client.xml index e1cad12..029cdb0 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/mgf-client.xml +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/mgf-client.xml @@ -38,4 +38,14 @@ <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> </jaxws:properties> </jaxws:client> + + <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItGCM256MGFSHA256DigestPort"; createdFromAPI="true"> + <jaxws:properties> + <entry key="security.encryption.properties" value="bob.properties"/> + <entry key="security.encryption.username" value="bob"/> + <entry key="security.signature.properties" value="alice.properties"/> + <entry key="security.signature.username" value="alice"/> + <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + </jaxws:properties> + </jaxws:client> </beans> http://git-wip-us.apache.org/repos/asf/cxf/blob/7f17ddd2/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/mgf-server.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/mgf-server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/mgf-server.xml index bf4ed38..82127e9 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/mgf-server.xml +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/mgf-server.xml @@ -38,4 +38,13 @@ <entry key="security.subject.cert.constraints" value=".*O=apache.org.*"/> </jaxws:properties> </jaxws:endpoint> + + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt"; id="GCM256MGFSHA256Digest" address="http://localhost:${testutil.ports.gcm.MGFServer}/DoubleItGCM256MGFSHA256digest"; serviceName="s:DoubleItService" endpointName="s:DoubleItGCM256MGFSHA256DigestPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/gcm/DoubleItGCM.wsdl"> + <jaxws:properties> + <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="security.signature.properties" value="bob.properties"/> + <entry key="security.encryption.username" value="useReqSigCert"/> + <entry key="security.subject.cert.constraints" value=".*O=apache.org.*"/> + </jaxws:properties> + </jaxws:endpoint> </beans> http://git-wip-us.apache.org/repos/asf/cxf/blob/7f17ddd2/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/mgf-stax-server.xml ---------------------------------------------------------------------- diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/mgf-stax-server.xml b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/mgf-stax-server.xml index 1685754..a909bb4 100644 --- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/mgf-stax-server.xml +++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/mgf-stax-server.xml @@ -40,4 +40,14 @@ </jaxws:properties> </jaxws:endpoint> + <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt"; id="GCM256MGFSHA256Digest" address="http://localhost:${testutil.ports.gcm.MGFStaxServer}/DoubleItGCM256MGFSHA256digest"; serviceName="s:DoubleItService" endpointName="s:DoubleItGCM256MGFSHA256DigestPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl" wsdlLocation="org/apache/cxf/systest/ws/gcm/DoubleItGCM.wsdl"> + <jaxws:properties> + <entry key="security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/> + <entry key="security.signature.properties" value="bob.properties"/> + <entry key="security.encryption.username" value="useReqSigCert"/> + <entry key="security.subject.cert.constraints" value=".*O=apache.org.*"/> + <entry key="ws-security.enable.streaming" value="true"/> + </jaxws:properties> + </jaxws:endpoint> + </beans>
