This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 3_0_x-fixes
in repository https://gitbox.apache.org/repos/asf/ws-wss4j.git
The following commit(s) were added to refs/heads/3_0_x-fixes by this push:
new 838ea275c WSS-714 RecipientKeyInfo improved (#418)
838ea275c is described below
commit 838ea275c4689d4f57330fc4121d1b308619ab1a
Author: Michael Häusler <[email protected]>
AuthorDate: Thu Jan 30 11:39:48 2025 +0100
WSS-714 RecipientKeyInfo improved (#418)
* WSS-714 RecipientKeyInfo improved
* Change findElement to getDirectChildElement
---------
Co-authored-by: Colm O hEigeartaigh <[email protected]>
---
.../org/apache/wss4j/common/WSS4JConstants.java | 1 +
.../org/apache/wss4j/common/token/DOMX509SKI.java | 73 +++++
.../wss4j/dom/processor/EncryptedKeyProcessor.java | 118 +++++---
.../wss4j/dom/processor/RecipientKeyInfoTest.java | 327 +++++++++++++++++++++
4 files changed, 472 insertions(+), 47 deletions(-)
diff --git
a/ws-security-common/src/main/java/org/apache/wss4j/common/WSS4JConstants.java
b/ws-security-common/src/main/java/org/apache/wss4j/common/WSS4JConstants.java
index 33fc0dd2a..8bfafd40f 100644
---
a/ws-security-common/src/main/java/org/apache/wss4j/common/WSS4JConstants.java
+++
b/ws-security-common/src/main/java/org/apache/wss4j/common/WSS4JConstants.java
@@ -239,6 +239,7 @@ public class WSS4JConstants {
public static final String X509_ISSUER_SERIAL_LN = "X509IssuerSerial";
public static final String X509_ISSUER_NAME_LN = "X509IssuerName";
public static final String X509_SERIAL_NUMBER_LN = "X509SerialNumber";
+ public static final String X509_SKI_LN = "X509SKI";
public static final String X509_DATA_LN = "X509Data";
public static final String X509_CERT_LN = "X509Certificate";
public static final String KEYINFO_LN = "KeyInfo";
diff --git
a/ws-security-common/src/main/java/org/apache/wss4j/common/token/DOMX509SKI.java
b/ws-security-common/src/main/java/org/apache/wss4j/common/token/DOMX509SKI.java
new file mode 100644
index 000000000..cf05cf486
--- /dev/null
+++
b/ws-security-common/src/main/java/org/apache/wss4j/common/token/DOMX509SKI.java
@@ -0,0 +1,73 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.common.token;
+
+import org.apache.wss4j.common.util.DOM2Writer;
+import org.apache.wss4j.common.util.XMLUtils;
+import org.w3c.dom.Element;
+
+
+/**
+ * An X.509 SKI token.
+ */
+public final class DOMX509SKI {
+ private final Element element;
+ private final byte[] skiBytes;
+
+ /**
+ * Constructor.
+ */
+ public DOMX509SKI(Element skiElement) {
+ element = skiElement;
+
+ String text = XMLUtils.getElementText(element);
+ if (text == null) {
+ skiBytes = new byte[0];
+ } else {
+ skiBytes = org.apache.xml.security.utils.XMLUtils.decode(text);
+ }
+ }
+
+ /**
+ * return the dom element.
+ *
+ * @return the dom element.
+ */
+ public Element getElement() {
+ return element;
+ }
+
+ /**
+ * Return the SKI bytes.
+ */
+ public byte[] getSKIBytes() {
+ return skiBytes;
+ }
+
+ /**
+ * return the string representation of the token.
+ *
+ * @return the string representation of the token.
+ */
+ public String toString() {
+ return DOM2Writer.nodeToString(element);
+ }
+
+}
diff --git
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
index e7a12412b..06b1c64cf 100644
---
a/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
+++
b/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/EncryptedKeyProcessor.java
@@ -32,8 +32,9 @@ import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.OAEPParameterSpec;
-import javax.xml.crypto.dsig.XMLSignatureFactory;
+import org.apache.wss4j.common.WSS4JConstants;
+import org.apache.wss4j.common.token.DOMX509SKI;
import org.apache.xml.security.encryption.AgreementMethod;
import org.apache.xml.security.encryption.KeyDerivationMethod;
import org.apache.xml.security.encryption.XMLCipherUtil;
@@ -41,6 +42,11 @@ import
org.apache.xml.security.encryption.keys.RecipientKeyInfo;
import org.apache.xml.security.encryption.keys.content.AgreementMethodImpl;
import org.apache.xml.security.encryption.params.KeyAgreementParameters;
import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.keys.content.keyvalues.DSAKeyValue;
+import org.apache.xml.security.keys.content.keyvalues.ECKeyValue;
+import org.apache.xml.security.keys.content.keyvalues.KeyValueContent;
+import org.apache.xml.security.keys.content.keyvalues.RSAKeyValue;
+import org.apache.xml.security.utils.Constants;
import org.apache.xml.security.utils.EncryptionConstants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -75,14 +81,7 @@ public class EncryptedKeyProcessor implements Processor {
private static final org.slf4j.Logger LOG =
org.slf4j.LoggerFactory.getLogger(EncryptedKeyProcessor.class);
- private final Provider provider;
-
public EncryptedKeyProcessor() {
- this(null);
- }
-
- public EncryptedKeyProcessor(Provider provider) {
- this.provider = provider;
}
public List<WSSecurityEngineResult> handleToken(
@@ -276,27 +275,42 @@ public class EncryptedKeyProcessor implements Processor {
X509Certificate[] certs =
getCertificatesFromX509Data(keyValueElement, data);
builder.certificates(certs);
if (certs == null || certs.length == 0) {
- XMLSignatureFactory signatureFactory;
- if (provider == null) {
- // Try to install the Santuario Provider - fall back to
the JDK provider if this does
- // not work
- try {
- signatureFactory =
XMLSignatureFactory.getInstance("DOM", "ApacheXMLDSig");
- } catch (NoSuchProviderException ex) {
- signatureFactory =
XMLSignatureFactory.getInstance("DOM");
- }
- } else {
- signatureFactory = XMLSignatureFactory.getInstance("DOM",
provider);
- }
-
- PublicKey publicKey = X509Util.parseKeyValue((Element)
keyValueElement.getParentNode(),
- signatureFactory);
+ PublicKey publicKey =
getPublicKeyFromKeyValue(keyValueElement);
builder.publicKey(publicKey);
}
}
return builder.build();
}
+ private PublicKey getPublicKeyFromKeyValue(Element keyValueElement) throws
WSSecurityException {
+ PublicKey publicKey = null;
+ KeyValueContent keyValue;
+ try {
+ Element keyValueChild = getFirstElement(keyValueElement);
+ if (keyValueChild == null) {
+ throw new
WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY,
"unsupportedKeyInfo");
+ }
+ switch (keyValueChild.getLocalName()) {
+ case "ECKeyValue":
+ keyValue = new ECKeyValue(keyValueChild,
Constants.SignatureSpec11NS);
+ break;
+ case "RSAKeyValue":
+ keyValue = new RSAKeyValue(keyValueChild,
Constants.SignatureSpecNS);
+ break;
+ case "DSAKeyValue":
+ keyValue = new DSAKeyValue(keyValueChild,
Constants.SignatureSpecNS);
+ break;
+ default:
+ throw new
WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY,
"unsupportedKeyInfo");
+ }
+
+ publicKey = keyValue.getPublicKey();
+ } catch (XMLSecurityException e) {
+ throw new
WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY,
"unsupportedKeyInfo");
+ }
+ return publicKey;
+ }
+
private PrivateKey getPrivateKey(
RequestData data, X509Certificate[] certs, PublicKey publicKey
) throws WSSecurityException {
@@ -594,40 +608,50 @@ public class EncryptedKeyProcessor implements Processor {
Element keyInfoChildElement,
RequestData data
) throws WSSecurityException {
+ X509Certificate[] certs = new X509Certificate[0];
if (WSConstants.SIG_NS.equals(keyInfoChildElement.getNamespaceURI())
&&
WSConstants.X509_DATA_LN.equals(keyInfoChildElement.getLocalName())) {
data.getBSPEnforcer().handleBSPRule(BSPRule.R5426);
- Element x509Child = getFirstElement(keyInfoChildElement);
-
- if (x509Child != null &&
WSConstants.SIG_NS.equals(x509Child.getNamespaceURI())) {
- if
(WSConstants.X509_ISSUER_SERIAL_LN.equals(x509Child.getLocalName())) {
- DOMX509IssuerSerial issuerSerial = new
DOMX509IssuerSerial(x509Child);
- CryptoType cryptoType = new
CryptoType(CryptoType.TYPE.ISSUER_SERIAL);
- cryptoType.setIssuerSerial(issuerSerial.getIssuer(),
issuerSerial.getSerialNumber());
- return data.getDecCrypto().getX509Certificates(cryptoType);
- } else if
(WSConstants.X509_CERT_LN.equals(x509Child.getLocalName())) {
- byte[] token =
EncryptionUtils.getDecodedBase64EncodedData(x509Child);
- if (token == null || token.length == 0) {
- throw new
WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidCertData",
- new Object[] {"0"});
- }
- try (InputStream in = new ByteArrayInputStream(token)) {
- X509Certificate cert =
data.getDecCrypto().loadCertificate(in);
- if (cert != null) {
- return new X509Certificate[]{cert};
- }
- } catch (IOException e) {
- throw new WSSecurityException(
-
WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE, e, "parseError"
- );
+ Element issuerSerialElement =
XMLUtils.getDirectChildElement(keyInfoChildElement,
WSS4JConstants.X509_ISSUER_SERIAL_LN,
+ WSS4JConstants.SIG_NS);
+ if (issuerSerialElement != null) {
+ DOMX509IssuerSerial issuerSerial = new
DOMX509IssuerSerial(issuerSerialElement);
+ CryptoType cryptoType = new
CryptoType(CryptoType.TYPE.ISSUER_SERIAL);
+ cryptoType.setIssuerSerial(issuerSerial.getIssuer(),
issuerSerial.getSerialNumber());
+ certs = data.getDecCrypto().getX509Certificates(cryptoType);
+ }
+
+ Element skiElement =
XMLUtils.getDirectChildElement(keyInfoChildElement, WSS4JConstants.X509_SKI_LN,
WSS4JConstants.SIG_NS);
+ if (skiElement != null && certs.length == 0) {
+ DOMX509SKI x509SKI = new DOMX509SKI(skiElement);
+ CryptoType cryptoType = new
CryptoType(CryptoType.TYPE.SKI_BYTES);
+ cryptoType.setBytes(x509SKI.getSKIBytes());
+ certs = data.getDecCrypto().getX509Certificates(cryptoType);
+ }
+
+ Element x509CertElement =
XMLUtils.getDirectChildElement(keyInfoChildElement,
WSS4JConstants.X509_CERT_LN, WSS4JConstants.SIG_NS);
+ if (x509CertElement != null && certs.length == 0) {
+ byte[] token =
EncryptionUtils.getDecodedBase64EncodedData(x509CertElement);
+ if (token == null || token.length == 0) {
+ throw new
WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidCertData",
+ new Object[] {"0"});
+ }
+ try (InputStream in = new ByteArrayInputStream(token)) {
+ X509Certificate cert =
data.getDecCrypto().loadCertificate(in);
+ if (cert != null) {
+ certs = new X509Certificate[]{cert};
}
+ } catch (IOException e) {
+ throw new WSSecurityException(
+
WSSecurityException.ErrorCode.SECURITY_TOKEN_UNAVAILABLE, e, "parseError"
+ );
}
}
}
- return new X509Certificate[0];
+ return certs;
}
private Element getFirstElement(Element element) {
diff --git
a/ws-security-dom/src/test/java/org/apache/wss4j/dom/processor/RecipientKeyInfoTest.java
b/ws-security-dom/src/test/java/org/apache/wss4j/dom/processor/RecipientKeyInfoTest.java
new file mode 100644
index 000000000..62d12e2de
--- /dev/null
+++
b/ws-security-dom/src/test/java/org/apache/wss4j/dom/processor/RecipientKeyInfoTest.java
@@ -0,0 +1,327 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.wss4j.dom.processor;
+
+import org.apache.wss4j.common.bsp.BSPRule;
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoFactory;
+import org.apache.wss4j.common.util.SOAPUtil;
+import org.apache.wss4j.dom.common.KeystoreCallbackHandler;
+import org.apache.wss4j.dom.engine.WSSConfig;
+import org.apache.wss4j.dom.engine.WSSecurityEngine;
+import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
+import org.apache.wss4j.dom.handler.RequestData;
+import org.apache.wss4j.dom.handler.WSHandlerResult;
+import org.junit.jupiter.api.Test;
+import org.w3c.dom.Document;
+
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+
+/**
+ * This class tests correct handling of different RecipientKeyInfo contents in
the AgreementMethod element.
+ */
+public class RecipientKeyInfoTest {
+ private static final String X509SKI_XML = "<S12:Envelope
xmlns:S12=\"http://www.w3.org/2003/05/soap-envelope\";
xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\";
xmlns:eb=\"http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/\";
xmlns:ebbp=\"http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0\";
xmlns:ns5=\"http://www.w3.org/1999/xlink\";>\n" +
+ " <S12:Header>\n" +
+ " <wsse:Security
xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\";
xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\";
S12:mustUnderstand=\"true\">\n" +
+ " <xenc:EncryptedKey
xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\";
Id=\"EK-70fae604-dd7d-4eca-a6fb-f86cab628ef3\">\n" +
+ " <xenc:EncryptionMethod
Algorithm=\"http://www.w3.org/2001/04/xmlenc#kw-aes128\"/>\n" +
+ " <ds:KeyInfo>\n" +
+ " <xenc:AgreementMethod
Algorithm=\"http://www.w3.org/2009/xmlenc11#ECDH-ES\";>\n" +
+ " <xenc11:KeyDerivationMethod
xmlns:xenc11=\"http://www.w3.org/2009/xmlenc11#\";
Algorithm=\"http://www.w3.org/2009/xmlenc11#ConcatKDF\";>\n" +
+ " <xenc11:ConcatKDFParams>\n" +
+ " <ds:DigestMethod
Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/>\n" +
+ " </xenc11:ConcatKDFParams>\n" +
+ " </xenc11:KeyDerivationMethod>\n" +
+ " <xenc:OriginatorKeyInfo>\n" +
+ " <ds:KeyValue>\n" +
+ " <dsig11:ECKeyValue
xmlns:dsig11=\"http://www.w3.org/2009/xmldsig11#\";>\n" +
+ " <dsig11:NamedCurve URI=\"urn:oid:1.3.132.0.35\"/>\n" +
+ "
<dsig11:PublicKey>BACyQlDSqpHbovJmv3FBpMghZoQYGgz80Odwq8Kg+Na0jlBDnoObQAiYP75CL0QFMEFUZln/fVk0OslooRXS3oSVIQASiRs0iVoxxSJmGLddnmh1Geyn0WVVVrWrAsq+DUpgF+o4uyKRdjNqT3zdRQKvXP9EXi5gTu1pM9rRXmjD4hu4Dg==</dsig11:PublicKey>\n"
+
+ " </dsig11:ECKeyValue>\n" +
+ " </ds:KeyValue>\n" +
+ " </xenc:OriginatorKeyInfo>\n" +
+ " <xenc:RecipientKeyInfo>\n" +
+ " <ds:X509Data>\n" +
+ " <ds:X509SKI>pICAbVbWYkAOt/Whi7QgAInmstI=</ds:X509SKI>\n" +
+ " </ds:X509Data>\n" +
+ " </xenc:RecipientKeyInfo>\n" +
+ " </xenc:AgreementMethod>\n" +
+ " </ds:KeyInfo>\n" +
+ " <xenc:CipherData>\n" +
+ "
<xenc:CipherValue>304N9yfr39kEasVxmqVzetY5BNxy65Jt</xenc:CipherValue>\n" +
+ " </xenc:CipherData>\n" +
+ " <xenc:ReferenceList>\n" +
+ " <xenc:DataReference
URI=\"#ED-af4fd424-0178-4523-bd2c-f990ac78b6e5\"/>\n" +
+ " </xenc:ReferenceList>\n" +
+ " </xenc:EncryptedKey>\n" +
+ " </wsse:Security>\n" +
+ " </S12:Header>\n" +
+ " <S12:Body
xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\";
wsu:Id=\"id-103ba36e-7163-40bf-beba-cbb61d80f894\">\n" +
+ " <xenc:EncryptedData
xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\";
Id=\"ED-af4fd424-0178-4523-bd2c-f990ac78b6e5\"
Type=\"http://www.w3.org/2001/04/xmlenc#Content\";>\n" +
+ " <xenc:EncryptionMethod
Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes128-cbc\"/>\n" +
+ " <ds:KeyInfo
xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\";>\n" +
+ " <wsse:SecurityTokenReference
xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\";
xmlns:wsse11=\"http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd\";
wsse11:TokenType=\"http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey\";>\n"
+
+ " <wsse:Reference
URI=\"#EK-802eb082-00c9-43da-a578-f68fe376b976\"/>\n" +
+ " </wsse:SecurityTokenReference>\n" +
+ " </ds:KeyInfo>\n" +
+ " <xenc:CipherData>\n" +
+ "
<xenc:CipherValue>60eDOiVgEBqqPaLsrhyx+r1hYBoskcb69/iklYF3ISQAcGSBDRr9v5qMJRxwu9h3sij2plx4ac4GW+KXGwvI6VEEHoKSAsNWg+VwJEbnaIpfV5HaG/fdCz/vSEQ/XZNfkUwxlIP3iaywc2E6fPR/SA==</xenc:CipherValue>\n"
+
+ " </xenc:CipherData>\n" +
+ " </xenc:EncryptedData>\n" +
+ " </S12:Body>\n" +
+ "</S12:Envelope>";
+
+ private static final String X509ISSUER_SERIAL_XML = "<S12:Envelope
xmlns:S12=\"http://www.w3.org/2003/05/soap-envelope\";
xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\";
xmlns:eb=\"http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/\";
xmlns:ebbp=\"http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0\";
xmlns:ns5=\"http://www.w3.org/1999/xlink\";>\n" +
+ " <S12:Header>\n" +
+ " <wsse:Security
xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\";
xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\";
S12:mustUnderstand=\"true\">\n" +
+ " <xenc:EncryptedKey
xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\";
Id=\"EK-70fae604-dd7d-4eca-a6fb-f86cab628ef3\">\n" +
+ " <xenc:EncryptionMethod
Algorithm=\"http://www.w3.org/2001/04/xmlenc#kw-aes128\"/>\n" +
+ " <ds:KeyInfo>\n" +
+ " <xenc:AgreementMethod
Algorithm=\"http://www.w3.org/2009/xmlenc11#ECDH-ES\";>\n" +
+ " <xenc11:KeyDerivationMethod
xmlns:xenc11=\"http://www.w3.org/2009/xmlenc11#\";
Algorithm=\"http://www.w3.org/2009/xmlenc11#ConcatKDF\";>\n" +
+ " <xenc11:ConcatKDFParams>\n" +
+ " <ds:DigestMethod
Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/>\n" +
+ " </xenc11:ConcatKDFParams>\n" +
+ " </xenc11:KeyDerivationMethod>\n" +
+ " <xenc:OriginatorKeyInfo>\n" +
+ " <ds:KeyValue>\n" +
+ " <dsig11:ECKeyValue
xmlns:dsig11=\"http://www.w3.org/2009/xmldsig11#\";>\n" +
+ " <dsig11:NamedCurve URI=\"urn:oid:1.3.132.0.35\"/>\n" +
+ "
<dsig11:PublicKey>BACyQlDSqpHbovJmv3FBpMghZoQYGgz80Odwq8Kg+Na0jlBDnoObQAiYP75CL0QFMEFUZln/fVk0OslooRXS3oSVIQASiRs0iVoxxSJmGLddnmh1Geyn0WVVVrWrAsq+DUpgF+o4uyKRdjNqT3zdRQKvXP9EXi5gTu1pM9rRXmjD4hu4Dg==</dsig11:PublicKey>\n"
+
+ " </dsig11:ECKeyValue>\n" +
+ " </ds:KeyValue>\n" +
+ " </xenc:OriginatorKeyInfo>\n" +
+ " <xenc:RecipientKeyInfo>\n" +
+ " <ds:X509Data>\n" +
+ " <ds:X509IssuerSerial>\n" +
+ " <ds:X509IssuerName>CN=issuer-ca, OU=eDeliveryAS4-2.0,
OU=wss4j, O=apache, C=EU</ds:X509IssuerName>\n" +
+ "
<ds:X509SerialNumber>12685121184234350225</ds:X509SerialNumber>\n" +
+ " </ds:X509IssuerSerial>\n" +
+ " </ds:X509Data>\n" +
+ " </xenc:RecipientKeyInfo>\n" +
+ " </xenc:AgreementMethod>\n" +
+ " </ds:KeyInfo>\n" +
+ " <xenc:CipherData>\n" +
+ "
<xenc:CipherValue>304N9yfr39kEasVxmqVzetY5BNxy65Jt</xenc:CipherValue>\n" +
+ " </xenc:CipherData>\n" +
+ " <xenc:ReferenceList>\n" +
+ " <xenc:DataReference
URI=\"#ED-af4fd424-0178-4523-bd2c-f990ac78b6e5\"/>\n" +
+ " </xenc:ReferenceList>\n" +
+ " </xenc:EncryptedKey>\n" +
+ " </wsse:Security>\n" +
+ " </S12:Header>\n" +
+ " <S12:Body
xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\";
wsu:Id=\"id-103ba36e-7163-40bf-beba-cbb61d80f894\">\n" +
+ " <xenc:EncryptedData
xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\";
Id=\"ED-af4fd424-0178-4523-bd2c-f990ac78b6e5\"
Type=\"http://www.w3.org/2001/04/xmlenc#Content\";>\n" +
+ " <xenc:EncryptionMethod
Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes128-cbc\"/>\n" +
+ " <ds:KeyInfo
xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\";>\n" +
+ " <wsse:SecurityTokenReference
xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\";
xmlns:wsse11=\"http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd\";
wsse11:TokenType=\"http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey\";>\n"
+
+ " <wsse:Reference
URI=\"#EK-802eb082-00c9-43da-a578-f68fe376b976\"/>\n" +
+ " </wsse:SecurityTokenReference>\n" +
+ " </ds:KeyInfo>\n" +
+ " <xenc:CipherData>\n" +
+ "
<xenc:CipherValue>60eDOiVgEBqqPaLsrhyx+r1hYBoskcb69/iklYF3ISQAcGSBDRr9v5qMJRxwu9h3sij2plx4ac4GW+KXGwvI6VEEHoKSAsNWg+VwJEbnaIpfV5HaG/fdCz/vSEQ/XZNfkUwxlIP3iaywc2E6fPR/SA==</xenc:CipherValue>\n"
+
+ " </xenc:CipherData>\n" +
+ " </xenc:EncryptedData>\n" +
+ " </S12:Body>\n" +
+ "</S12:Envelope>";
+
+
+ private static final String X509CERT_XML = "<S12:Envelope
xmlns:S12=\"http://www.w3.org/2003/05/soap-envelope\";
xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\";
xmlns:eb=\"http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/\";
xmlns:ebbp=\"http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0\";
xmlns:ns5=\"http://www.w3.org/1999/xlink\";>\n" +
+ " <S12:Header>\n" +
+ " <wsse:Security
xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\";
xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\";
S12:mustUnderstand=\"true\">\n" +
+ " <xenc:EncryptedKey
xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\";
Id=\"EK-70fae604-dd7d-4eca-a6fb-f86cab628ef3\">\n" +
+ " <xenc:EncryptionMethod
Algorithm=\"http://www.w3.org/2001/04/xmlenc#kw-aes128\"/>\n" +
+ " <ds:KeyInfo>\n" +
+ " <xenc:AgreementMethod
Algorithm=\"http://www.w3.org/2009/xmlenc11#ECDH-ES\";>\n" +
+ " <xenc11:KeyDerivationMethod
xmlns:xenc11=\"http://www.w3.org/2009/xmlenc11#\";
Algorithm=\"http://www.w3.org/2009/xmlenc11#ConcatKDF\";>\n" +
+ " <xenc11:ConcatKDFParams>\n" +
+ " <ds:DigestMethod
Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/>\n" +
+ " </xenc11:ConcatKDFParams>\n" +
+ " </xenc11:KeyDerivationMethod>\n" +
+ " <xenc:OriginatorKeyInfo>\n" +
+ " <ds:KeyValue>\n" +
+ " <dsig11:ECKeyValue
xmlns:dsig11=\"http://www.w3.org/2009/xmldsig11#\";>\n" +
+ " <dsig11:NamedCurve URI=\"urn:oid:1.3.132.0.35\"/>\n" +
+ "
<dsig11:PublicKey>BACyQlDSqpHbovJmv3FBpMghZoQYGgz80Odwq8Kg+Na0jlBDnoObQAiYP75CL0QFMEFUZln/fVk0OslooRXS3oSVIQASiRs0iVoxxSJmGLddnmh1Geyn0WVVVrWrAsq+DUpgF+o4uyKRdjNqT3zdRQKvXP9EXi5gTu1pM9rRXmjD4hu4Dg==</dsig11:PublicKey>\n"
+
+ " </dsig11:ECKeyValue>\n" +
+ " </ds:KeyValue>\n" +
+ " </xenc:OriginatorKeyInfo>\n" +
+ " <xenc:RecipientKeyInfo>\n" +
+ " <ds:X509Data>\n" +
+ "
<ds:X509Certificate>MIICJTCCAdegAwIBAgIJALAKmoInEiaRMAUGAytlcDBdMQswCQYDVQQGEwJFVTEPMA0GA1UEChMGYXBhY2hlMQ4wDAYDVQQLEwV3c3M0ajEZMBcGA1UECxMQZURlbGl2ZXJ5QVM0LTIuMDESMBAGA1UEAxMJaXNzdWVyLWNhMB4XDTI0MDEyMzA5MjU0OVoXDTM0MDEyMDA5MjU0OVowXTELMAkGA1UEBhMCRVUxDzANBgNVBAoTBmFwYWNoZTEOMAwGA1UECxMFd3NzNGoxGTAXBgNVBAsTEGVEZWxpdmVyeUFTNC0yLjAxEjAQBgNVBAMTCXNlY3A1MjFyMTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEANDRUPByrM1VA/RFIk9yGLGTXlGWmHYgcdRswLyc/w0oTgG/+ScxavJQR1iGlnaFX47jH1kieDjWz
[...]
+ " </ds:X509Data>\n" +
+ " </xenc:RecipientKeyInfo>\n" +
+ " </xenc:AgreementMethod>\n" +
+ " </ds:KeyInfo>\n" +
+ " <xenc:CipherData>\n" +
+ "
<xenc:CipherValue>304N9yfr39kEasVxmqVzetY5BNxy65Jt</xenc:CipherValue>\n" +
+ " </xenc:CipherData>\n" +
+ " <xenc:ReferenceList>\n" +
+ " <xenc:DataReference
URI=\"#ED-af4fd424-0178-4523-bd2c-f990ac78b6e5\"/>\n" +
+ " </xenc:ReferenceList>\n" +
+ " </xenc:EncryptedKey>\n" +
+ " </wsse:Security>\n" +
+ " </S12:Header>\n" +
+ " <S12:Body
xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\";
wsu:Id=\"id-103ba36e-7163-40bf-beba-cbb61d80f894\">\n" +
+ " <xenc:EncryptedData
xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\";
Id=\"ED-af4fd424-0178-4523-bd2c-f990ac78b6e5\"
Type=\"http://www.w3.org/2001/04/xmlenc#Content\";>\n" +
+ " <xenc:EncryptionMethod
Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes128-cbc\"/>\n" +
+ " <ds:KeyInfo
xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\";>\n" +
+ " <wsse:SecurityTokenReference
xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\";
xmlns:wsse11=\"http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd\";
wsse11:TokenType=\"http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey\";>\n"
+
+ " <wsse:Reference
URI=\"#EK-802eb082-00c9-43da-a578-f68fe376b976\"/>\n" +
+ " </wsse:SecurityTokenReference>\n" +
+ " </ds:KeyInfo>\n" +
+ " <xenc:CipherData>\n" +
+ "
<xenc:CipherValue>60eDOiVgEBqqPaLsrhyx+r1hYBoskcb69/iklYF3ISQAcGSBDRr9v5qMJRxwu9h3sij2plx4ac4GW+KXGwvI6VEEHoKSAsNWg+VwJEbnaIpfV5HaG/fdCz/vSEQ/XZNfkUwxlIP3iaywc2E6fPR/SA==</xenc:CipherValue>\n"
+
+ " </xenc:CipherData>\n" +
+ " </xenc:EncryptedData>\n" +
+ " </S12:Body>\n" +
+ "</S12:Envelope>";
+
+ private static final String ECKEY_VALUE_XML = "<S12:Envelope
xmlns:S12=\"http://www.w3.org/2003/05/soap-envelope\";
xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\";
xmlns:eb=\"http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/\";
xmlns:ebbp=\"http://docs.oasis-open.org/ebxml-bp/ebbp-signals-2.0\";
xmlns:ns5=\"http://www.w3.org/1999/xlink\";>\n" +
+ " <S12:Header>\n" +
+ " <wsse:Security
xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\";
xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\";
S12:mustUnderstand=\"true\">\n" +
+ " <xenc:EncryptedKey
xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\";
Id=\"EK-70fae604-dd7d-4eca-a6fb-f86cab628ef3\">\n" +
+ " <xenc:EncryptionMethod
Algorithm=\"http://www.w3.org/2001/04/xmlenc#kw-aes128\"/>\n" +
+ " <ds:KeyInfo>\n" +
+ " <xenc:AgreementMethod
Algorithm=\"http://www.w3.org/2009/xmlenc11#ECDH-ES\";>\n" +
+ " <xenc11:KeyDerivationMethod
xmlns:xenc11=\"http://www.w3.org/2009/xmlenc11#\";
Algorithm=\"http://www.w3.org/2009/xmlenc11#ConcatKDF\";>\n" +
+ " <xenc11:ConcatKDFParams>\n" +
+ " <ds:DigestMethod
Algorithm=\"http://www.w3.org/2001/04/xmlenc#sha256\"/>\n" +
+ " </xenc11:ConcatKDFParams>\n" +
+ " </xenc11:KeyDerivationMethod>\n" +
+ " <xenc:OriginatorKeyInfo>\n" +
+ " <ds:KeyValue>\n" +
+ " <dsig11:ECKeyValue
xmlns:dsig11=\"http://www.w3.org/2009/xmldsig11#\";>\n" +
+ " <dsig11:NamedCurve URI=\"urn:oid:1.3.132.0.35\"/>\n" +
+ "
<dsig11:PublicKey>BACyQlDSqpHbovJmv3FBpMghZoQYGgz80Odwq8Kg+Na0jlBDnoObQAiYP75CL0QFMEFUZln/fVk0OslooRXS3oSVIQASiRs0iVoxxSJmGLddnmh1Geyn0WVVVrWrAsq+DUpgF+o4uyKRdjNqT3zdRQKvXP9EXi5gTu1pM9rRXmjD4hu4Dg==</dsig11:PublicKey>\n"
+
+ " </dsig11:ECKeyValue>\n" +
+ " </ds:KeyValue>\n" +
+ " </xenc:OriginatorKeyInfo>\n" +
+ " <xenc:RecipientKeyInfo>\n" +
+ " <ds:KeyValue>\n" +
+ " <dsig11:ECKeyValue
xmlns:dsig11=\"http://www.w3.org/2009/xmldsig11#\";>\n" +
+ " <dsig11:NamedCurve URI=\"urn:oid:1.3.132.0.35\"/>\n" +
+ "
<dsig11:PublicKey>BADQ0VDwcqzNVQP0RSJPchixk15Rlph2IHHUbMC8nP8NKE4Bv/knMWryUEdYhpZ2hV+O4x9ZIng41szauFEGZgVYsAGYEe350FHsn7ipgRvN+CWUpP7U7GFfcJqx9ecjD+5mucsBH9MRRWOqRTcU/7ey0NYygtShUVnDmcu6yRh16XGA3g==</dsig11:PublicKey>\n"
+
+ " </dsig11:ECKeyValue>\n" +
+ " </ds:KeyValue>\n" +
+ " </xenc:RecipientKeyInfo>\n" +
+ " </xenc:AgreementMethod>\n" +
+ " </ds:KeyInfo>\n" +
+ " <xenc:CipherData>\n" +
+ "
<xenc:CipherValue>304N9yfr39kEasVxmqVzetY5BNxy65Jt</xenc:CipherValue>\n" +
+ " </xenc:CipherData>\n" +
+ " <xenc:ReferenceList>\n" +
+ " <xenc:DataReference
URI=\"#ED-af4fd424-0178-4523-bd2c-f990ac78b6e5\"/>\n" +
+ " </xenc:ReferenceList>\n" +
+ " </xenc:EncryptedKey>\n" +
+ " </wsse:Security>\n" +
+ " </S12:Header>\n" +
+ " <S12:Body
xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\";
wsu:Id=\"id-103ba36e-7163-40bf-beba-cbb61d80f894\">\n" +
+ " <xenc:EncryptedData
xmlns:xenc=\"http://www.w3.org/2001/04/xmlenc#\";
Id=\"ED-af4fd424-0178-4523-bd2c-f990ac78b6e5\"
Type=\"http://www.w3.org/2001/04/xmlenc#Content\";>\n" +
+ " <xenc:EncryptionMethod
Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes128-cbc\"/>\n" +
+ " <ds:KeyInfo
xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\";>\n" +
+ " <wsse:SecurityTokenReference
xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\";
xmlns:wsse11=\"http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd\";
wsse11:TokenType=\"http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey\";>\n"
+
+ " <wsse:Reference
URI=\"#EK-802eb082-00c9-43da-a578-f68fe376b976\"/>\n" +
+ " </wsse:SecurityTokenReference>\n" +
+ " </ds:KeyInfo>\n" +
+ " <xenc:CipherData>\n" +
+ "
<xenc:CipherValue>60eDOiVgEBqqPaLsrhyx+r1hYBoskcb69/iklYF3ISQAcGSBDRr9v5qMJRxwu9h3sij2plx4ac4GW+KXGwvI6VEEHoKSAsNWg+VwJEbnaIpfV5HaG/fdCz/vSEQ/XZNfkUwxlIP3iaywc2E6fPR/SA==</xenc:CipherValue>\n"
+
+ " </xenc:CipherData>\n" +
+ " </xenc:EncryptedData>\n" +
+ " </S12:Body>\n" +
+ "</S12:Envelope>";
+
+
+ public RecipientKeyInfoTest() {
+ WSSConfig.init();
+ }
+
+ @Test
+ public void testECDHEncryptionWithX509SKI() throws Exception {
+ Document document = SOAPUtil.toSOAPPart(X509SKI_XML);
+
+ final WSSecurityEngine secEngine = new WSSecurityEngine();
+ final RequestData requestData = new RequestData();
+
+ Crypto encCrypto = CryptoFactory.getInstance("wss-ecdh.properties");
+ requestData.setDecCrypto(encCrypto);
+ requestData.setCallbackHandler(new KeystoreCallbackHandler());
+ requestData.setIgnoredBSPRules(List.of(BSPRule.R5426));
+ WSHandlerResult wsHandlerResults =
secEngine.processSecurityHeader(document, requestData);
+ assertEquals(1, wsHandlerResults.getResults().size());
+ WSSecurityEngineResult result = wsHandlerResults.getResults().get(0);
+ assertArrayEquals(new byte[] {35, 14, -124, -105, -120, -7, -92, -63,
-59, -72, -52, 121, 69, -83, 42, -89},
(byte[])result.get(WSSecurityEngineResult.TAG_SECRET));
+ }
+
+ @Test
+ public void testECDHEncryptionWithX509IssuerSerial() throws Exception {
+ Document document = SOAPUtil.toSOAPPart(X509ISSUER_SERIAL_XML);
+
+ final WSSecurityEngine secEngine = new WSSecurityEngine();
+ final RequestData requestData = new RequestData();
+
+ Crypto encCrypto = CryptoFactory.getInstance("wss-ecdh.properties");
+ requestData.setDecCrypto(encCrypto);
+ requestData.setCallbackHandler(new KeystoreCallbackHandler());
+ requestData.setIgnoredBSPRules(List.of(BSPRule.R5426));
+ WSHandlerResult wsHandlerResults =
secEngine.processSecurityHeader(document, requestData);
+ assertEquals(1, wsHandlerResults.getResults().size());
+ WSSecurityEngineResult result = wsHandlerResults.getResults().get(0);
+ assertArrayEquals(new byte[] {35, 14, -124, -105, -120, -7, -92, -63,
-59, -72, -52, 121, 69, -83, 42, -89},
(byte[])result.get(WSSecurityEngineResult.TAG_SECRET));
+ }
+
+ @Test
+ public void testECDHEncryptionWithX509certificate() throws Exception {
+ Document document = SOAPUtil.toSOAPPart(X509CERT_XML);
+
+ final WSSecurityEngine secEngine = new WSSecurityEngine();
+ final RequestData requestData = new RequestData();
+
+ Crypto encCrypto = CryptoFactory.getInstance("wss-ecdh.properties");
+ requestData.setDecCrypto(encCrypto);
+ requestData.setCallbackHandler(new KeystoreCallbackHandler());
+ requestData.setIgnoredBSPRules(List.of(BSPRule.R5426));
+ WSHandlerResult wsHandlerResults =
secEngine.processSecurityHeader(document, requestData);
+ assertEquals(1, wsHandlerResults.getResults().size());
+ WSSecurityEngineResult result = wsHandlerResults.getResults().get(0);
+ assertArrayEquals(new byte[] {35, 14, -124, -105, -120, -7, -92, -63,
-59, -72, -52, 121, 69, -83, 42, -89},
(byte[])result.get(WSSecurityEngineResult.TAG_SECRET));
+ }
+
+ @Test
+ public void testECDHEncryptionWithECKeyValue() throws Exception {
+ Document document = SOAPUtil.toSOAPPart(ECKEY_VALUE_XML);
+
+ final WSSecurityEngine secEngine = new WSSecurityEngine();
+ final RequestData requestData = new RequestData();
+
+ Crypto encCrypto = CryptoFactory.getInstance("wss-ecdh.properties");
+ requestData.setDecCrypto(encCrypto);
+ requestData.setCallbackHandler(new KeystoreCallbackHandler());
+ requestData.setIgnoredBSPRules(List.of(BSPRule.R5426));
+ WSHandlerResult wsHandlerResults =
secEngine.processSecurityHeader(document, requestData);
+ assertEquals(1, wsHandlerResults.getResults().size());
+ WSSecurityEngineResult result = wsHandlerResults.getResults().get(0);
+ assertArrayEquals(new byte[] {35, 14, -124, -105, -120, -7, -92, -63,
-59, -72, -52, 121, 69, -83, 42, -89},
(byte[])result.get(WSSecurityEngineResult.TAG_SECRET));
+ }
+}
\ No newline at end of file
