Author: fadushin
Date: Fri Apr 11 11:51:20 2008
New Revision: 647266
URL: http://svn.apache.org/viewvc?rev=647266&view=rev
Log:
WSS-66 Possible security hole when PasswordDigest is used by client
* Applied Steve and Colm's patch (with test case)
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecUsernameToken.java
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java
webservices/wss4j/trunk/src/org/apache/ws/security/processor/UsernameTokenProcessor.java
webservices/wss4j/trunk/test/wssec/TestWSSecurityNew5.java
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecUsernameToken.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecUsernameToken.java?rev=647266&r1=647265&r2=647266&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecUsernameToken.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecUsernameToken.java
Fri Apr 11 11:51:20 2008
@@ -41,8 +41,6 @@
private UsernameToken ut = null;
- private String id = null;
-
private boolean nonce = false;
private boolean created = false;
@@ -134,14 +132,14 @@
passwordType);
ut.setName(user);
ut.setPassword(password);
- String utId = "UsernameToken-" + ut.hashCode();
- ut.setID(utId);
if (nonce) {
ut.addNonce(doc);
}
if (created) {
ut.addCreated(wssConfig.isPrecisionInMilliSeconds(),
doc);
}
+ String utId = "UsernameToken-" + ut.hashCode();
+ ut.setID(utId);
}
/**
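Review bot: `ut.setID("UsernameToken-" + ut.hashCode())` at the end of the hunk derives the wsu:Id from a hash code, which gives no uniqueness guarantee within the document; wsu:Id values are resolved by reference from other header elements, so two tokens with colliding hash codes would be ambiguous. Whether moving the call after `addNonce`/`addCreated` changes the Id at all depends on `UsernameToken.hashCode()` being content-based, which is not visible here. A per-document counter or a random identifier would be a safer source; at minimum add `// Id is derived from hashCode() and is not guaranteed unique within the document` above the assignment. The enclosing method starts before the hunk.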
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java?rev=647266&r1=647265&r2=647266&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/message/token/UsernameToken.java
Fri Apr 11 11:51:20 2008
@@ -439,11 +439,10 @@
String password) {
String passwdDigest = null;
try {
- byte[] b1 = Base64.decode(nonce);
- byte[] b2 = created.getBytes("UTF-8");
+ byte[] b1 = nonce != null ? Base64.decode(nonce) : new byte[0];
+ byte[] b2 = created != null ? created.getBytes("UTF-8") : new
byte[0];
byte[] b3 = password.getBytes("UTF-8");
byte[] b4 = new byte[b1.length + b2.length + b3.length];
- int i = 0;
int offset = 0;
System.arraycopy(b1, 0, b4, offset, b1.length);
offset += b1.length;
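Review bot: The two added null branches change the contract of `doPasswordDigest` without saying so: a missing nonce or created value no longer throws but is silently left out of the digest, so for a null nonce the result depends only on created and the password. The UsernameToken profile permits omitting these elements, but callers need to know the method does not enforce their presence. The method's Javadoc lies outside the hunk; add a sentence such as `A null nonce or created value contributes nothing to the digest; callers that require them must check before calling.` The method continues past the end of the hunk.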
Modified:
webservices/wss4j/trunk/src/org/apache/ws/security/processor/UsernameTokenProcessor.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/UsernameTokenProcessor.java?rev=647266&r1=647265&r2=647266&view=diff
==============================================================================
---
webservices/wss4j/trunk/src/org/apache/ws/security/processor/UsernameTokenProcessor.java
(original)
+++
webservices/wss4j/trunk/src/org/apache/ws/security/processor/UsernameTokenProcessor.java
Fri Apr 11 11:51:20 2008
@@ -117,11 +117,9 @@
throw new WSSecurityException(WSSecurityException.FAILURE,
"noPassword", new Object[]{user});
}
- if (nonce != null && createdTime != null) {
- String passDigest = UsernameToken.doPasswordDigest(nonce,
createdTime, origPassword);
- if (!passDigest.equals(password)) {
- throw new
WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
- }
+ String passDigest = UsernameToken.doPasswordDigest(nonce,
createdTime, origPassword);
+ if (!passDigest.equals(password)) {
+ throw new
WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
}
ut.setRawPassword(origPassword);
} else if (cb != null) {
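Review bot: The replaced guard means a PasswordDigest token whose Nonce or Created element is absent is now verified against a digest computed without them (via the null handling added in UsernameToken.doPasswordDigest in this commit), and is accepted whenever the password matches. The profile allows omitting them, but a digest without a nonce is a fixed value for a given password, so a deployment that relies on the nonce for replay detection gets no protection from this path. Consider an explicit check before the digest is computed, gated by a configuration flag, e.g. `if (REQUIRE_NONCE_AND_CREATED && (nonce == null || createdTime == null)) { throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION); }` where `REQUIRE_NONCE_AND_CREATED` is a placeholder for a setting not on this page. The enclosing method starts and ends outside the hunk.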
Modified: webservices/wss4j/trunk/test/wssec/TestWSSecurityNew5.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityNew5.java?rev=647266&r1=647265&r2=647266&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityNew5.java (original)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityNew5.java Fri Apr 11
11:51:20 2008
@@ -28,6 +28,7 @@
import org.apache.axis.message.SOAPEnvelope;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.WSSecurityEngine;
import org.apache.ws.security.WSConstants;
@@ -45,7 +46,7 @@
/**
- * WS-Security Test Case
+ * WS-Security Test Case for UsernameTokens.
* <p/>
*
* @author Davanum Srinivas ([EMAIL PROTECTED])
@@ -117,8 +118,6 @@
/**
* Test that adds a UserNameToken with password Digest to a WS-Security
envelope
* <p/>
- *
- * @throws java.lang.Exception Thrown when there is any problem in signing
or verification
*/
public void testUsernameTokenDigest() throws Exception {
WSSecUsernameToken builder = new WSSecUsernameToken();
@@ -149,8 +148,6 @@
/**
* Test that adds a UserNameToken with password text to a WS-Security
envelope
* <p/>
- *
- * @throws java.lang.Exception Thrown when there is any problem in signing
or verification
*/
public void testUsernameTokenText() throws Exception {
WSSecUsernameToken builder = new WSSecUsernameToken();
@@ -170,6 +167,89 @@
log.info("After adding UsernameToken PW Text....");
verify(signedDoc);
}
+
+ /**
+ * A test for WSS-66 - the nonce string is null
+ * http://issues.apache.org/jira/browse/WSS-66
+ * "Possible security hole when PasswordDigest is used by client."
+ */
+ public void testNullNonce() throws Exception {
+ WSSecUsernameToken builder = new WSSecUsernameToken();
+ builder.setPasswordType(WSConstants.PASSWORD_DIGEST);
+ builder.setUserInfo("wernerd", "BAD_PASSWORD");
+
+ Document doc = unsignedEnvelope.getAsDocument();
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+ Document utDoc = builder.build(doc, secHeader);
+
+ //
+ // Manually find the Nonce node and set the content to null
+ //
+ org.w3c.dom.Element elem = builder.getUsernameTokenElement();
+ org.w3c.dom.NodeList list = elem.getElementsByTagName("wsse:Nonce");
+ org.w3c.dom.Node nonceNode = list.item(0);
+ nonceNode.setTextContent(null);
+
+ if (log.isDebugEnabled()) {
+ String outputString =
+
org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(utDoc);
+ log.debug(outputString);
+ }
+
+ try {
+ //
+ // Verification should fail as the password is bad
+ //
+ verify(utDoc);
+ throw new Exception("Expected failure due to a bad password");
+ } catch (WSSecurityException ex) {
+ assertTrue(ex.getErrorCode() ==
WSSecurityException.FAILED_AUTHENTICATION);
+ // expected
+ }
+ }
+
+ /**
+ * A test for WSS-66 - the created string is null
+ * http://issues.apache.org/jira/browse/WSS-66
+ * "Possible security hole when PasswordDigest is used by client."
+ */
+ public void testNullCreated() throws Exception {
+ WSSecUsernameToken builder = new WSSecUsernameToken();
+ builder.setPasswordType(WSConstants.PASSWORD_DIGEST);
+ builder.setUserInfo("wernerd", "BAD_PASSWORD");
+
+ Document doc = unsignedEnvelope.getAsDocument();
+ WSSecHeader secHeader = new WSSecHeader();
+ secHeader.insertSecurityHeader(doc);
+ Document utDoc = builder.build(doc, secHeader);
+
+ //
+ // Manually find the Created node and set the content to null
+ //
+ org.w3c.dom.Element elem = builder.getUsernameTokenElement();
+ org.w3c.dom.NodeList list = elem.getElementsByTagName("wsu:Created");
+ org.w3c.dom.Node nonceNode = list.item(0);
+ nonceNode.setTextContent(null);
+
+ if (log.isDebugEnabled()) {
+ String outputString =
+
org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(utDoc);
+ log.debug(outputString);
+ }
+
+ try {
+ //
+ // Verification should fail as the password is bad
+ //
+ verify(utDoc);
+ throw new Exception("Expected failure due to a bad password");
+ } catch (WSSecurityException ex) {
+ assertTrue(ex.getErrorCode() ==
WSSecurityException.FAILED_AUTHENTICATION);
+ // expected
+ }
+ }
+
/**
* Verifies the soap envelope
* <p/>
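Review bot: Both `testNullNonce` and `testNullCreated` use `BAD_PASSWORD`, so they only show that a null element no longer crashes verification; the `FAILED_AUTHENTICATION` assertion would pass identically with or without the nonce handling, because the wrong password alone produces that outcome. A companion test that uses the password the test callback accepts and nulls the Nonce would pin whether such a token is accepted or rejected, which is the behaviour WSS-66 is actually about. In `testNullCreated` the local `nonceNode` holds the Created node; rename it to `createdNode` to match the comment above it.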