Author: coheigea
Date: Tue Oct 20 11:37:34 2009
New Revision: 827038

URL: http://svn.apache.org/viewvc?rev=827038&view=rev
Log:
[WSS-211] - WSS4J does not support ThumbprintSHA1 in DerivedKeyTokens

Modified:
    
webservices/wss4j/trunk/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java
    webservices/wss4j/trunk/test/wssec/TestWSSecurityNewDK.java

Modified: 
webservices/wss4j/trunk/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java?rev=827038&r1=827037&r2=827038&view=diff
==============================================================================
--- 
webservices/wss4j/trunk/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java
 (original)
+++ 
webservices/wss4j/trunk/src/org/apache/ws/security/processor/DerivedKeyTokenProcessor.java
 Tue Oct 20 11:37:34 2009
@@ -42,6 +42,7 @@
 import javax.security.auth.callback.UnsupportedCallbackException;
 
 import java.io.IOException;
+import java.security.cert.X509Certificate;
 import java.util.List;
 
 /**
@@ -158,8 +159,13 @@
                 // Now use the callback and get it
                 secret = getSecret(cb, uri);
             } else if (processor == null && keyIdentifierValue != null
-                && keyIdentifierValueType != null) {                
-                secret = getSecret(cb, keyIdentifierValue, 
keyIdentifierValueType); 
+                && keyIdentifierValueType != null) {
+                X509Certificate[] certs = str.getKeyIdentifier(crypto);
+                if (certs == null || certs.length < 1 || certs[0] == null) {
+                    this.secret = this.getSecret(cb, keyIdentifierValue, 
keyIdentifierValueType); 
+                } else {
+                    this.secret = this.getSecret(cb, crypto, certs);
+                }
             } else if (processor instanceof UsernameTokenProcessor) {
                 secret = ((UsernameTokenProcessor) 
processor).getDerivedKey(cb);
             } else if (processor instanceof EncryptedKeyProcessor) {
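Review bot: The new branch writes `this.secret = this.getSecret(...)` while the sibling branches in the same chain use the unqualified `secret = getSecret(cb, uri);`, so the field assignment should be written `secret = getSecret(cb, crypto, certs);` and `secret = getSecret(cb, keyIdentifierValue, keyIdentifierValueType);` for consistency. The fallback when `str.getKeyIdentifier(crypto)` yields no certificate is silent: an identifier that fails to resolve in the keystore is handed to the callback handler as a raw value, which is presumably intended for non-X509 identifier types but deserves a comment such as `// No matching certificate in the keystore: treat the identifier as an opaque value and ask the callback handler for the secret`. I assume `str` is the SecurityTokenReference parsed earlier in the method; the enclosing method starts and ends outside the hunk.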
@@ -247,6 +253,55 @@
         return pwcb.getKey();
     }
     
+    private byte[] getSecret(
+        CallbackHandler cb,
+        Crypto crypto,
+        X509Certificate certs[]
+    ) throws WSSecurityException {
+        if (cb == null) {
+            throw new WSSecurityException(WSSecurityException.FAILURE, 
"noCallback");
+        }
+
+        String alias = crypto.getAliasForX509Cert(certs[0]);
+
+        WSPasswordCallback pwCb = 
+            new WSPasswordCallback(alias, WSPasswordCallback.DECRYPT);
+        try {
+            Callback[] callbacks = new Callback[]{pwCb};
+            cb.handle(callbacks);
+        } catch (IOException e) {
+            throw new WSSecurityException(
+                WSSecurityException.FAILURE,
+                "noPassword",
+                new Object[]{alias}, 
+                e
+            );
+        } catch (UnsupportedCallbackException e) {
+            throw new WSSecurityException(
+                WSSecurityException.FAILURE,
+                "noPassword",
+                new Object[]{alias}, 
+                e
+            );
+        }
+
+        String password = pwCb.getPassword();
+        if (password == null) {
+            throw new WSSecurityException(
+                WSSecurityException.FAILURE, "noPassword", new Object[]{alias}
+            );
+        }
+
+        java.security.Key privateKey;
+        try {
+            privateKey = crypto.getPrivateKey(alias, password);
+            return privateKey.getEncoded();
+        } catch (Exception e) {
+            throw new WSSecurityException(WSSecurityException.FAILED_CHECK, 
null, null, e);
+        }
+    }
+    
+    
     /**
      * Returns the wsu:Id of the DerivedKeyToken
      * @see org.apache.ws.security.processor.Processor#getId()
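Review bot: `crypto.getAliasForX509Cert(certs[0])` can return null when the certificate has no keystore entry, and the method then builds a `WSPasswordCallback` for a null alias and calls `crypto.getPrivateKey(null, password)`, surfacing only as a generic FAILED_CHECK with a null message; add `if (alias == null) { throw new WSSecurityException(WSSecurityException.FAILURE, "noPassword", new Object[]{alias}); }` directly after the lookup so the failure names the cause. The catch-all `catch (Exception e)` around `getPrivateKey`/`getEncoded` likewise discards context by passing `null, null` as message key and arguments; at minimum pass the alias through. The new private method also lacks a Javadoc; it should state that it resolves the certificate to its keystore alias, obtains the private key through the DECRYPT callback, and returns the key's encoding for use as derived-key material, and `X509Certificate certs[]` should be declared `X509Certificate[] certs` to match the rest of the file.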

Modified: webservices/wss4j/trunk/test/wssec/TestWSSecurityNewDK.java
URL: 
http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityNewDK.java?rev=827038&r1=827037&r2=827038&view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityNewDK.java (original)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityNewDK.java Tue Oct 20 
11:37:34 2009
@@ -31,6 +31,7 @@
 import org.apache.ws.security.message.WSSecDKSign;
 import org.apache.ws.security.message.WSSecEncryptedKey;
 import org.apache.ws.security.message.WSSecHeader;
+import org.apache.ws.security.message.token.SecurityTokenReference;
 import org.apache.xml.security.signature.XMLSignature;
 import org.w3c.dom.Document;
 
@@ -39,6 +40,7 @@
 import javax.security.auth.callback.UnsupportedCallbackException;
 
 import java.io.IOException;
+import java.security.cert.X509Certificate;
 
 import junit.framework.Test;
 import junit.framework.TestCase;
@@ -189,6 +191,74 @@
          verify(doc);
      }
      
+     
+     /**
+      * A test for WSS-211 - "WSS4J does not support ThumbprintSHA1 in 
DerivedKeyTokens".
+      * Here we're signing the SOAP body, where the signature refers to a 
DerivedKeyToken
+      * which uses a Thumbprint-SHA1 reference to the encoded certificate 
(which is in the
+      * keystore)
+      */
+     public void testSignatureThumbprintSHA1() throws Exception {
+         Document doc = SOAPUtil.toSOAPPart(SOAPMSG);
+         WSSecHeader secHeader = new WSSecHeader();
+         secHeader.insertSecurityHeader(doc);
+
+         SecurityTokenReference secToken = new SecurityTokenReference(doc);
+         X509Certificate[] certs = crypto.getCertificates("wss40");
+         secToken.setKeyIdentifierThumb(certs[0]);
+         secToken.getElement();
+         
+         WSSecDKSign sigBuilder = new WSSecDKSign();
+         java.security.Key key = crypto.getPrivateKey("wss40", "security");
+         sigBuilder.setExternalKey(key.getEncoded(), secToken.getElement());
+         sigBuilder.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
+         sigBuilder.build(doc, secHeader);
+         
+         sigBuilder.prependDKElementToHeader(secHeader);
+         
+         if (LOG.isDebugEnabled()) {
+             LOG.debug("Encrypted message: ThumbprintSHA1 + DerivedKeys");
+             String outputString = 
+                 
org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+             LOG.debug(outputString);
+         }
+         verify(doc);
+     }
+     
+     
+     /**
+      * Here we're signing the SOAP body, where the signature refers to a 
DerivedKeyToken
+      * which uses an SKI reference to the encoded certificate (which is in the
+      * keystore)
+      */
+     public void testSignatureSKI() throws Exception {
+         Document doc = SOAPUtil.toSOAPPart(SOAPMSG);
+         WSSecHeader secHeader = new WSSecHeader();
+         secHeader.insertSecurityHeader(doc);
+
+         SecurityTokenReference secToken = new SecurityTokenReference(doc);
+         X509Certificate[] certs = crypto.getCertificates("wss40");
+         secToken.setKeyIdentifierSKI(certs[0], crypto);
+         secToken.getElement();
+         
+         WSSecDKSign sigBuilder = new WSSecDKSign();
+         java.security.Key key = crypto.getPrivateKey("wss40", "security");
+         sigBuilder.setExternalKey(key.getEncoded(), secToken.getElement());
+         sigBuilder.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
+         sigBuilder.build(doc, secHeader);
+         
+         sigBuilder.prependDKElementToHeader(secHeader);
+         
+         if (LOG.isDebugEnabled()) {
+             LOG.debug("Encrypted message: SKI + DerivedKeys");
+             String outputString = 
+                 
org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+             LOG.debug(outputString);
+         }
+         verify(doc);
+     }
+     
+     
      public void testSignatureEncrypt() throws Exception {
         Document doc = SOAPUtil.toSOAPPart(SOAPMSG);
         WSSecHeader secHeader = new WSSecHeader();
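Review bot: In both new tests the statement `secToken.getElement();` right after the setter discards its result and has no effect, and the debug message `"Encrypted message: ThumbprintSHA1 + DerivedKeys"` (and the SKI counterpart) describes a signed, not encrypted, message, so it should read `"Signed message: ThumbprintSHA1 + DerivedKeys"`. Apart from the key-identifier setter and that log line the two test bodies are identical; the signing steps could move into a private helper so each test only builds its SecurityTokenReference and calls `verify(doc)`.
```java
// … unchanged: per-test document/header setup and SecurityTokenReference construction …
private void signWithDerivedKey(Document doc, WSSecHeader secHeader, SecurityTokenReference secToken)
    throws Exception {
    WSSecDKSign sigBuilder = new WSSecDKSign();
    java.security.Key key = crypto.getPrivateKey("wss40", "security");
    sigBuilder.setExternalKey(key.getEncoded(), secToken.getElement());
    sigBuilder.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
    sigBuilder.build(doc, secHeader);
    sigBuilder.prependDKElementToHeader(secHeader);
}
```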


