/** * Test that first signs, then encrypts a WS-Security envelope. * * <p> * * @throws Exception Thrown when there is any problem in signing, encryption, decryption, or * verification */ public void testEncryptedKeySignature() throws Exception { SOAPEnvelope unsignedEnvelope = message.getSOAPEnvelope(); LOG.info("Before Sign/Encryption...."); Document doc = unsignedEnvelope.getAsDocument(); WSSecHeader secHeader = new WSSecHeader(); secHeader.insertSecurityHeader(doc); WSSecEncryptedKey encrKey = new WSSecEncryptedKey(); encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL); encrKey.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security"); encrKey.setKeySize(192); encrKey.prepare(doc, crypto); WSSecEncrypt encrypt = new WSSecEncrypt(); encrypt.setEncKeyId(encrKey.getId()); encrypt.setEphemeralKey(encrKey.getEphemeralKey()); encrypt.setSymmetricEncAlgorithm(WSConstants.TRIPLE_DES); encrypt.setEncryptSymmKey(false); encrypt.setEncryptedKeyElement(encrKey.getEncryptedKeyElement()); WSSecSignature sign = new WSSecSignature(); sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING); sign.setCustomTokenId(encrKey.getId()); sign.setSecretKey(encrKey.getEphemeralKey()); sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1); Document signedDoc = sign.build(doc, crypto, secHeader); Document encryptedSignedDoc = encrypt.build(signedDoc, crypto, secHeader); if (LOG.isDebugEnabled()) { LOG.debug("Signed and encrypted message with IssuerSerial key identifier (both), 3DES:"); String outputString = org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedSignedDoc); LOG.debug(outputString); } LOG.info("After Sign/Encryption...."); verify(encryptedSignedDoc); }
/** * Test that encrypts using EncryptedKeySHA1, where it uses a symmetric key (bytes), rather than a * generated session key which is then encrypted using a public key. * * @throws java.lang.Exception Thrown when there is any problem in encryption or decryption */ public void testEncryptionSHA1SymmetricBytes() throws Exception { WSSecEncrypt builder = new WSSecEncrypt(); builder.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER); builder.setEphemeralKey(keyData); builder.setEncryptSymmKey(false); builder.setUseKeyIdentifier(true); LOG.info("Before Encrypting EncryptedKeySHA1...."); Document doc = unsignedEnvelope.getAsDocument(); WSSecHeader secHeader = new WSSecHeader(); secHeader.insertSecurityHeader(doc); Document encryptedDoc = builder.build(doc, crypto, secHeader); String outputString = org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedDoc); if (LOG.isDebugEnabled()) { LOG.debug("Encrypted message with ENCRYPTED_KEY_SHA1_IDENTIFIER:"); LOG.debug(outputString); } assertTrue(outputString.indexOf("#EncryptedKeySHA1") != -1); LOG.info("After Encrypting EncryptedKeySHA1...."); verify(encryptedDoc); }
private WSSecBase doEncryption( TokenWrapper recToken, SecurityToken encrTok, boolean attached, List<WSEncryptionPart> encrParts, boolean atEnd) { // Do encryption if (recToken != null && recToken.getToken() != null && encrParts.size() > 0) { Token encrToken = recToken.getToken(); policyAsserted(recToken); policyAsserted(encrToken); AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite(); if (encrToken.isDerivedKeys()) { return doEncryptionDerived(recToken, encrTok, encrToken, attached, encrParts, atEnd); } else { try { WSSecEncrypt encr = new WSSecEncrypt(wssConfig); String encrTokId = encrTok.getId(); if (attached) { encrTokId = encrTok.getWsuId(); if (encrTokId == null && (encrToken instanceof SecureConversationToken || encrToken instanceof SecurityContextToken)) { encr.setEncKeyIdDirectId(true); encrTokId = encrTok.getId(); } else if (encrTokId == null) { encrTokId = encrTok.getId(); } if (encrTokId.startsWith("#")) { encrTokId = encrTokId.substring(1); } } else { encr.setEncKeyIdDirectId(true); } if (encrTok.getTokenType() != null) { encr.setCustomReferenceValue(encrTok.getTokenType()); } encr.setEncKeyId(encrTokId); encr.setEphemeralKey(encrTok.getSecret()); Crypto crypto = getEncryptionCrypto(recToken); if (crypto != null) { this.message.getExchange().put(SecurityConstants.ENCRYPT_CRYPTO, crypto); setEncryptionUser(encr, recToken, false, crypto); } encr.setDocument(saaj.getSOAPPart()); encr.setEncryptSymmKey(false); encr.setSymmetricEncAlgorithm(algorithmSuite.getEncryption()); if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken) { // Setting the AttachedReference or the UnattachedReference according to the flag Element ref; if (attached) { ref = encrTok.getAttachedReference(); } else { ref = encrTok.getUnattachedReference(); } String tokenType = encrTok.getTokenType(); if (ref != null) { SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), false); encr.setSecurityTokenReference(secRef); } else if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType) || WSConstants.SAML_NS.equals(tokenType)) { encr.setCustomReferenceValue(WSConstants.WSS_SAML_KI_VALUE_TYPE); encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType) || WSConstants.SAML2_NS.equals(tokenType)) { encr.setCustomReferenceValue(WSConstants.WSS_SAML2_KI_VALUE_TYPE); encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); } else { encr.setCustomReferenceValue(tokenType); encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER); } } else if (encrToken instanceof UsernameToken) { encr.setCustomReferenceValue(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE); } else if (!isRequestor()) { if (encrTok.getSHA1() != null) { encr.setCustomReferenceValue(encrTok.getSHA1()); encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER); } else { encr.setKeyIdentifierType(WSConstants.EMBED_SECURITY_TOKEN_REF); } } encr.prepare(saaj.getSOAPPart(), crypto); if (encr.getBSTTokenId() != null) { encr.prependBSTElementToHeader(secHeader); } Element refList = encr.encryptForRef(null, encrParts); if (atEnd) { this.insertBeforeBottomUp(refList); } else { this.addDerivedKeyElement(refList); } return encr; } catch (WSSecurityException e) { policyNotAsserted(recToken, e); } } } return null; }