Exemplo n.º 1
0
  /**
   * Test that first signs, then encrypts a WS-Security envelope.
   *
   * <p>
   *
   * @throws Exception Thrown when there is any problem in signing, encryption, decryption, or
   *     verification
   */
  public void testEncryptedKeySignature() throws Exception {

    SOAPEnvelope unsignedEnvelope = message.getSOAPEnvelope();
    LOG.info("Before Sign/Encryption....");
    Document doc = unsignedEnvelope.getAsDocument();

    WSSecHeader secHeader = new WSSecHeader();
    secHeader.insertSecurityHeader(doc);

    WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
    encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
    encrKey.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
    encrKey.setKeySize(192);
    encrKey.prepare(doc, crypto);

    WSSecEncrypt encrypt = new WSSecEncrypt();
    encrypt.setEncKeyId(encrKey.getId());
    encrypt.setEphemeralKey(encrKey.getEphemeralKey());
    encrypt.setSymmetricEncAlgorithm(WSConstants.TRIPLE_DES);
    encrypt.setEncryptSymmKey(false);
    encrypt.setEncryptedKeyElement(encrKey.getEncryptedKeyElement());

    WSSecSignature sign = new WSSecSignature();
    sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
    sign.setCustomTokenId(encrKey.getId());
    sign.setSecretKey(encrKey.getEphemeralKey());
    sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);

    Document signedDoc = sign.build(doc, crypto, secHeader);
    Document encryptedSignedDoc = encrypt.build(signedDoc, crypto, secHeader);

    if (LOG.isDebugEnabled()) {
      LOG.debug("Signed and encrypted message with IssuerSerial key identifier (both), 3DES:");
      String outputString =
          org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedSignedDoc);
      LOG.debug(outputString);
    }

    LOG.info("After Sign/Encryption....");
    verify(encryptedSignedDoc);
  }
Exemplo n.º 2
0
  /**
   * Test that encrypts using EncryptedKeySHA1, where it uses a symmetric key (bytes), rather than a
   * generated session key which is then encrypted using a public key.
   *
   * @throws java.lang.Exception Thrown when there is any problem in encryption or decryption
   */
  public void testEncryptionSHA1SymmetricBytes() throws Exception {
    WSSecEncrypt builder = new WSSecEncrypt();
    builder.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
    builder.setEphemeralKey(keyData);
    builder.setEncryptSymmKey(false);
    builder.setUseKeyIdentifier(true);

    LOG.info("Before Encrypting EncryptedKeySHA1....");
    Document doc = unsignedEnvelope.getAsDocument();
    WSSecHeader secHeader = new WSSecHeader();
    secHeader.insertSecurityHeader(doc);
    Document encryptedDoc = builder.build(doc, crypto, secHeader);

    String outputString = org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedDoc);
    if (LOG.isDebugEnabled()) {
      LOG.debug("Encrypted message with ENCRYPTED_KEY_SHA1_IDENTIFIER:");
      LOG.debug(outputString);
    }
    assertTrue(outputString.indexOf("#EncryptedKeySHA1") != -1);

    LOG.info("After Encrypting EncryptedKeySHA1....");
    verify(encryptedDoc);
  }
  private WSSecBase doEncryption(
      TokenWrapper recToken,
      SecurityToken encrTok,
      boolean attached,
      List<WSEncryptionPart> encrParts,
      boolean atEnd) {
    // Do encryption
    if (recToken != null && recToken.getToken() != null && encrParts.size() > 0) {
      Token encrToken = recToken.getToken();
      policyAsserted(recToken);
      policyAsserted(encrToken);
      AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();
      if (encrToken.isDerivedKeys()) {
        return doEncryptionDerived(recToken, encrTok, encrToken, attached, encrParts, atEnd);
      } else {
        try {
          WSSecEncrypt encr = new WSSecEncrypt(wssConfig);
          String encrTokId = encrTok.getId();
          if (attached) {
            encrTokId = encrTok.getWsuId();
            if (encrTokId == null
                && (encrToken instanceof SecureConversationToken
                    || encrToken instanceof SecurityContextToken)) {
              encr.setEncKeyIdDirectId(true);
              encrTokId = encrTok.getId();
            } else if (encrTokId == null) {
              encrTokId = encrTok.getId();
            }
            if (encrTokId.startsWith("#")) {
              encrTokId = encrTokId.substring(1);
            }
          } else {
            encr.setEncKeyIdDirectId(true);
          }
          if (encrTok.getTokenType() != null) {
            encr.setCustomReferenceValue(encrTok.getTokenType());
          }
          encr.setEncKeyId(encrTokId);
          encr.setEphemeralKey(encrTok.getSecret());
          Crypto crypto = getEncryptionCrypto(recToken);
          if (crypto != null) {
            this.message.getExchange().put(SecurityConstants.ENCRYPT_CRYPTO, crypto);
            setEncryptionUser(encr, recToken, false, crypto);
          }

          encr.setDocument(saaj.getSOAPPart());
          encr.setEncryptSymmKey(false);
          encr.setSymmetricEncAlgorithm(algorithmSuite.getEncryption());

          if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken) {
            // Setting the AttachedReference or the UnattachedReference according to the flag
            Element ref;
            if (attached) {
              ref = encrTok.getAttachedReference();
            } else {
              ref = encrTok.getUnattachedReference();
            }

            String tokenType = encrTok.getTokenType();
            if (ref != null) {
              SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), false);
              encr.setSecurityTokenReference(secRef);
            } else if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
                || WSConstants.SAML_NS.equals(tokenType)) {
              encr.setCustomReferenceValue(WSConstants.WSS_SAML_KI_VALUE_TYPE);
              encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
            } else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
                || WSConstants.SAML2_NS.equals(tokenType)) {
              encr.setCustomReferenceValue(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
              encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
            } else {
              encr.setCustomReferenceValue(tokenType);
              encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
            }
          } else if (encrToken instanceof UsernameToken) {
            encr.setCustomReferenceValue(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
          } else if (!isRequestor()) {
            if (encrTok.getSHA1() != null) {
              encr.setCustomReferenceValue(encrTok.getSHA1());
              encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
            } else {
              encr.setKeyIdentifierType(WSConstants.EMBED_SECURITY_TOKEN_REF);
            }
          }

          encr.prepare(saaj.getSOAPPart(), crypto);

          if (encr.getBSTTokenId() != null) {
            encr.prependBSTElementToHeader(secHeader);
          }

          Element refList = encr.encryptForRef(null, encrParts);
          if (atEnd) {
            this.insertBeforeBottomUp(refList);
          } else {
            this.addDerivedKeyElement(refList);
          }
          return encr;
        } catch (WSSecurityException e) {
          policyNotAsserted(recToken, e);
        }
      }
    }
    return null;
  }