/**
* Test that first signs, then encrypts a WS-Security envelope.
*
* <p>
*
* @throws Exception Thrown when there is any problem in signing, encryption, decryption, or
* verification
*/
public void testEncryptedKeySignature() throws Exception {
SOAPEnvelope unsignedEnvelope = message.getSOAPEnvelope();
LOG.info("Before Sign/Encryption....");
Document doc = unsignedEnvelope.getAsDocument();
WSSecHeader secHeader = new WSSecHeader();
secHeader.insertSecurityHeader(doc);
WSSecEncryptedKey encrKey = new WSSecEncryptedKey();
encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
encrKey.setUserInfo("16c73ab6-b892-458f-abf5-2f875f74882e", "security");
encrKey.setKeySize(192);
encrKey.prepare(doc, crypto);
WSSecEncrypt encrypt = new WSSecEncrypt();
encrypt.setEncKeyId(encrKey.getId());
encrypt.setEphemeralKey(encrKey.getEphemeralKey());
encrypt.setSymmetricEncAlgorithm(WSConstants.TRIPLE_DES);
encrypt.setEncryptSymmKey(false);
encrypt.setEncryptedKeyElement(encrKey.getEncryptedKeyElement());
WSSecSignature sign = new WSSecSignature();
sign.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
sign.setCustomTokenId(encrKey.getId());
sign.setSecretKey(encrKey.getEphemeralKey());
sign.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
Document signedDoc = sign.build(doc, crypto, secHeader);
Document encryptedSignedDoc = encrypt.build(signedDoc, crypto, secHeader);
if (LOG.isDebugEnabled()) {
LOG.debug("Signed and encrypted message with IssuerSerial key identifier (both), 3DES:");
String outputString =
org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedSignedDoc);
LOG.debug(outputString);
}
LOG.info("After Sign/Encryption....");
verify(encryptedSignedDoc);
}
/**
* Test that encrypts using EncryptedKeySHA1, where it uses a symmetric key (bytes), rather than a
* generated session key which is then encrypted using a public key.
*
* @throws java.lang.Exception Thrown when there is any problem in encryption or decryption
*/
public void testEncryptionSHA1SymmetricBytes() throws Exception {
WSSecEncrypt builder = new WSSecEncrypt();
builder.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
builder.setEphemeralKey(keyData);
builder.setEncryptSymmKey(false);
builder.setUseKeyIdentifier(true);
LOG.info("Before Encrypting EncryptedKeySHA1....");
Document doc = unsignedEnvelope.getAsDocument();
WSSecHeader secHeader = new WSSecHeader();
secHeader.insertSecurityHeader(doc);
Document encryptedDoc = builder.build(doc, crypto, secHeader);
String outputString = org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(encryptedDoc);
if (LOG.isDebugEnabled()) {
LOG.debug("Encrypted message with ENCRYPTED_KEY_SHA1_IDENTIFIER:");
LOG.debug(outputString);
}
assertTrue(outputString.indexOf("#EncryptedKeySHA1") != -1);
LOG.info("After Encrypting EncryptedKeySHA1....");
verify(encryptedDoc);
}
private WSSecBase doEncryption(
TokenWrapper recToken,
SecurityToken encrTok,
boolean attached,
List<WSEncryptionPart> encrParts,
boolean atEnd) {
// Do encryption
if (recToken != null && recToken.getToken() != null && encrParts.size() > 0) {
Token encrToken = recToken.getToken();
policyAsserted(recToken);
policyAsserted(encrToken);
AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();
if (encrToken.isDerivedKeys()) {
return doEncryptionDerived(recToken, encrTok, encrToken, attached, encrParts, atEnd);
} else {
try {
WSSecEncrypt encr = new WSSecEncrypt(wssConfig);
String encrTokId = encrTok.getId();
if (attached) {
encrTokId = encrTok.getWsuId();
if (encrTokId == null
&& (encrToken instanceof SecureConversationToken
|| encrToken instanceof SecurityContextToken)) {
encr.setEncKeyIdDirectId(true);
encrTokId = encrTok.getId();
} else if (encrTokId == null) {
encrTokId = encrTok.getId();
}
if (encrTokId.startsWith("#")) {
encrTokId = encrTokId.substring(1);
}
} else {
encr.setEncKeyIdDirectId(true);
}
if (encrTok.getTokenType() != null) {
encr.setCustomReferenceValue(encrTok.getTokenType());
}
encr.setEncKeyId(encrTokId);
encr.setEphemeralKey(encrTok.getSecret());
Crypto crypto = getEncryptionCrypto(recToken);
if (crypto != null) {
this.message.getExchange().put(SecurityConstants.ENCRYPT_CRYPTO, crypto);
setEncryptionUser(encr, recToken, false, crypto);
}
encr.setDocument(saaj.getSOAPPart());
encr.setEncryptSymmKey(false);
encr.setSymmetricEncAlgorithm(algorithmSuite.getEncryption());
if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken) {
// Setting the AttachedReference or the UnattachedReference according to the flag
Element ref;
if (attached) {
ref = encrTok.getAttachedReference();
} else {
ref = encrTok.getUnattachedReference();
}
String tokenType = encrTok.getTokenType();
if (ref != null) {
SecurityTokenReference secRef = new SecurityTokenReference(cloneElement(ref), false);
encr.setSecurityTokenReference(secRef);
} else if (WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
|| WSConstants.SAML_NS.equals(tokenType)) {
encr.setCustomReferenceValue(WSConstants.WSS_SAML_KI_VALUE_TYPE);
encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else if (WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
|| WSConstants.SAML2_NS.equals(tokenType)) {
encr.setCustomReferenceValue(WSConstants.WSS_SAML2_KI_VALUE_TYPE);
encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
} else {
encr.setCustomReferenceValue(tokenType);
encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
}
} else if (encrToken instanceof UsernameToken) {
encr.setCustomReferenceValue(WSConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
} else if (!isRequestor()) {
if (encrTok.getSHA1() != null) {
encr.setCustomReferenceValue(encrTok.getSHA1());
encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
} else {
encr.setKeyIdentifierType(WSConstants.EMBED_SECURITY_TOKEN_REF);
}
}
encr.prepare(saaj.getSOAPPart(), crypto);
if (encr.getBSTTokenId() != null) {
encr.prependBSTElementToHeader(secHeader);
}
Element refList = encr.encryptForRef(null, encrParts);
if (atEnd) {
this.insertBeforeBottomUp(refList);
} else {
this.addDerivedKeyElement(refList);
}
return encr;
} catch (WSSecurityException e) {
policyNotAsserted(recToken, e);
}
}
}
return null;
}