cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject svn commit: r1332598 - in /cxf/trunk: rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/ systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/
Date Tue, 01 May 2012 10:05:59 GMT
Author: sergeyb
Date: Tue May  1 10:05:58 2012
New Revision: 1332598

URL: http://svn.apache.org/viewvc?rev=1332598&view=rev
Log:
[CXF-4146] Better configuration for the out encryption and signature handlers, which also
makes easy to enforce that the server uses the algorithms used by the client

Modified:
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
    cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java
    cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/server.xml

Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java?rev=1332598&r1=1332597&r2=1332598&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
(original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlEncOutInterceptor.java
Tue May  1 10:05:58 2012
@@ -66,17 +66,19 @@ public class XmlEncOutInterceptor extend
     
     private boolean encryptSymmetricKey = true;
     private SecretKey symmetricKey;
-    private String keyEncAlgo = XMLCipher.RSA_OAEP; 
-    private String symEncAlgo = XMLCipher.AES_256;
-    private String keyIdentifierType = SecurityUtils.X509_CERT;
-    private String digestAlgo;
+    
+    private EncryptionProperties encProps = new EncryptionProperties();
     
     public XmlEncOutInterceptor() {
         addAfter(XmlSigOutInterceptor.class.getName());
     } 
 
+    public void setEncryptionProperties(EncryptionProperties props) {
+        this.encProps = props;
+    }
+    
     public void setKeyIdentifierType(String type) {
-        keyIdentifierType = type;
+        encProps.setEncryptionKeyIdType(type);   
     }
     
     public void setSymmetricEncAlgorithm(String algo) {
@@ -84,15 +86,15 @@ public class XmlEncOutInterceptor extend
             || algo.startsWith(EncryptionConstants.EncryptionSpec11NS))) {
             algo = EncryptionConstants.EncryptionSpecNS + algo;
         }
-        symEncAlgo = algo;
+        encProps.setEncryptionSymmetricKeyAlgo(algo);
     }
     
     public void setKeyEncAlgorithm(String algo) {
-        keyEncAlgo = algo;
+        encProps.setEncryptionKeyTransportAlgo(algo);
     }
     
     public void setDigestAlgorithm(String algo) {
-        digestAlgo = algo;
+        encProps.setEncryptionDigestAlgo(algo);
     }
     
     protected Document processDocument(Message message, Document payloadDoc) 
@@ -103,10 +105,13 @@ public class XmlEncOutInterceptor extend
     protected Document encryptDocument(Message message, Document payloadDoc) 
         throws Exception {
         
-        byte[] secretKey = getSymmetricKey();
+        String symEncAlgo = encProps.getEncryptionSymmetricKeyAlgo() == null 
+            ? XMLCipher.AES_256 : encProps.getEncryptionSymmetricKeyAlgo();
+        
+        byte[] secretKey = getSymmetricKey(symEncAlgo);
 
         Document encryptedDataDoc = DOMUtils.createDocument();
-        Element encryptedDataElement = createEncryptedDataElement(encryptedDataDoc);
+        Element encryptedDataElement = createEncryptedDataElement(encryptedDataDoc, symEncAlgo);
         if (encryptSymmetricKey) {
             X509Certificate receiverCert = null;
             
@@ -134,8 +139,14 @@ public class XmlEncOutInterceptor extend
                 throw new WSSecurityException("Receiver certificate is not available");
             }
 
-            byte[] encryptedSecretKey = encryptSymmetricKey(secretKey, receiverCert);
-            addEncryptedKeyElement(encryptedDataElement, receiverCert, encryptedSecretKey);
+            String keyEncAlgo = encProps.getEncryptionKeyTransportAlgo() == null
+                ? XMLCipher.RSA_OAEP : encProps.getEncryptionKeyTransportAlgo();
+            String digestAlgo = encProps.getEncryptionDigestAlgo();
+            
+            byte[] encryptedSecretKey = encryptSymmetricKey(secretKey, receiverCert,
+                                                            keyEncAlgo, digestAlgo);
+            addEncryptedKeyElement(encryptedDataElement, receiverCert, encryptedSecretKey,
+                                   keyEncAlgo, digestAlgo);
         }
                
         // encrypt payloadDoc
@@ -156,10 +167,10 @@ public class XmlEncOutInterceptor extend
         return encryptedDataDoc;
     }
     
-    private byte[] getSymmetricKey() throws Exception {
+    private byte[] getSymmetricKey(String symEncAlgo) throws Exception {
         synchronized (this) {
             if (symmetricKey == null) {
-                KeyGenerator keyGen = getKeyGenerator();
+                KeyGenerator keyGen = getKeyGenerator(symEncAlgo);
                 symmetricKey = keyGen.generateKey();
             } 
         }
@@ -171,7 +182,7 @@ public class XmlEncOutInterceptor extend
         return certs[0];
     }
     
-    private KeyGenerator getKeyGenerator() throws WSSecurityException {
+    private KeyGenerator getKeyGenerator(String symEncAlgo) throws WSSecurityException {
         try {
             //
             // Assume AES as default, so initialize it
@@ -199,7 +210,9 @@ public class XmlEncOutInterceptor extend
     // Apache Security XMLCipher does not support 
     // Certificates for encrypting the keys
     protected byte[] encryptSymmetricKey(byte[] keyBytes, 
-                                         X509Certificate remoteCert) throws WSSecurityException
{
+                                         X509Certificate remoteCert,
+                                         String keyEncAlgo,
+                                         String digestAlgo) throws WSSecurityException {
         Cipher cipher = 
             EncryptionUtils.initCipherWithCert(
                 keyEncAlgo, digestAlgo, Cipher.ENCRYPT_MODE, remoteCert
@@ -237,12 +250,14 @@ public class XmlEncOutInterceptor extend
     
     private void addEncryptedKeyElement(Element encryptedDataElement,
                                         X509Certificate cert,
-                                        byte[] encryptedKey) throws Exception {
+                                        byte[] encryptedKey,
+                                        String keyEncAlgo,
+                                        String digestAlgo) throws Exception {
         
         Document doc = encryptedDataElement.getOwnerDocument();
         
         String encodedKey = Base64Utility.encode(encryptedKey);
-        Element encryptedKeyElement = createEncryptedKeyElement(doc);
+        Element encryptedKeyElement = createEncryptedKeyElement(doc, keyEncAlgo, digestAlgo);
         String encKeyId = "EK-" + UUIDGenerator.getUUID();
         encryptedKeyElement.setAttributeNS(null, "Id", encKeyId);
                 
@@ -285,8 +300,11 @@ public class XmlEncOutInterceptor extend
                 WSConstants.SIG_NS, WSConstants.SIG_PREFIX + ":" + WSConstants.KEYINFO_LN
             );
         
+        String keyIdType = encProps.getEncryptionKeyIdType() == null
+            ? SecurityUtils.X509_CERT : encProps.getEncryptionKeyIdType();
+        
         Node keyIdentifierNode = null; 
-        if (keyIdentifierType.equals(SecurityUtils.X509_CERT)) {
+        if (keyIdType.equals(SecurityUtils.X509_CERT)) {
             byte data[] = null;
             try {
                 data = remoteCert.getEncoded();
@@ -304,7 +322,7 @@ public class XmlEncOutInterceptor extend
             
             x509Data.appendChild(cert);
             keyIdentifierNode = x509Data;
-        } else if (keyIdentifierType.equals(SecurityUtils.X509_ISSUER_SERIAL)) {
+        } else if (keyIdType.equals(SecurityUtils.X509_ISSUER_SERIAL)) {
             String issuer = remoteCert.getIssuerDN().getName();
             java.math.BigInteger serialNumber = remoteCert.getSerialNumber();
             DOMX509IssuerSerial domIssuerSerial = 
@@ -314,7 +332,7 @@ public class XmlEncOutInterceptor extend
             DOMX509Data domX509Data = new DOMX509Data(encryptedDataDoc, domIssuerSerial);
             keyIdentifierNode = domX509Data.getElement();
         } else {
-            throw new WSSecurityException("Unsupported key identifier:" + keyIdentifierType);
+            throw new WSSecurityException("Unsupported key identifier:" + keyIdType);
         }
  
         keyInfoElement.appendChild(keyIdentifierNode);
@@ -322,7 +340,9 @@ public class XmlEncOutInterceptor extend
         return keyInfoElement;
     }
     
-    protected Element createEncryptedKeyElement(Document encryptedDataDoc) {
+    protected Element createEncryptedKeyElement(Document encryptedDataDoc, 
+                                                String keyEncAlgo,
+                                                String digestAlgo) {
         Element encryptedKey = 
             encryptedDataDoc.createElementNS(WSConstants.ENC_NS, WSConstants.ENC_PREFIX +
":EncryptedKey");
 
@@ -341,7 +361,7 @@ public class XmlEncOutInterceptor extend
         return encryptedKey;
     }
     
-    protected Element createEncryptedDataElement(Document encryptedDataDoc) {
+    protected Element createEncryptedDataElement(Document encryptedDataDoc, String symEncAlgo)
{
         Element encryptedData = 
             encryptedDataDoc.createElementNS(WSConstants.ENC_NS, WSConstants.ENC_PREFIX +
":EncryptedData");
 

Modified: cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java?rev=1332598&r1=1332597&r2=1332598&view=diff
==============================================================================
--- cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java
(original)
+++ cxf/trunk/rt/rs/security/xml/src/main/java/org/apache/cxf/rs/security/xml/XmlSigOutInterceptor.java
Tue May  1 10:05:58 2012
@@ -66,12 +66,16 @@ public class XmlSigOutInterceptor extend
     
     private QName envelopeQName = DEFAULT_ENV_QNAME;
     private String sigStyle = ENVELOPED_SIG;
-    private String defaultSigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
-    private String digestAlgo = Constants.ALGO_ID_DIGEST_SHA1;
+    
+    private SignatureProperties sigProps = new SignatureProperties();
     
     public XmlSigOutInterceptor() {
     } 
 
+    public void setSignatureProperties(SignatureProperties props) {
+        this.sigProps = props;
+    }
+    
     public void setStyle(String style) {
         if (!SUPPORTED_STYLES.contains(style)) {
             throw new IllegalArgumentException("Unsupported XML Signature style");
@@ -80,11 +84,11 @@ public class XmlSigOutInterceptor extend
     }
     
     public void setSignatureAlgorithm(String algo) {
-        defaultSigAlgo = algo;
+        sigProps.setSignatureAlgo(algo);
     }
     
     public void setDigestAlgorithm(String algo) {
-        digestAlgo = algo;
+        sigProps.setSignatureDigestAlgo(algo);
     }
     
     
@@ -114,7 +118,9 @@ public class XmlSigOutInterceptor extend
     
         X509Certificate[] issuerCerts = SecurityUtils.getCertificates(crypto, user);
         
-        String sigAlgo = defaultSigAlgo;
+        String sigAlgo = sigProps.getSignatureAlgo() == null 
+            ? SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1 : sigProps.getSignatureAlgo();
+        
         String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();
         if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
             sigAlgo = XMLSignature.ALGO_ID_SIGNATURE_DSA;
@@ -131,13 +137,16 @@ public class XmlSigOutInterceptor extend
         String id = UUID.randomUUID().toString();
         String referenceId = "#" + id;
         
+        String digestAlgo = sigProps.getSignatureDigestAlgo() == null 
+            ? Constants.ALGO_ID_DIGEST_SHA1 : sigProps.getSignatureDigestAlgo();
+        
         XMLSignature sig = null;
         if (ENVELOPING_SIG.equals(sigStyle)) {
-            sig = prepareEnvelopingSignature(doc, id, referenceId, sigAlgo);
+            sig = prepareEnvelopingSignature(doc, id, referenceId, sigAlgo, digestAlgo);
         } else if (DETACHED_SIG.equals(sigStyle)) {
-            sig = prepareDetachedSignature(doc, id, referenceId, sigAlgo);
+            sig = prepareDetachedSignature(doc, id, referenceId, sigAlgo, digestAlgo);
         } else {
-            sig = prepareEnvelopedSignature(doc, id, referenceId, sigAlgo);
+            sig = prepareEnvelopedSignature(doc, id, referenceId, sigAlgo, digestAlgo);
         }
         
         
@@ -150,7 +159,8 @@ public class XmlSigOutInterceptor extend
     private XMLSignature prepareEnvelopingSignature(Document doc, 
                                                     String id, 
                                                     String referenceId,
-                                                    String sigAlgo) throws Exception {
+                                                    String sigAlgo,
+                                                    String digestAlgo) throws Exception {
         Element docEl = doc.getDocumentElement();
         Document newDoc = DOMUtils.createDocument();
         doc.removeChild(docEl);
@@ -174,7 +184,8 @@ public class XmlSigOutInterceptor extend
     private XMLSignature prepareDetachedSignature(Document doc, 
             String id, 
             String referenceId,
-            String sigAlgo) throws Exception {
+            String sigAlgo,
+            String digestAlgo) throws Exception {
         Element docEl = doc.getDocumentElement();
         Document newDoc = DOMUtils.createDocument();
         doc.removeChild(docEl);
@@ -200,7 +211,8 @@ public class XmlSigOutInterceptor extend
     private XMLSignature prepareEnvelopedSignature(Document doc, 
             String id, 
             String referenceURI,
-            String sigAlgo) throws Exception {
+            String sigAlgo,
+            String digestAlgo) throws Exception {
         doc.getDocumentElement().setAttributeNS(null, "ID", id);
         doc.getDocumentElement().setIdAttributeNS(null, "ID", true);    
     

Modified: cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/server.xml
URL: http://svn.apache.org/viewvc/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/server.xml?rev=1332598&r1=1332597&r2=1332598&view=diff
==============================================================================
--- cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/server.xml
(original)
+++ cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/server.xml
Tue May  1 10:05:58 2012
@@ -92,17 +92,24 @@ under the License.
     </bean>
     
     <bean id="xmlSigOutHandler" class="org.apache.cxf.rs.security.xml.XmlSigOutInterceptor"/>
+    <bean id="xmlSigOutHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlSigOutInterceptor">
+        <property name="signatureProperties" ref="sigProps"/>
+    </bean>
+    
     <bean id="xmlEncInHandler" class="org.apache.cxf.rs.security.xml.XmlEncInHandler"/>
     
     <bean id="xmlEncInHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlEncInHandler">
         <property name="encryptionProperties" ref="encProps"/>
     </bean>
     
-    
     <bean id="xmlEncOutHandler" class="org.apache.cxf.rs.security.xml.XmlEncOutInterceptor">
         <property name="symmetricEncAlgorithm" value="aes128-cbc"/>
     </bean>
     
+    <bean id="xmlEncOutHandlerWithProps" class="org.apache.cxf.rs.security.xml.XmlEncOutInterceptor">
+        <property name="encryptionProperties" ref="encProps"/>
+    </bean>
+    
     <jaxrs:server 
        address="https://localhost:${testutil.ports.jaxrs-xmlsec}/xmlsig"> 
        <jaxrs:serviceBeans>
@@ -177,8 +184,8 @@ under the License.
           <ref bean="xmlSigInHandlerWithProps"/>
        </jaxrs:providers> 
        <jaxrs:outInterceptors>
-          <ref bean="xmlSigOutHandler"/>
-          <ref bean="xmlEncOutHandler"/>
+          <ref bean="xmlSigOutHandlerWithProps"/>
+          <ref bean="xmlEncOutHandlerWithProps"/>
        </jaxrs:outInterceptors>
        <jaxrs:properties>
            <entry key="ws-security.callback-handler" 



Mime
View raw message