From cohei...@apache.org
Subject cxf git commit: [CXF-6098] - Use RSA-SHA256 by default when issuing tokens in the STS
Date Tue, 11 Nov 2014 14:16:46 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 58e6563da -> effcaf3f6


[CXF-6098] - Use RSA-SHA256 by default when issuing tokens in the STS


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/effcaf3f
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/effcaf3f
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/effcaf3f

Branch: refs/heads/master
Commit: effcaf3f6cfb4b3287d683285592f2693af42b29
Parents: 58e6563
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Nov 11 14:08:17 2014 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue Nov 11 14:08:17 2014 +0000

----------------------------------------------------------------------
 .../org/apache/cxf/sts/SignatureProperties.java |  5 ++-
 .../token/provider/SAMLProviderKeyTypeTest.java | 47 +++++++++++++-------
 2 files changed, 35 insertions(+), 17 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/effcaf3f/services/sts/sts-core/src/main/java/org/apache/cxf/sts/SignatureProperties.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/SignatureProperties.java
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/SignatureProperties.java
index d446e12..73cbad3 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/SignatureProperties.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/SignatureProperties.java
@@ -28,7 +28,7 @@ import org.apache.wss4j.dom.WSConstants;
  * or generate a symmetric key in the STS.
  */
 public class SignatureProperties {
-    private String signatureAlgorithm = WSConstants.RSA_SHA1;
+    private String signatureAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
     private String c14nAlgorithm = WSConstants.C14N_EXCL_OMIT_COMMENTS;
     private List<String> acceptedSignatureAlgorithms = new ArrayList<String>();
     private List<String> acceptedC14nAlgorithms = new ArrayList<String>();
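Review bot: The new default for `signatureAlgorithm` is a bare URI literal, whereas the value it replaces and the neighbouring `c14nAlgorithm` default are `WSConstants` names, and the same literal is repeated twice more in SAMLProviderKeyTypeTest. Spell it once in a named constant so the field reads as an algorithm choice rather than a string: `private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";` and `private String signatureAlgorithm = RSA_SHA256;`. If the WSS4J version in use already exposes a constant for this URI, referencing that would be preferable to a local one. The class body continues beyond the hunk.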
@@ -36,10 +36,11 @@ public class SignatureProperties {
     private long keySize = 256;
     private long minimumKeySize = 128;
     private long maximumKeySize = 512;
-    private String digestAlgorithm = WSConstants.SHA1;
+    private String digestAlgorithm = WSConstants.SHA256;
     
     public SignatureProperties() {
         // Default signature algorithms
+        acceptedSignatureAlgorithms.add(WSConstants.RSA_SHA1);
         acceptedSignatureAlgorithms.add(signatureAlgorithm);
         
         // Default c14n algorithms
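Review bot: `WSConstants.RSA_SHA1` is still added to `acceptedSignatureAlgorithms` in the constructor, so a requestor can obtain a SHA-1-signed token simply by asking for it (the "Supported alternative" case in SAMLProviderKeyTypeTest exercises exactly this), which means the stronger default is downgradable per request unless a deployment overrides the accepted list. That is a defensible interoperability choice, but nothing in the code says so; add a comment such as `// RSA-SHA1 stays accepted for interoperability with existing clients; deployments that must not issue SHA-1 signatures should override this list via setAcceptedSignatureAlgorithms`. The digest default also moves to `WSConstants.SHA256`, but no accepted-digest list is visible in this hunk, so whether a requested digest algorithm is constrained at all cannot be told from here and is worth confirming. The constructor continues past the end of the hunk.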

http://git-wip-us.apache.org/repos/asf/cxf/blob/effcaf3f/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderKeyTypeTest.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderKeyTypeTest.java
b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderKeyTypeTest.java
index 38191ab..8b9cdd7 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderKeyTypeTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderKeyTypeTest.java
@@ -507,26 +507,32 @@ public class SAMLProviderKeyTypeTest extends org.junit.Assert {
             createProviderParameters(WSConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE);
         KeyRequirements keyRequirements = providerParameters.getKeyRequirements();
         
-        String signatureAlgorithm = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
-        keyRequirements.setSignatureAlgorithm(signatureAlgorithm);
-        
-        // This will fail as the requested signature algorithm is rejected
+        // Default
         TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
         assertTrue(providerResponse != null);
         assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId()
!= null);
         
         Element token = providerResponse.getToken();
         String tokenString = DOM2Writer.nodeToString(token);
+        assertTrue(tokenString.contains("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"));
+        
+        // Try with unsupported alternative
+        String signatureAlgorithm = WSConstants.DSA;
+        keyRequirements.setSignatureAlgorithm(signatureAlgorithm);
+        
+        // This will fail as the requested signature algorithm is rejected
+        providerResponse = samlTokenProvider.createToken(providerParameters);
+        assertTrue(providerResponse != null);
+        assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId()
!= null);
+        
+        token = providerResponse.getToken();
+        tokenString = DOM2Writer.nodeToString(token);
         assertFalse(tokenString.contains(signatureAlgorithm));
-        assertTrue(tokenString.contains(WSConstants.RSA_SHA1));
+        assertTrue(tokenString.contains("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"));
         
-        STSPropertiesMBean stsProperties = providerParameters.getStsProperties();
-        SignatureProperties sigProperties = new SignatureProperties();
-        List<String> acceptedSignatureAlgorithms = new ArrayList<String>();
-        acceptedSignatureAlgorithms.add(signatureAlgorithm);
-        acceptedSignatureAlgorithms.add(WSConstants.RSA_SHA1);
-        sigProperties.setAcceptedSignatureAlgorithms(acceptedSignatureAlgorithms);
-        stsProperties.setSignatureProperties(sigProperties);
+        // Supported alternative
+        signatureAlgorithm = WSConstants.RSA_SHA1;
+        keyRequirements.setSignatureAlgorithm(signatureAlgorithm);
         
         // This will succeed as the requested signature algorithm is accepted
         providerResponse = samlTokenProvider.createToken(providerParameters);
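Review bot: The comment `// This will fail as the requested signature algorithm is rejected` above the `WSConstants.DSA` case contradicts the assertions under it, which expect `createToken` to succeed and the token to carry the default algorithm rather than the requested one; reword it to `// The unsupported algorithm is ignored and the token is signed with the default instead`. The RSA-SHA256 URI is also written out as a literal twice in this hunk; if a named constant is introduced for it in SignatureProperties, referencing that here would keep the test in step with the production default. The test method starts before this hunk.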
@@ -546,10 +552,8 @@ public class SAMLProviderKeyTypeTest extends org.junit.Assert {
         TokenProvider samlTokenProvider = new SAMLTokenProvider();
         TokenProviderParameters providerParameters = 
             createProviderParameters(WSConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE);
-        SignatureProperties signatureProperties = 
-                providerParameters.getStsProperties().getSignatureProperties();
-        signatureProperties.setDigestAlgorithm(WSConstants.SHA256);
         
+        // Default
         TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters);
         assertTrue(providerResponse != null);
         assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId()
!= null);
@@ -557,6 +561,19 @@ public class SAMLProviderKeyTypeTest extends org.junit.Assert {
         Element token = providerResponse.getToken();
         String tokenString = DOM2Writer.nodeToString(token);
         assertTrue(tokenString.contains(WSConstants.SHA256));
+        
+        // Supported alternative
+        SignatureProperties signatureProperties = 
+                providerParameters.getStsProperties().getSignatureProperties();
+        signatureProperties.setDigestAlgorithm(WSConstants.SHA1);
+        
+        providerResponse = samlTokenProvider.createToken(providerParameters);
+        assertTrue(providerResponse != null);
+        assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId()
!= null);
+        
+        token = providerResponse.getToken();
+        tokenString = DOM2Writer.nodeToString(token);
+        assertTrue(tokenString.contains(WSConstants.SHA1));
     }
     
     /**

