cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [cxf] branch wss4j_2.3.0 updated: Picking up changes to symmetricKey in WSSEcEncryptedKey
Date Tue, 29 Jan 2019 17:11:33 GMT
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch wss4j_2.3.0
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/wss4j_2.3.0 by this push:
     new ac7d439  Picking up changes to symmetricKey in WSSEcEncryptedKey
ac7d439 is described below

commit ac7d4392ae003e789ef6f4b0da56ac61e803ef9c
Author: Colm O hEigeartaigh <coheigea@apache.org>
AuthorDate: Tue Jan 29 17:11:03 2019 +0000

    Picking up changes to symmetricKey in WSSEcEncryptedKey
---
 .../saml/sso/AbstractSAMLCallbackHandler.java      |  11 +-
 .../policyhandlers/AbstractBindingBuilder.java     |   7 +-
 .../policyhandlers/AsymmetricBindingHandler.java   | 256 +++++++++++---------
 .../policyhandlers/SymmetricBindingHandler.java    | 261 ++++++++++++---------
 .../policyhandlers/TransportBindingHandler.java    |  12 +-
 .../wss4j/saml/AbstractSAMLCallbackHandler.java    |   8 +-
 .../cxf/sts/operation/AbstractOperation.java       |  14 +-
 .../sts/token/provider/DefaultSubjectProvider.java |  16 +-
 .../cxf/sts/token/provider/TokenProviderUtils.java |  10 +-
 .../cxf/sts/operation/IssueSamlUnitTest.java       |  10 +-
 10 files changed, 358 insertions(+), 247 deletions(-)

diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
index 35d3deb..e473bdf 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/AbstractSAMLCallbackHandler.java
@@ -23,6 +23,8 @@ import java.security.cert.X509Certificate;
 import java.util.Collections;
 import java.util.List;
 
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.security.auth.callback.CallbackHandler;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -43,6 +45,7 @@ import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER;
 import org.apache.wss4j.common.saml.bean.SubjectBean;
 import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean;
 import org.apache.wss4j.common.saml.bean.SubjectLocalityBean;
+import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.message.WSSecEncryptedKey;
 import org.joda.time.DateTime;
@@ -212,8 +215,12 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
             WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc);
             encrKey.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
             encrKey.setUseThisCert(certs[0]);
-            encrKey.prepare(null);
-            ephemeralKey = encrKey.getSymmetricKey().getEncoded();
+
+            KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_128);
+            SecretKey symmetricKey = keyGen.generateKey();
+
+            encrKey.prepare(null, symmetricKey);
+            ephemeralKey = symmetricKey.getEncoded();
             Element encryptedKeyElement = encrKey.getEncryptedKeyElement();
 
             // Append the EncryptedKey to a KeyInfo element
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
index f754061..7e5162c 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AbstractBindingBuilder.java
@@ -35,6 +35,7 @@ import java.util.concurrent.ConcurrentHashMap;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import javax.crypto.SecretKey;
 import javax.security.auth.callback.CallbackHandler;
 import javax.xml.XMLConstants;
 import javax.xml.crypto.dsig.Reference;
@@ -1493,7 +1494,8 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         return null;
     }
 
-    protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractToken token) throws WSSecurityException {
+    protected WSSecEncryptedKey getEncryptedKeyBuilder(AbstractToken token,
+                                                       SecretKey symmetricKey) throws WSSecurityException {
         WSSecEncryptedKey encrKey = new WSSecEncryptedKey(secHeader);
         encrKey.setIdAllocator(wssConfig.getIdAllocator());
         encrKey.setCallbackLookup(callbackLookup);
@@ -1514,11 +1516,10 @@ public abstract class AbstractBindingBuilder extends AbstractCommonBindingHandle
         String encrUser = setEncryptionUser(encrKey, token, false, crypto);
 
         AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
-        encrKey.setSymmetricEncAlgorithm(algType.getEncryption());
         encrKey.setKeyEncAlgo(algType.getAsymmetricKeyWrap());
         encrKey.setMGFAlgorithm(algType.getMGFAlgo());
 
-        encrKey.prepare(crypto);
+        encrKey.prepare(crypto, symmetricKey);
 
         if (alsoIncludeToken) {
             X509Certificate encCert = getEncryptCert(crypto, encrUser);
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
index 39ad0ce..a20c52b 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/AsymmetricBindingHandler.java
@@ -28,6 +28,8 @@ import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.xml.crypto.dsig.Reference;
 import javax.xml.namespace.QName;
 import javax.xml.soap.SOAPException;
@@ -54,6 +56,7 @@ import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.derivedKey.ConversationConstants;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.engine.WSSConfig;
 import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
@@ -224,12 +227,21 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                     encToken = abinding.getInitiatorToken();
                 }
             }
-            doEncryption(encToken, enc, false);
+
             if (encToken != null) {
+                if (encToken.getToken() != null && !enc.isEmpty()) {
+                    if (encToken.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+                        doEncryptionDerived(encToken, enc);
+                    } else {
+                        String symEncAlgorithm = abinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
+                        KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);
+                        SecretKey symmetricKey = keyGen.generateKey();
+                        doEncryption(encToken, enc, false, symmetricKey);
+                    }
+                }
                 assertTokenWrapper(encToken);
                 assertToken(encToken.getToken());
             }
-
         } catch (Exception e) {
             String reason = e.getMessage();
             LOG.log(Level.WARNING, "Sign before encryption failed due to : " + reason);
@@ -333,9 +345,21 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
         }
 
         WSSecBase encrBase = null;
+        SecretKey symmetricKey = null;
         if (encryptionToken != null && !encrParts.isEmpty()) {
-            encrBase = doEncryption(wrapper, encrParts, true);
-            handleEncryptedSignedHeaders(encrParts, sigParts);
+            if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+                encrBase = doEncryptionDerived(wrapper, encrParts);
+            } else {
+                String symEncAlgorithm = abinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
+                try {
+                    KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);
+                    symmetricKey = keyGen.generateKey();
+                    encrBase = doEncryption(wrapper, encrParts, true, symmetricKey);
+                } catch (WSSecurityException ex) {
+                    LOG.log(Level.FINE, ex.getMessage(), ex);
+                    throw new Fault(ex);
+                }
+            }
         }
 
         if (!isRequestor()) {
@@ -369,12 +393,14 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
         }
 
         if (encrBase != null) {
-            encryptTokensInSecurityHeader(encryptionToken, encrBase);
+            encryptTokensInSecurityHeader(encryptionToken, encrBase, symmetricKey);
         }
     }
 
 
-    private void encryptTokensInSecurityHeader(AbstractToken encryptionToken, WSSecBase encrBase) {
+    private void encryptTokensInSecurityHeader(AbstractToken encryptionToken,
+                                               WSSecBase encrBase,
+                                               SecretKey symmetricKey) {
         List<WSEncryptionPart> secondEncrParts = new ArrayList<>();
 
         // Check for signature protection
@@ -428,7 +454,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
                 } else {
                     this.insertBeforeBottomUp(secondRefList);
                 }
-                ((WSSecEncrypt)encrBase).encryptForRef(secondRefList, secondEncrParts);
+                ((WSSecEncrypt)encrBase).encryptForRef(secondRefList, secondEncrParts, symmetricKey);
 
             } catch (WSSecurityException ex) {
                 LOG.log(Level.FINE, ex.getMessage(), ex);
@@ -439,125 +465,121 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
 
     private WSSecBase doEncryption(AbstractTokenWrapper recToken,
                                     List<WSEncryptionPart> encrParts,
-                                    boolean externalRef) {
-        //Do encryption
-        if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) {
-            AbstractToken encrToken = recToken.getToken();
-            assertPolicy(recToken);
-            assertPolicy(encrToken);
-            AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
-            if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
-                return doEncryptionDerived(recToken, encrToken, encrParts, algorithmSuite);
-            }
-            try {
-                WSSecEncrypt encr = new WSSecEncrypt(secHeader);
-                encr.setEncryptionSerializer(new StaxSerializer());
-                encr.setIdAllocator(wssConfig.getIdAllocator());
-                encr.setCallbackLookup(callbackLookup);
-                encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
-                encr.setStoreBytesInAttachment(storeBytesInAttachment);
-                encr.setExpandXopInclude(isExpandXopInclude());
-                encr.setWsDocInfo(wsDocInfo);
-
-                Crypto crypto = getEncryptionCrypto();
-
-                SecurityToken securityToken = getSecurityToken();
-                if (!isRequestor() && securityToken != null
-                    && recToken.getToken() instanceof SamlToken) {
-                    String tokenType = securityToken.getTokenType();
-                    if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
-                        || WSS4JConstants.SAML_NS.equals(tokenType)) {
-                        encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
-                        encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
-                        encr.setCustomEKTokenId(securityToken.getId());
-                    } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
-                        || WSS4JConstants.SAML2_NS.equals(tokenType)) {
-                        encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
-                        encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
-                        encr.setCustomEKTokenId(securityToken.getId());
-                    } else {
-                        setKeyIdentifierType(encr, encrToken);
-                    }
+                                    boolean externalRef,
+                                    SecretKey symmetricKey) {
+        AbstractToken encrToken = recToken.getToken();
+        assertPolicy(recToken);
+        assertPolicy(encrToken);
+        try {
+            WSSecEncrypt encr = new WSSecEncrypt(secHeader);
+            encr.setEncryptionSerializer(new StaxSerializer());
+            encr.setIdAllocator(wssConfig.getIdAllocator());
+            encr.setCallbackLookup(callbackLookup);
+            encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
+            encr.setStoreBytesInAttachment(storeBytesInAttachment);
+            encr.setExpandXopInclude(isExpandXopInclude());
+            encr.setWsDocInfo(wsDocInfo);
+
+            Crypto crypto = getEncryptionCrypto();
+
+            SecurityToken securityToken = getSecurityToken();
+            if (!isRequestor() && securityToken != null
+                && recToken.getToken() instanceof SamlToken) {
+                String tokenType = securityToken.getTokenType();
+                if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
+                    || WSS4JConstants.SAML_NS.equals(tokenType)) {
+                    encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
+                    encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+                    encr.setCustomEKTokenId(securityToken.getId());
+                } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
+                    || WSS4JConstants.SAML2_NS.equals(tokenType)) {
+                    encr.setCustomEKTokenValueType(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
+                    encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+                    encr.setCustomEKTokenId(securityToken.getId());
                 } else {
                     setKeyIdentifierType(encr, encrToken);
                 }
-                //
-                // Using a stored cert is only suitable for the Issued Token case, where
-                // we're extracting the cert from a SAML Assertion on the provider side
-                //
-                if (!isRequestor() && securityToken != null
-                    && securityToken.getX509Certificate() != null) {
-                    encr.setUseThisCert(securityToken.getX509Certificate());
-                } else if (!isRequestor() && securityToken != null
-                    && securityToken.getKey() instanceof PublicKey) {
-                    encr.setUseThisPublicKey((PublicKey)securityToken.getKey());
-                    encr.setKeyIdentifierType(WSConstants.KEY_VALUE);
-                } else {
-                    setEncryptionUser(encr, encrToken, false, crypto);
-                }
-                if (!encr.isCertSet() && encr.getUseThisPublicKey() == null && crypto == null) {
-                    unassertPolicy(recToken, "Missing security configuration. "
-                            + "Make sure jaxws:client element is configured "
-                            + "with a " + SecurityConstants.ENCRYPT_PROPERTIES + " value.");
-                }
-                AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
-                encr.setSymmetricEncAlgorithm(algType.getEncryption());
-                encr.setKeyEncAlgo(algType.getAsymmetricKeyWrap());
-                encr.setMGFAlgorithm(algType.getMGFAlgo());
-                encr.setDigestAlgorithm(algType.getEncryptionDigest());
-                encr.prepare(crypto);
-
-                Element encryptedKeyElement = encr.getEncryptedKeyElement();
-                List<Element> attachments = encr.getAttachmentEncryptedDataElements();
-                //Encrypt, get hold of the ref list and add it
-                if (externalRef) {
-                    Element refList = encr.encryptForRef(null, encrParts);
-                    if (refList != null) {
-                        insertBeforeBottomUp(refList);
-                    }
-                    if (attachments != null) {
-                        for (Element attachment : attachments) {
-                            this.insertBeforeBottomUp(attachment);
-                        }
-                    }
-                    if (refList != null || (attachments != null && !attachments.isEmpty())) {
-                        this.addEncryptedKeyElement(encryptedKeyElement);
-                    }
-                } else {
-                    Element refList = encr.encryptForRef(null, encrParts);
-                    if (refList != null || (attachments != null && !attachments.isEmpty())) {
-                        this.addEncryptedKeyElement(encryptedKeyElement);
-                    }
-
-                    // Add internal refs
-                    if (refList != null) {
-                        encryptedKeyElement.appendChild(refList);
-                    }
-                    if (attachments != null) {
-                        for (Element attachment : attachments) {
-                            this.addEncryptedKeyElement(attachment);
-                        }
+            } else {
+                setKeyIdentifierType(encr, encrToken);
+            }
+            //
+            // Using a stored cert is only suitable for the Issued Token case, where
+            // we're extracting the cert from a SAML Assertion on the provider side
+            //
+            if (!isRequestor() && securityToken != null
+                && securityToken.getX509Certificate() != null) {
+                encr.setUseThisCert(securityToken.getX509Certificate());
+            } else if (!isRequestor() && securityToken != null
+                && securityToken.getKey() instanceof PublicKey) {
+                encr.setUseThisPublicKey((PublicKey)securityToken.getKey());
+                encr.setKeyIdentifierType(WSConstants.KEY_VALUE);
+            } else {
+                setEncryptionUser(encr, encrToken, false, crypto);
+            }
+            if (!encr.isCertSet() && encr.getUseThisPublicKey() == null && crypto == null) {
+                unassertPolicy(recToken, "Missing security configuration. "
+                    + "Make sure jaxws:client element is configured "
+                    + "with a " + SecurityConstants.ENCRYPT_PROPERTIES + " value.");
+            }
+            AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
+            AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
+            encr.setSymmetricEncAlgorithm(algType.getEncryption());
+            encr.setKeyEncAlgo(algType.getAsymmetricKeyWrap());
+            encr.setMGFAlgorithm(algType.getMGFAlgo());
+            encr.setDigestAlgorithm(algType.getEncryptionDigest());
+            encr.prepare(crypto, symmetricKey);
+
+            Element encryptedKeyElement = encr.getEncryptedKeyElement();
+            List<Element> attachments = encr.getAttachmentEncryptedDataElements();
+            //Encrypt, get hold of the ref list and add it
+            if (externalRef) {
+                Element refList = encr.encryptForRef(null, encrParts, symmetricKey);
+                if (refList != null) {
+                    insertBeforeBottomUp(refList);
+                }
+                if (attachments != null) {
+                    for (Element attachment : attachments) {
+                        this.insertBeforeBottomUp(attachment);
                     }
                 }
+                if (refList != null || (attachments != null && !attachments.isEmpty())) {
+                    this.addEncryptedKeyElement(encryptedKeyElement);
+                }
+            } else {
+                Element refList = encr.encryptForRef(null, encrParts, symmetricKey);
+                if (refList != null || (attachments != null && !attachments.isEmpty())) {
+                    this.addEncryptedKeyElement(encryptedKeyElement);
+                }
 
-                // Put BST before EncryptedKey element
-                if (encr.getBSTTokenId() != null) {
-                    encr.prependBSTElementToHeader();
+                // Add internal refs
+                if (refList != null) {
+                    encryptedKeyElement.appendChild(refList);
+                }
+                if (attachments != null) {
+                    for (Element attachment : attachments) {
+                        this.addEncryptedKeyElement(attachment);
+                    }
                 }
+            }
 
-                return encr;
-            } catch (WSSecurityException e) {
-                LOG.log(Level.FINE, e.getMessage(), e);
-                unassertPolicy(recToken, e);
+            // Put BST before EncryptedKey element
+            if (encr.getBSTTokenId() != null) {
+                encr.prependBSTElementToHeader();
             }
+
+            return encr;
+        } catch (WSSecurityException e) {
+            LOG.log(Level.FINE, e.getMessage(), e);
+            unassertPolicy(recToken, e);
         }
         return null;
     }
 
     private WSSecBase doEncryptionDerived(AbstractTokenWrapper recToken,
-                                     AbstractToken encrToken,
-                                     List<WSEncryptionPart> encrParts,
-                                     AlgorithmSuite algorithmSuite) {
+                                     List<WSEncryptionPart> encrParts) {
+        AbstractToken encrToken = recToken.getToken();
+        assertPolicy(recToken);
+        assertPolicy(encrToken);
         try {
             WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(secHeader);
             dkEncr.setEncryptionSerializer(new StaxSerializer());
@@ -579,6 +601,8 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
             dkEncr.getParts().addAll(encrParts);
             dkEncr.setCustomValueType(WSS4JConstants.SOAPMESSAGE_NS11 + "#"
                 + WSS4JConstants.ENC_KEY_VALUE_TYPE);
+
+            AlgorithmSuite algorithmSuite = abinding.getAlgorithmSuite();
             AlgorithmSuiteType algType = algorithmSuite.getAlgorithmSuiteType();
             dkEncr.setSymmetricEncAlgorithm(algType.getEncryption());
             dkEncr.setDerivedKeyLength(algType.getEncryptionDerivedKeyLength() / 8);
@@ -797,7 +821,11 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
     private void createEncryptedKey(AbstractTokenWrapper wrapper, AbstractToken token)
         throws WSSecurityException {
         //Set up the encrypted key to use
-        encrKey = this.getEncryptedKeyBuilder(token);
+        AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
+        KeyGenerator keyGen = KeyUtils.getKeyGenerator(algType.getEncryption());
+        SecretKey symmetricKey = keyGen.generateKey();
+
+        encrKey = this.getEncryptedKeyBuilder(token, symmetricKey);
         Element bstElem = encrKey.getBinarySecurityTokenElement();
         if (bstElem != null) {
             // If a BST is available then use it
@@ -806,7 +834,7 @@ public class AsymmetricBindingHandler extends AbstractBindingBuilder {
 
         // Add the EncryptedKey
         this.addEncryptedKeyElement(encrKey.getEncryptedKeyElement());
-        encryptedKeyValue = encrKey.getSymmetricKey().getEncoded();
+        encryptedKeyValue = symmetricKey.getEncoded();
         encryptedKeyId = encrKey.getId();
     }
 
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
index e56fc39..e96cbfe 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/SymmetricBindingHandler.java
@@ -24,6 +24,8 @@ import java.util.ArrayList;
 import java.util.List;
 import java.util.logging.Level;
 
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.xml.crypto.dsig.Reference;
 import javax.xml.namespace.QName;
 import javax.xml.soap.SOAPException;
@@ -206,7 +208,24 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
                 sigParts.addAll(this.getSignedParts(null));
 
                 List<WSEncryptionPart> encrParts = getEncryptedParts();
-                WSSecBase encr = doEncryption(encryptionWrapper, tok, attached, encrParts, true);
+
+                WSSecBase encr = null;
+                SecretKey symmetricKey = null;
+                if (encryptionWrapper.getToken() != null && !encrParts.isEmpty()) {
+                    if (encryptionWrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+                        encr = doEncryptionDerived(encryptionWrapper, tok, attached, encrParts, true);
+                    } else {
+                        byte[] ephemeralKey = tok.getSecret();
+                        String symEncAlgorithm = sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
+                        if (ephemeralKey != null) {
+                            symmetricKey = KeyUtils.prepareSecretKey(symEncAlgorithm, ephemeralKey);
+                        } else {
+                            KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);
+                            symmetricKey = keyGen.generateKey();
+                        }
+                        encr = doEncryption(encryptionWrapper, tok, attached, encrParts, true, symmetricKey);
+                    }
+                }
                 handleEncryptedSignedHeaders(encrParts, sigParts);
 
                 if (!isRequestor()) {
@@ -248,18 +267,18 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
                         secondEncrParts.addAll(encryptedTokensList);
                     }
 
-                    Element secondRefList = null;
+                    if (!secondEncrParts.isEmpty()) {
+                        Element secondRefList = null;
 
-                    if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys
-                        && !secondEncrParts.isEmpty()) {
-                        secondRefList = ((WSSecDKEncrypt)encr).encryptForExternalRef(null,
-                                secondEncrParts);
-                    } else if (!secondEncrParts.isEmpty()) {
-                        //Encrypt, get hold of the ref list and add it
-                        secondRefList = ((WSSecEncrypt)encr).encryptForRef(null, secondEncrParts);
-                    }
-                    if (secondRefList != null) {
-                        this.addDerivedKeyElement(secondRefList);
+                        if (encryptionToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+                            secondRefList = ((WSSecDKEncrypt)encr).encryptForExternalRef(null, secondEncrParts);
+                        } else {
+                            //Encrypt, get hold of the ref list and add it
+                            secondRefList = ((WSSecEncrypt)encr).encryptForRef(null, secondEncrParts, symmetricKey);
+                        }
+                        if (secondRefList != null) {
+                            this.addDerivedKeyElement(secondRefList);
+                        }
                     }
                 }
             }
@@ -385,23 +404,38 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
             if (isRequestor()) {
                 enc.addAll(encryptedTokensList);
             }
-            doEncryption(encrAbstractTokenWrapper,
-                         encrTok,
-                         tokIncluded,
-                         enc,
-                         false);
+
+            if (encrAbstractTokenWrapper.getToken() != null && !enc.isEmpty()) {
+                if (encrAbstractTokenWrapper.getToken().getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
+                    doEncryptionDerived(encrAbstractTokenWrapper, encrTok, tokIncluded, enc, false);
+                } else {
+                    byte[] ephemeralKey = encrTok.getSecret();
+                    SecretKey symmetricKey = null;
+                    String symEncAlgorithm = sbinding.getAlgorithmSuite().getAlgorithmSuiteType().getEncryption();
+                    if (ephemeralKey != null) {
+                        symmetricKey = KeyUtils.prepareSecretKey(symEncAlgorithm, ephemeralKey);
+                    } else {
+                        KeyGenerator keyGen = KeyUtils.getKeyGenerator(symEncAlgorithm);
+                        symmetricKey = keyGen.generateKey();
+                    }
+                    doEncryption(encrAbstractTokenWrapper, encrTok, tokIncluded, enc, false, symmetricKey);
+                }
+            }
         } catch (Exception e) {
             LOG.log(Level.FINE, e.getMessage(), e);
             throw new Fault(e);
         }
     }
 
-    private WSSecBase doEncryptionDerived(AbstractTokenWrapper recToken,
+    private WSSecDKEncrypt doEncryptionDerived(AbstractTokenWrapper recToken,
                                           SecurityToken encrTok,
-                                          AbstractToken encrToken,
                                           boolean attached,
                                           List<WSEncryptionPart> encrParts,
                                           boolean atEnd) {
+
+        AbstractToken encrToken = recToken.getToken();
+        assertPolicy(recToken);
+        assertPolicy(encrToken);
         try {
             WSSecDKEncrypt dkEncr = new WSSecDKEncrypt(secHeader);
             dkEncr.setEncryptionSerializer(new StaxSerializer());
@@ -506,114 +540,107 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
         return null;
     }
 
-    private WSSecBase doEncryption(AbstractTokenWrapper recToken,
+    private WSSecEncrypt doEncryption(AbstractTokenWrapper recToken,
                                    SecurityToken encrTok,
                                    boolean attached,
                                    List<WSEncryptionPart> encrParts,
-                                   boolean atEnd) {
-        //Do encryption
-        if (recToken != null && recToken.getToken() != null && !encrParts.isEmpty()) {
-            AbstractToken encrToken = recToken.getToken();
-            assertPolicy(recToken);
-            assertPolicy(encrToken);
-            AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();
-            if (encrToken.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
-                return doEncryptionDerived(recToken, encrTok, encrToken,
-                                           attached, encrParts, atEnd);
-            }
-            try {
-                WSSecEncrypt encr = new WSSecEncrypt(secHeader);
-                encr.setEncryptionSerializer(new StaxSerializer());
-                encr.setIdAllocator(wssConfig.getIdAllocator());
-                encr.setCallbackLookup(callbackLookup);
-                encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
-                encr.setStoreBytesInAttachment(storeBytesInAttachment);
-                encr.setExpandXopInclude(isExpandXopInclude());
-                encr.setWsDocInfo(wsDocInfo);
-                String encrTokId = encrTok.getId();
-                if (attached) {
-                    encrTokId = encrTok.getWsuId();
-                    if (encrTokId == null
-                        && (encrToken instanceof SecureConversationToken
-                            || encrToken instanceof SecurityContextToken)) {
-                        encr.setEncKeyIdDirectId(true);
-                        encrTokId = encrTok.getId();
-                    } else if (encrTokId == null) {
-                        encrTokId = encrTok.getId();
-                    }
-                    if (encrTokId.startsWith("#")) {
-                        encrTokId = encrTokId.substring(1);
-                    }
-                } else {
+                                   boolean atEnd,
+                                   SecretKey symmetricKey) {
+        AbstractToken encrToken = recToken.getToken();
+        assertPolicy(recToken);
+        assertPolicy(encrToken);
+        try {
+            WSSecEncrypt encr = new WSSecEncrypt(secHeader);
+            encr.setEncryptionSerializer(new StaxSerializer());
+            encr.setIdAllocator(wssConfig.getIdAllocator());
+            encr.setCallbackLookup(callbackLookup);
+            encr.setAttachmentCallbackHandler(new AttachmentCallbackHandler(message));
+            encr.setStoreBytesInAttachment(storeBytesInAttachment);
+            encr.setExpandXopInclude(isExpandXopInclude());
+            encr.setWsDocInfo(wsDocInfo);
+            String encrTokId = encrTok.getId();
+            if (attached) {
+                encrTokId = encrTok.getWsuId();
+                if (encrTokId == null
+                    && (encrToken instanceof SecureConversationToken
+                        || encrToken instanceof SecurityContextToken)) {
                     encr.setEncKeyIdDirectId(true);
+                    encrTokId = encrTok.getId();
+                } else if (encrTokId == null) {
+                    encrTokId = encrTok.getId();
                 }
-                if (encrTok.getTokenType() != null) {
-                    encr.setCustomReferenceValue(encrTok.getTokenType());
+                if (encrTokId.startsWith("#")) {
+                    encrTokId = encrTokId.substring(1);
                 }
-                encr.setEncKeyId(encrTokId);
-                encr.setSymmetricEncAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
-                encr.setEphemeralKey(encrTok.getSecret());
-                Crypto crypto = getEncryptionCrypto();
-                if (crypto != null) {
-                    setEncryptionUser(encr, encrToken, false, crypto);
-                }
-
-                encr.setEncryptSymmKey(false);
-                encr.setMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo());
-                encr.setDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest());
+            } else {
+                encr.setEncKeyIdDirectId(true);
+            }
+            if (encrTok.getTokenType() != null) {
+                encr.setCustomReferenceValue(encrTok.getTokenType());
+            }
+            encr.setEncKeyId(encrTokId);
+            AlgorithmSuite algorithmSuite = sbinding.getAlgorithmSuite();
+            encr.setSymmetricEncAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryption());
+            Crypto crypto = getEncryptionCrypto();
+            if (crypto != null) {
+                setEncryptionUser(encr, encrToken, false, crypto);
+            }
 
-                if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken
-                    || encrToken instanceof SecureConversationToken) {
-                    //Setting the AttachedReference or the UnattachedReference according to the flag
-                    Element ref;
-                    if (attached) {
-                        ref = encrTok.getAttachedReference();
-                    } else {
-                        ref = encrTok.getUnattachedReference();
-                    }
+            encr.setEncryptSymmKey(false);
+            encr.setMGFAlgorithm(algorithmSuite.getAlgorithmSuiteType().getMGFAlgo());
+            encr.setDigestAlgorithm(algorithmSuite.getAlgorithmSuiteType().getEncryptionDigest());
 
-                    String tokenType = encrTok.getTokenType();
-                    if (ref != null) {
-                        SecurityTokenReference secRef =
-                            new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
-                        encr.setSecurityTokenReference(secRef);
-                    } else if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
-                        || WSS4JConstants.SAML_NS.equals(tokenType)) {
-                        encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
-                        encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
-                    } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
-                        || WSS4JConstants.SAML2_NS.equals(tokenType)) {
-                        encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
-                        encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
-                    } else {
-                        encr.setCustomReferenceValue(tokenType);
-                        encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
-                    }
-                } else if (encrToken instanceof UsernameToken) {
-                    encr.setCustomReferenceValue(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
-                } else if (encrToken instanceof KerberosToken && !isRequestor()) {
-                    encr.setCustomReferenceValue(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE);
-                    encr.setEncKeyId(encrTok.getSHA1());
-                } else if (!isRequestor() && encrTok.getSHA1() != null) {
-                    encr.setCustomReferenceValue(encrTok.getSHA1());
-                    encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
+            if (encrToken instanceof IssuedToken || encrToken instanceof SpnegoContextToken
+                || encrToken instanceof SecureConversationToken) {
+                //Setting the AttachedReference or the UnattachedReference according to the flag
+                Element ref;
+                if (attached) {
+                    ref = encrTok.getAttachedReference();
+                } else {
+                    ref = encrTok.getUnattachedReference();
                 }
 
-                encr.prepare(crypto);
-
-                if (encr.getBSTTokenId() != null) {
-                    encr.prependBSTElementToHeader();
+                String tokenType = encrTok.getTokenType();
+                if (ref != null) {
+                    SecurityTokenReference secRef =
+                        new SecurityTokenReference(cloneElement(ref), new BSPEnforcer());
+                    encr.setSecurityTokenReference(secRef);
+                } else if (WSS4JConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)
+                    || WSS4JConstants.SAML_NS.equals(tokenType)) {
+                    encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML_KI_VALUE_TYPE);
+                    encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+                } else if (WSS4JConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)
+                    || WSS4JConstants.SAML2_NS.equals(tokenType)) {
+                    encr.setCustomReferenceValue(WSS4JConstants.WSS_SAML2_KI_VALUE_TYPE);
+                    encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
+                } else {
+                    encr.setCustomReferenceValue(tokenType);
+                    encr.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);
                 }
+            } else if (encrToken instanceof UsernameToken) {
+                encr.setCustomReferenceValue(WSS4JConstants.WSS_USERNAME_TOKEN_VALUE_TYPE);
+            } else if (encrToken instanceof KerberosToken && !isRequestor()) {
+                encr.setCustomReferenceValue(WSS4JConstants.WSS_KRB_KI_VALUE_TYPE);
+                encr.setEncKeyId(encrTok.getSHA1());
+            } else if (!isRequestor() && encrTok.getSHA1() != null) {
+                encr.setCustomReferenceValue(encrTok.getSHA1());
+                encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER);
+            }
 
-                Element refList = encr.encryptForRef(null, encrParts);
-                List<Element> attachments = encr.getAttachmentEncryptedDataElements();
-                addAttachmentsForEncryption(atEnd, refList, attachments);
+            encr.prepare(crypto, symmetricKey);
 
-                return encr;
-            } catch (WSSecurityException e) {
-                LOG.log(Level.FINE, e.getMessage(), e);
-                unassertPolicy(recToken, e);
+            if (encr.getBSTTokenId() != null) {
+                encr.prependBSTElementToHeader();
             }
+
+            Element refList = encr.encryptForRef(null, encrParts, symmetricKey);
+            List<Element> attachments = encr.getAttachmentEncryptedDataElements();
+            addAttachmentsForEncryption(atEnd, refList, attachments);
+
+            return encr;
+        } catch (WSSecurityException e) {
+            LOG.log(Level.FINE, e.getMessage(), e);
+            unassertPolicy(recToken, e);
         }
         return null;
     }
@@ -914,10 +941,14 @@ public class SymmetricBindingHandler extends AbstractBindingBuilder {
     }
 
     private String setupEncryptedKey(AbstractTokenWrapper wrapper, AbstractToken sigToken) throws WSSecurityException {
-        WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(sigToken);
+        AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
+        KeyGenerator keyGen = KeyUtils.getKeyGenerator(algType.getEncryption());
+        SecretKey symmetricKey = keyGen.generateKey();
+
+        WSSecEncryptedKey encrKey = this.getEncryptedKeyBuilder(sigToken, symmetricKey);
         assertTokenWrapper(wrapper);
         String id = encrKey.getId();
-        byte[] secret = encrKey.getSymmetricKey().getEncoded();
+        byte[] secret = symmetricKey.getEncoded();
 
         Instant created = Instant.now();
         Instant expires = created.plusSeconds(WSS4JUtils.getSecurityTokenLifetime(message) / 1000L);
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
index 2723478..d25b1fd 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/TransportBindingHandler.java
@@ -25,6 +25,8 @@ import java.util.Collection;
 import java.util.List;
 import java.util.logging.Level;
 
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.xml.crypto.dsig.Reference;
 import javax.xml.soap.SOAPException;
 import javax.xml.soap.SOAPMessage;
@@ -50,6 +52,7 @@ import org.apache.wss4j.common.ext.WSPasswordCallback;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.common.token.SecurityTokenReference;
+import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.engine.WSSConfig;
 import org.apache.wss4j.dom.message.WSSecDKSign;
@@ -356,7 +359,11 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
             signPartsAndElements(wrapper.getSignedParts(), wrapper.getSignedElements());
 
         if (token.getDerivedKeys() == DerivedKeys.RequireDerivedKeys) {
-            WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(token);
+            AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
+            KeyGenerator keyGen = KeyUtils.getKeyGenerator(algType.getEncryption());
+            SecretKey symmetricKey = keyGen.generateKey();
+
+            WSSecEncryptedKey encrKey = getEncryptedKeyBuilder(token, symmetricKey);
             assertPolicy(wrapper);
 
             Element bstElem = encrKey.getBinarySecurityTokenElement();
@@ -379,10 +386,9 @@ public class TransportBindingHandler extends AbstractBindingBuilder {
             dkSig.setExpandXopInclude(isExpandXopInclude());
             dkSig.setWsDocInfo(wsDocInfo);
 
-            AlgorithmSuiteType algType = binding.getAlgorithmSuite().getAlgorithmSuiteType();
             dkSig.setDerivedKeyLength(algType.getSignatureDerivedKeyLength() / 8);
 
-            dkSig.setExternalKey(encrKey.getSymmetricKey().getEncoded(), encrKey.getId());
+            dkSig.setExternalKey(symmetricKey.getEncoded(), encrKey.getId());
 
             dkSig.prepare();
 
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java
index 0e54cf2..158e5f8 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/saml/AbstractSAMLCallbackHandler.java
@@ -23,6 +23,8 @@ import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Collections;
 
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.security.auth.callback.CallbackHandler;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -40,6 +42,7 @@ import org.apache.wss4j.common.saml.bean.AuthenticationStatementBean;
 import org.apache.wss4j.common.saml.bean.KeyInfoBean;
 import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER;
 import org.apache.wss4j.common.saml.bean.SubjectBean;
+import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.message.WSSecEncryptedKey;
 
@@ -170,7 +173,10 @@ public abstract class AbstractSAMLCallbackHandler implements CallbackHandler {
             WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc);
             encrKey.setKeyIdentifierType(WSConstants.X509_KEY_IDENTIFIER);
             encrKey.setUseThisCert(certs[0]);
-            encrKey.prepare(null);
+
+            KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_128);
+            SecretKey symmetricKey = keyGen.generateKey();
+            encrKey.prepare(null, symmetricKey);
             Element encryptedKeyElement = encrKey.getEncryptedKeyElement();
 
             // Append the EncryptedKey to a KeyInfo element
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
index ba5bb13..0b4b80c 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/operation/AbstractOperation.java
@@ -29,6 +29,8 @@ import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.xml.bind.JAXBElement;
 import javax.xml.namespace.QName;
 
@@ -77,6 +79,7 @@ import org.apache.cxf.ws.security.tokenstore.TokenStore;
 import org.apache.wss4j.common.WSS4JConstants;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.util.DateUtil;
+import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.common.util.XMLUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.message.WSSecEncryptedKey;
@@ -375,10 +378,17 @@ public abstract class AbstractOperation {
         WSSecEncryptedKey builder = new WSSecEncryptedKey(doc);
         builder.setUserInfo(name);
         builder.setKeyIdentifierType(encryptionProperties.getKeyIdentifierType());
-        builder.setEphemeralKey(secret);
         builder.setKeyEncAlgo(keyWrapAlgorithm);
 
-        builder.prepare(stsProperties.getEncryptionCrypto());
+        SecretKey symmetricKey = null;
+        if (secret != null) {
+            symmetricKey = KeyUtils.prepareSecretKey(encryptionProperties.getEncryptionAlgorithm(), secret);
+        } else {
+            KeyGenerator keyGen = KeyUtils.getKeyGenerator(encryptionProperties.getEncryptionAlgorithm());
+            symmetricKey = keyGen.generateKey();
+        }
+
+        builder.prepare(stsProperties.getEncryptionCrypto(), symmetricKey);
 
         return builder.getEncryptedKeyElement();
     }
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
index d5f2284..c080d4b 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java
@@ -27,6 +27,8 @@ import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.regex.Pattern;
 
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.naming.ldap.LdapName;
 import javax.naming.ldap.Rdn;
 import javax.security.auth.kerberos.KerberosPrincipal;
@@ -55,6 +57,7 @@ import org.apache.wss4j.common.saml.bean.KeyInfoBean.CERT_IDENTIFIER;
 import org.apache.wss4j.common.saml.bean.SubjectBean;
 import org.apache.wss4j.common.saml.builder.SAML1Constants;
 import org.apache.wss4j.common.saml.builder.SAML2Constants;
+import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.dom.message.WSSecEncryptedKey;
 
 /**
@@ -331,11 +334,18 @@ public class DefaultSubjectProvider implements SubjectProvider {
         // Create an EncryptedKey
         WSSecEncryptedKey encrKey = new WSSecEncryptedKey(doc);
         encrKey.setKeyIdentifierType(encryptionProperties.getKeyIdentifierType());
-        encrKey.setEphemeralKey(secret);
-        encrKey.setSymmetricEncAlgorithm(encryptionProperties.getEncryptionAlgorithm());
         encrKey.setUseThisCert(certificate);
         encrKey.setKeyEncAlgo(encryptionProperties.getKeyWrapAlgorithm());
-        encrKey.prepare(encryptionCrypto);
+
+        SecretKey symmetricKey = null;
+        if (secret != null) {
+            symmetricKey = KeyUtils.prepareSecretKey(encryptionProperties.getEncryptionAlgorithm(), secret);
+        } else {
+            KeyGenerator keyGen = KeyUtils.getKeyGenerator(encryptionProperties.getEncryptionAlgorithm());
+            symmetricKey = keyGen.generateKey();
+        }
+
+        encrKey.prepare(encryptionCrypto, symmetricKey);
         Element encryptedKeyElement = encrKey.getEncryptedKeyElement();
 
         // Append the EncryptedKey to a KeyInfo element
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java
index b4cb1a7..e907da1 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/TokenProviderUtils.java
@@ -25,6 +25,8 @@ import java.util.Map;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.xml.bind.JAXBElement;
 import javax.xml.namespace.QName;
 
@@ -43,6 +45,7 @@ import org.apache.cxf.ws.security.wss4j.WSS4JUtils;
 import org.apache.wss4j.common.ConfigurationConstants;
 import org.apache.wss4j.common.WSEncryptionPart;
 import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
 import org.apache.wss4j.dom.message.WSSecEncrypt;
@@ -171,8 +174,11 @@ public final class TokenProviderUtils {
         WSEncryptionPart encryptionPart = new WSEncryptionPart(id, "Element");
         encryptionPart.setElement(element);
 
-        builder.prepare(stsProperties.getEncryptionCrypto());
-        builder.encryptForRef(null, Collections.singletonList(encryptionPart));
+        KeyGenerator keyGen = KeyUtils.getKeyGenerator(encryptionAlgorithm);
+        SecretKey symmetricKey = keyGen.generateKey();
+
+        builder.prepare(stsProperties.getEncryptionCrypto(), symmetricKey);
+        builder.encryptForRef(null, Collections.singletonList(encryptionPart), symmetricKey);
 
         return (Element)frag.getFirstChild();
     }
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java
index 6c555ba..e6756a7 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/operation/IssueSamlUnitTest.java
@@ -27,6 +27,8 @@ import java.util.Collections;
 import java.util.List;
 import java.util.Properties;
 
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.xml.bind.JAXBElement;
 import javax.xml.namespace.QName;
 
@@ -71,6 +73,7 @@ import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.common.saml.builder.SAML1Constants;
 import org.apache.wss4j.common.saml.builder.SAML2Constants;
 import org.apache.wss4j.common.util.DOM2Writer;
+import org.apache.wss4j.common.util.KeyUtils;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSDocInfo;
 import org.apache.wss4j.dom.engine.WSSConfig;
@@ -839,9 +842,12 @@ public class IssueSamlUnitTest {
         builder.setKeyIdentifierType(WSConstants.ISSUER_SERIAL);
         builder.setKeyEncAlgo(WSS4JConstants.KEYTRANSPORT_RSAOAEP);
 
-        builder.prepare(stsProperties.getSignatureCrypto());
+        KeyGenerator keyGen = KeyUtils.getKeyGenerator(WSConstants.AES_128);
+        SecretKey symmetricKey = keyGen.generateKey();
+
+        builder.prepare(stsProperties.getSignatureCrypto(), symmetricKey);
         Element encryptedKeyElement = builder.getEncryptedKeyElement();
-        byte[] secret = builder.getSymmetricKey().getEncoded();
+        byte[] secret = symmetricKey.getEncoded();
 
         EntropyType entropyType = new EntropyType();
         entropyType.getAny().add(encryptedKeyElement);


Mime
View raw message