This is an automated email from the ASF dual-hosted git repository. billblough pushed a commit to branch RAMPART-252 in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-rampart.git
commit b258a530dd3cd3c6bef1aba7ef0007168c968a48 Merge: 1d944fb c92232d Author: Andreas Veithen <veit...@apache.org> AuthorDate: Sun Jan 29 15:45:48 2017 +0000 Merge r1240268 from trunk. .../ExtendedPolicyValidatorCallbackHandler.java | 24 + .../rampart/PolicyBasedResultsValidator.java | 694 ++++++++++--------- .../java/org/apache/rampart/RampartConstants.java | 3 + .../java/org/apache/rampart/RampartEngine.java | 33 +- .../org/apache/rampart/RampartMessageData.java | 54 +- .../org/apache/rampart/TokenCallbackHandler.java | 4 +- .../rampart/builder/AsymmetricBindingBuilder.java | 238 ++++--- .../org/apache/rampart/builder/BindingBuilder.java | 318 +++++---- .../rampart/builder/SymmetricBindingBuilder.java | 152 +++-- .../rampart/builder/TransportBindingBuilder.java | 194 +++--- .../main/java/org/apache/rampart/errors.properties | 3 + .../rampart/handler/CertificateValidator.java | 45 ++ .../handler/PostDispatchVerificationHandler.java | 4 +- .../apache/rampart/handler/RampartReceiver.java | 10 +- .../apache/rampart/handler/WSDoAllReceiver.java | 39 +- .../org/apache/rampart/handler/WSDoAllSender.java | 27 +- .../handler/config/InflowConfiguration.java | 21 + .../handler/config/OutflowConfiguration.java | 21 + .../apache/rampart/policy/RampartPolicyData.java | 62 +- .../rampart/policy/model/OptimizePartsConfig.java | 11 +- .../apache/rampart/saml/SAML1AssertionHandler.java | 12 +- .../org/apache/rampart/util/MessageOptimizer.java | 25 +- .../java/org/apache/rampart/util/RampartUtil.java | 750 ++++++++++++--------- .../src/main/java/org/apache/rahas/PWCallback.java | 14 +- .../main/java/org/apache/rampart/PWCallback.java | 18 +- .../apache/axis2/oasis/ping/PingPortSkeleton.java | 31 +- .../axis2/security/InteropScenarioClient.java | 7 +- .../src/org/apache/axis2/security/PWCallback.java | 10 +- .../org/apache/axis2/security/Scenario4Test.java | 9 +- .../org/apache/axis2/security/Scenario5Test.java | 4 +- .../test/java/org/apache/rampart/RampartTest.java | 4 +- 
.../src/test/resources/security/s2a.service.xml | 2 +- .../test/resources/security/s4.client.axis2.xml | 5 +- .../src/test/resources/security/s4.service.xml | 5 +- .../test/resources/security/s5.client.axis2.xml | 4 +- .../org/apache/rampart/MessageBuilderTestBase.java | 3 +- .../java/org/apache/rampart/RampartEngineTest.java | 33 +- .../java/org/apache/rampart/TestCBHandler.java | 44 +- .../rampart-tests/test-resources/PWCallback.java | 8 +- .../src/main/java/org/apache/rahas/RahasData.java | 31 +- .../java/org/apache/rahas/client/STSClient.java | 30 +- .../main/java/org/apache/rahas/errors.properties | 5 +- .../org/apache/rahas/impl/SAML2TokenIssuer.java | 19 +- .../org/apache/rahas/impl/SAMLTokenIssuer.java | 49 +- .../apache/rahas/impl/SAMLTokenIssuerConfig.java | 11 +- .../org/apache/rahas/impl/SAMLTokenRenewer.java | 11 +- .../org/apache/rahas/impl/SAMLTokenValidator.java | 6 +- .../org/apache/rahas/impl/TokenIssuerUtil.java | 13 +- .../org/apache/rahas/impl/util/CommonUtil.java | 140 ++++ .../org/apache/rahas/impl/util/SAML2Utils.java | 13 +- .../java/org/apache/rahas/impl/util/SAMLUtils.java | 22 +- .../apache/rahas/impl/SAML2TokenIssuerTest.java | 73 ++ .../org/apache/rahas/impl/util/SAMLUtilsTest.java | 37 +- .../java/org/apache/rahas/test/util/TestUtil.java | 61 ++ pom.xml | 22 +- 55 files changed, 2059 insertions(+), 1429 deletions(-) diff --cc modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java index 9cd2a2b,774bf38..1eab066 --- a/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java +++ b/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java @@@ -556,39 -561,12 +565,37 @@@ public class PolicyBasedResultsValidato WSSecurityEngineResult[] actionResults = fetchActionResults(results, WSConstants.SIGN); // Find elements that are signed - Vector actuallySigned = new Vector(); + List<QName> actuallySigned = new ArrayList<QName>(); - if (actionResults != null) 
{ + if (actionResults != null) { + + AlgorithmSuite suite = rpd.getAlgorithmSuite(); + - for (int j = 0; j < actionResults.length; j++) { - - WSSecurityEngineResult actionResult = actionResults[j]; + for (WSSecurityEngineResult actionResult : actionResults) { + // Validate signature algorithms + String sigMethod = null; + String canonMethod = null; + sigMethod = (String) actionResult.get(WSSecurityEngineResult.TAG_SIGNATURE_METHOD); + canonMethod = (String) actionResult + .get(WSSecurityEngineResult.TAG_CANONICALIZATION_METHOD); + + if (sigMethod == null || canonMethod == null) { + throw new RampartException("algorithmNotFound"); + } + // Check whether signature algorithm is correct + if (!(sigMethod.equals(suite.getAsymmetricSignature()) || sigMethod.equals(suite + .getSymmetricSignature()))) { + throw new RampartException("invalidAlgorithm", new String[] { + suite.getAsymmetricSignature(), sigMethod }); + } + // Check whether the canonicalization algorithm is correct + if (!canonMethod.equals(suite.getInclusiveC14n())) { + throw new RampartException("invalidAlgorithm", new String[] { + suite.getInclusiveC14n(), canonMethod }); + } + - List wsDataRefs = (List)actionResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS); - + List wsDataRefs = (List) actionResult.get(WSSecurityEngineResult.TAG_DATA_REF_URIS); + // if header was encrypted before it was signed, protected // element is 'EncryptedHeader.' 
the actual element is // first child element @@@ -995,29 -1012,13 +1041,29 @@@ .size()]); } + private void validateEncryptionAlgorithm(ArrayList refList, AlgorithmSuite algorithmSuite) throws RampartException { + + for (int i = 0; i < refList.size(); i++) { + WSDataRef dataRef = (WSDataRef) refList.get(i); + + //ArrayList can contain null elements + if (dataRef == null) { + continue; + } + + if (!(algorithmSuite.getEncryption().equals(dataRef.getAlgo()))) { + throw new RampartException("invalidAlgorithm", new String[]{algorithmSuite.getEncryption(), dataRef.getAlgo()}); + } + } + } + private boolean isRefIdPresent(ArrayList refList , QName qname) { - - for (int i = 0; i < refList.size() ; i++) { - WSDataRef dataRef = (WSDataRef)refList.get(i); - + + for (Object aRefList : refList) { + WSDataRef dataRef = (WSDataRef) aRefList; + //ArrayList can contain null elements - if(dataRef == null) { + if (dataRef == null) { continue; } //QName of the decrypted element diff --cc modules/rampart-core/src/main/java/org/apache/rampart/builder/SymmetricBindingBuilder.java index f8678de,acb2b73..7cc40d7 --- a/modules/rampart-core/src/main/java/org/apache/rampart/builder/SymmetricBindingBuilder.java +++ b/modules/rampart-core/src/main/java/org/apache/rampart/builder/SymmetricBindingBuilder.java @@@ -56,13 -53,8 +56,10 @@@ import org.w3c.dom.Element import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; - import java.util.Date; - import java.util.HashMap; - import java.util.Iterator; - import java.util.Vector; + import java.util.*; +import javax.xml.stream.XMLStreamReader; + public class SymmetricBindingBuilder extends BindingBuilder { @@@ -667,22 -655,13 +666,23 @@@ encr.setSymmetricEncAlgorithm(rpd.getAlgorithmSuite().getEncryption()); // Use key identifier in the KeyInfo in server side if (!rmd.isInitiator()) { - if(encrTok instanceof EncryptedKeyToken) { + if (encrTok instanceof EncryptedKeyToken) { - encr.setUseKeyIdentifier(true); + // TODO was 
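Review bot: In the signature-method check, the invalidAlgorithm exception reports only `suite.getAsymmetricSignature()` as the required algorithm even though the condition directly above also accepts `suite.getSymmetricSignature()`, so on a symmetric binding the fault text names the wrong expectation. Either pass both accepted values, e.g. `new String[] { suite.getAsymmetricSignature() + " or " + suite.getSymmetricSignature(), sigMethod }`, or, stricter and preferable, accept only the signature algorithm that applies to the binding actually in force, since `rpd` is already in scope here. `rpd.getAlgorithmSuite()` is dereferenced without a null check; if a policy without an AlgorithmSuite can reach this code (I cannot tell from the hunk), the result is an NPE instead of a clear RampartException. The `String sigMethod = null;` / `String canonMethod = null;` declarations can be folded into the assignments that immediately follow them. The enclosing method starts and ends outside the hunk.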
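Review bot: `validateEncryptionAlgorithm` still takes a raw `ArrayList` and walks it with an index loop plus a cast, while the neighbouring `isRefIdPresent` in the same hunk was just rewritten to an enhanced for loop and the rest of the commit moves to typed collections such as `List<QName>`; declaring the parameter as `List<WSDataRef>` and iterating with `for (WSDataRef dataRef : refList)` would drop the cast and match the surrounding style. A null `refList` is not guarded, so an encryption result carrying no data-ref list would surface as an NPE rather than a RampartException; whether callers already guarantee non-null is not visible in the hunk. A `dataRef` whose `getAlgo()` is null does fail closed here, since `equals` on the suite's algorithm returns false and invalidAlgorithm is thrown, which is the right direction for a policy check. `isRefIdPresent` continues outside the hunk.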
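Review bot: The import block replaces the explicit `java.util.Date`, `HashMap`, `Iterator` and `Vector` imports with a wildcard `import java.util.*;`, which hides which collection types the class really depends on and can silently resolve a simple name to a different package's class if another wildcard import is added later. Prefer listing the imports the new code needs, e.g. `import java.util.List;` and `import java.util.ArrayList;` next to the ones still in use. The added `import javax.xml.stream.XMLStreamReader;` is only justified if it is referenced elsewhere in the file, which this hunk does not show.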
encr.setUseKeyIdentifier(true); verify + encr.setEncKeyIdDirectId(true); - encr.setCustomReferenceValue(((EncryptedKeyToken)encrTok).getSHA1()); + encr.setCustomReferenceValue(((EncryptedKeyToken) encrTok).getSHA1()); encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER); - } + } + } else if (isIssuedToken) { + encr.setUseKeyIdentifier(true); + encr.setCustomReferenceValue(encrTokId); + encr.setKeyIdentifierType(WSConstants.SAML_ASSERTION_IDENTIFIER); + try { + // RampartUtil.insertSiblingAfter(rmd,this.timestampElement,getLLOMfromOM(encrTok.getToken())); + } catch (Exception e) { + log.debug("error while converting SAML issued token to a dom element"); + } } + encr.prepare(doc, RampartUtil.getEncryptionCrypto(rpd .getRampartConfig(), rmd.getCustomClassLoader())); diff --cc modules/rampart-core/src/main/java/org/apache/rampart/errors.properties index f8ac898,8e188b1..65ee52e --- a/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties +++ b/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties @@@ -100,6 -102,5 +102,7 @@@ requiredElementsMissing = Required Elem repeatingNonceValue = Nonce value : {0}, already seen before for user name : {1}. Possibly this could be a replay attack. invalidNonceLifeTime = Invalid value for nonceLifeTime in rampart configuration file. invalidIssuerAddress = Invalid value for Issuer +algorithmNotFound = Couldn't find the algorithm used +invalidAlgorithm = Algorithm verification failed. Required Algorithm : {0}, Algorithm found {1} invalidSignatureAlgo=Invalid signature algorithm for Asymmetric binding +
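Review bot: The new `isIssuedToken` branch wraps only a commented-out `RampartUtil.insertSiblingAfter(...)` call in `try { } catch (Exception e) { log.debug(...) }`, so the try body is empty, the catch can never run, and a reader will mistake the block for working handling of the SAML issued-token reference. Either restore the call and handle its failure explicitly, or delete the try/catch and leave a comment stating that inserting the token as a sibling is intentionally deferred and why; as written the `log.debug` would also drop `e` and lose the cause if the call ever came back. The `// TODO was encr.setUseKeyIdentifier(true); verify` on the EncryptedKeyToken branch means the server now emits the encrypted-key reference via `setEncKeyIdDirectId(true)` instead of `setUseKeyIdentifier(true)`, and a change to the reference form the recipient must resolve should be verified against the interop tests before merge rather than left as a TODO. The enclosing method starts and ends outside the hunk.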