This is an automated email from the ASF dual-hosted git repository. billblough pushed a commit to branch RAMPART-252 in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-rampart.git
commit 0455173a88c41265e65842259e7757dda9bd0188 Author: Andreas Veithen <veit...@apache.org> AuthorDate: Sun Jan 29 14:00:51 2017 +0000 RAMPART-252: Commit patch provided by Prabath Siriwardena. --- .../rampart/PolicyBasedResultsValidator.java | 47 +++++++++++++++++++++- .../rampart/builder/SymmetricBindingBuilder.java | 39 ++++++++++++++++-- .../main/java/org/apache/rampart/errors.properties | 4 +- pom.xml | 2 +- 4 files changed, 86 insertions(+), 6 deletions(-) diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java b/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java index 4d5aa35..a64e287 100644 --- a/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java +++ b/modules/rampart-core/src/main/java/org/apache/rampart/PolicyBasedResultsValidator.java @@ -453,6 +453,8 @@ public class PolicyBasedResultsValidator implements PolicyValidatorCallbackHandl } + //validate the algorithms + validateEncryptionAlgorithm(encrRefs, rpd.getAlgorithmSuite()); //Check for encrypted body if(rpd.isEncryptBody()&& !rpd.isEncryptBodyOptional()) { @@ -546,6 +548,7 @@ public class PolicyBasedResultsValidator implements PolicyValidatorCallbackHandl throws RampartException { RampartMessageData rmd = data.getRampartMessageData(); + RampartPolicyData rpd = rmd.getPolicyData(); Node envelope = rmd.getDocument().getFirstChild(); 
@@ -553,9 +556,35 @@ public class PolicyBasedResultsValidator implements PolicyValidatorCallbackHandl // Find elements that are signed Vector actuallySigned = new Vector(); - if (actionResults != null) { + if (actionResults != null) { + + AlgorithmSuite suite = rpd.getAlgorithmSuite(); + for (int j = 0; j < actionResults.length; j++) { WSSecurityEngineResult actionResult = actionResults[j]; + + // Validate signature algorithms + String sigMethod = null; + String canonMethod = null; + sigMethod = (String) actionResult.get(WSSecurityEngineResult.TAG_SIGNATURE_METHOD); + canonMethod = (String) actionResult + .get(WSSecurityEngineResult.TAG_CANONICALIZATION_METHOD); + + if (sigMethod == null || canonMethod == null) { + throw new RampartException("algorithmNotFound"); + } + // Check whether signature algorithm is correct + if (!(sigMethod.equals(suite.getAsymmetricSignature()) || sigMethod.equals(suite + .getSymmetricSignature()))) { + throw new RampartException("invalidAlgorithm", new String[] { + suite.getAsymmetricSignature(), sigMethod }); + } + // Check whether the canonicalization algorithm is correct + if (!canonMethod.equals(suite.getInclusiveC14n())) { + throw new RampartException("invalidAlgorithm", new String[] { + suite.getInclusiveC14n(), canonMethod }); + } + Set signedIDs = (Set) actionResult .get(WSSecurityEngineResult.TAG_SIGNED_ELEMENT_IDS); for (Iterator i = signedIDs.iterator(); i.hasNext();) { 
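Review bot: The signature-method check in this hunk accepts either `suite.getAsymmetricSignature()` or `suite.getSymmetricSignature()` regardless of which binding the policy actually uses, so a message signed with the "wrong" family for the negotiated binding still passes, and the thrown `invalidAlgorithm` always reports the asymmetric value as the required one even when the symmetric one was expected. Assuming RampartPolicyData exposes the binding in force (it appears to have `isSymmetricBinding()`), pick the single expected algorithm up front and compare against that: `String expectedSig = rpd.isSymmetricBinding() ? suite.getSymmetricSignature() : suite.getAsymmetricSignature();` followed by `if (!expectedSig.equals(sigMethod)) { throw new RampartException("invalidAlgorithm", new String[] { expectedSig, sigMethod }); }`. The canonicalization check compares only against `suite.getInclusiveC14n()`; if the suite can also express the exclusive C14N value, a policy configured for it would be rejected here, so that is worth confirming. `suite` is used unguarded, so a policy without an AlgorithmSuite would fail with a NullPointerException rather than a RampartException; the enclosing method starts and ends outside this hunk.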
@@ -942,6 +971,22 @@ public class PolicyBasedResultsValidator implements PolicyValidatorCallbackHandl .size()]); } + private void validateEncryptionAlgorithm(ArrayList refList, AlgorithmSuite algorithmSuite) throws RampartException { + + for (int i = 0; i < refList.size(); i++) { + WSDataRef dataRef = (WSDataRef) refList.get(i); + + //ArrayList can contain null elements + if (dataRef == null) { + continue; + } + + if (!(algorithmSuite.getEncryption().equals(dataRef.getAlgo()))) { + throw new RampartException("invalidAlgorithm", new String[]{algorithmSuite.getEncryption(), dataRef.getAlgo()}); + } + } + } + private boolean isRefIdPresent(ArrayList refList , QName qname) { for (int i = 0; i < refList.size() ; i++) { diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/builder/SymmetricBindingBuilder.java b/modules/rampart-core/src/main/java/org/apache/rampart/builder/SymmetricBindingBuilder.java index abc7e27..4bdd2ed 100644 --- a/modules/rampart-core/src/main/java/org/apache/rampart/builder/SymmetricBindingBuilder.java +++ b/modules/rampart-core/src/main/java/org/apache/rampart/builder/SymmetricBindingBuilder.java @@ -17,6 +17,9 @@ package org.apache.rampart.builder; import org.apache.axiom.om.OMElement; +import org.apache.axiom.om.OMFactory; +import org.apache.axiom.om.impl.builder.StAXOMBuilder; +import org.apache.axiom.om.impl.dom.DOOMAbstractFactory; import org.apache.axis2.context.MessageContext; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; @@ -58,6 +61,8 @@ import java.util.HashMap; import java.util.Iterator; import java.util.Vector; +import javax.xml.stream.XMLStreamReader; + public class SymmetricBindingBuilder extends BindingBuilder { 
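Review bot: `validateEncryptionAlgorithm` compares only the data-encryption algorithm of each `WSDataRef` against `algorithmSuite.getEncryption()`; the key-wrap algorithm used for the EncryptedKey that transported the session key is not validated anywhere in this patch, so the suite is still only partially enforced on the inbound side. `algorithmSuite.getEncryption()` is dereferenced without a null check, so a suite that does not define an encryption algorithm fails with a NullPointerException rather than a RampartException; `if (algorithmSuite.getEncryption() == null) { throw new RampartException("algorithmNotFound"); }` at the top of the method keeps the failure mode consistent with the signature path. The new private method has no Javadoc; add one stating that it walks the decrypted data references (tolerating null entries), checks each reference's algorithm against the policy's AlgorithmSuite, and throws `invalidAlgorithm` with the expected and found URIs on the first mismatch.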
@@ -538,6 +543,12 @@ public class SymmetricBindingBuilder extends BindingBuilder { //Encryption Token encrToken = rpd.getEncryptionToken(); + + boolean isIssuedToken = false; + if (encrToken instanceof IssuedToken) { + isIssuedToken = true; + } + Element encrTokElem = null; if(sigToken.equals(encrToken)) { //Use the same token @@ -659,12 +670,22 @@ public class SymmetricBindingBuilder extends BindingBuilder { encr.setSymmetricEncAlgorithm(rpd.getAlgorithmSuite().getEncryption()); // Use key identifier in the KeyInfo in server side if (!rmd.isInitiator()) { - if(encrTok instanceof EncryptedKeyToken) { + if (encrTok instanceof EncryptedKeyToken) { encr.setUseKeyIdentifier(true); - encr.setCustomReferenceValue(((EncryptedKeyToken)encrTok).getSHA1()); + encr.setCustomReferenceValue(((EncryptedKeyToken) encrTok).getSHA1()); encr.setKeyIdentifierType(WSConstants.ENCRYPTED_KEY_SHA1_IDENTIFIER); - } + } + } else if (isIssuedToken) { + encr.setUseKeyIdentifier(true); + encr.setCustomReferenceValue(encrTokId); + encr.setKeyIdentifierType(WSConstants.SAML_ASSERTION_IDENTIFIER); + try { + // RampartUtil.insertSiblingAfter(rmd,this.timestampElement,getLLOMfromOM(encrTok.getToken())); + } catch (Exception e) { + log.debug("error while converting SAML issued token to a dom element"); + } } + encr.prepare(doc, RampartUtil.getEncryptionCrypto(rpd .getRampartConfig(), rmd.getCustomClassLoader())); 
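Review bot: The four-line flag initialisation in this hunk is just an `instanceof` test and reads more clearly as a single declaration: `boolean isIssuedToken = encrToken instanceof IssuedToken;`. The later branch that consumes this flag tests `encrToken` here but then works on `encrTok`; if those two locals can refer to different tokens, the flag should be derived from the one actually used in that branch. The enclosing method continues outside this hunk.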
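Review bot: The new `else if (isIssuedToken)` branch in the `@@ -659` hunk contains a `try` whose only statement is commented out, with a `catch (Exception e)` that debug-logs a fixed message and drops `e`; as committed this is dead scaffolding that would silently hide any failure if the line were ever re-enabled. Either remove the `try`/`catch` and the commented call, or implement it and log the cause (`log.debug("error while converting SAML issued token to a dom element", e);`) and decide explicitly whether a failed conversion should abort the build rather than continue. The branch also sets `encr.setCustomReferenceValue(encrTokId)` with `WSConstants.SAML_ASSERTION_IDENTIFIER`, which deserves a one-line comment saying why the assertion id is used as the key identifier for issued tokens on the initiator side. The enclosing method starts and ends outside this hunk.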
@@ -696,6 +717,18 @@ public class SymmetricBindingBuilder extends BindingBuilder { } + private Element getLLOMfromOM(OMElement element) { + // Get the StAX reader from the created element + XMLStreamReader llomReader = element.getXMLStreamReader(); + // Create the DOOM OMFactory + OMFactory doomFactory = DOOMAbstractFactory.getOMFactory(); + // Create the new builder + StAXOMBuilder doomBuilder = new StAXOMBuilder(doomFactory, llomReader); + // Get the document element + OMElement newElem = doomBuilder.getDocumentElement(); + return (Element) newElem; + } + /** * @param rmd * @param sigToken diff --git a/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties b/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties index 28089fb..2920547 100644 --- a/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties +++ b/modules/rampart-core/src/main/java/org/apache/rampart/errors.properties @@ -97,4 +97,6 @@ unexprectedSignature = Unexpected signature invalidTransport = Expected transport is "https" but incoming transport found : \"{0}\" requiredElementsMissing = Required Elements not found in the incoming message : {0} repeatingNonceValue = Nonce value : {0}, already seen before for user name : {1}. Possibly this could be a replay attack. -invalidNonceLifeTime = Invalid value for nonceLifeTime in rampart configuration file. \ No newline at end of file +invalidNonceLifeTime = Invalid value for nonceLifeTime in rampart configuration file. +algorithmNotFound = Couldn't find the algorithm used +invalidAlgorithm = Algorithm verification failed. Required Algorithm : {0}, Algorithm found {1} diff --git a/pom.xml b/pom.xml index cfe800c..ccfc963 100644 --- a/pom.xml +++ b/pom.xml 
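Review bot: `getLLOMfromOM` is added but its only caller (in the `@@ -659` hunk of this file) is commented out, so the method and the three new `org.apache.axiom.om.impl` imports are unreachable code in this commit; either wire it up or drop it until it is needed. The name is also misleading: the body builds a DOOM tree from an LLOM element via `DOOMAbstractFactory` and casts the result to `Element`, i.e. it converts LLOM to DOOM, not the other way round. The `XMLStreamReader` obtained from `element.getXMLStreamReader()` is never closed, which may matter depending on the Axiom implementation behind it. If the method is kept, give it a Javadoc stating that it rebuilds the given element with the DOOM factory so it can be used as a `org.w3c.dom.Element`, and that the cast relies on the DOOM factory returning DOM-backed nodes.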
@@ -369,7 +369,7 @@ <axis2.version>SNAPSHOT</axis2.version> <addressing.mar.version>SNAPSHOT</addressing.mar.version> - <wss4j.version>1.5.8</wss4j.version> + <wss4j.version>1.5.9</wss4j.version> <xmlsec.version>1.4.2</xmlsec.version> <opensaml.version>1.1</opensaml.version>